Network security services ensure adequate security systems connected in the and it ensures a secure data transfer. It is X.800, a security architecture for Open Systems Interconnection that defines these security services. We can also define security services as a processing or communication service provided by the system that offers a specific kind of protection to the system resources.
We broadly categorize network security services into 5 kinds of services. Let us learn more about these security services in the following section.
Network Security Services
- Access Control
- Data Confidentiality
- Data Integrity
- Availability Service
The authentication service ensures that the communication is authentic i.e., the communicating entities are the one that they claim to be. When it is a single message indicating a warning or an alarm the authentication service ensures the recipient that the message is arrived from the authentic source it is claiming.
Now when there is an ongoing interaction between two entities the authentication security service ensures two things:
- First, the security service ensures that the two entities involved in the communication are the ones they claim to be.
- Second, the security service even ensures that the connection is not interfered with by any third party that can masquerade as any one of the two legitimate entities involved in communication.
So, the two specific authentication security services that X.800 defines are:
Peer entity Authentication
The peer entity authentication service verifies the identity of the peer entity in the association. We consider two entities as peers if they implement the same protocol. This service is provided at the time of connection establishment or at the time of the data transfer phase.
Data Origin Authentication
The data origin authentication security service verifies the source of the data unit. It does not provide protection against the duplication or modification of data units.
The security service defines access control as a service that controls and limits the access of third parties to host systems and applications through communication links.
In order to accomplish this service, any entity trying to gain access to the host system must be first verified so that the access right can be tailored according to the individual.
Data confidentiality is the security service that ensures the protection of the transmitted data from all possible passive attacks. The level of protection raises depending on the content of the data transmitted.
The broader form of data confidentiality service provides protection to all the messages between two users over a period of time. However, the narrower form of data confidentiality service only provides protection to a single message or it provides protection to even a specific field within the message.
Although the narrow form of data confidentiality service is less useful than the broader service is even more complex and expensive to implement. In another way, this service can even provide protection to the flow of traffic from being analyzed. Thus, it prevents the attacker from observing the source and destination, and even the frequency, length, or other characteristics of the traffic.
Just like the data confidentiality service, we can apply the data integrity service either to a stream of messages, an individual message, or to selected fields within the message.
- The connection-oriented integrity service deals with the stream of messages, where it ensures that the message received does not include any duplication, insertion, modification, reordering, or replays. It also addresses the destruction of data.
- However, the connection-less integrity service deals with the individual message where it only provides protection against message modification.
We can classify the data integrity service on the basis of one that provides recovery and the one that does not provide recovery.
As the data integrity service only deals with the active attack. So, it is more bothered about the detection is less bothered about the prevention.
- The data integrity service without recovery when it identifies the violation of integrity, simply reports the violations and requires software or human intervention to recover from the violation.
- The data integrity service with recovery when identifying the violation of integrity provides a mechanism to recover from the loss of integrity of the data.
The nonrepudiation security services prevent both the sender and the receiver from denying the transmitted message. So here when the sender sends the message the receiver of the message can prove that it is sent from the alleged sender.
When the receiver receives the message, the sender can in fact prove that the alleged receiver has received the message.
We consider the availability of service as a property of the system or the system resources being accessible by the authorized entity. A variety of attacks can reduce the availability of the system. Some of these attacks are vulnerable to countermeasures such as authentication and encryption. While some attack requires physical activity to prevent or recover from the loss of availability. Thus, we can refer to availability service as the one that ensures the availability of the system to authorized entities.
The availability service even addresses the issue raised by the denial-of-service attack.
Thus, network security services offered by the protocol layers of the communicating devices in the network ensure the security of the communicating systems and the data transfer between them.
Although there is no universal agreement on many of the terms that we discussed above in security services. Sometimes, the term integrity covers all the information security services we discussed above. Sometimes, the term authentication refers to the verification of the communicating entities and also various services listed under integrity.
The security services we discussed are defined by X.800 and RFC4949.