Network communication nowadays relies on multilayer protocols. The ISO OSI Reference Model employs the (N)-, (N+ 1)- and (N-1)- notation in layering. Elements in a layer (N) interact directly only with elements in the adjacent higher layer (N+1) or the adjacent lower layer (N-1) of a system. Which of the following is not true?
A. Layering is the same as the concept of defense in depth.
B. Security aspects are also general architectural elements of protocols.
C. Layering manages dependencies and reduces complexity based on modularity.
D. Distributed Network Protocol 3 (DNP3) covers layers 2, 4, and 7 in the ISO OSI model.
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is A. Layering is the same as the concept of defense in depth.
According to NIST SP 800-160 V1, “the security design principles of modularity and layering are not the same as the concept of defense in depth.” When it comes to system engineering or security engineering, layering and layered defense (or defense in depth) are different concepts. It can be confusing that the Sybex official study guide treats layering the same as “defense in depth.”
- System engineering typically emphasizes hierarchical layers that optimize dependencies and reduce complexity.
- The official study guide stresses the concentric circles or bullseye of layers with a focus on the serial deployment (not parallel) of security controls.
Defense in Depth (aka Layered Defense)
Defense in depth describes security architectures constructed through the application of multiple mechanisms to create a series of barriers to prevent, delay, or deter an attack by an adversary. (NIST SP 800-160 V1)
Modularity and Layering
Modularity and Layering are structural design principles that affect the fundamental architecture of the system, also known as architectural design principles.
- Modularity means a complex system can be decomposed into smaller well-defined logical units (or modules) in terms of function, data, structure, security, etc.
- Layering refers to the process of organizing those units into layers in terms of cohesion and coupling to manage dependencies and complexity.
According to ISO 7498-1, security aspects are also general architectural elements of protocols.
Security-informed modular decomposition includes the following:
- allocation of policies to systems in a network;
- allocation of system policies to layers;
- separation of system applications into processes with distinct address spaces; and
- separation of processes into subjects with distinct privileges based on hardware-supported privilege domains.
Source: NIST SP 800-160 V1
Distributed Network Protocol 3 (DNP3)
In terms of the OSI model for networks, DNP3 specifies a layer 2 protocol. It provides multiplexing, data fragmentation, error checking, link control, prioritization, and layer 2 addressing services for user data. It also defines a Transport function (somewhat similar to the function of layer 4) and an Application Layer (layer 7) that defines functions and generic data types suitable for common SCADA applications.
- Distributed Network Protocol 3 (DNP3)
- Decomposition Techniques
- Divide-and-conquer algorithm
- Functional decomposition
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.
現代的網絡通信依賴多層協議(multilayer protocols)。 ISO OSI參考模型在分層(layering)時使用（N）-，（N + 1）-和（N-1）-等表示法。 層（N）中的元素僅能直接與系統的相鄰的較高層（N + 1）或相鄰的較低層（N-1）中的元素直接互動。 以下哪一項是不正確的？
A. 分層與深度防禦(defense in depth)的概念相同。
D. 分佈式網絡協議3（DNP3）涵蓋了ISO OSI模型中的第2、4和7層。