
NETWORK SECURITY OVERVIEW

Stephen T. Walker
Trusted Information Systems, Inc.
P.O. Box 45, Glenwood, MD 21738

ABSTRACT

Much attention has recently been focused on developing trusted computer network evaluation criteria. Before attempting this, however, a better understanding of the relationship between individual trusted computers and the networks that link them is required. This paper provides an overall system view of the network and the trusted and untrusted computers attached to it, and of how the various ways of protecting data on networks affect which portions of the network must be trusted and what security policy must be enforced. By examining several network models, it will become apparent where new or additional trusted network criteria are necessary and where specific additional criteria are needed. A systematic identification of where new or additional criteria are needed will be presented, rather than the criteria themselves.

I. OVERVIEW

Following the successful introduction of the DoD Trusted Computer System Evaluation Criteria (CSC-STD-001-83 [the Orange Book]), much attention has been focused on developing new guidelines for computer networks. The tendency has been, however, to commence developing criteria for various network components without comprehending their role in the Trusted Network Base (the equivalent of the Trusted Computing Base in the Evaluation Criteria). A preferred approach is to establish an overall system view of the network and any trusted and untrusted computers attached to it, thereby determining which portions of the overall system are to be trusted and which security policy is to be enforced. This paper provides a framework for understanding network security enforcement measures based upon enlargement of our understanding of individual trusted computers. It will examine how to extend access control mechanisms to stand-alone computers with network connections, and how the various ways to protect data in networks affect how much and which portions of the network must be trusted. Each approach and its implications on network security policy, access control mechanisms and trusted components will be examined. Out of this will come the basis for network extensions to the present Trusted Computer System Evaluation Criteria.

II. DEFINITIONS

Before beginning, several common terms used as reference points are defined as follows:

SYSTEM - A collection of two or more COMPUTERS linked by a NETWORK.

COMPUTER - Any device capable of storing and processing information and, if linked by a NETWORK, of communicating with other COMPUTERS. (Computers used in this manner are commonly referred to as HOSTS, as contrasted with those used in communications applications, called SWITCHES.)

NETWORK - An entity composed of any of a number of communications media (e.g., wire, packet switched network) used to link COMPUTERS and transfer information.

(According to these definitions, computers perform information processing tasks; networks only transmit information between computers. Even networks containing computers for switching purposes do not process or store information, except as needed to perform their intended functions. The simplest model of a network is a set of individual wires; the most complex network model should be able to be described at some level of abstraction in terms of this simple model.)

TRUSTED SYSTEM (COMPUTER or NETWORK) - One which employs sufficient hardware and software integrity measures to allow its use for processing simultaneously a range of sensitive or classified information (from CSC-STD-001-83).

SECURITY POLICY - The set of laws, rules, and practices regulating how an organization manages, protects, and distributes sensitive information.

TRUSTED COMPUTING BASE - All the protection mechanisms within a computer system (hardware, firmware, and software) which enforce a security policy on that computer.

TRUSTED NETWORK BASE - All the protection mechanisms within a network which enforce a security policy on that network.

DEDICATED SECURITY MODE - All system (Computer or Network) equipment used exclusively by that system, and all users cleared for and having a need-to-know for all information processed by the system.

SYSTEM HIGH SECURITY MODE - All equipment (Computer or Network) protected in accordance with requirements for the most classified information processed by the system. All users cleared to that level, but some not having a need-to-know for some of the information.

CONTROLLED SECURITY MODE - Some users having neither a clearance nor a need-to-know for some information processed by the system, but separation of users and classified material not essentially under operating system control.

MULTILEVEL SECURITY MODE - Some users having neither a clearance nor a need-to-know for some information processed by the system; separation of personnel and material accomplished by the operating system and associated system software.

CH2150-1/85/0000/0062$01.00 © 1985 IEEE

III. BACKGROUND

Given a collection of trusted computers that meet some level of the Orange Book specifications, it is logical to want to connect them via some form of network to form a trusted system. When must this network be trusted? What portions of it form the trusted network base? What are the criteria against which this TNB must be evaluated? What role does encryption play in trusted networks? This paper will establish a context in which to answer these questions. Networks take many forms, from simple wires to complete packet switching systems, but increased complexity does not necessarily involve increased security requirements. A suitably protected wire, for example, the simplest trusted network, needs no reference monitor, enforces no security policy, and does not require evaluation against some form of Trusted Network Evaluation Criteria. A complex system such as the Defense Data Network (DDN), suitably protected with end-to-end encryption measures, also needs no reference monitor, enforces no security policy relative to the hosts attached by E3 devices, and requires no criteria evaluation.

When, then, do we need to be concerned about trusted network bases and network evaluation criteria? To answer these questions we must explore a series of network security models, ranging from the simplest, untrusted networks linking untrusted hosts, to complex trusted networks making security policy decisions from process control information supplied by the hosts on the network. The following network security models will be considered:

Model 1. The familiar situation of untrusted hosts on an untrusted network.

Model 2. Trusted hosts on an untrusted network.

Model 3. Trusted hosts on trusted networks, showing the use of various forms of encryption, trusted packet switches, and trusted local area networks (LANs).

Model 4. Sophisticated trusted networks employing detailed process-to-process access control measures.

After this review, the relationship between trusted components of various network configurations will become evident, as well as when and how such components should be employed. To begin, though, we must review the basic elements of process-to-process communications in a trusted computer system and what happens to them when they include communications between hosts over a network. We will first explore how such hosts communicate over a simple network consisting of individual wires between computers. Such a network has practical value, since many vendor-specific network products are basically implemented on host computers linked by individual communications lines. In this analysis it is assumed that all resources of the hosts and communications lines are protected to a system high level (i.e., hosts are physically protected and communications lines link-encrypted). It is also assumed that network support software for the host operating systems is part of the Trusted Computing Base of that system, an important area of the Orange Book criteria that needs to be developed. The next section describes the trusted operating system security model, as applied to several network security situations, citing requisite physical and procedural controls.

A. Trusted Operating System Security Policy Model

Figure 1 depicts a single trusted computer with two processes operating on behalf of specific users. All communication between processes is controlled by the Trusted Computing Base (TCB), enforcing the Bell-LaPadula security model. In trusted systems, each process has a security level (SL) equal to the present session level of the user (e.g., SL[A] = the present security clearance of User A). For two processes to communicate, the following conditions, enforced by the TCB, must be true:

Process A can read information from Process B only if: SL(A) >= SL(B) (simple security rule)

Process A can write information to Process B only if: SL(A) <= SL(B) (* property)

[Figure 1. Process-to-Process Communications within a Trusted Computer System. One host runs Process A(S) on behalf of User A (Secret) and Process B(TS) on behalf of User B (TS); the TCB mediates all communication between them and holds a Process Table listing A at level Secret and B at level TS.]

In a trusted system of at least B2 on the Trusted Computer System Evaluation Criteria, specific mechanisms provide security level labels for all active processes and objects. The TCB controls the access of all subjects to all objects, ensuring that the above rules are enforced. Within the TCB, a Process Table lists the security levels at which all active processes may operate. When one process attempts to connect with another, the TCB enforces these security rules.

B. Role of Reliable Communications

Process-to-process communication normally utilizes a two-way handshake protocol whereby the receiver acknowledges successful receipt of the information. In the case of a trusted host where security levels of the two processes are not equivalent, the acknowledgment could create an illegal path, allowing the potential transfer of sensitive information from a higher to a lower level. If Process A operates at the Secret level, and Process B at Top Secret, A can send information to B, but, according to the security rules stated above, Process B cannot respond without violating the * property. Within a single host this is not particularly difficult to overcome. Process A can write information to Process B without explicit acknowledgment because the process-to-process mechanism is highly reliable. Once Process A has initiated the transfer it can proceed, confident that the transfer has occurred even without acknowledgment. This highly useful simplification is not possible, however, when two processes are separated by an inherently unreliable communications path.

In a network environment, if Process A on Host 1 (operating at Secret) were to attempt to send information to Process B on Host 2 (at Top Secret), Process A could not assume the transfer would be successful, given the unreliable nature of the network link. Sophisticated protocols employed between processes on hosts ensure reliable transfer of information over inherently unreliable communications media, but require that acknowledgment of successful transfers be sent to the originator. Such an acknowledgment in the above case would constitute a violation of the * property. The implications of this restriction on trusted computers communicating over a network will be explored in the next section.

IV. NETWORK SECURITY MODELS

With these concepts in mind, it is now possible to examine a variety of network security models.

A. Level 1 Model - Untrusted Hosts on an Untrusted Network

The simplest model, Level 1, involves untrusted hosts operating in Dedicated or System High Mode on an untrusted network. While typical of systems in use today and accepted in some contexts, its inability to handle multiple levels of classified or sensitive data severely limits its utility. Since there are no trusted components anywhere in the system, there is no need for a trusted network base or for evaluation criteria.

B. Level 2 Model - Trusted Hosts on an Untrusted Network

When a trusted computer system, as discussed in Figure 1, is introduced to our simple wire link network, it becomes a Level 2 model (Figure 2). The essential feature of this is that normal access control mechanisms in a B2 or higher trusted computer system are extended beyond protecting local process-to-process communications to handle process-to-process links across the network.

[Figure 2. Level 2 Network Security Model (both hosts have a TCB evaluated at B2 or greater). Host 1 (TCB1, processes A(S) and B(TS)) and Host 2 (TCB2, processes C(S) and D(C)) are joined by the network. Host 1 is trusted to operate as a multilevel secure system at TS & S. Host 2 is trusted to operate as a multilevel secure system at TS, S & C (at present only S & C processes are active). Operating System Process Tables: Host 1 lists Processes A at level S, B at level TS, ... and Hosts 2 at levels TS-C, ...; Host 2 lists Processes C at level S, D at level C, ... and Hosts 1 at TS & S, .... ]

Note 1: TCB1 and TCB2 must have individual authentication codes to ensure against spoofing from other hosts on the network.

Note 2: Processes on different hosts (or operating systems that support them) may employ cryptographic checksums on data messages before sending them to the host. These checksums are used to ensure against data modification during transit.

As illustrated, TCB2 determines whether the security level of Process A equals that of Process C. This restriction of the Bell-LaPadula policy used on a single operating system is critical because the network is unreliable (subject to outages, partitioning, lost messages, etc.). Information sent from Process A to Process C must be acknowledged by Process C to assure A that it was received. If the Bell-LaPadula policy governed such connections, acknowledgments from higher levels would constitute security violations. It is imperative that the two processes on different hosts operate at equal security levels. The above restriction is not a serious limitation, for if a process operating at Secret wished to contact one at Top Secret on a separate host, it could connect across the network to a Secret process on the remote host, transmitting the information with full acknowledgments. Once received, the Secret process could pass the information to the Top Secret process without acknowledgment, as described in Figure 1.

In addition to the processes which it directly controls, the TCB within each computer now must be aware of other hosts on the network and their security levels. The active process table in each computer is augmented with a list of hosts on the network. Because host security level information is very stable, updates of this host security table are easily accomplished by periodic manual table updates by the Security Officer. A number of examples illustrate the basic access control checking flow of this model. When Process A, operating at the Secret level, attempts to communicate with Process C, also at Secret, TCB1 receives the request and checks to be sure that the level of A is within the range of Host 2. If not, the request is denied. If within, TCB1 passes the identity and security level of A to TCB2, which determines if the level of A equals that of C. If it does, the connection is extended to the two processes. If not, TCB2 informs TCB1 that the connection is invalid.


In a second case, Process B operating at Top Secret attempts to connect with C at Secret. TCB1 determines whether or not the level of Process B is within the range of Host 2. Since it is not, TCB1 immediately rejects the request. In the third case, when Process A operating at Secret attempts to connect with D at Confidential, TCB1 once again checks to see if the level of Process A is within the range of Host 2. If so, TCB1 passes the identity of Process A and its security level to TCB2, which checks to determine whether the level of A equals the level of D. It does not, so TCB2 informs TCB1 that the connection is invalid.

The Level 2 model represents the simplest structure involving trusted computers, patterned after the process-to-process communications model presently in use on many networks. This simplicity does not require (or permit) host operating systems to be aware of other processes using the network. A more complex model would list foreign processes (existing on remote hosts) in a local host's process table, allowing the local host to base its access decisions on local information, and eliminating the need to query the remote host. Difficult problems remain, however, in maintaining trusted databases for such processes, because in contrast to the stability of host security levels, individual process security levels change dynamically. Even if these techniques were employed, the remote host must make the final security level check.

[Figure 3. Level 2 Network Security Model with an Untrusted Host. Host 1 (TCB1, processes A(S) and B(TS)), Host 2 (TCB2, processes C(S) and D(C)) and Host 3 (OS3, processes E and F) are joined by the network. Host 3 is not trusted and operates at System High Top Secret. Host 1 is trusted to operate as a multilevel secure system at TS & S. Host 2 is trusted to operate as a multilevel secure system at TS, S & C (only S & C processes are active). Operating System Process Tables: Host 1 lists Processes A at level S, B at level TS, ... and Hosts 2 at levels TS & C, 3 at level TS, ...; Host 2 lists Processes C at level S, D at level C, ... and Hosts 1 at TS & S, 3 at TS, ...; Host 3 lists Hosts 1 and 2 without any level (since this host is not trusted, its process table does not contain security level information).]

Figure 2 assumes that both operating systems are of the same TCB class, and can trust each other's access control mechanisms. The real world will always contain systems that either are not trusted or have different TCB class operating systems. Any network security model must deal with this situation. Figure 3, an augmented version of Figure 2, shows an untrusted host operating at a System High Top Secret level attached to the network (with the operating system labeled OS3 rather than TCB3). The same caveats associated with Figure 2 apply here. (Note the addition of Host 3 at a single security level to the host tables in 1 and 2. The Process Table in Host 3 knows about Hosts 1 and 2, communicating with them at the Top Secret level; however, it contains no security label information, because such information cannot be trusted to be accurate or reliable.) As shown below, Hosts 1 and 2 accept connections from 3, recognizing its operation in a System High Top Secret mode; all process-to-process communications must therefore be at the Top Secret level. A number of additional cases are illustrated by the configuration in Figure 3. The first is when Process E, operating at Top Secret, requests a connection with Process B, also operating at Top Secret. OS3 (not trusted and without a security level in its Process-Host tables) establishes the connection with TCB1, which checks to determine whether the security level of Process B equals the System High level of Host 3. If it is, the connection is made; if not, the TCB rejects the connection.

In the next case, Process A, at Secret level, requests a connection with Process F on Host 3. TCB1 determines whether the level of Process A equals the System High level of Host 3. As it does not, the TCB rejects the connection. A last case involves Process E on Host 3 attempting to connect with Process D on Host 2. OS3 initiates a connection with the TCB, which checks to determine if the security level of D equals the System High level of Host 3. It does not, and the TCB rejects the connection.
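The checks walked through for Figures 1 to 3 (the simple security rule and * property of section III.A, the reason an acknowledgment cannot flow from a higher level back to a lower one, and the two-stage network check in which the requesting host's TCB first tests the requester's level against the destination host's range and the destination then requires equal levels, with an untrusted host comparing everything against its own system high) as an added Python illustration that is not part of the paper. Host and process names follow the figures; the table contents (Host 2's entry carrying only its currently active S and C levels, so that the paper's second case is rejected locally), the level ordering and every function name are this example's own assumptions.

```python
"""Level 2 access-control flow (Figures 1-3) as an added illustration.
Host/process names follow the paper's figures; tables, level ordering and
function names are assumptions made for this example."""

# Constructed ordering of the hierarchical levels used in the figures.
LEVELS = {"C": 1, "S": 2, "TS": 3}


def can_read(subject_level, object_level):
    """Simple security rule: a subject may read only at or below its level."""
    return LEVELS[subject_level] >= LEVELS[object_level]


def can_write(subject_level, object_level):
    """* property: a subject may write only at or above its level."""
    return LEVELS[subject_level] <= LEVELS[object_level]


def ack_allowed(sender_level, receiver_level):
    """An acknowledgment is a write from the receiver back to the sender,
    so it is legal only if the receiver may write at the sender's level."""
    return can_write(receiver_level, sender_level)


class Host:
    """A host with a TCB (trusted=True) or an untrusted OS (trusted=False).
    An untrusted host runs at a single system-high level; its tables carry
    no per-process labels, so every process is treated as system high."""

    def __init__(self, name, trusted, levels, processes):
        self.name = name
        self.trusted = trusted
        self.levels = set(levels)            # range the host is trusted to operate at
        self.processes = dict(processes)     # process -> level (None if untrusted)
        self.system_high = max(levels, key=LEVELS.get)

    def process_level(self, proc):
        if proc not in self.processes:
            raise KeyError(f"{self.name} has no process {proc}")
        return self.processes[proc] if self.trusted else self.system_high


def request_connection(hosts, src_host, src_proc, dst_host, dst_proc):
    """Return (accepted, reason) for a process-to-process connection."""
    src, dst = hosts[src_host], hosts[dst_host]
    level = src.process_level(src_proc)
    # Local stage: only a TCB can check the requester's level against the
    # destination host's range recorded in its host table.
    if src.trusted and level not in dst.levels:
        return False, f"{src.name}'s TCB: level {level} not within the range of {dst.name}"
    # Remote stage: the destination makes the final check and demands equal
    # levels, since a reliable protocol's acknowledgments would otherwise
    # flow downward. An untrusted destination compares against its system high.
    remote = dst.process_level(dst_proc)
    if remote != level:
        return False, f"{dst.name}: level of {dst_proc} ({remote}) != {level}"
    return True, "connection extended"


def figure3_hosts():
    """Constructed configuration of Figure 3 (Host 2's entry shows only the
    S and C levels currently active, matching the paper's second case)."""
    return {
        "Host1": Host("Host1", True, ["TS", "S"], {"A": "S", "B": "TS"}),
        "Host2": Host("Host2", True, ["S", "C"], {"C": "S", "D": "C"}),
        "Host3": Host("Host3", False, ["TS"], {"E": None, "F": None}),
    }


FIGURE3_CASES = {
    "A->C": ("Host1", "A", "Host2", "C"),   # equal levels: accepted by TCB2
    "B->C": ("Host1", "B", "Host2", "C"),   # outside Host 2's range: rejected by TCB1
    "A->D": ("Host1", "A", "Host2", "D"),   # S != C: rejected by TCB2
    "E->B": ("Host3", "E", "Host1", "B"),   # TS == Host 3 system high: accepted
    "A->F": ("Host1", "A", "Host3", "F"),   # S != TS system high: rejected
    "E->D": ("Host3", "E", "Host2", "D"),   # C != TS system high: rejected
}


def run_cases(cases=FIGURE3_CASES):
    hosts = figure3_hosts()
    return {name: request_connection(hosts, *args) for name, args in cases.items()}


if __name__ == "__main__":
    for name, (ok, why) in run_cases().items():
        print(f"{name}: {'accepted' if ok else 'rejected'} ({why})")
```

The rejection reason names the TCB that made the decision, which mirrors the paper's point that a request outside the destination host's range never leaves the requesting host, while an equal-level mismatch is only discovered by the remote TCB.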

At this point we have described a network of trusted and untrusted computers communicating in useful, practical ways, with the network having no trusted components and enforcing no security policy or access control mechanisms. The next step is to understand the limitations of such a network. Figures 2 and 3 consist of host computers physically protected to a system high level (Top Secret is assumed in both cases). Processes for Host 2 currently run at the Secret and Confidential levels, but the computer itself must be operated in a Top Secret system high environment. Host 3 in Figure 3, an untrusted host, also operates at Top Secret System High. The relationship between the security levels at which hosts can operate on this simple network is shown in Figure 4. The network itself and all computers attached to it must be physically protected to the same system high level. Untrusted hosts can only operate at that level, but trusted computers may operate over a range with a maximum at the network system high, depending upon the degree of trust in the system. In Figure 4, for example, Host 1 is trusted to the "A1" level, and processes operate over the range Top Secret to Confidential. Host 2 is trusted to the "B2" level, operating with processes at either Top Secret or Secret. Host 3 is untrusted and processes operate only at Top Secret. Host 4 operates processes over the range Secret and Confidential over the Top Secret System High Network. Since it may receive a Top Secret message from an untrusted host, 4 must operate over the full range, Top Secret to Confidential, and be trusted to the A1 level. Host 5 must operate only at Top Secret because it is trusted only to the C2 level, providing only discretionary access control and no mandatory labeling. Trusted hosts in an untrusted network must have the highest point of their operating ranges at the same network system high level, since they can receive system high messages from untrusted hosts. Similarly, since untrusted hosts cannot protect security labels of information, they must operate only at system high. Note: The operating ranges shown in Figure 4 are arbitrary selections. In an actual system, the Designated Approving Authority or System Security Officer designates the degree of trust for each situation.

[Figure 4. Trusted and Untrusted Computers on an Untrusted System High Network. A Top Secret system high network joins five hosts, drawn against the levels Top Secret, Secret and Confidential: Host 1 (TCB class "A1", operating range Top Secret to Confidential), Host 2 ("B2", Top Secret and Secret), Host 3 (untrusted, labeled "D", Top Secret only), Host 4 ("A1", Top Secret to Confidential) and Host 5 ("C2", Top Secret only).]

C. Level 3 Model - Trusted Hosts on Trusted Networks

The network depicted in Figure 4 is still a simple wire connecting trusted and untrusted computers. As long as it is physically protected from external attack, it need not be trusted. Local area networks (LAN) and wide area networks (such as DDN), however, involve more sophistication. Figure 5 depicts a Level 3 network model derived from Figure 3. The Operating System Process Table and all the TCB checks of the Level 2 Model are unchanged, but a Network Access Control Table has been added.

In the Level 2 Model, the untrusted network (our simple wire) established any connection requested by the hosts. In Level 3, the network authenticates each connection prior to establishing it. These checks can be performed on a host-by-host basis (the Level 3 model), or on a process-by-process basis (Level 4, discussed later). Before proceeding, however, it is necessary to understand various methods of protecting information on a communications network and performing the network access control measures shown in Figure 5.

[Figure 5. Network Access Checking - A Level 3 Model. Host 1 (TCB1, processes A(S) and B(TS)) and Host 2 (TCB2, processes C(C) and D(S)) each attach to the network through an E3 device; an AC/KDC (Access Controller / Key Distribution Center) is also attached to the network. TCB1 Process Table: A (S), B (TS), ...; Host table: 2 (S,C), .... TCB2 Process Table: C (C), D (S), ...; Host table: 1 (TS,S), .... AC Table, Host to Host: 1 (S-TS), 2 (C-TS), .... ]

1. Role of Cryptography

The principal means of protecting data from compromise or modification in a communications network such as DDN is by end-to-end encryption (E3). With E3, the data portion of the message is encrypted prior to transmission and remains encrypted until delivered, while the address portion of the message remains in the clear. E3 usually provides a means of operating multiple communities of interest, separated cryptographically from each other, and in some cases operating at a higher security level than the network itself.

a. IPLI

The simplest form of E3, the Internet Private Line Interface (IPLI), is illustrated in Figure 6. The IPLI and its associated cryptographic device are positioned between the host computer and the network. Groups of IPLIs form communities of interest in which all cryptographic devices share a common key. IPLIs come in two sections: a Red or plaintext side, connected to the host computer and cryptographic device, and a Black or ciphertext side, connected between the cryptographic device and the network. When the host requests a connection across the network, the Red side first determines the validity of the destination by checking the address in its host table. (This is the host-to-host access control mechanism required in the Level 3 Model.) If valid, the Red side passes the data portion to the KG and passes the table index number for the destination host over a special low bandwidth channel which bypasses the cryptographic device. The Black side then constructs a new message header, using the index entry listed in its host table. When the encrypted data is received from the cryptographic device, the Black side assembles a message from the new header and the encrypted text, and sends it to the network. At the destination, the process is reversed. It should be noted that IPLI encryption provides data protection at all times, except during a brief period in the Red side of the IPLI. The address portion of the original message remains in the clear within the network switches, ensuring proper message routing. The IPLI provides a means of isolating communities of interest at a specific sensitivity level, even though the network itself may operate at a lower level (even unclassified). Untrusted hosts connected via commonly keyed IPLIs must operate at a specific system high security level.

[Figure 6. Internet Private Line Interface (IPLI). A host (OS with processes A and B) connects to the network through an IPLI whose Red side and Black side are separated by the KG cryptographic device. The Red-side and Black-side host address tables hold matching indexed entries (12, 43, 568, ...).]

b. E3 with Access Control and Remote Key Distribution

IPLIs provide a valuable means of connecting communities to a common network. Their disadvantages, however, are that assignments to communities of interest are static and cryptographic keys must be manually distributed and loaded at each site. In addition, hosts in a particular community cannot communicate with hosts outside that community. In effect, each has its own virtual network operating in System High or Dedicated Mode. To overcome these drawbacks, efforts have been underway for some time to build E3 systems with remote key distribution techniques. These would allow host-to-host, process-to-process, or per connection individualized keying. A separate Access Controller and Key Distribution Center (KDC) with redundant backup would be attached to the network, as shown in Figure 7. The E3 boxes contain large numbers of separate keys for use on a host or process pair basis. In the case of the host pair, when A attempts to connect with B, the first E3 box checks its tables to see if a key for such a connection exists. If so, the connection proceeds as in the IPLI case. If not, the E3 box establishes a connection with the Access Controller, and identifies the source and destination hosts for the requested connection. The Access Controller mediates a decision based upon security-relevant data in its Authorized Host Pair Table. If authorized, the KDC generates a new unique key for use by these hosts in their communications. This is passed to both hosts' E3 boxes, encrypted in their individual master keys. Once this host pair key is in place, communication between hosts can proceed as before.

[Figure 7. E3 with Remote Key Distribution. Host A and Host B each attach to the network through an E3 box; an Access Control / Key Distribution Center holding the E3 Authorized Host Pair Table (A to B, ...) is attached to the network.]

This version of E3 protection has many advantages over the IPLI, for it can operate dynamically, creating new host pair authorizations merely by making or changing an entry in the Authorized Host Pair Table. This works equally well with trusted or untrusted hosts. The latter, operating at the same system high security level, will have appropriate entries in the Authorized Host Pair Table; untrusted hosts at different security levels, not authorized to communicate, will be effectively prohibited by the E3 mechanisms. Authorized trusted hosts will be listed in the Table, and control the security levels of their individual links by utilizing access control mechanisms, as in the examples which follow.

c. More Complex E3 Mechanisms

Host pair connectivity thus described provides dynamic authorization of communities of interest consistent with trusted system access control mechanisms. Nevertheless, a need frequently arises for more sophisticated E3 mechanisms allowing process-to-process or per connection access control. The basic structure remains as in Figure 5, but when A attempts to connect with B, it must identify the source and destination of its message. The access control checking mechanism is now much more complex because the Authorized Host Pair Table at this point becomes an "Authorized Process Pair Table." Update and synchronization problems associated with identifying remote processes are inherent with this type of access checking. These and other factors associated with such mechanisms will be examined in detail later.

d. Message Authentication Checks

End-to-end encryption provides protection against data disclosure and modification while in transit over an untrusted network. If the network is installed in a physically protected environment, as LANs frequently are, data disclosure is not a problem and simpler forms of protection against modification are possible. The Message Authentication Check (MAC) involves the application of an unforgeable tag to a block of information. In such a network, the originator calculates the tag based on the contents of the information, and appends the tag to the information before sending it through an untrusted, but protected communications medium. The recipient then repeats the tag calculation and compares it with the originator's tag. If the two are equivalent, the recipient can have a high degree of confidence that the information was not modified during transmission. The tag calculation is usually based on a cryptographic function, with a secret key known only to the originator and recipient. Typically, the information is passed through the encryption algorithm and, after the block of information has been processed, the residual value is appended to the information being sent. Note: this technique is an integrity check; it does not protect information from being read while in transit. This procedure is being used on a number of systems to ensure the integrity of sensitive information. The SACDIN program will employ the National Bureau of Standards Data Encryption Standard (DES) algorithm to calculate integrity checks on its messages before transmission to the IPLI devices on the DDN. The Intelligence Community is using a similar technique to protect data stored on a large mainframe computer in the RECON system. The American National Standards Committee on Financial Services, X9, has published a Financial Institution Message Authentication Standard X9.9, dated April 13, 1982, defining a process for the computation, transmission, and validation of a Message Authentication Code (MAC) using DES. The standard describes the message authentication process and issues related to key management. This standard is being widely adopted in the financial community and implementations of it on the input side of LAN interfaces may provide reasonable means of ensuring the integrity of messages passing through a LAN.

a System High net with only WW M CCS H6CIO0 hosts attached. In the future, some functional module co mput ers will be trusted, allowing limited multilevel security. Gradually the untrusted hosts will be phased out and full multi-level secure use will be possible. Figure 8 shows Message Authentication Checks applied at the Internet Protocol layer at each interface to the WIS LAN. A MAC must be calculated fOr each message entering the LAN, either in trusted host software or in a special interface box on the host or LAN. The Interface with the WIN gateway must be a special back-to-back MAC (probably using different encryption keys) to authenticate messages as they leave the LAN. A new MAC will be applied as the message enters the gateway and WIN. At the receiving site, a similar back-toback MAC authenticates into m ing messages and applies a new local MAC as it enters Site Brs LAN.

2.

End-to-End Environment

Encryption

Examples

in an Internet

The WWMCCS Information System (WIS) is ar example of end-to-end encryption in an internetwork environment (Figure 8). LANs will be installed at each WIS site to connect existing Honeywell 6000 computers, other functional module computers, and workstations. Each LAN will have a gateway connection to other LANs via the WWMCCS Intercomputer Network (WIN). As presently configured, the WIN is
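As an added example (not code from the paper or the WIS program), the following Python traces a message through the back-to-back MAC arrangement just described: a local tag on Site A's LAN, verification and re-tagging under a different key at each gateway, and a final check by the receiving host. The segment keys and the message are constructed, and HMAC-SHA-256 stands in for the DES-based tag calculation the paper's examples use; the last function shows the paper's caveat that a MAC leaves the text readable in transit.

```python
import hashlib
import hmac
from typing import Optional

TAG_LEN = 32  # bytes of tag appended to each message (HMAC-SHA-256 output)

# Constructed per-segment keys (not the paper's). The WIS description expects the
# gateway MACs to use different keys from the local LAN MACs.
KEYS = {
    "LAN_A": b"site-a-local-key",
    "WIN":   b"win-gateway-key",
    "LAN_B": b"site-b-local-key",
}

def mac(segment: str, body: bytes) -> bytes:
    """Tag calculation under the secret key of one protected segment."""
    return hmac.new(KEYS[segment], body, hashlib.sha256).digest()

def protect(segment: str, body: bytes) -> bytes:
    """Originator side: append the tag to the information being sent."""
    return body + mac(segment, body)

def verify(segment: str, frame: bytes) -> bytes:
    """Recipient side: repeat the tag calculation and compare in constant time."""
    body, received = frame[:-TAG_LEN], frame[-TAG_LEN:]
    if not hmac.compare_digest(received, mac(segment, body)):
        raise ValueError(f"integrity failure on {segment}")
    return body

def relay(frame: bytes, inbound: str, outbound: str) -> bytes:
    """Back-to-back MAC at a gateway: authenticate under the inbound segment's
    key, then apply a new tag under the outbound segment's (different) key."""
    return protect(outbound, verify(inbound, frame))

def flip_one_bit(frame: bytes) -> bytes:
    """Constructed modification in transit: flip one bit of the first body byte."""
    return bytes([frame[0] ^ 0x01]) + frame[1:]

def deliver(message: bytes, tamper_at: Optional[str] = None) -> bytes:
    """Site A host -> LAN A -> gateway A -> WIN -> gateway B -> LAN B -> Site B host.
    tamper_at names the segment on which the frame is modified, if any."""
    frame = protect("LAN_A", message)          # trusted host software or MAC box
    if tamper_at == "LAN_A":
        frame = flip_one_bit(frame)
    frame = relay(frame, "LAN_A", "WIN")       # back-to-back MAC at Site A gateway
    if tamper_at == "WIN":
        frame = flip_one_bit(frame)
    frame = relay(frame, "WIN", "LAN_B")       # back-to-back MAC at Site B gateway
    if tamper_at == "LAN_B":
        frame = flip_one_bit(frame)
    return verify("LAN_B", frame)              # receiving host checks the local MAC

def rejected_on(message: bytes, tamper_at: Optional[str]) -> Optional[str]:
    """Name of the segment whose check caught the modification; None if intact."""
    try:
        deliver(message, tamper_at)
        return None
    except ValueError as err:
        return str(err).rsplit(" ", 1)[1]

def readable_in_transit(message: bytes) -> bool:
    """A MAC is an integrity check only: the text itself still travels in the clear."""
    return message in protect("LAN_A", message)
```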

Figure 8. WIS LANs and WIN with Message Authentication Checks. (Legend: M = Message Authentication Check (MAC) device; M-M = back-to-back MACs. The figure shows Site A and Site B local area nets with H6000 hosts, workstations, optional E3 devices, and gateways to the WIN.)

a. WIS LANs Operating at Different Security Levels

In the above discussion, all the LANs operated at the same System High security level. This configuration does not require any special trusted network components; neither the LANs nor the WIN enforce a network security policy. Not all WWMCCS sites, however, will want to operate at the same security level. As systems grow in complexity and take on new functions, some will want to operate at different compartment levels. Once this happens, the system high level of the LANs will change and the simple model shown in Figure 4 (as extended through the use of MACs) will no longer apply. Processes operating at a Secret level on a trusted host connected to a Top Secret Compartment A LAN will still wish to communicate with processes running at the same Secret level on a Top Secret Compartment B LAN. The Level 2 network model did not require any explicit network security policy nor enforcement mechanisms. Now, however, we need a network access control mechanism, a defined network security policy, and policy enforcement mechanisms. This new situation, with System High networks and trusted and untrusted hosts at different levels, is depicted in Figure 9. For the sake of simplicity, the two LANs are shown with only two hosts each, one running at both TS Compartmented and Secret and the other only at Secret. (It should be recalled that the host running at Secret must be capable of running at both Top Secret Compartmented and Secret, so that the conditions described in Figure 4 may apply.) Processes at the TS Compartmented levels on the two LANs may not communicate, as that would violate the separation of compartments. It should be possible (and will be expected), however, that processes running only at Secret on Hosts 2 and 3 should be able to communicate.

To achieve this level of operation, some form of network access control will be necessary to determine which processes on specific hosts may communicate. The IPLI, with its static host tables, is not sufficient, but the dynamic connection access checking system should provide the needed control. Figure 10 depicts the two LANs in Figure 9 connected over the WIN with such E3 devices. The access controller/key distribution center function provides the crucial network access control mechanism, enforcing connections across LANs operating at different Network System High levels. Assuming that Hosts 2 and 3 are operating only at the Secret level and that this is known to the access controller, an attempt by a process on Host 2 to connect to a process on Host 3 will be allowed, since both are limited to the same level. If the access controller could communicate with Host 1 in a trusted manner, this same procedure would allow a process running at Secret in Host 1 to communicate with a similar Secret process on Host 3. Processes running at each network system high, however, could not communicate, since the network system high levels are not equivalent.

b. Hosts at Different Security Levels on the Same LAN

The first WIS example (Figure 8) is a set of LANs with trusted and untrusted hosts operating at the same Network System High level. Trusted hosts can operate over a range from Network System High down to some lower level of sensitivity, depending upon their level of trust. Hosts trusted to "A1", for example, might range from Top Secret to Confidential; hosts trusted to "B2", from Top Secret to Secret. This network model has the significant advantage of having no explicit network security policy and, therefore, no Network Reference Monitor or Trusted Network Base. The only requirement is a trusted path across the physically protected LAN, provided by Message Authentication Checks. All security policy enforcement is performed by the hosts themselves.

Figure 9. Two LANs at Different System High Levels. (The figure shows LAN TS Comp A with Hosts 1 and 2 and LAN TS Comp B with Hosts 3 and 4.)

Figure 10. Two WIS LANs at Different System High Levels Connected with End-to-End Encryption Devices. (The figure shows an AC/KDC and E3 devices at each LAN, with Hosts 1 and 2 on the TS Comp A LAN and Hosts 3 and 4 on the TS Comp B LAN.)

The second example, Figure 10, shows two or more such LAN environments operating at different Network System High levels, connected via a wide area network such as the WIN. In this case, a network security policy is required to determine if the processes wishing to communicate are on equivalent levels. Mediation at the network level is required because the two Network System High levels are not comparable. A network policy enforcement mechanism is required to mediate requests between these LANs. The E3 Access Control mechanism performs the mediation between processes on LANs operating at different Network System High levels. The E3 system thus becomes the Network Reference Monitor or Trusted Network Base. Other situations will arise, however, for which neither of these network models will be sufficient. In both previous cases, all untrusted hosts were required to operate at the Network System High level. To allow untrusted hosts to operate at less than the network system high, some form of trusted access control mechanism will be necessary within the LAN itself. The LAN must mediate access between security levels of the computers on the network, since they can no longer reliably determine the level at which other computers are operating. One way this can be achieved is by installing E3 devices on the LAN. Under these circumstances, trusted and untrusted hosts operating at any security level can be attached to the LAN. The level(s) at which hosts operate is known to the E3 Access Controller, which constitutes the Trusted Network Base (TNB). Attempts to communicate between processes on different hosts must be mediated by the TNB. When a process requests a connection with a process on another host, the Access Controller checks to be sure the levels of the two are equivalent. If they are, the AC distributes the key to each E3 device, allowing the connection to be established. Depending upon the sophistication of the AC, this check can be used to enforce discretionary (need-to-know) access controls, as well as mandatory controls. The former, however, using access control lists, will be difficult to maintain on a process-by-process basis across the network. A distinct advantage of this approach is that no portion of the LAN itself need be trusted.

c. Inter Service/Agency AMPE

Another example of a Level 3 system is the Inter Service/Agency AMPE, which can use either the IPLI (Figure 11) or the more sophisticated E3 capability (Figure 7). The hosts in AMPE have A1 class TCBs, and must be able to trust the integrity of security labels sent over the network; therefore, the portion of the E3 device handling data in the clear must also be developed to the same A1 level standard. As the IPLI is currently not built to that level, an IPLI-based solution would require reimplementation of the Red side of the IPLI to the A1 level, use of a separate IPLI for each level, or use of a MAC integrity check by the trusted host prior to transmission to the IPLI. Note that if the MAC integrity measures were in place, AMPE could utilize a dedicated DDN segment without requiring IPLIs.


Using the IPLI solution, process-to-process access control mechanisms within the AMPE hosts provide the primary check of information flow between AMPEs. The host-to-host access tables of the IPLI ensure that the AMPEs have their own private subnetwork on the DDN. These tables are static in that they do not change more than on a day-to-day basis. This solution, with the Red side integrity check, is a possible networking architecture for AMPE on the DDN.

Use of the more sophisticated E3 capability with AMPE is shown in Figure 7. The method by which this configuration operates has already been described. In this case, host-to-host access control is dynamic, as opposed to utilizing the static tables contained in the IPLI.

Figure 11. Inter S/A AMPE System Model with IPLIs - Example of Level 2. (The figure shows AMPE A and AMPE B connected through IPLIs to the network. AMPE hosts are trusted to the A1 level. AMPE hosts must place an integrity check on messages before passing them to the IPLIs. IPLIs have built-in static host access tables.)

d. Level 4 Model - Process Access Control on a Trusted Network

In the Level 1 model, there was essentially no host or network access control. In Level 2, host access control was provided by the trusted computing base within the hosts, on a process-by-process basis. Network access control was still not required. In the Level 3 model, network access control could be provided by several means. In the IPLI case, it was confined to the IPLI static host access tables. The more sophisticated E3 access checking in Figure 7 provides additional flexibility in host-to-host communication control by providing a dynamic host-to-host access control table. Both the Level 2 and Level 3 network models require that labels associated with data being transferred across the network be protected from modification. This imposes additional restraints on the type of network structure suitable for this model. In each case, either critical components of the network must be trusted not to modify label information, or some form of integrity check must be applied to the information before it enters the network.

If E3 is not used on the network, all portions of the network must be trusted (easily achieved with our simple wires in the Level 2 case, requiring a trusted packet switch or equivalent in the Level 3 case). If an IPLI or more sophisticated E3 structure is used, the portions of these devices able to access data in the clear (up to the point of encryption and after decryption) must be trusted not to modify the text data stream. If the network components cannot be trusted (definitely the case with today's dedicated and system high networks, and also with present versions of the IPLI), the trusted host may apply a MAC to the message before entrusting it to the network or IPLI. The destination host would recalculate this checksum upon receipt and verify that the contents were not modified. One further network model (Level 4) will be explored, involving even more extensive access checking within the network itself. Here the network is involved in actual process-to-process access control checking, as shown in Figure 12. When Process A wishes to establish a connection with Process D, A notifies TCB1, which checks to see if it is allowed, and then attempts to establish a connection with TCB2, just as in Figure 4. The E3 device intercepts this connection request and, recognizing that no such connection exists, establishes an interim connection with the AC/KDC. The AC then refers to its process-to-process table, which lists individual processes and the levels at which they operate on individual hosts.


Figure 12. Process-to-Process Network Access Checking - An Example of a Level 4 Model. (The figure shows Host 1 with TCB1 and Processes A (S) and B (TS), Host 2 with TCB2 and Processes C (C) and D (S), an E3 device in front of each host on the network, and the AC/KDC with its host table (Host 1: TS, S; Host 2: S, C) and process table (A (S), B (TS), C (C), D (S), ...).)

Assuming that the connection is valid, the AC instructs the KDC to issue a key to the E3 devices involved, and the connection from TCB1 to TCB2 proceeds. TCB2 must now perform its own check to ensure that Process D is actually operating at the proper security level to allow the connection. Upon successful completion of this final check, the actual connection from Process A to Process D is completed. As described above, Level 4 systems involve process-to-process access control within host systems themselves and also within the network. Considerable duplication of effort exists as these hosts and networks perform the checking required to allow specific processes to communicate. A process-to-process check by the network E3 device is not a complete check in itself. The process-to-process access control tables in the AC cannot be as accurate as those within the individual hosts. TCB2 is still required to check the level at which Process D currently operates. It is entirely possible that even though Process D may log in at the Secret level (and does so 90% of the time), in a particular instance that process may operate only at Confidential, in which case the connection cannot be allowed.
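As an added illustration (not the paper's code), the following Python models the connection checks walked through for Figures 10 and 12: the AC/KDC's host-pair and process-pair tables enforcing the "equivalent levels only" network policy, key issue when the check passes, and the destination TCB's final check of the level the process is actually operating at. Host names, process names, and table contents are constructed in the spirit of the figures.

```python
import os
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

@dataclass(frozen=True)
class Level:
    """Sensitivity level: classification plus compartment set."""
    classification: int                  # 1 = Confidential, 2 = Secret, 3 = Top Secret
    compartments: FrozenSet[str] = frozenset()

C, S = Level(1), Level(2)
TS_A, TS_B = Level(3, frozenset({"A"})), Level(3, frozenset({"B"}))
Endpoint = Tuple[str, str]               # (host, process)

# Constructed AC/KDC tables in the spirit of Figures 10 and 12 (not the paper's data).
HOST_TABLE: Dict[str, FrozenSet[Level]] = {
    "Host1": frozenset({TS_A, S}),       # trusted host on the TS Comp A LAN
    "Host2": frozenset({S}),             # untrusted, Secret only
    "Host3": frozenset({S}),
    "Host4": frozenset({TS_B, S}),       # trusted host on the TS Comp B LAN
    "Host5": frozenset({TS_B}),          # untrusted, at the TS Comp B system high
}
PROCESS_TABLE: Dict[Endpoint, Level] = {
    ("Host1", "A"): S, ("Host1", "B"): TS_A,
    ("Host2", "C"): C, ("Host2", "D"): S,
    ("Host3", "F"): S, ("Host4", "E"): TS_B,
}

class AccessController:
    """AC/KDC: enforces the network policy 'only equivalent levels may communicate'
    and hands a fresh connection key to the E3 devices when the check passes."""
    def __init__(self, hosts: Dict[str, FrozenSet[Level]], processes: Dict[Endpoint, Level]):
        self.hosts, self.processes = hosts, processes

    def host_pair_allowed(self, h1: str, h2: str) -> bool:
        # Level 3 style check: the two hosts must share at least one operating level.
        return bool(self.hosts[h1] & self.hosts[h2])

    def process_pair_key(self, src: Endpoint, dst: Endpoint) -> Optional[bytes]:
        # Level 4 check: table levels must be identical. TS Comp A and TS Comp B
        # are not comparable, so compartmented processes on the two LANs get no key.
        src_level = self.processes.get(src)
        if src_level is None or src_level != self.processes.get(dst):
            return None
        return os.urandom(16)            # KDC issues the key for this connection

class HostTCB:
    """Destination TCB (TCB2 in Figure 12): re-checks the level the process is
    operating at right now, which the AC's table cannot know for certain."""
    def __init__(self, name: str, current: Dict[str, Level]):
        self.name, self.current = name, current

    def accept(self, process: str, level: Level) -> bool:
        return self.current.get(process) == level

def connect(ac: AccessController, dst_tcb: HostTCB, src: Endpoint, dst: Endpoint) -> Tuple[bool, str]:
    """Full sequence: AC table check and key issue, then the destination TCB's final check."""
    if ac.process_pair_key(src, dst) is None:
        return False, "AC: levels not equivalent"
    if not dst_tcb.accept(dst[1], ac.processes[src]):
        return False, "TCB2: process not at the expected level now"
    return True, "connected"
```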


V. CONCLUSIONS

This paper has presented a series of network models with increasing levels of sophistication and demands for trusted network components. The analysis used here is vital to understanding when network components must be trusted and the type of security policy the trusted components must enforce, and leads to a number of important conclusions.

A. Orange Book Extensions

The discussion of the Level 2 model indicated that even when no network components require trust, that portion of the host operating system controlling process-to-process communications across the network must be included in the Trusted Computing Base. Today's version of the Orange Book does not explicitly deal with network-related software. These additions must be made before serious consideration is given to developing trusted network evaluation criteria; indeed, as the Level 2 model shows, if host TCBs are extended to include network drivers, many valuable network configurations can be achieved without requiring any further trusted components.

B. Implications of E3

In regard to the Level 3 model, it was indicated that if E3 is used (in either the IPLI or the more sophisticated version), trusted network configurations can be achieved without requiring any additional trusted network components. The E3 capability provides the network access control mechanisms (static in the IPLI case; dynamic in the E3). These mechanisms can enforce access control to untrusted hosts operating at a single level and to trusted hosts, as long as the extensions to their TCBs discussed above have been implemented.

C. Network Security Policy

As opposed to the relatively complex security policy enforced on trusted computer systems (allowing read-down and write-up), the analysis of networks from the process-to-process communications view indicates that the policy which must be enforced across the network is one where only processes operating at equivalent sensitivity levels can communicate. This simplification is forced by the need for two-way communication with acknowledgments across an unreliable medium. As a result of this simplification, the policy enforcement carried out by IPLIs, E3 devices, or trusted packet switches is inherently much simpler than that of a trusted computer system.
