Powerful Google developer tools for immediate impact! (2023-24 C)
Supplement V1.2
1. • This slide is for education and training purposes only. If there is any copyright infringement, please leave a comment and it will be deleted immediately. Thank you.
• The slide is for education purposes only. Please leave a comment if there is any copyright infringement. I will delete it immediately. Thank you.
4. Qualitative Risk Analysis Example
Ministry of Education TANet Network Center, training materials for the Information Security Management System implementation plan
http://cissnet.edu.tw/download_tanet.aspx
5. FMEA Output
RPN = SEV x PF x DET
RPN: Risk Priority Number
SEV: Severity
PF: Probability Factor
DET: Detection Effectiveness
Ref: http://www.siliconfareast.com/fmea_quickref.htm#table
11. Access Control Conceptual Diagram
Access Control (2007/6/8)
Identification: "Identify yourself"
Authentication: "Prove it" (I need to verify you)
Authorization: "Do what I tell you to do"
Accountability: "Anything you do will be logged"
12. TACACS+ and RADIUS Comparison
Transport
  TACACS+: TCP (reliable; more overhead)
  RADIUS: UDP (unreliable; higher performance)
Authentication and Authorization
  TACACS+: Can be separated (more flexible)
  RADIUS: Combined
Multiprotocol Support
  TACACS+: Supported (IP, Apple, NetBIOS, Novell, X.25)
  RADIUS: IP only
Access to Router CLI Commands
  TACACS+: Supports two methods to control the authorization of router commands on a per-user or per-group basis
  RADIUS: Not supported
Encryption
  TACACS+: Packet payload
  RADIUS: Passwords only
http://etutorials.org/Networking/network+management/Part+II+Implementations+on+the+Cisco+Devices/Chapter+9.+AAA+Accounting/Diameter+Details/
13. RADIUS and Diameter Comparison
Transport protocol
  RADIUS: Connectionless (UDP 1812)
  Diameter: Connection-oriented (TCP, SCTP, 3868)
Transport security
  RADIUS: Optional IPsec
  Diameter: IPsec or Transport Layer Security (TLS) is required
Architecture
  RADIUS: Client-server model
  Diameter: Peer-to-peer model
State
  RADIUS: Stateless
  Diameter: Stateful (session ID, transaction status)
Authentication
  RADIUS: Pre-shared key; PAP, CHAP, EAP; only client-to-server re-authentication
  Diameter: Pre-shared key, digital certificate; PAP, CHAP, EAP; mutual re-authentication
Authorization
  RADIUS: Bound to re-authentication
  Diameter: Re-authorization at any time
Accounting
  RADIUS: Real-time accounting
  Diameter: Real-time accounting
Confidentiality
  RADIUS: Only encrypts the password
  Diameter: Encrypts all data, or the IP header (IPsec)
Integrity
  RADIUS: Poor
  Diameter: Good
Scalability
  RADIUS: Poor
  Diameter: Good
Extensibility
  RADIUS: Vendor-specific
  Diameter: Public use
Security model
  RADIUS: Supports only hop-by-hop security. Every hop can modify information in ways that cannot be traced to its origin.
  Diameter: Supports end-to-end and hop-by-hop security. End-to-end security guarantees that information cannot be modified without notice.
14. XACML Policy Sample
<Policy PolicyId="SamplePolicy"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
  <!-- This Policy only applies to requests on the SampleServer -->
  <Target>
    <Subjects>
      <AnySubject/>
    </Subjects>
    <Resources>
      <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SampleServer</AttributeValue>
        <ResourceAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
                                     AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/>
      </ResourceMatch>
    </Resources>
    <Actions>
      <AnyAction/>
    </Actions>
  </Target>
  <!-- A final, "fall-through" Rule that always Denies -->
  <Rule RuleId="FinalRule" Effect="Deny"/>
</Policy>
20. Null Cipher
“Are you deaf, Father William!” the young man said,
“Did you hear what I told you just now?
“Excuse me for shouting! Don’t waggle your head
“Like a blundering, sleepy old cow!
“A little maid dwelling in Wallington Town,
“Is my friend, so I beg to remark:
“Do you think she’d be pleased if a book were sent down
“Entitled ‘The Hunt of the Snark?’”
“Pack it up in brown paper!” the old man cried,
“And seal it with olive-and-dove.
“I command you to do it!” he added with pride,
“Nor forget, my good fellow, to send her beside
“Easter Greetings, and give her my love.”
27. Common Criteria Flow
Protection Profile: an implementation-independent statement of security needs for a TOE type. Category of product (i.e., “firewalls”).
Target of Evaluation: a set of software, firmware and/or hardware possibly accompanied by guidance. Specific product (i.e., Cisco PIX 5xx).
Security Target: an implementation-dependent statement of security needs for a specific identified TOE. Vendor claims: specifications and features.
Functional Requirements / Assurance Requirements
28. Implementation of Evaluated Products
Evaluation: test plan based on stated requirements
EAL Levels
1 Functionally Tested
2 Structurally Tested
3 Methodically Tested
4 Methodically Designed, Tested, Reviewed
5 Semiformal testing
6 Semiformal verification
7 Formal verification and testing
Certification: based on production environment
Accreditation
73. BCM is a Balancing Act(cont.)
Chart (axes: Cost/Loss versus Time): the recovery strategy curve (high cost) and the disruption curve (high loss, ending in lost business) cross at the optimal point.