Network Security1

May 05, 2017

Download

Documents

Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Page 1: Network Security1

NETWORK SECURITY OVERVIEW

Stephen T. Walker

Trusted Information Systems, Inc., P.O. Box 45, Glenwood, MD 21738

ABSTRACT

Much attention has recently been focused on developing trusted computer network evaluation criteria. Before attempting this, however, a better understanding of the relationship between individual trusted computers and the networks that link them is required. This paper provides an overall system view of the network and the trusted and untrusted computers attached to it, and of how various ways of protecting data on networks affect which portions of the network must be trusted and what security policy must be enforced. By examining several network models, it will become apparent where new or additional criteria need to be developed.

I. OVERVIEW

Following the successful introduction of the DOD Trusted Computer System Evaluation Criteria (CSC-STD-001-83, the Orange Book), much attention has been focused on developing new guidelines for computer networks. The tendency has been, however, to commence developing criteria for various network components without comprehending their role in the Trusted Network Base (the equivalent of the Trusted Computing Base in the Evaluation Criteria). A preferred approach is to establish an overall system view of the network and any trusted and untrusted computers attached to it, thereby determining which portions of the overall system are to be trusted and which security policy is to be enforced.

This paper provides a framework for understanding network security enforcement measures based upon enlargement of our understanding of individual trusted computers. It will examine how to extend access control mechanisms to stand-alone computers with network connections, and how the various ways to protect data in networks affect how much and which portions of the network must be trusted. Each approach and its implications on network security policy, access control mechanisms and trusted components will be examined. Out of this will come the basis for network extensions to the present Trusted Computer System Evaluation Criteria and, where necessary, additional specific trusted network criteria. A systematic identification of where new or additional criteria are needed will be presented, rather than the criteria themselves.

II. DEFINITIONS

Before beginning, definitions are provided for several terms used as common reference points, as follows:

SYSTEM - A collection of two or more COMPUTERS linked by a NETWORK.

COMPUTER - Any device capable of storing and processing information and, if linked by a NETWORK, of communicating with other COMPUTERS. (Computers used in this manner are commonly referred to as HOSTS, as contrasted with those used in communications applications, called SWITCHES.)

NETWORK - An entity composed of any of a number of communications media (e.g., wire, packet switched network) used to link COMPUTERS and transfer information. (According to these definitions, computers perform information processing tasks; networks only transmit information between computers. Even networks containing computers for switching purposes do not process or store information, except as needed to perform their intended functions. The simplest model of a network is a set of individual wires; the most complex network model should be able to be described at some level of abstraction in terms of this simple model.)

TRUSTED SYSTEM (COMPUTER or NETWORK) - One which employs sufficient hardware and software integrity measures to allow its use for processing simultaneously a range of sensitive or classified information (from CSC-STD-001-83).

SECURITY POLICY - The set of laws, rules, and practices regulating how an organization manages, protects, and distributes sensitive information.

62    CH2150-1/85/0000/0062$01.00 © 1985 IEEE


TRUSTED COMPUTING BASE - All the protection mechanisms within a computer system (hardware, firmware, and software) which enforce a security policy on that computer.

TRUSTED NETWORK BASE - All the protection mechanisms within a network which enforce a security policy on that network.

DEDICATED SECURITY MODE - All system (Computer or Network) equipment used exclusively by that system, and all users cleared for and having a need-to-know for all information processed by the system.

SYSTEM HIGH - All equipment (Computer or Network) protected in accordance with requirements for the most classified information processed by the system. All users cleared to that level, but some not having a need-to-know for some of the information.

CONTROLLED - Some users having neither a security clearance nor a need-to-know for some information processed by the system, but separation of users and classified material not essentially under operating system control.

MULTILEVEL - Some users having neither a security clearance nor a need-to-know for some information processed by the system; separation of personnel and material accomplished by the operating system and associated system software.

III. BACKGROUND

Given a collection of trusted computers that meet some level of the Orange Book specifications, it is logical to want to connect them via some form of network to form a trusted system. When must this network be trusted? What portions of it form the trusted network base? What are the criteria against which this TNB must be evaluated? What role does encryption play in trusted networks? This paper will establish a context in which to answer these questions.

Networks take many forms, from simple wires to complete packet switching systems, but increased complexity does not necessarily involve increased security requirements. A suitably protected wire, for example, the simplest trusted network, needs no reference monitor, enforces no security policy, and does not require evaluation against some form of Trusted Network Evaluation Criteria. A complex system such as the Defense Data Network (DDN), suitably protected with end-to-end encryption measures, also needs no reference monitor, enforces no security policy relative to the hosts attached by E3 devices, and requires no criteria evaluation. When, then, do we need to be concerned about trusted network bases and network evaluation criteria?

To answer these questions we must explore a series of network security models, ranging from the simplest, untrusted networks linking untrusted hosts, to complex trusted networks making security policy decisions from process control information supplied by the hosts on the network. The following network security models will be considered:

Model 1. The familiar situation of untrusted hosts on an untrusted network.

Model 2. Trusted hosts on an untrusted network.

Model 3. Trusted hosts on trusted networks, showing the use of various forms of encryption, trusted packet switches, and trusted local area networks (LANs).

Model 4. Sophisticated trusted networks employing detailed process-to-process access control measures.

After this review, the relationship between trusted components of various network configurations will become evident, as well as when and how such components should be employed. To begin, though, we must review the basic elements of process-to-process communications in a trusted computer system and what happens to them when they include communications between hosts over a network.

We will first explore how such hosts communicate over a simple network consisting of individual wires between computers. Such a network has practical value, since many vendor-specific network products are basically implemented on host computers linked by individual communications lines.

In this analysis it is assumed that all resources of the hosts and communications lines are protected to a system high level (i.e., hosts are physically protected and communications lines link-encrypted). It is also assumed that the network support software for the host operating systems is part of the Trusted Computing Base of that system, an important area of the Orange Book criteria that needs to be developed.

The next section describes the trusted operating system security model, as applied to several network security situations, citing requisite physical and procedural controls.

A. Trusted Operating System Security Policy Model

Figure 1 depicts a single trusted computer with two processes operating on behalf of specific users. All communication between processes is controlled by the Trusted Computing Base (TCB), enforcing the Bell-LaPadula security model. In trusted computer systems, each process has a security level (SL) equal to the present session level of the user (e.g., SL[A] = the present security clearance level of User A). For two processes to communicate, the following conditions, enforced by the TCB, must be true:

Process A can read information from Process B only if:

    SL(A) >= SL(B)   (simple security rule)

Process A can write information to Process B only if:

    SL(A) <= SL(B)   (* property)

Figure 1. Process-to-Process Communications within a Trusted Computer System
(Host 1: User A (SECRET) runs Process A (S); User B (TS) runs Process B (TS). The TCB sits between the two processes and holds the Process Table, which records the level of each process.)

In a trusted system of at least B2 on the Trusted Computer System Evaluation Criteria, specific mechanisms provide security level labels for all active processes and objects. The TCB controls the access of all subjects to all objects, ensuring that the above rules are enforced. Within the TCB, a Process Table lists the security levels at which all active processes may operate. When one process attempts to connect with another, the TCB enforces these security rules.

B. Role of Reliable Communications

Process-to-process communication normally utilizes a two-way handshake protocol whereby the receiver acknowledges successful receipt of the information. In the case of a trusted host where the security levels of the two processes are not equivalent, the acknowledgment could create an illegal path, allowing the potential transfer of sensitive information from a higher to a lower level. If Process A operates at the Secret level and Process B at Top Secret, A can send information to B, but, according to the security rules stated above, Process B cannot respond without violating the * property.

Within a single host this is not particularly difficult to overcome. Process A can write information to Process B without explicit acknowledgment because the process-to-process mechanism is highly reliable. Once Process A has initiated the transfer it can proceed, confident that the transfer has occurred even without acknowledgment. This simplification is not possible, however, when two processes are separated by a network with an inherently unreliable communications path.

In a network environment, if Process A on Host 1 (operating at Secret) were to attempt to send information to Process B on Host 2 (at Top Secret), Process A could not assume the transfer would be successful, given the unreliable nature of the network link. Sophisticated protocols employed between processes on hosts ensure reliable transfer of information over inherently unreliable communications media, but require that acknowledgment of successful transfers be sent to the originator. Such an acknowledgment in the above case would constitute a violation of the * property. The implications of this restriction on trusted computers communicating over a network will be explored in the next section.
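The two rules of Section III.A and the acknowledgment problem above, as an added Python example that is not code from the paper: a minimal TCB holds the Process Table, applies the simple security rule and the * property, and treats a receiver's acknowledgment as a write in the reverse direction. The names Level, TCB, send and figure1_tcb, and the process table contents, are this example's own assumptions.

```python
"""Bell-LaPadula mediation between processes on one trusted host.

Added example, not from the paper. A TCB holds the Process Table and applies
the simple security rule and the * property; `send` shows that a receiver's
acknowledgment is a write in the reverse direction and is mediated as one.
"""
from enum import IntEnum


class Level(IntEnum):
    """Linear ordering of the classification levels used in the paper."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


class TCB:
    """Reference monitor for a single host. The Process Table maps each
    active process to SL(process), the session level of its user."""

    def __init__(self, process_table):
        self.process_table = dict(process_table)

    def sl(self, proc: str) -> Level:
        return self.process_table[proc]

    def can_read(self, reader: str, source: str) -> bool:
        # simple security rule: A may read from B only if SL(A) >= SL(B)
        return self.sl(reader) >= self.sl(source)

    def can_write(self, writer: str, target: str) -> bool:
        # * property: A may write to B only if SL(A) <= SL(B)
        return self.sl(writer) <= self.sl(target)

    def send(self, src: str, dst: str, *, ack: bool) -> dict:
        """Transfer src -> dst. With ack=True the receiver must answer, and
        that answer is a write dst -> src subject to the * property."""
        if not self.can_write(src, dst):
            return {"data": False, "ack": None, "completed": False}
        if not ack:
            # Within one host the IPC mechanism is reliable: no ack is needed.
            return {"data": True, "ack": None, "completed": True}
        ack_ok = self.can_write(dst, src)
        return {"data": True, "ack": ack_ok, "completed": ack_ok}


def figure1_tcb() -> TCB:
    """Host 1 of Figure 1 (constructed): A at Secret, B at Top Secret, plus a
    second Secret process to show the equal-level case."""
    return TCB({"A": Level.SECRET, "B": Level.TOP_SECRET, "A2": Level.SECRET})


if __name__ == "__main__":
    tcb = figure1_tcb()
    print("A -> B, no ack  :", tcb.send("A", "B", ack=False))
    print("A -> B, with ack:", tcb.send("A", "B", ack=True))   # ack is TS -> S: denied
    print("B -> A          :", tcb.send("B", "A", ack=False))  # write-down: denied
    print("A -> A2, ack    :", tcb.send("A", "A2", ack=True))
```

With ack=True the illegal path is the acknowledgment from B (Top Secret) back to A (Secret); on a single host the transfer still completes with ack=False because the TCB's own IPC is reliable, which is exactly the simplification the text says is lost once a network sits between the two processes.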

IV. NETWORK SECURITY MODELS

With these concepts in mind, it is now possible to examine a variety of network security models.

A. Level 1 Model - Untrusted Hosts on an Untrusted Network

The simplest model, Level 1, involves untrusted hosts operating in Dedicated or System High Mode on an untrusted network. While typical of systems in use today and accepted in some contexts, its inability to handle multiple levels of classified or sensitive data severely limits its utility. Since there are no trusted components anywhere in the system, there is no need for a trusted network base or for evaluation criteria.

B. Level 2 Model - Trusted Hosts on an Untrusted Network

When a trusted computer system, as discussed in Figure 1, is introduced to our simple wire link network, it becomes a Level 2 model (Figure 2). The essential feature of this is that the normal access control mechanisms in a B2 or higher trusted computer system are extended beyond protecting local process-to-process communications to handle process-to-process links across the network.

Figure 2. Level 2 Network Security Model
(Both hosts have a TCB evaluated at B2 or greater)

    Host 1 (TCB1)                          Host 2 (TCB2)
    Process A (S)  --+                 +--  Process C (S)
    Process B (TS) --+--- network -----+--  Process D (C)

    Host 1 is trusted to operate as a multilevel secure system at TS & S.
    Host 2 is trusted to operate as a multilevel secure system at TS, S & C
    (at present only S & C processes are active).

    Operating System Process Tables:

    Host 1                                 Host 2
    Processes      | Hosts                 Processes      | Hosts
    A at level S   | 2 at levels S & C     C at level S   | 1 at TS & S
    B at level TS  | ...                   D at level C   | ...

Note 1: TCB1 and TCB2 must have individual authentication codes to ensure against spoofing from other hosts on the network.

Note 2: Processes on different hosts (or the operating systems that support them) may employ cryptographic checksums on data messages before sending them to the host. These checksums are used to ensure against data modification during transit.

In addition to the processes which it directlycontrols, the TCB within each computer now must beaware of other hosts on the network and theirsecurity levels. The active process table in eachcomputer is augmented with a list of hosts on thenetwork. Because host-security level informationis very stable, updates of this host security tableare easily accomplished by periodic manual tableupdates by the Security Officer.

A number of examples illustrate the basic access control checking flow of this model. When Process A, operating at the Secret level, attempts to communicate with Process C, also at Secret, TCB1 receives the request and checks to be sure that the level of A is within the range of Host 2. If not, the request is denied. If within, TCB1 passes the identity and security level of A to TCB2, which determines if the level of A equals that of C. If it does, the connection is extended to the two processes. If not, TCB2 informs TCB1 that the connection is invalid.

As illustrated, TCB2 determines whether the security level of Process A equals that of Process C. This restriction of the Bell-LaPadula policy used on a single operating system is critical because the network is unreliable (subject to outages, partitioning, lost messages, etc.). Information sent from Process A to Process C must be acknowledged by Process C to assure A that it was received. If the Bell-LaPadula policy alone governed such connections, acknowledgments from higher levels would constitute security violations. It is imperative that the two processes on different hosts operate at equal security levels.

The above restriction is not a serious limitation, for if a process operating at Secret wished to contact one at Top Secret on a separate host, it could connect across the network to a Secret process on the remote host, transmitting the information with full acknowledgments. Once received, the Secret process could pass the information to the Top Secret process without acknowledgment, as described in Figure 1.


In a second case, Process B, operating at Top Secret, attempts to connect with C at Secret. TCB1 determines whether or not the level of Process B is within the range of Host 2. Since it is not, TCB1 immediately rejects the request.

In the third case, when Process A operating at Secret attempts to connect with D at Confidential, TCB1 once again checks to see if the level of Process A is within the range of Host 2. If so, TCB1 passes the identity of Process A and its security level to TCB2, which checks to determine whether the level of A equals the level of D. It does not, so TCB2 informs TCB1 that the connection is invalid.

The Level 2 model represents the simplest structure involving trusted computers, patterned after the process-to-process communications model presently in use on many networks. This simplicity does not require (or permit) host operating systems to be aware of other processes using the network. A more complex model would list foreign processes (existing on remote hosts) in a local host's process table, allowing the local host to base its access decisions on local information, and eliminating the need to query the remote host. Difficult problems remain, however, in maintaining trusted databases for such processes, because in contrast to the stability of host security levels, individual process security levels change dynamically. Even if these techniques were employed, the remote host must make the final security level check.

Figure 3. Level 2 Network Security Model with an Untrusted Host

    Host 1 (TCB1)           Host 2 (TCB2)           Host 3 (OS3, untrusted)
    Process A (S)           Process C (S)           Process E
    Process B (TS)          Process D (C)           Process F
         |                       |                       |
         +---------------------- network ----------------+

    Host 1 is trusted to operate as a multilevel secure system at TS & S.
    Host 2 is trusted to operate as a multilevel secure system at TS, S & C
    (only S & C processes are active).
    Host 3 is not trusted and operates at System High Top Secret.

    Operating System Process Tables:

    Host 1                                 Host 2
    Processes      | Hosts                 Processes      | Hosts
    A at level S   | 2 at levels S & C     C at level S   | 1 at TS & S
    B at level TS  | 3 at level TS         D at level C   | 3 at TS

    Host 3 (since this host is not trusted, its process table does not
    contain any security level information):
    Processes      | Hosts
    E, F, ...      | 1, 2

Figure 2 assumes that both operating systems are of the same TCB class, and can trust each other's access control mechanisms. The real world will always contain systems that either are not trusted or have different TCB class operating systems. Any network security model must deal with this situation.

Figure 3, an augmented version of Figure 2, shows an untrusted host operating at a System High Top Secret level attached to the network (with the operating system labeled OS3 rather than TCB3). The same caveats associated with Figure 2 apply here. (Note the addition of Host 3 at a single security level to the host tables in Hosts 1 and 2. The Process Table in Host 3 knows about Hosts 1 and 2, communicating with them at the Top Secret level; however, it contains no security label information, because such information cannot be trusted to be accurate or reliable.) As shown below, Hosts 1 and 2 accept connections from Host 3, recognizing its operation in a System High Top Secret mode; all process-to-process communications with it must therefore be at the Top Secret level.

A number of additional cases are illustrated by the configuration in Figure 3. The first is when Process E, operating at Top Secret, requests a connection with Process B, also operating at Top Secret. OS3 (not trusted and without security levels in its Process-Host tables) establishes the connection with TCB1, which checks to determine whether the security level of Process B equals the System High level of Host 3. If it does, the connection is made to B; if not, the TCB rejects the connection.

In the next case, Process A, at the Secret level, requests a connection with Process F on Host 3. TCB1 determines whether the level of Process A equals the System High level of Host 3. As it does not, the TCB rejects the connection.

A last case involves Process E on Host 3 attempting to connect with Process D on Host 2. OS3 initiates a connection with TCB2, which checks to determine if the security level of D equals the System High level of Host 3. It does not, and the TCB rejects the connection.

At this point we have described a network of trusted and untrusted computers communicating in useful, practical ways, with the network having no trusted components and enforcing no security policy or access control mechanisms. The next step is to understand the limitations of such a network. Figures 2 and 3 consist of host computers physically protected to a system high level (Top Secret is assumed in both cases). Processes for Host 2 currently run at the Secret and Confidential levels, but the computer itself must be operated in a Top Secret system high environment. Host 3 in Figure 3, an untrusted host, also operates at Top Secret System High.

Figure 4. Trusted and Untrusted Computers on an Untrusted System High Network
(The network operates at Top Secret system high. Operating ranges shown:
Host 1, TCB "A1": Top Secret down to Confidential;
Host 2, TCB "B2": Top Secret and Secret;
Host 3, untrusted ("D"): Top Secret only;
Host 4, TCB "A1": Top Secret down to Confidential, with Secret and Confidential processes running;
Host 5, TCB "C2": Top Secret only.)

The relationship between the security levels at which hosts can operate on this simple network is shown in Figure 4. The network itself and all computers attached to it must be physically protected to the same system high level. Untrusted hosts can only operate at that level, but trusted computers may operate over a range with a maximum at the network system high, depending upon the degree of trust in the system. In Figure 4, for example, Host 1 is trusted to the "A1" level, and processes operate over the range Top Secret to Confidential.

Host 2 is trusted to the "B2" level, operating with processes at either Top Secret or Secret. Host 3 is untrusted, and its processes operate only at Top Secret. Host 4 runs processes over the range Secret and Confidential on the Top Secret System High network. Since it may receive a Top Secret message from an untrusted host, Host 4 must operate over the full range, Top Secret to Confidential, and be trusted to the A1 level. Host 5 must operate only at Top Secret because it is trusted only to the C2 level, providing only discretionary access control and no mandatory labeling.

Trusted hosts in an untrusted network must have the highest point of their operating ranges at the same network system high level, since they can receive system high messages from untrusted hosts. Similarly, since untrusted hosts cannot protect security labels of information, they must operate only at system high.

Note: The operating ranges shown in Figure 4 are arbitrary selections. In an actual system, the Designated Approving Authority or System Security Officer designates the degree of trust for each situation.
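The connection checks of Figures 2 and 3 and the operating-range rule of Figure 4, as one added Python example that is not part of the paper. Host, connect, validate_ranges and figure3_hosts are names chosen here. One assumption is made explicit: the host table entry a TCB keeps for a remote host carries that host's currently active levels (Figure 2 notes that only S and C processes are active on Host 2), which is the reading under which the paper's second case is rejected by TCB1 rather than by TCB2; an untrusted host carries no labels, so everything on it is taken to be at its single system high level.

```python
"""Level 2 model: trusted and untrusted hosts on an untrusted system-high wire.

Added example, not from the paper. It encodes the connection checks of
Section IV.B (Figures 2 and 3) and the operating-range rule of Figure 4.
Assumption: a TCB's host table lists a remote host's currently active
levels, and an untrusted host carries no labels, so every process on it
is taken to be at its single system-high level.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass
class Host:
    name: str                    # "1", "2", "3" as in Figure 3
    trusted: bool                # True: has a TCB of class B2 or better
    accredited: frozenset        # range the DAA has approved for this host
    active: frozenset            # levels currently active (what other hosts' tables list)
    processes: dict = field(default_factory=dict)   # process -> Level (trusted hosts only)

    def system_high(self) -> Level:
        return max(self.accredited)

    def level_of(self, proc: str) -> Level:
        # An untrusted host keeps no labels: every process is at its system high.
        return self.processes[proc] if self.trusted else self.system_high()


def connect(src: Host, sproc: str, dst: Host, dproc: str) -> tuple:
    """Mediate a process-to-process connection request across the wire.
    Returns (allowed, deciding component, reason)."""
    s_level = src.level_of(sproc)
    if src.trusted:
        # Originating TCB: compare the caller's level with the remote host entry.
        if not dst.trusted:
            # An untrusted host has one level, so this check is already the
            # equality test (Figure 3, Process A -> Process F).
            ok = s_level == dst.system_high()
            return (ok, f"TCB{src.name}", "equals remote system high" if ok
                    else "level differs from remote system high")
        if s_level not in dst.active:
            return (False, f"TCB{src.name}", "level outside remote host range")
    if not dst.trusted:
        return (True, f"OS{dst.name}", "no trusted component involved (Level 1)")
    # Destination TCB: levels must be equal so the acknowledgment is lawful.
    ok = s_level == dst.level_of(dproc)
    return (ok, f"TCB{dst.name}", "levels equal" if ok else "levels not equal")


def validate_ranges(hosts, network_high: Level) -> list:
    """Figure 4 rule: a trusted host's range tops out at the network system
    high; an untrusted host runs only at system high. Returns the violations."""
    errors = []
    for h in hosts:
        if h.trusted and h.system_high() != network_high:
            errors.append(f"Host {h.name}: range top {h.system_high().name} != network high")
        if not h.trusted and h.accredited != frozenset({network_high}):
            errors.append(f"Host {h.name}: untrusted host must run only at system high")
    return errors


def figure3_hosts():
    """The configuration of Figure 3 (constructed from the paper's description)."""
    S, TS, C = Level.SECRET, Level.TOP_SECRET, Level.CONFIDENTIAL
    h1 = Host("1", True, frozenset({TS, S}), frozenset({TS, S}), {"A": S, "B": TS})
    h2 = Host("2", True, frozenset({TS, S, C}), frozenset({S, C}), {"C": S, "D": C})
    h3 = Host("3", False, frozenset({TS}), frozenset({TS}))   # OS3, System High TS
    return h1, h2, h3


if __name__ == "__main__":
    h1, h2, h3 = figure3_hosts()
    for sproc, src, dproc, dst in (("A", h1, "C", h2), ("B", h1, "C", h2),
                                   ("A", h1, "D", h2), ("E", h3, "B", h1),
                                   ("A", h1, "F", h3), ("E", h3, "D", h2)):
        print(f"{sproc}@{src.name} -> {dproc}@{dst.name}:", connect(src, sproc, dst, dproc))
    print("range violations:", validate_ranges((h1, h2, h3), Level.TOP_SECRET))
```

The six calls in the main block are the six cases the text walks through; the deciding component in each result shows where the paper says the rejection happens (TCB1 on the range check, TCB2 on the equality check, and the originating TCB alone when the remote host is untrusted).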

C. Level 3 Model - Trusted Hosts on Trusted Networks

The network depicted in Figure 4 is still asimple wire connecting trusted and untrustedcomputers. As long as it is physically protectedfrom external attack, it need not be trusted. Localarea networks (LAN) and wide area networks (such asDDN), however, involve more sophistication.

Figure 5 depicts a Level 3 network model derived from Figure 3. The Operating System Process Table and all the TCB checks of the Level 2 Model are unchanged, but a Network Access Control Table has been added.

In the Level 2 Model, the untrusted network (our simple wire) established any connection requested by the hosts. In Level 3, the network authenticates each connection prior to establishing it. These checks can be performed on a host-by-host basis (the Level 3 model), or on a process-by-process basis (Level 4, discussed later).

Before proceeding, however, it is necessary to understand various methods of protecting information on a communications network and performing the network access control measures shown in Figure 5.

Figure 5. Network Access Checking - A Level 3 Model

    Host 1 (TCB1; Processes A (S), B (TS)) and Host 2 (TCB2; Processes C (C), D (S))
    each attach to the Network through an E3 device.

    TCB1 Table                          TCB2 Table
    Process | Host                      Process | Host
    A (S)   | 2 (S, C)                  C (C)   | 1 (TS, S)
    B (TS)  | ...                       D (S)   | ...

    An AC/KDC (Access Controller / Key Distribution Center) is attached to the
    Network and holds the AC Table (Host to Host): 1 (S-TS), 2 (C-TS), ...

1. Role of Cryptography

The principal means of protecting data from compromise or modification in a communications network such as DDN is end-to-end encryption (E3). With E3, the data portion of the message is encrypted prior to transmission and remains encrypted until delivered, while the address portion of the message remains in the clear. E3 usually provides a means of operating multiple communities of interest, separated cryptographically from each other, and in some cases operating at a higher security level than the network itself.

a. IPLI

The simplest form of E3, the Internet Private Line Interface (IPLI), is illustrated in Figure 6. The IPLI and its associated cryptographic device are positioned between the host computer and the network. Groups of IPLIs form communities of interest in which all cryptographic devices share a common key.

IPLIs come in two sections: a Red or plaintext side, connected to the host computer and cryptographic device, and a Black or ciphertext side, connected between the cryptographic device and the network. When the host requests a connection across the network, the Red side first determines the validity of the destination by checking the address in its host table. (This is the host-to-host access control mechanism required in the Level 3 Model.) If valid, the Red side passes the data portion to the KG and passes the table index number for the destination host over a special low-bandwidth channel which bypasses the cryptographic device.

The Black side then constructs a new message header, using the index entry listed in its host table. When the encrypted data is received from the cryptographic device, the Black side assembles a message from the new header and the encrypted text, and sends it to the network. At the destination, the process is reversed. It should be noted that encryption provides data protection at all times, except during a brief period in the Red side of the IPLI. The address portion of the original message remains in the clear within the network switches, ensuring proper message routing.

The IPLI provides a means of isolating communities of interest at a specific sensitivity level, even though the network itself may operate at a lower level (even unclassified). Untrusted hosts connected via commonly keyed IPLIs must operate at a specific system high security level.

b. E3 with Access Control and Remote Key Distribution

IPLIs provide a valuable means of connecting communities to a common network. Their disadvantages, however, are that assignments to communities of interest are static and cryptographic keys must be manually distributed and loaded at each site. In addition, hosts in a particular community cannot communicate with hosts outside that community. In effect, each has its own virtual network operating in System High or Dedicated Mode.

To overcome these drawbacks, efforts have been underway for some time to build E3 systems with remote key distribution techniques. These would allow host-to-host, process-to-process, or per-connection individualized keying. A separate Access Controller and Key Distribution Center (KDC) with redundant backup would be attached to the network, as shown in Figure 7. The E3 boxes contain large numbers of separate keys for use on a host or process pair basis.

In the case of the host pair, when A attempts to connect with B, the first E3 box checks its tables to see if a key for such a connection exists. If so, the connection proceeds as in the IPLI case. If not, the E3 box establishes a connection with the Access Controller, and identifies the source and destination hosts for the requested connection. The Access Controller mediates a decision based upon security-relevant authorization data in its Authorized Host Pair Table. If authorized, the KDC generates a new unique key for use by these hosts in their communications. This is passed to both hosts' E3 boxes, encrypted in their individual master keys. Once this host pair key is in place, communication between hosts can proceed as before.

Figure 6. Internet Private Line Interface (IPLI)
[Figure: Host A and Host B each attached to the network through an IPLI (Red side, KG, Black side); each IPLI holds a Host Address Table of destination host indices.]

Figure 7. E3 with Remote Key Distribution
[Figure: Host A and Host B each attached to the network through an E3 device; an Access Control and Key Distribution Center, attached through its own E3 device, holds the Authorized Host Pair Table (A to B, ...).]

This version of E3 protection has many advantages over the IPLI, for it can operate dynamically, creating new host pair authorizations merely by making or changing an entry in the Authorized Host Pair Table. This works equally well with trusted or untrusted hosts. The latter, operating at the same system high security level, will have appropriate entries in the Authorized Host Pair Table; untrusted hosts at different security levels, not authorized to communicate, will be effectively prohibited by the E3 mechanisms. Authorized trusted hosts will be listed in the Table, and control the security levels of their individual links by utilizing access control mechanisms, as in the examples which follow.

c. More Complex E3 Mechanisms

Host pair connectivity thus described provides dynamic authorization of communities of interest consistent with trusted system access control mechanisms. Nevertheless, a need frequently arises for more sophisticated E3 mechanisms allowing process-to-process or per-connection access control. The basic structure remains as in Figure 5, but when A attempts to connect with B, it must identify the source and destination of its message. The access control checking mechanism is now much more complex because the Authorized Host Pair Table at this point becomes an "Authorized Process Pair Table." Update and synchronization problems associated with identifying remote processes are inherent with this type of access checking. These and other factors associated with such mechanisms will be examined in detail later.

d. Message Authentication Checks

End-to-end encryption provides protection against data disclosure and modification while in transit over an untrusted network. If the network is installed in a physically protected environment, as LANs frequently are, data disclosure is not a problem and simpler forms of protection against modification are possible. The Message Authentication Check (MAC) involves the application of an unforgeable tag to a block of information.

In such a network, the originator calculates the tag based on the contents of the information, and appends the tag to the information before sending it through an untrusted, but protected, communications medium. The recipient then repeats the tag calculation and compares it with the originator's tag. If the two are equivalent, the recipient can have a high degree of confidence that the information was not modified during transmission. The tag calculation is usually based on a cryptographic function, with a secret key known only to the originator and recipient. Typically, the information is passed through the encryption algorithm and after the block of information has been processed, the residual value is usually appended to the information being sent. Note: this technique is an integrity check; it does not protect information from being read while in transit.

This procedure is being used on a number of systems to ensure the integrity of sensitive information. The SACDIN program will employ the National Bureau of Standards Data Encryption Standard (DES) algorithm to calculate integrity checks on its messages before transmission to the IPLI devices on the DDN. The Intelligence Community is using a similar technique to protect data stored on a large mainframe computer in the RECON system.

The American National Standards Committee on Financial Services, X9, has published a Financial Institution Message Authentication Standard, X9.9, dated April 13, 1982, defining a process for the computation, transmission, and validation of a Message Authentication Code (MAC) using DES. The standard describes the message authentication process and issues related to key management. This standard is being widely adopted in the financial community and implementations of it on the input side of LAN interfaces may provide reasonable means of ensuring the integrity of messages passing through a LAN.

2. End-to-End Encryption Examples in an Internet Environment

The WWMCCS Information System (WIS) is an example of end-to-end encryption in an internetwork environment (Figure 8). LANs will be installed at each WIS site to connect existing Honeywell 6000 computers, other functional module computers, and workstations. Each LAN will have a gateway connection to other LANs via the WWMCCS Intercomputer Network (WIN). As presently configured, the WIN is a System High net with only WWMCCS H6000 hosts attached. In the future, some functional module computers will be trusted, allowing limited multi-level security. Gradually the untrusted hosts will be phased out and full multi-level secure use will be possible.

Figure 8 shows Message Authentication Checks applied at the Internet Protocol layer at each interface to the WIS LAN. A MAC must be calculated for each message entering the LAN, either in trusted host software or in a special interface box on the host or LAN. The interface with the WIN gateway must be a special back-to-back MAC (probably using different encryption keys) to authenticate messages as they leave the LAN. A new MAC will be applied as the message enters the gateway and WIN. At the receiving site, a similar back-to-back MAC authenticates incoming messages and applies a new local MAC as it enters Site B's LAN.
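As an added illustration (not code from the paper or from the WIS program), the following Python models the MAC check of Section d and the back-to-back MAC at the WIN gateway described above. It assumes HMAC-SHA256 as a stand-in for the DES-based X9.9 MAC, and the keys and message are constructed values.

```python
import hmac
import hashlib
from typing import Optional

# Assumption: HMAC-SHA256 stands in for the DES-based MAC of ANSI X9.9; the
# structure (tag appended, recipient recomputes and compares) is the same.
TAG_LEN = 8  # truncated tag length, chosen for illustration


def mac(key: bytes, message: bytes) -> bytes:
    """Keyed tag over the whole block of information."""
    return hmac.new(key, message, hashlib.sha256).digest()[:TAG_LEN]


def protect(key: bytes, message: bytes) -> bytes:
    """Originator: append the tag; the message itself stays in the clear."""
    return message + mac(key, message)


def verify(key: bytes, tagged: bytes) -> Optional[bytes]:
    """Recipient: split off the tag, recompute it and compare in constant time.
    Returns the message, or None if it was modified (or the key is wrong)."""
    if len(tagged) <= TAG_LEN:
        return None
    message, tag = tagged[:-TAG_LEN], tagged[-TAG_LEN:]
    if not hmac.compare_digest(tag, mac(key, message)):
        return None
    return message


def back_to_back_relay(key_in: bytes, key_out: bytes,
                       tagged: bytes) -> Optional[bytes]:
    """Gateway with back-to-back MACs: authenticate the message under the key
    of the network it leaves, then apply a fresh tag under the key of the
    network it enters. A modified message is dropped, never re-tagged."""
    message = verify(key_in, tagged)
    if message is None:
        return None
    return protect(key_out, message)


# Constructed keys (hypothetical values): one per site LAN and one for the WIN.
K_LAN_A = b"site-a-lan-key"
K_WIN = b"win-key"
K_LAN_B = b"site-b-lan-key"


def site_a_to_site_b(message: bytes,
                     tamper_on_win: bool = False) -> Optional[bytes]:
    """Host at Site A -> LAN A -> gateway -> WIN -> gateway -> LAN B -> host."""
    on_lan_a = protect(K_LAN_A, message)
    on_win = back_to_back_relay(K_LAN_A, K_WIN, on_lan_a)
    if on_win is None:
        return None
    if tamper_on_win:
        # Flip one bit of the text while it crosses the WIN.
        flipped = bytearray(on_win)
        flipped[0] ^= 0x01
        on_win = bytes(flipped)
    on_lan_b = back_to_back_relay(K_WIN, K_LAN_B, on_win)
    if on_lan_b is None:
        return None
    return verify(K_LAN_B, on_lan_b)
```

Note that protect() leaves the message readable: the tag gives integrity only, as the text says, and the second gateway rejects the modified message rather than re-tagging it.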

Figure 8. WIS LANs and WIN with Message Authentication Checks.
[Figure: at Site A and Site B, an H6000 and workstations attach to a Local Area Net through MAC devices (M = Message Authentication Check device); each LAN reaches the WIN through a gateway fitted with back-to-back MACs and an optional E3 device.]

a. WIS LANs Operating at Different Security Levels

In the above discussion, all the LANs operated at the same System High security level. This configuration does not require any special trusted network components; neither the LANs nor WIN enforce a network security policy.

Not all WWMCCS sites, however, will want to operate at the same security level. As systems grow in complexity and take on new functions, some will want to operate at different compartment levels. Once this happens, the system high level of the LANs will change and the simple model shown in Figure 4 (as extended through the use of MACs) will no longer apply. Processes operating at a Secret level on a trusted host connected to a Top Secret Compartment A LAN will still wish to communicate with processes running at the same Secret level on a Top Secret Compartment B LAN.

The Level 2 network model did not require any explicit network security policy nor enforcement mechanisms. Now, however, we need a network access control mechanism, a defined network security policy, and policy enforcement mechanisms. This new situation, with System High networks and trusted and untrusted hosts at different levels, is depicted in Figure 9.

For the sake of simplicity, the two LANs are shown with only two hosts each, one running at both TS Compartmented and Secret and the other only at Secret. (It should be recalled that the host running at Secret must be capable of running at both Top Secret Compartmented and Secret, so that conditions described in Figure 4 may apply.) Processes at the TS Compartmented levels on the two LANs may not communicate, as that would violate the separation of compartments. It should be possible (and will be expected), however, that processes running only at Secret on Hosts 2 and 3 should be able to communicate.

To achieve this level of operation, some form of network access control will be necessary to determine which processes on specific hosts may communicate. The IPLI, with its static host connection tables, is not sufficient, but the dynamic access checking system should provide the needed control. Figure 10 depicts the two LANs in Figure 9 connected over the WIN with such E3 devices. The access controller/key distribution center function provides the crucial network access control mechanism, enforcing connections across LANs operating at different Network System High levels.

Assuming that Hosts 2 and 3 are operating only at the Secret level and that this is known to the access controller, an attempt by a process on Host 2 to connect to a process on Host 3 will be allowed, since both are limited to the same level. If the access controller could communicate with Host 1 in a trusted manner, this same procedure would allow a process running at Secret in Host 1 to communicate with a similar Secret process on Host 3. Processes running at each network system high, however, could not communicate, since the network system high levels are not equivalent.

b. Hosts at Different Security Levels on the Same LAN

The first WIS example (Figure 8) is a set of LANs with trusted and untrusted hosts operating at the same Network System High level. Trusted hosts can operate over a range from Network System High down to some lower level of sensitivity, depending upon their level of trust. Hosts trusted to "A1", for example, might range from Top Secret to Confidential; hosts trusted to "B2", from Top Secret to Secret. This network model has the significant advantage of having no explicit network security policy and, therefore, no Network Reference Monitor or Trusted Network Base. The only requirement is a trusted path across the physically protected LAN, provided by Message Authentication Checks. All security policy enforcement is performed by the hosts themselves.

Figure 9. Two LANs at Different System High Levels
[Figure: LAN I at TS Compartment A with Hosts 1 and 2, and LAN II at TS Compartment B with Hosts 3 and 4; Hosts 2 and 3 run only at Secret.]

Figure 10. Two WIS LANs at Different System High Levels Connected with End-to-End Encryption Devices.
[Figure: LAN I (TS Comp A, Hosts 1 and 2) and LAN II (TS Comp B, Hosts 3 and 4) each connect to the WIN through an E3 device; an AC/KDC behind its own E3 device mediates connections between them.]

The second example, Figure 10, shows two or more such LAN environments operating at different Network System High levels, connected via a wide area network such as the WIN. In this case, a network security policy is required to determine if the processes wishing to communicate are on equivalent levels. Mediation at the network level is required because the two Network System High levels are not comparable. A network policy enforcement mechanism is required to mediate requests between these LANs. The E3 Access Control mechanism performs the mediation between processes on LANs operating at different Network System High levels. The E3 system thus becomes the Network Reference Monitor or Trusted Network Base.

Other situations will arise, however, for which neither of these network models will be sufficient. In both previous cases, all untrusted hosts were required to operate at the Network System High level. To allow untrusted hosts to operate at less than the network system high, some form of trusted access control mechanism will be necessary within the LAN itself. The LAN must mediate access between security levels of the computers on the network, since they can no longer reliably determine the level at which other computers are operating.

One way this can be achieved is by installing E3 devices on the LAN. Under these circumstances, trusted and untrusted hosts operating at any security level can be attached to the LAN. The level(s) at which hosts operate is known to the E3 Access Controller which constitutes the Trusted Network Base (TNB). Attempts to communicate between processes on different hosts must be mediated by the TNB. When a process requests a connection with a process on another host, the Access Controller checks to be sure the levels of the two are equivalent. If they are, the AC distributes the key to each E3 device, allowing the connection to be established.

Depending upon the sophistication of the AC, this check can be used to enforce discretionary (need-to-know) access controls, as well as mandatory controls. The former, however, using access control lists, will be difficult to maintain on a process-by-process basis across the network. A distinct advantage of this approach is that no portion of the LAN itself need be trusted.

c. Inter Service/Agency AMPE

Another example of a Level 3 system is the Inter Service/Agency AMPE, which can use either the IPLI (Figure 11) or the more sophisticated E3 capability (Figure 7). The hosts in AMPE have A1 class TCBs, and must be able to trust the integrity of security labels sent over the network; therefore, the portion of the E3 device handling data in the clear must also be developed to the same A1 level standard.

As the IPLI is currently not built to that level, an IPLI-based solution would require re-implementation of the Red side of the IPLI to the A1 level, use of a separate IPLI for each level, or use of a MAC integrity check by the trusted host prior to transmission to the IPLI. Note that if the MAC integrity measures were in place, AMPE could utilize a dedicated DDN segment without requiring IPLIs.

73

Page 13: Network Security1

Using the IPLI solution, process-to-process access control mechanisms within the AMPE hosts provide the primary check of information flow between AMPEs. The host-to-host access tables of the IPLI ensure that the AMPEs have their own private subnetwork on the DDN. These tables are static in that they do not change more than on a day-to-day basis. This solution, with the Red side integrity check, is a possible networking architecture for AMPE on the DDN.

Use of the more sophisticated E3 capability with AMPE is shown in Figure 7. The method by which this configuration operates has already been described. In this case, host-to-host access control is dynamic, as opposed to utilizing the static tables contained in the IPLI.

Figure 11. IS/A AMPE System with IPLIs - Example of Level 2 Model
[Figure: AMPE host A and AMPE host B each attached to the network through an IPLI, with an integrity check (M) applied to messages before they reach the IPLI.]
AMPE Hosts are trusted to the A1 level.
AMPE Hosts must place an integrity check on messages before passing them to the IPLIs.
IPLIs have built-in static host access tables.

d. Level 4 Model - Process Access Control on a Trusted Network

In the Level 1 model, there was essentially no host or network access control. In Level 2, host access control was provided by the trusted computing base within the hosts, on a process-by-process basis. Network access control was still not required.

In the Level 3 model, network access control could be provided by several means. In the IPLI case, it was confined to the IPLI static host access tables. The more sophisticated E3 access checking in Figure 7 provides additional flexibility in host-to-host communication control by providing a dynamic host-to-host access control table.

Both the Level 2 and Level 3 network models require that labels associated with data being transferred across the network be protected from modification. This imposes additional restraints on the type of network structure suitable for this model. In each case, either critical components of the network must be trusted not to modify label information, or some form of integrity check must be applied to the information before it enters the network.

If E3 is not used on the network, all portions of the network must be trusted (easily achieved with our simple wires in the Level 3 case, requiring a trusted packet switch or equivalent in the Level 3 case). If an IPLI or more sophisticated E3 structure is used, the portions of these devices able to access data in the clear (up to the point of encryption and after decryption) must be trusted not to modify the text data stream. If the network components cannot be trusted (definitely the case with today's dedicated and system high networks, and also with present versions of the IPLI), the trusted host may apply a MAC to the message before entrusting it to the network or IPLI. The destination host would recalculate this checksum upon receipt and verify that the contents were not modified.

One further network model (Level 4) will be explored, involving even more extensive access checking within the network itself. Here the network is involved in actual process-to-process access control checking, as shown in Figure 12.

When Process A wishes to establish a connection with Process D, A notifies TCB1, which checks to see if it is allowed, and then attempts to establish a connection with TCB2, just as in Figure 4. The E3 device intercepts this connection request and, recognizing that no such connection exists, establishes an interim connection with the AC/KDC. AC then refers to its process-to-process table, which lists individual processes and the levels at which they operate on individual hosts.

Figure 12. Process-to-Process Network Access Checking - An Example of a Level 4 Model
[Figure: Host 1 (TCB1, with processes A (S) and B (TS)) and Host 2 (TCB2, with processes C (C) and D (S)) each reach the network through an E3 device; the AC/KDC is attached through its own E3 device.]

TCB1 Table
  Process    Host
  A (S)      2 (S,C)
  B (TS)
  ...

AC Table
  Processes
  A (S)
  B (TS)
  C (C)
  D (S)
  ...

TCB2 Table
  Process    Host
  C (C)      1 (TS,S)
  D (S)
  ...

Assuming that the connection is valid, the AC instructs the KDC to issue a key to the E3 devices involved, and the connection from TCB1 to TCB2 proceeds. TCB2 must now perform its own check to ensure that Process D is actually operating at the proper security level to allow the connection. Upon successful completion of this final check, the actual connection from Process A to Process D is completed.

As described above, Level 4 systems involve process-to-process access control within host systems themselves and also within the network. Considerable duplication of effort exists as these hosts and networks perform the checking required to allow specific processes to communicate. A process-to-process check by the network E3 device is not a complete check in itself. The process-to-process access control tables in the AC cannot be as accurate as those within the individual hosts. TCB2 is still required to check the level at which Process D currently operates. It is entirely possible that even though Process D may log in at the Secret level (and does so 90% of the time), in a particular instance that process may operate only at Confidential, in which case the connection cannot be allowed.
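As an added illustration (not the paper's code, nor that of any program it names), the following Python walks through the Level 4 exchange of Figure 12 with constructed tables: the E3 device consults its pair keys, the AC applies the equivalent-level policy and the KDC issues a key, and TCB2 still performs its own check against the process's current level. The host pair mechanism of Section b is the same flow with hosts in place of processes; the wrapping of the issued key under each E3's master key is omitted.

```python
import secrets
from typing import Dict, Tuple

# Constructed tables modelled on Figure 12 (illustrative values).
# AC table: process -> (host, level the process is registered at with the AC).
AC_TABLE: Dict[str, Tuple[str, str]] = {
    "A": ("host1", "S"), "B": ("host1", "TS"),
    "C": ("host2", "C"), "D": ("host2", "S"),
}


class E3Device:
    """Per-host end-to-end encryption device; holds one key per authorized pair."""
    def __init__(self, host: str) -> None:
        self.host = host
        self.pair_keys: Dict[Tuple[str, str], bytes] = {}


class AccessController:
    """AC/KDC: mediates pair requests and hands out pair keys."""
    def __init__(self, table: Dict[str, Tuple[str, str]]) -> None:
        self.table = table
        self.keys_issued = 0

    def authorize(self, src: str, dst: str) -> bool:
        # Network policy from the paper: only equivalent levels may communicate.
        s, d = self.table.get(src), self.table.get(dst)
        return s is not None and d is not None and s[1] == d[1]

    def kdc_issue(self, pair: Tuple[str, str], a: E3Device, b: E3Device) -> None:
        key = secrets.token_bytes(16)  # new unique key for this pair
        # The paper delivers this under each E3's master key; wrapping omitted.
        a.pair_keys[pair] = key
        b.pair_keys[pair] = key
        self.keys_issued += 1


def tcb_check(current_levels: Dict[str, str], proc: str, level: str) -> bool:
    """Destination TCB's own check: is the process really at that level now?"""
    return current_levels.get(proc) == level


def connect(src: str, dst: str, ac: AccessController,
            e3: Dict[str, E3Device], current_levels: Dict[str, str]) -> str:
    """Walk the Level 4 exchange and report which check decided the outcome."""
    src_host, src_level = ac.table[src]
    dst_host, _ = ac.table[dst]
    pair = (src, dst)
    e3_src, e3_dst = e3[src_host], e3[dst_host]
    if pair not in e3_src.pair_keys:
        # No key yet: the E3 device opens an interim connection to the AC.
        if not ac.authorize(src, dst):
            return "refused by AC"
        ac.kdc_issue(pair, e3_src, e3_dst)
        via = "new key"
    else:
        via = "existing key"  # proceeds as in the IPLI case
    # The encrypted TCB1->TCB2 connection is now possible; TCB2 checks again,
    # since the AC table only records the level the process usually runs at.
    if not tcb_check(current_levels, dst, src_level):
        return "refused by TCB2"
    return f"connected ({via})"


def make_network() -> Tuple[AccessController, Dict[str, E3Device]]:
    """Constructed network: one AC/KDC and one E3 device per host."""
    return AccessController(AC_TABLE), {h: E3Device(h) for h in ("host1", "host2")}
```

The last scenario in the accompanying check is the paper's 90% case: D is registered at Secret and a pair key already exists, yet TCB2 refuses because D is currently running at Confidential.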


V. CONCLUSIONS

This paper has presented a series of network models with increasing levels of sophistication and demands for trusted network components. The analysis used here is vital to understanding when network components must be trusted and the type of security policy the trusted components must enforce, and leads to a number of important conclusions.

A. Orange Book Extensions

The discussion of the Level 2 model indicated that even when no network components require trust, that portion of the host operating system controlling process-to-process communications across the network must be included in the Trusted Computing Base. Today's version of the Orange Book does not explicitly deal with network-related software. These additions must be made before serious consideration is given to developing trusted network evaluation criteria; indeed, as the Level 2 model shows, if host TCBs are extended to include network drivers, many valuable network configurations can be achieved without requiring any further trusted components.

B. Implications of E3

In regard to the Level 3 model, it was indicated that if E3 is used (in either the IPLI or more sophisticated version), trusted network configurations can be achieved without requiring any additional trusted network components. The E3 capability provides the network access control mechanisms (static in the IPLI case; dynamic in the E3). These mechanisms can enforce access control to untrusted hosts operating at a single level and to trusted hosts, as long as the extensions to their TCBs discussed above have been implemented.

C. Network Security Policy

As opposed to the relatively complex security policy enforced on trusted computer systems (allowing read-down and write-up), the analysis of networks from the process-to-process communications view indicates that the policy which must be enforced across the network is one where only processes operating at equivalent sensitivity levels can communicate. This simplification is forced by the need for two-way communication with acknowledgments across an unreliable medium. As a result of this simplification, the policy enforcement carried out by IPLIs, E3 devices, or trusted packet switches is inherently much simpler than that of a trusted computer system.
