The seven-layer model was created mainly to solve the compatibility problems of interconnecting heterogeneous networks. Its greatest advantage is that it distinguishes the three concepts of service, interface and protocol, and divides the network's functions among separate functional modules. In other words, the original intent was compatibility; but once networks grew to a certain scale, security issues became prominent and an architecture was needed to address them. That is how the OSI security architecture emerged.
The OSI security architecture is built on the OSI seven-layer protocol model, which means it is defined relative to the seven layers, with different security technologies at different layers. The OSI security architecture looks like this:
figure: OSI security model
The corresponding security technologies for each layer are as follows:
Data link layer: Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP)
The Point-to-Point Tunneling Protocol (PPTP) is a new technology for supporting multi-protocol virtual private networks, which lets remote users access an enterprise network securely over the Internet. This is the VPN technology in common use. With this protocol, a remote user can connect to the Internet from any network operating system and then reach the corporate network across the public network. In other words, PPTP builds a simple encrypted tunnel over the channel in use.
figure: PPTP-based inter-site VPN diagram
L2TP is a protocol that combines Cisco's L2F with PPTP. Part of L2TP is the PPTP protocol, so it can also be used to encrypt network traffic. There are differences, however: PPTP requires the network to be an IP network, whereas L2TP requires a packet-oriented point-to-point connection; PPTP uses a single tunnel, while L2TP uses multiple tunnels; and L2TP provides packet header compression and tunnel authentication, which PPTP does not support.
Network layer: IP Security Protocol (IPSec)
When IPv4 was designed, only the sharing of information resources was considered; security received little attention, so IPv4 cannot fundamentally prevent network-layer attacks. Applying IPSec to existing IPv4 strengthens its security: at the network layer IPSec provides confidentiality and integrity of IP packets, authentication of the IP packet's source address, and resistance to address-spoofing attacks. IPSec can protect traffic on any IP-capable transport medium, so that every protocol running above the network layer is transported securely between hosts. An IPSec gateway can be installed wherever security is needed, such as on a router, firewall, application server or client.
figure: Data encapsulation with IPSec
IPSec consists mainly of three protocols:
1. AH (Authentication Header): provides integrity of the packet and authentication of its source address.
2. ESP (Encapsulating Security Payload): provides encryption and authentication of the packet contents.
3. IKE (Internet Key Exchange): negotiates between the source and destination nodes the AH and ESP parameters used to protect IP packets, such as the encryption and authentication algorithms, the keys, and the lifetime of the keys; the negotiated set is known as a Security Association. AH and ESP are network-layer protocols, while IKE is an application-layer protocol. In general, IPSec refers only to the network-layer protocols AH and ESP. Because the IPSec service is provided at the network layer, any upper-layer protocol can make use of it.
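To make the AH/ESP division concrete, here is an added example (not code from the original article) that parses the cleartext parts of an AH and an ESP packet from a constructed IPv4 sample and applies the anti-replay window that AH and ESP both build on the sequence number; the packet bytes, SPI values and window size are constructed for the demo.

```python
import struct
IPPROTO_ESP, IPPROTO_AH = 50, 51  # IANA protocol numbers carried in the IPv4 header

def build_ipv4(proto: int, src: bytes, dst: bytes, payload: bytes) -> bytes:
    """Constructed sample IPv4 header (no options, checksum left 0) for the demo only."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst) + payload

def parse_ipv4(pkt: bytes):
    """Return (protocol, src, dst, payload); the IHL field locates the end of the header."""
    ihl = (pkt[0] & 0x0F) * 4
    dotted = lambda b: ".".join(str(x) for x in b)
    return pkt[9], dotted(pkt[12:16]), dotted(pkt[16:20]), pkt[ihl:]

def parse_ah(payload: bytes) -> dict:
    """AH (RFC 4302): everything is in the clear; the ICV covers the inner packet, so a modified or spoofed packet fails verification."""
    next_hdr, plen = payload[0], payload[1]
    spi, seq = struct.unpack("!II", payload[4:12])
    ah_len = (plen + 2) * 4                       # payload length is in 32-bit words, minus 2
    return {"next_header": next_hdr, "spi": spi, "seq": seq,
            "icv": payload[12:ah_len], "inner": payload[ah_len:]}

def parse_esp(payload: bytes) -> dict:
    """ESP (RFC 4303): only SPI and sequence number are visible; the rest is encrypted and authenticated."""
    spi, seq = struct.unpack("!II", payload[:8])
    return {"spi": spi, "seq": seq, "protected": payload[8:]}

class ReplayWindow:
    """Sliding anti-replay window (RFC 4303 section 3.4.3, simplified to 32-bit sequence numbers).
    Bit 0 of the bitmap is the highest sequence number seen; bit d stands for top - d."""
    def __init__(self, size: int = 64):
        self.size, self.top, self.bitmap = size, 0, 0

    def accept(self, seq: int) -> bool:
        if seq == 0:
            return False                          # 0 is never valid on the wire
        if seq > self.top:                        # newer than anything seen: slide the window up
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1) if shift < self.size else 0
            self.bitmap |= 1
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size or self.bitmap & (1 << diff):
            return False                          # too old, or a replay of a packet already seen
        self.bitmap |= 1 << diff
        return True

# Constructed sample: ESP from 10.0.0.1 to 10.0.0.2, SPI 0x1000, sequence 7, 16 arbitrary protected bytes.
SAMPLE_ESP = build_ipv4(IPPROTO_ESP, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]),
                        struct.pack("!II", 0x1000, 7) + b"\x00" * 16)
```

The parsers deliberately stop at the boundary an on-path observer sees: for ESP that is the SPI and sequence number, which is exactly why replay protection has to come from the receiver's window rather than from anything visible in the packet.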
Transport layer: Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
Secure Sockets Layer (SSL) is a protocol introduced by Netscape together with the first version of its Web browser. SSL uses public-key technology to ensure the confidentiality and reliability of communication between two applications, so that traffic between a client and a server application cannot be intercepted by an attacker. It can be implemented on both the server and the client side, is now the industry standard for secure communication on the Internet, and current Web browsers combine HTTP and SSL for secure communication. The advantage of the SSL protocol is its independence from the application-layer protocol: higher-level application protocols (such as HTTP, FTP, Telnet and so on) can be built transparently on top of SSL. Before the application-layer protocol begins communicating, SSL has already completed the negotiation of the encryption algorithm and the communication key and the authentication of the server. From then on, the data transmitted by the application-layer protocol is encrypted, guaranteeing the privacy of the communication.
figure: SSL is located at the transport layer
Transport Layer Security (TLS) is a protocol that protects communicating applications and their users' privacy on the Internet. When a server and a client communicate, TLS ensures that no third party can eavesdrop on or steal the information. TLS is the successor to the Secure Sockets Layer (SSL) protocol. TLS consists of two layers: the TLS record protocol and the TLS handshake protocol. The TLS record protocol uses encryption methods such as the Data Encryption Standard (DES) to secure the connection; it can also be used without encryption. The TLS handshake protocol lets the server and client authenticate each other before exchanging data and negotiate the cryptographic algorithms and keys. TLS uses key algorithms to provide endpoint identity authentication and communication secrecy on the Internet, based on a public key infrastructure (PKI). In typical deployments, however, only the network service is reliably authenticated, and its clients are not necessarily authenticated. This is because public key infrastructure is generally operated commercially, and electronic signature certificates are quite expensive, so ordinary users can hardly afford them. The design of the protocol can in some way allow the client/server application communication itself to prevent eavesdropping, interference (tampering) and message forgery.
Session layer: SOCKS proxy technology
SOCKS is a network transport protocol used mainly to relay traffic between a client and an external network server. SOCKS is an abbreviation of SOCKetS.
When a client behind a firewall accesses an external server, it connects to the SOCKS proxy server. The proxy server checks whether the client is eligible to access the external network and, if so, forwards the client's request to the external server. The protocol was originally developed by David Koblas and later extended to version 4 by Ying-Da Lee of NEC. The latest version is 5, which adds support for UDP, authentication and IPv6 over the previous version. In terms of the OSI model, SOCKS is an intermediate layer between the application layer and the transport layer.
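The SOCKS5 exchange described above, as an added example that is not part of the original article: the client's greeting and CONNECT request, the proxy's method selection, and the proxy's reply after the eligibility check. Message layouts follow RFC 1928; the allowlist policy and the host names are constructed for the demo.

```python
import struct
import ipaddress
SOCKS_VERSION = 5
NO_AUTH, USERPASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF      # authentication methods (RFC 1928)
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCESS, REP_NOT_ALLOWED, REP_CMD_UNSUPPORTED = 0x00, 0x02, 0x07

def client_greeting(methods=(NO_AUTH, USERPASS)) -> bytes:
    """Client -> proxy: VER, NMETHODS, METHODS."""
    return bytes([SOCKS_VERSION, len(methods), *methods])

def server_select_method(greeting: bytes, supported=(USERPASS,)) -> bytes:
    """Proxy -> client: the first method the proxy supports that the client offered, else 0xFF (refuse)."""
    offered = set(greeting[2:2 + greeting[1]])
    chosen = next((m for m in supported if m in offered), NO_ACCEPTABLE)
    return bytes([SOCKS_VERSION, chosen])

def client_connect(host: str, port: int) -> bytes:
    """Client -> proxy: CONNECT request; a domain name is sent as-is so the proxy resolves it."""
    try:
        ip = ipaddress.ip_address(host)
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    except ValueError:
        name = host.encode("idna")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)

def parse_request(data: bytes):
    """Decode (cmd, host, port) from a client request, handling all three address types."""
    ver, cmd, _rsv, atyp = data[:4]
    if ver != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 request")
    if atyp == ATYP_IPV4:
        host, rest = str(ipaddress.IPv4Address(data[4:8])), data[8:]
    elif atyp == ATYP_IPV6:
        host, rest = str(ipaddress.IPv6Address(data[4:20])), data[20:]
    elif atyp == ATYP_DOMAIN:
        host, rest = data[5:5 + data[4]].decode("idna"), data[5 + data[4]:]
    else:
        raise ValueError("unknown address type")
    return cmd, host, struct.unpack("!H", rest[:2])[0]

def proxy_decide(request: bytes, allowed: set) -> bytes:
    """Proxy -> client reply after the eligibility check. The policy is a constructed set of (host, port)
    pairs; BND.ADDR/BND.PORT are zeroed here, a real proxy reports the socket it bound on the client's behalf."""
    cmd, host, port = parse_request(request)
    rep = (REP_CMD_UNSUPPORTED if cmd != CMD_CONNECT
           else REP_SUCCESS if (host, port) in allowed else REP_NOT_ALLOWED)
    return bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4]) + bytes(6)
```

Note that the proxy sees the destination in the clear even when the client later speaks TLS through the tunnel, which is what lets it enforce the access policy at the session layer.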
Application layer: application proxy
An application proxy works at the application layer, sitting between the client and the server and completely separating the exchange of data between the two. From the client's point of view the proxy server is the real server, and from the server's point of view the proxy server is the real client. When the client needs data from the server, its request is first sent to the proxy server, which requests the data from the server on the client's behalf and then passes it back to the client. Because there is no direct data channel between the external system and the internal server, an external attack can hardly harm the enterprise's internal network, and the proxy is transparent to data below the application layer. An application-layer proxy server supports proxying of application-layer protocols such as HTTP, HTTPS, FTP and Telnet. Because these protocols support proxies, once the proxy server entry and its address are configured in the client's browser or other application, all of the client's requests are automatically forwarded to the proxy server, which then processes or forwards them.
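The "real server to the client, real client to the server" role in the paragraph above, as an added example that is not from the original article: a minimal HTTP forward-proxy step that takes the proxy-form request a browser sends when a proxy is configured, applies a constructed host allowlist, and rebuilds the request the proxy itself sends to the origin server. The allowlist and sample requests are constructed; HTTPS through a proxy uses a CONNECT tunnel and is not covered here.

```python
from typing import Optional
from urllib.parse import urlsplit

# Headers that belong to the client<->proxy hop and must not be passed on to the origin server.
HOP_BY_HOP = {"proxy-connection", "proxy-authorization", "connection", "keep-alive", "te", "trailer", "upgrade"}

def rewrite_for_origin(raw: bytes, allowed_hosts: set) -> Optional[bytes]:
    """Turn the client's proxy-form request (absolute URI in the request line) into the request the
    proxy itself sends to the origin server; return None when the constructed allowlist denies it."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    url = urlsplit(target)
    if url.scheme != "http" or url.hostname not in allowed_hosts:
        return None                                  # only proxied protocols, only approved servers
    path = (url.path or "/") + (f"?{url.query}" if url.query else "")
    headers = [line.split(":", 1) for line in lines[1:] if ":" in line]
    kept = [(k.strip(), v.strip()) for k, v in headers
            if k.strip().lower() not in HOP_BY_HOP | {"host"}]
    # The proxy now speaks to the origin as an ordinary client: origin-form path plus its own Host header.
    out = [f"{method} {path} {version}", f"Host: {url.netloc}"]
    out += [f"{k}: {v}" for k, v in kept] + ["Connection: close"]
    return ("\r\n".join(out) + "\r\n\r\n").encode("iso-8859-1") + body
```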