

Open Systems Interconnection (OSI) Model

The OSI Reference Model is a layered architecture (Figure 7.10) consisting of a set of international networking standards known collectively as X.200. Developed by the International Standards Organization (ISO), the basic process began in 1977 and was completed in 1983. The OSI model defines a set of common rules that can be used by computers of disparate origin in order to exchange information (communicate). As is the case with SNA and other such proprietary architectures, the model is layered to segment software responsibilities, with supporting software embedded in each node to provide an interface between layers. Specific levels of service can be negotiated between nodes.


Figure 7.10  OSI Reference Model.

The transmitting device uses the top layer, at which point the data is placed into a packet, prepended by a header. The data and header, known collectively as a Protocol Data Unit (PDU), are handled by each successively lower layer as the data works its way across the network to the receiving node. At the receiving node, the data works its way up the layered model; successively higher layers strip off the header information.

Layer Seven (Application Control)
provides support services for user and application tasks. File transfer, interpretation of graphic formats and documents, and document processing are supported at this level. As an example, X.400 e-mail messaging takes place at Layer Seven.
Layer Six (Presentation Control)
performs functions related to the formatting and displaying of received data by terminals and printers. Functions herein include data formatting, code set conversion (EBCDIC-to-ASCII), and text compression and decompression.
Layer Five (Session Control)
formats the data for transfer between end nodes, provides session restart and recovery, and general maintenance of the session from end-to-end.
Layer Four (Transport Control)
is responsible for maintaining the end-to-end integrity and control of the session. Data is accepted from the Session Control layer and passed through to the Network Control layer. The two protocols that can be used at this layer include Transmission Control Protocol (TCP) and the five levels of the OSI Transport Protocol (TP). The X.25 packet-switching protocol operates at Layers One, Two, Three, and Four.
Layer Three (Network Control)
comprises software that addresses the PDUs and transports them to the ultimate destination, setting up the appropriate paths between the various nodes. At this layer, message routing, error detection and control of internodal traffic are managed. The Internetwork Protocol (IP) operates at this layer.
Layer Two (Data Link Control)
establishes the communications link between individual devices over a physical link or channel. At this level lie responsibility for framing, error control, flow control, data sequencing, time-out levels, and data formatting. HDLC is used at this level.
Layer One (Physical Control)
defines the electrical and mechanical aspects of the interface of the device to a physical transmission medium, such as twisted pair, coax, or fiber. At this layer are found communications hardware and software drivers, as well as electrical specifications such as RS-232C.
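The encapsulation walk described above (each lower layer prepending its header on the way down, each higher layer stripping it on the way up, with Layer Two also doing error control) as an added example, not code from the original text; the byte layout of the headers and the CRC-32 trailer are constructed for illustration and are not an OSI wire format.

```python
import struct
import zlib

# Layer names follow the text; the header encoding is constructed for this example.
LAYERS = ["application", "presentation", "session", "transport", "network", "data_link"]

def encapsulate(data: bytes, headers: dict[str, bytes]) -> bytes:
    """Transmitting node: walk down the stack, each layer prepending its own header
    to the PDU handed down from the layer above.  Layer Two also appends a CRC-32
    trailer (its error-control duty), so the frame is headers + data + trailer."""
    pdu = data
    for layer in LAYERS:                               # Layer Seven first, Layer Two last
        hdr = headers[layer]
        pdu = struct.pack("!B", len(hdr)) + hdr + pdu  # 1-byte length prefix, then header
    return pdu + struct.pack("!I", zlib.crc32(pdu))    # data-link trailer

def decapsulate(frame: bytes) -> tuple[dict[str, bytes], bytes]:
    """Receiving node: Layer Two checks the trailer and discards a damaged frame;
    then each successively higher layer strips only the header its peer added."""
    body, fcs = frame[:-4], struct.unpack("!I", frame[-4:])[0]
    if zlib.crc32(body) != fcs:
        raise ValueError("frame check sequence mismatch: frame discarded at Layer Two")
    stripped: dict[str, bytes] = {}
    pdu = body
    for layer in reversed(LAYERS):                     # Layer Two first, Layer Seven last
        hlen = pdu[0]
        stripped[layer] = pdu[1:1 + hlen]
        pdu = pdu[1 + hlen:]
    return stripped, pdu

# Constructed sample headers; real headers carry addresses, sequence numbers, etc.
SAMPLE_HEADERS = {
    "application": b"X400",
    "presentation": b"ASCII",
    "session": b"S1",
    "transport": b"TP4",
    "network": b"IP:10.0.0.2",
    "data_link": b"HDLC",
}

if __name__ == "__main__":
    frame = encapsulate(b"hello", SAMPLE_HEADERS)
    headers, payload = decapsulate(frame)
    print(headers, payload)
```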

Security

Security is an issue of prime importance (Figure 7.11) across all dimensions of communications and networks, but perhaps most importantly in the world of data communications. In the traditional data world of mainframes in glass houses, security was very tightly controlled. In the contemporary world of distributed processing and networked computer resources, security is much more difficult to develop and control. Security encompasses a number of dimensions, including physical security, authentication, authorization, port security, transmission security, and encryption.


Figure 7.11  Security as a priority.

Physical security

Physical security involves access control—control over the individuals who have access to the facilities in which the systems reside. Clearly, access must be restricted by security guards, locks and keys, electronic combination locks and/or electronic card key systems which require additional input, such as a Personal Identification Number (PIN). The latter is preferable, as the system can maintain a record of specific access.

Authentication

Authentication provides a means by which network managers can authenticate the identity of those attempting access to computing resources and resident data. Authentication consists of Password Protection and Intelligent Tokens. Password protection should be imposed to restrict individuals on a site, host, application, screen and field level. Passwords should be of reasonably long length, alphanumeric in nature and changed periodically. There is a current trend toward the use of dedicated password servers for password management. Intelligent tokens are one-time passwords which are generated by hardware devices and which are verified by a secure server on the receive side of the communication. They often work on a cumbersome challenge-response basis.
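The challenge-response token verification described above as an added example, not code from the original text: a hardware token and the secure server on the receive side share a per-token secret, the server issues a fresh challenge per log-on attempt, and a response is accepted only once. The HMAC-SHA256 construction and the token identifiers are assumptions for illustration, not a particular vendor's scheme.

```python
import hashlib
import hmac
import secrets

def token_response(token_secret: bytes, challenge: bytes) -> bytes:
    """What the hardware token computes: a one-time value bound to this challenge."""
    return hmac.new(token_secret, challenge, hashlib.sha256).digest()

class VerificationServer:
    """Receive-side server.  Each challenge is unpredictable and consumed on first
    use, so a captured response is useless for a later log-on attempt."""

    def __init__(self, token_secrets: dict[str, bytes]) -> None:
        self._secrets = token_secrets            # token id -> shared secret (constructed)
        self._pending: dict[str, bytes] = {}     # token id -> outstanding challenge

    def issue_challenge(self, token_id: str) -> bytes:
        if token_id not in self._secrets:
            raise KeyError("unknown token")
        challenge = secrets.token_bytes(16)      # fresh random challenge, never reused
        self._pending[token_id] = challenge
        return challenge

    def verify(self, token_id: str, response: bytes) -> bool:
        # The challenge is consumed whether or not the response matches.
        challenge = self._pending.pop(token_id, None)
        if challenge is None:
            return False                          # no outstanding challenge: stale or replayed
        expected = token_response(self._secrets[token_id], challenge)
        return hmac.compare_digest(expected, response)   # constant-time comparison

if __name__ == "__main__":
    shared = secrets.token_bytes(32)              # constructed per-token secret
    server = VerificationServer({"token-0001": shared})
    chal = server.issue_challenge("token-0001")
    resp = token_response(shared, chal)           # computed on the token
    print("first use:", server.verify("token-0001", resp))
    print("replay:", server.verify("token-0001", resp))
```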

Authorization

Authorization provides a means of controlling which legitimate users have access to which resources. Authorization involves complex software which resides on every secured computer on the network; ideally, it provides single sign-on capability. Authorization systems include Kerberos, Sesame, and Access Manager.

Kerberos
the best known authorization software, was developed by the Massachusetts Institute of Technology (MIT). Although it is available without charge, commercial versions exist. As Kerberos uses DES, it is not easily exportable to other nations [7-9]. IBM's KryptoKnight is a Kerberos variant, weaker but exportable. Kerberos is named after the three-headed monster which guards the gates to the underworld according to Greek mythology.
Sesame (Secure European System for Applications in a Multivendor Environment)
was developed by the ECMA (European Computer Manufacturers Association). It is flexible, open and intended for large, heterogeneous network computing environments. It also is highly complex and not effective for smaller applications.
Access Manager
recently approved by the IETF (Internet Engineering Task Force), uses an API for applications, employing scripting. Scripting involves a process of mimicking the log-on procedures of a program, providing basic levels of security for small networks.

