首頁 產業/市場分類 出版商一覽 Email 通知 GII媒體代理會議 公司簡介 聯絡我們
- English Japanese Korean
首頁 > 市場調查報告書 > 通訊 > IT安全性 > 避免內嵌式安全系統帶來的災害:內嵌式安全系統銷售企業、OEM及開發人員應知道的事
產業/市場分類
通訊 (11579)
企業概況 (775)
光纖網路 (265)
次世代無線通信 (540)
行動用戶 (129)
行動設備 (760)
軟體 (1031)
電子商務 (210)
網路 (673)
網路與進入設備 (266)
數位廣播 (305)
數據中心 (345)
寬頻 (392)
衛星遠程通信 (141)
線上廣告 (143)
整合 (177)
整合通訊 (304)
機上盒 (63)
聯繫中心 (135)
Contents (626)
IT安全性 (500)
IT委外 (323)
LBS (160)
NFC (151)
RFID (213)
Web服務 (549)
WLAN/WiMAX (567)
市場調查報告書

避免內嵌式安全系統帶來的災害:內嵌式安全系統銷售企業、OEM及開發人員應知道的事

Avoiding an Embedded Security Disaster: What vendors, OEMs and developers need to know about embedded security

出版商 Embedded Market Forecasters
出版日期 2007年07月 商品編碼 53494
內容資訊 英文 43 pages
價格
US $ 3750 PDF by E-mail (Single User License)


避免內嵌式安全系統帶來的災害:內嵌式安全系統銷售企業、OEM及開發人員應知道的事 是由出版商Embedded Market Forecasters在2007年07月所出版的。 這份英文市場調查報告書包含43 pages 價格從美金3750起跳。

簡介

專門於內嵌式技術領域調查的美國市調公司 Embedded Market Forecasters (總公司:Massachusetts state)出版了一本關於內嵌式安全系統動向的報告書 "Avoiding an Embedded Security Disaster: What vendors, OEMs and developers need to know about embedded security"

本報告書內容包括:內嵌式安全系統相關重要疑惑驗證、經許可的密碼化技術的缺失、未經確認的協定安裝、管理及監視不足的問題、在可行範圍內提供的對策、可利用的內嵌式規格FIPS簡介等。內容綱要摘記如下:

介紹

實施概要

密碼化(或缺乏密碼化)

美國聯邦資訊處理標準(FIPS):內嵌式安全系統銷售企業、OEM及開發企業應將內建FIPS 140-2的理由

不當的密碼化應用程式

  • 未妥善利用強力的密碼化技術
  • 鑰匙大小不對等
  • 「假裝」的密碼化之利用

未經確認的協定安裝

  • SNMP
  • TCP/IP
  • 開放SSL:衍生物
  • 不可避免的結果

保護錯誤的對象

管理及監視能力上的缺失

伴隨著痛苦的高價昇級檔管理(最低限度的責任能力)

安全性條件及與既有安全性標準對立的內嵌式元件的限制

  • SSL
  • SSH
  • IP-Sec
    • 共同條件:SSL、SSH及IP-Sec
  • SSL、SSH、及IP-Sec過度發展時

缺乏銷售企業及產業自身的最佳實務典範

初期設定不安全

模糊不清的責任範圍

摘要

附錄A:FIPS 140簡介

附錄B:內嵌式解決方案與FIPS-140認定模組的整合

附錄C:內嵌式安全性產品調查

附錄D:專有名詞集

目錄

Abstract

Introduction

For many years, embedded systems have been quietly working behind the scenes of almost all modern technologies, from automobiles to factory floors to space exploration missions. Increasingly, these critical embedded systems are built from COTS software, and often incorporate standards-based network connectivity. Just as the early networked desktop PC' s and server' s were unprepared to address the new security implications of network connectivity, today' s embedded systems present a significant new security concern, which must be addressed immediately and systematically. This paper will examine several significant embedded systems security concerns, and where possible outline recommended courses of remedial action.

Executive Summary

Embedded systems are responsible for the availability and functionality of many critical systems, from factory automation to gas pipeline monitors to networking equipment. Unfortunately, the critical importance of embedded systems is seldom matched with a strong, comprehensive security infrastructure. Some of the critical security issues presented by modern embedded systems are:

  • Diverse network-connected embedded systems use combinations of custom and COTS software, the details of which are typically known only to the vendor of each embedded device, making vulnerability assessment, risk analysis, and patch management difficult
  • Many embedded protocol implementations derive from older versions of opensource software like OpenSSL and the BSD TCP/IP stack, resulting in vulnerabilities to known attacks, which have since been patched in the main software distributions
  • Many other protocol implementations are built entirely from scratch, and have not benefited from years of public analysis and repeated attack, resulting in unproven protocol implementations that may be vulnerable to attack
  • Even when vulnerabilities are identified, patches must be developed for each device or device family by the vendor, requiring tight collaboration between embedded software developers and the OEM' s building devices based on the developers' software
  • Deployment of software patches is even more difficult, expensive, and timeconsuming than the most elaborate mobile/remote patch management systems for PCs and PDAs, making the total cost of a vulnerability in an embedded system much higher, and the motivation to patch that vulnerability much lower
  • Most network-aware embedded devices lack sufficient management and auditing functionality, making centralized configuration and monitoring difficult and costly, and severely limiting the data available for attack pattern detection and afterattack forensic analysis
  • Embedded systems are not always considered an IT responsibility, and thus often fall outside IT control, resulting in lax policy enforcement, minimal configuration management and auditing, distorted risk analyses, and little or no integration with enterprise security tools

Remediation of these issues will require a concerted effort on the part of commercial and custom embedded software developers, OEM' s building embedded systems, vendors selling them, and customers purchasing and implementing products based on network-aware embedded software. Until information security becomes a strategic technology for embedded systems developers, their products will continue to be characterized by complacency and vulnerability.

Table of Contents

  • AVOIDING AN EMBEDDED SECURITY DISASTER: What vendors, OEMs and developers need to know about embedded security
  • Introduction
  • Executive Summary
  • Encryption (or lack of)
  • Lack of Certified Encryption
  • The Federal Information Processing Standards (FIPS): Why embedded vendors, OEMs and developers need to incorporate FIPS 140-2
  • Improper Application of Encryption
    • Using Strong Encryption, Weakly
    • Key Size Disparities
    • Using "Pretend" Encryption
  • Unproven Protocol Implementations
    • SNMP
    • TCP/IP
    • OpSenSSL-derivatives
    • Inevitable Conclusion
  • Protecting the Wrong Things
  • Lack of Management & Monitoring Abilities
  • Painful & Expensive Patch Management with Minimal Accountability
  • Embedded Limitations At Odds with Security Requirements & Existing
  • Security Standards
    • SSL
    • SSH
    • IP-Sec
    • Common Requirements - SSL, SSH, and IP-Sec
    • When SSL, SSH, and IP-Sec Are Overkill
  • Lack of Vendor- or Industry-Originated Best Practices
  • Insecure by Default
  • Ambiguous Responsibilities
  • Summary
  • Appendix A - A Brief Introduction to FIPS 140
    • What Is FIPS 140?
    • Why is FIPS 140 Important?
    • I' ve never heard of FIPS 140, So How Important Can It Be?
    • How is FIPS 140 different from the Common Criteria certification?
    • How is FIPS 140 different from SSL or IP-sec?
    • If I have FIPS 140 certification, does that mean my system is secure?
    • How can I get FIPS 140 certification?
  • Appendix B - Integration of FIPS 140-certified Modules into Embedded Solutions
    • Embedded Systems Support
    • Insufficient Flexibility
    • Unacceptable Pricing, Licensing Terms
    • Out Of Date Certifications
    • Available Toolkits
    • Integrating FIPS 140 into New and Existing Embedded Systems
      • An SSL Implementation
      • An IP-Sec Implementation
      • A Proprietary Product with Existing Encryption Capabilities
      • A Proprietary Product without Existing Encryption Capabilities
  • RTOS CONSIDERATIONS
  • Appendix C - A Survey of Embedded Security Products
    • IP-Sec Implementations
      • TeamF1 V-IPSecure
      • Elmic Systems Voyager IPsec/IKE
      • InterPeak IKE
      • InterPeak IP-sec
    • SSL Implementations
      • TeamF1 SSLimSecureSecure
      • Interpeak Embedded SSL
      • Accelerated Technology Nucleus SSL
    • SSH Implementations
      • TeamF1 SSHield
      • Interpeak Embedded SSH
    • Proprietary Encrypted Communication Tools
      • TeamF1 SSMartSecure
    • Embedded Management Technologies
      • Interpeak Embedded SNMP
    • FIPS 140 Certified Encryption Toolkits
      • Certicom SecurityBuilder GSE
      • Cryptos Mobile Systems TACHYON-Crypt
      • Atmel AT97SC3201
  • Appendix D: Glossary
Back to Top