OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Brass, Phil (ISS Atlanta) (PBrass@iss.net)
Date: Sun Nov 11 2001 - 12:06:38 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    TLS, the replacement for SSL, stands for Transport Layer Security (or
    something like that), right?

    Phil

    -----Original Message-----
    From: abuse [mailto:abuse@webfargo.com]
    Sent: Saturday, November 10, 2001 10:53 PM
    To: cisspstudy_1@yahoogroups.com; cisspstudy@securityfocus.com
    Subject: Re: Encryption Protocols and OSI layers - inconsistancies

    ssl definition is tough. ssl sits above layer 4, but below layer 7. i
    have not been able to determine if it is considered layer 5 or 6. here is
    a slide from netscape about it.
    http://developer.netscape.com/misc/developer/conference/proceedings/cs2/sld0

    03.html

    here are a couple more resources.
    http://home.netscape.com/eng/ssl3/draft302.txt
    http://developer.netscape.com/docs/manuals/security/sslin/contents.htm

    ipsec is much easier. ipsec resides at layer 3.

    http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc2401.html
    IPsec provides security services at the IP layer by enabling a system to
    select required security protocols, determine the algorithm(s) to use for
    the service(s), and put in place any cryptographic keys required to provide
    the requested services.

    hope that helps!

    mike

    At 05:21 PM 11/10/2001 -0800, you wrote:

    >With 3 days remaining before writing the exam, I need some
    >inconsistancies addressed. I'm concerned about where in the OSI model,
    >certain encryption protocols fall - specifically SSL and IPSec.
    >
    >SSL
    >----
    >
    >Tipton ISHM 4th edition p.162 indicates the SSL is a session (layer 5)
    >protocol. Other online resources claim SSL is an application layer
    >protocol.
    >
    >Since SSL is typically implemented in browser applications, I would
    >lean towards placing SSL in layer 7. Anyone have the definitive answer?
    >
    >IPSec
    >------
    >
    >Tipton ISHM 4th edition p.162 indicates IPSec is a transport (layer 4)
    >protocol. In the same book, chaper 14 "An Introduction to IPSec"
    >discusses IPSec as a network layer implementation. Other online
    >resources I've read indicate IPSec is a layer 3 protocol as well.
    >
    >The whole idea behind IPSec is that by working at layer 3, you can
    >secure any application regardless of the IP service or transport.
    >
    >Its difficult to pigeon-hole encryption protocols in different OSI
    >layers, especially when definitive resources conflict. Can oneone help
    >me address these inconsistancies?
    >
    >Cheers,
    >
    >--
    >Jeff Newton
    >