home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Freaks Macintosh Archive
/
Freaks Macintosh Archive.bin
/
Freaks Macintosh Archives
/
Textfiles
/
coloredbooks
/
RedBookv2.sit.hqx
/
Red Book v2
Wrap
Text File
|
1997-11-17
|
122KB
|
3,437 lines
TRUSTED NETWORK INTERPRETATION ENVIRONMENTS GUIDELINE
NCSC-TG-11
Library No. 5-235,465
Version 1
TRUSTED NETWORK INTERPRETATION ENVIRONMENTS GUIDELINE
FOREWORD
The National Computer Security Center is issuing the Trusted
Network Interpretation Environments Guideline as part of our Technical
Guidelines Program, through which the "Rainbow Series"
is produced. The Technical Guidelines Program ensures that the
features of the Trusted Computer Systems Evaluation Criteria (DOD
5200.28-STD) are discussed in detail and that guidance is provided
for meeting each requirement. The National Computer Security Center,
through its Trusted Product Evaluation Program, analyses the security
features of commercially produced and supported computer systems.
Together, these programs ensure that organisations are capable
of protecting their important data with trusted computer systems.
The Trusted Network Interpretation Environments Guideline is a
companion to the Trusted Network Interpretation of the. Trusted
Computer System Evaluation Criteria (NCSC-TG-O5), published 31
July 1987. The Trusted Network Interpretation Environments Guideline
provides insight into the issues relevant when integrating, operating,
and maintaining trusted computer networks. This document identifies
the minimum security protection required in different network
environments such that network certifiers, integrators, and accreditors
can determine what protection mechanisms and assurances are mmimally
required in specific network environments.
This document parallels Computer Security Requirements - Guidance
for Applying the Department of Defense Trusted Computer System
Evaluation Criteria in Specific Environments (CDC-STD-O3-85) and
its technical rationale (CSC-STD-04-85). It also provides a descriptive
presentation of the security issues that exist in networked computer
systems as the networked computer system environment is inherently
more complex and requires additional protection considerations
over stand-alone computer systems.
As the Director, National Computer Security Center, I invite your
suggestions for revising this document. We plan to review this
document as the need arises.
• PATRICK R. GALLAGHER JR.
1 August 1990
• Director
• National Computer Security Center
ACKNOWLEDGMENTS
The National Computer Security Center extends special recognition
and acknowledgment for their contributions to this document to
Dr. Marshall D. Abrams, Renee Child, Annabelle Lee, Dr. Jonathan
K. Millen, Samuel I. Schaen, and Dr. Martin W. Schwartz, of The
MITRE Corporation, as authors; Richard Wilmer, also of The MITRE
Corporation, as technical editor; and to Alfred Arsenault, David
Chizmadia, id Rick Siebenaler of the National Computer Security
Center, who managed the effort ad participated in the development.
Special thanks are extended to the many members of the computer
security community who enthusiastically gave their time and expertise
in reviewing the material and providing valuable comments and
suggested changes. Special thanks are extended to James P. Anderson
of James P. Anderson Co., Donald L. Brinkley of Gemini Computers,
Inc., Dr. Eric Roskos of The Institute for Defense Analysis, Dr.
Tien Tao of Gemini Computers, Inc., and Dr. John M. Vasak of The
MITRE Corporation for their extensive suggestions and recommendations.
1 Introduction
This Trusted Network Interpretation (TNI) Environments Guideline
(TNIEG) addresses many issues in determining the security protection
required in different network environments. It complements the
TNI, just as the Trusted Computer System Evaluation Criteria (TCSEC)
Environments Guideline [1] complements the TCSEC. The TNI interprets
the TCSEC for networks; it contains all of the criteria in the
TCSEC, adding interpretation and rationale to applying trust technology
to network systems. In the same way that the TCSEC Environments
Guideline provides gnidance on applying the TCSEC, this TNIEG
provides gnidance on the use of the TNI. The TCSEC and its Environments
Guideline constitute the foundation on which the TNI and TNIEG
add network applicability.
1.1 Background
The National Computer Security Center (NCSC) is responsible for
establishing and maintaining technical standards and criteria
for the evaluation of trusted computer systems. As part of this
responsibility, the NCSC is developing guidance on how new security
technology should be used. Two objectives of this guidance are:
• Establishing a metric for categorizing systems according
to the security protection they provide, and
• Identifying the minimum security protection required
in different environments.
The TCSEC [2] helps to satisfy the first objective by categorizing
computer systems into hierarchical classes based on evaluation
of their security features and assurances. The TCSEC Environments
Guideline [1] helps to satisfy the second objective by identifying
the minimum classes appropriate for systems in different risk
environments. These two documents, however, apply to stand-alone
corn puter systems.
The TNI [3] satisfies the first objective by interpreting the
TCSEC for networks.
The TNI also provides guidance for selecting and specifying other
security services (e.g., communications integrity, denial of service,
transmission security). The TNIEG is the first step toward addressing
the second objective.
TNI Environments Guideline
Introduction
1.2 Trusted Network Technology Publications
The NCSC has decided to provide guidance concerning security in
networks and distributed Automated Information Systems (AISs)1
in a series of publications. The subject area is collectively
identified as Trusted Network Technology (TNT). The TNI is the
first TNT publication. This TNIEG is the second TNT publication.
It contains the best guidance that is available at this time;
as technology advances and more experience is gained in implementing
trusted networks, more specific guidance will be provided. This
TNIEG provides elaboration and clarification on the TNI. Guidance
concerning Interconnected AIS which initially appeared in the
TNI, Appendix C, has been revised and incorporated into this document
(see Section 6 and Appendix A). This document does not address
all of the security issues that are excluded from the TNI. Other
topics, such as composing a trusted system from evaluated components,
will be discussed in future TNT publications.
1.3 Purpose
The overall purpose of this TNIEG is to assist program managers,
integrators, certifiers, and Accreditors with identifying the
minimum security protection needed for different trusted computer
network environments. For brevity, this audience is referred to
as security managers. Not all questions can be answered at this
time. The NCSC invites suggestions for topics to be addressed
in future TNT publications.
This guideline is not a tutorial on security and networking; it
is assumed that the reader will have some background in both areas.
Suggested background references are identified in Appendix B.
This guideline is designed to be self contained; a fair amount
of background information that can be found in the TNI is also
included here. The interested reader may consult the TNI and other
documents referenced in this guideline for further detail.
1.4 Scope
This document describes an environmental assessment process that
helps determine the minimum level of trust recommended for a specific
network operational environment. The primary focus of this document
(and also of the TNI) is on the AIS 1Definitions of terms particularly
important to this document are given in Section 2.
TNI Environments Guideline
Introduction
hardware, firmware, and software aspects of security; therefore,
neither this guideline nor the TNI address all the security requirements
that may be imposed on a network. Depending on the particular
environment, communications security (COMSEC), emanations security
(TEMPEST), physical security, personnel security, administrative
security, and other information security (INFOSEC) measures or
safeguards are also required. This document applies to networks
that are entrusted with the processing of information, regardless
of whether that information is classified, sensitive, or otherwise
relevant to national security.
1.5 Structure of the Document
Section 2 of this document defines terms and Section 3 discusses
Network Security Architecture and Design. Section 4 guides security
managers in applying Part I of the TNI; Section 5 does the same
for Part II. Section 6 addresses security issues that arise when
AIS are interconnected. Appendix A discusses the Cascade Condition
in greater detail; Appendix B provides tutorial and background
references on network security; and Appendix C discusses encryption
and encryption mechanisms.
2 Terminology
Many of the terms used in the TNI are drawn from diverse specialization
areas.
Their special meaning in context may differ from common English
usage. In this section we explain how such terms are used in the
TNI and how these definitions have been refined in this document.
Terms are printed in boldface when they are defined.
2.1 Automated Information System
An AIS is defined in DODD 5200.28 as "an assembly of computer
hardware, software, and/or firmware configured to collect, create,
communicate, compute, disseminate, process, store, and/or control
data or information" [4]. This is both a broad definition
and a new one, since DODD 5200.28 was published after the TNI.
The TNI states that "automatic data processing (ADP) systems,
referred to in this [TNI] document as Automated Information System
(AIS)...", and equates AIS and ADP. We will use the DODD
5200.28 definition since it is broader and more authoritative.
We also note that DODD 5200.28 tends to pluralize AIS as AISs
while the TNI considers AIS to be a collective noun. We have
followed the latter convention.
2.2 Network Trusted Computing Base
The Network Trusted Computing Base (NTCB) is the totality of protection
mechanisms within a network system2-including hardware, firmware,
and software-the combination of which is responsible for enforcing
a security policy. The NTCB is the network generalization of the
trusted computing base (TCB). An NTCB Partition is the totality
of mechanisms within a single network subsystem3 for enforcing
the network policy, as allocated to that subsystem; it is the
part of the NTCB within a single network subsystem.
The distinction between a system and a subsystem is a matter of
the viewpoint of the ob-server. One observer's system may be another
observer's subsystem. For example, the ven-dor of a local area
network may regard his product as a system, while the customer's
network architect may consider it to be a subsystem along with
hosts, workstations, etc. ~e THI uses component in the definition
of NTCB Partition. We use subsystem to be con-sistent in this
document.
TNI Environments Guideline
Terminology
2.3 System and Component
The terms system ad component need to be related to each
other.
Unfortunately, the TNI is not completely consistent in its use
of these terms. We will first cite the relevant sections from
the TNI; then we will reconcile them as used in this guideline.
As discussed below, we define the relationship as follows: A component
is a physical unit contained within a system.
2.3.1 TNI Introduction (definition not used in TNIEG)
The TNI Introduction states (emphasis added):
A network system is the entire collection of hardware, firmware,
and software necessary to provide a desired functionality. A component
is any part of a system that, taken by itself, provides all or
a portion of the total functionality required of a system. A component
is recursively defined to be an individual unit, not useful to
further subdivide, or a collection of components up to and including
the entire system.
2.3.2 TNI - Appendix A (definition not used in TNIEG)
Appendix A of the TNI presents the view:
a trusted network represents a composition of trusted components....
The approach to evaluation of a network suggested by this view
is to partition the system into components, rate each component
to determine its security-relevant characteristics, and then evaluate
the composition of the components to arrive at an overall rating
class for the network. This approach ... allows for the evaluation
of components which in and of themselves do not support all the
policies required by the TCSEC, ... contribute[s] to the overall
evaluation of any network which uses them and allows for the reuse
of the evaluated component in different networks without the need
for a re-evaluation of the component.
Appendix A goes on to state that:
The set of policy-related features to be supported by the c'omponent
need not be the complete set required for a stand-alone system:
features not supplied by one component for the system are supplied
by another.
2.3.3 Discussion
We see a difference between the Introduction and Appendix A of
the TNI. We
will use the definition of component as an individual unit that
does not provide acomplete set of end-user services. As a consequence,
a subsystem can operate on its own and a component will require
an external connection to perform a useful function.
TNI Environments Guideline
Terminology
Appendix C of the TNI uses component, as follows, where we would
use subsystem:
Any AIS that is connected to other AIS must enforce an "Interconnection
Rule" that limits the sensitivity levels of information that
it may send or receive. Using the component connection view, each
component responsible for maintaining the separation of multiple
levels of information must decide locally whether or not information
ca be sent or received.
A component may support all the policy and accountability requirements:
M, D, I, ad A4; however, as defined above, this is not applicable
to determining whether an individual unit is a component. A component
which supports some part of the security policy contains an NTCB
partition. In the extreme, a component may not have any security-relevant
function; in this case it doesn't support any TCSEC policy and
doesn't contain an NTCB partition.
2.3.4 Definitions
To summarize the previous discussions, following are definitions
for component ad system/subsystem.
• Component: An individual physical unit that does not
provide a complete set of end-user services.
• System/suhsystem: A collection of hardware, firmware,
and software necessary configured to collect, create, communicate,
compute, disseminate, process, store, and/or control data ad information
[4].
2.4 Evaluation
NCSC-evaluation refers specifically to the process in which the
NCSC determines whether a commercial-off-the-shelf (COTS) product
satisfies the TCSE~C. Application of the TCSEC to a particular
product may be assisted by an interpretation guideline such as
the TNI [5]. In such a case, the guideline clarifies the meaing
of the TCSEC's language with regard to a particular type of product,
but in no case circumvents or grants exception to the requirements
of the TCSEC. The purpose of an NCSC-evaluation is as follows:
4M:datory access control, discretionary access control, identification
and authentication, and audit, respectively.
TNI Environments Guideline
Terminology
The primary goal of the NCSC is to encourage the widespread availability
of trusted computer systems. This goal is realized, in large measure,
through the NCSC's Commercial Product Evaluation Program. This
program is focused on the technical evaluation of the protection
capabilities of off-the-shelf, commercially produced and supported
systems that meet the computer security needs of government departments
and agencies. This product evaluation culminates in the publication
of an Evaluated Products List (EPL) report... [6].
An NCSC~valuation places a product in one of four divisions: D,
C, B, or A.
Division D is for systems that have been evaluated but fail to
meet the requirements for a higher NCSC~valuation rating. Division
C has two classes: C1 and C2, which require discretionary (need-to-know)
protection. Division B has three classes: B1, B2, and B3, which
require support for sensitivity labels and increasing robustness
of system architecture. Division A has only class Al, which requires
additional assurance through formal verification methods.
2.5 Certification
Certification is defined as "the technical evaluation of
a system's security features, made as part of and in support of
the approval/accreditation process, that establishes the extent
to which a particular system's design and implementation meet
a set of specified security requirements" [7]. In this definition,
the word evaluation is used in the generic sense and should not
be confused with NCSC valuation. The primary distinction is that
certification is an evaluation with respect to specified requirements,
ad NCSC~valuation is an evaluation against the TCSEC (and the
TNI).
Certification is conducted in support of the accreditation decision.
For most systems, the hardware, system software, applications
software, communications equipment, and the operational facility
must be configured and tested during certification. Certification
should be performed by technical personnel independent of the
development organization, according to an acceptable methodology.
Certification should identify the level of security protection
with regard to a procedure, program, or system. Certification
results in the issuance of the Certification Statement, which
states whether system security requirements are met, describes
all known remaining vulnerabilities, and advises the Accreditor
relative to the accreditation decision. If requirements are not
met, the Certification Statement lists problem areas and identifies
suggested solutions (if known). A certification documentation
package, called the Certification Report of Findings, submitted
to the Accreditor includes the Certification Statement, certification
analysis, resuils of Security Test and Evaluation, id results
of Operational Test and Evaluation.
2.6 Accreditation
Accreditation is "the managerial authorization and approval
granted to an ADP system or network to process sensitive data
in an operational environment, made on the basis of a certification
by designated technical personnel..." [3]. Accreditation
is a management decision to operate a system or network employing
specific safeguards, against a defined threat, at an acceptable
level of risk, under a stated operational concept, with stated
interconnections, in a specific operational environment, with
a specific security mode of operation. Other terms have been used
to identify the formal managerial approval for operation; in this
document we use the term Accreditation. FIPS PUB 102 defines
Accrediting Officials as "the agency officials who have authority
to accept an application's security safeguards and issue an accreditation
statement that records that decision. The Accrediting Officials
must also possess authority to allocate resources to achieve acceptable
security and to remedy security deficiencies" [7]. The ultimate
responsibility for system security rests with the Accreditor.
DODD 5200.28 employs the term Designated Approving Authority (DAA)
to refer to the same officials or officers [4].
All AIS must be accredited before they may process or use sensitive
or classified information, unless a written waiver is granted
by the Accreditor. Accreditation is based on a technical investigation
and a formal review of the certification Report of Findings. Before
authorizing an AIS to operate, the Accreditor must ensure that
satisfactory security measures have been installed and that any
residual risk is within acceptable limits. Often, the Accreditor
must weigh the technical shortcomings of an AIS against operational
necessity. Lacking other ways to accomplish an operational mission,
the Accreditor may determine that it is preferable to accept a
residual security risk than to preclude the mission. To ensure
that the accreditation goals and objectives are adequately met,
the Accreditor must be involved throughout the system life cycle.
2.7 Two Types of Networks
A network may be defined as either an interconnection of accredited
AIS or as a Unified Network. When it is not necessary to differentiate
in this guideline, the term network is used.
2.7.1 Unified Networks
The TNI defines a Network Single Trusted System while DODD 5200.28
Enclosure (5) defines a Unified Network; this TNIEG conforms to
the latter usage.
The section of Enclosure (5) that addresses Unified Networks is
brief and instructive5:
Some networks may be accredited as a whole without prior accreditation
of their component AIS. It is necessary to treat a network as
unified when some of its AIS subsystems are so specialized or
dependent on other subsystems of the network for security support
that individual accreditation of such subsystems is not possible
or meaningful with respect to secure network operation. In order
to be accredited, a Unified Network shall possess a coherent network
architecture and design, and it should be developed with an attention
to security requirements, mechanisms, and assurances commensurate
with the range of sensitivity of information for which it is to
be accredited.
The recommended approach for accrediting a Unified Network is
to apply Enclosure 4 to the entire network to derive an
evaluation class. Requirements to meet that evaluation class
then are obtained from an applicable interpretation of DoD 5200.28-STD
[the TCSEC], such as NCSC-TG~05 [the TNI].
2.7.2 Interconnected Accredited AIS
Enclosure (5) of DODD 5200.28 also discusses Interconnected Accredited
AIS:
If a network consists of previously accredited AIS, a Memorandum
of Agreement6 [MOA] is required between the DAA of each DOD Component
AIS and the DAA responsible for the network ... The network DAA
must ensure that interface restrictions and limitations are observed
for connections between DOD Component AIS. ... In particular,
connections between accredited AIS must be consistent with the
mode of operation of each AIS, the specific sensitivity level
or range of sensitivity levels for which each AIS own and a component
will require an external connection to perform a useful function
is accredited, any additional interface constraints associated
with the particular interface device used for the connection,
and any other restrictions required by the MOA
---------------------------
5 As mentioned in the introduction and the definitions, this TNIEG
differs from DODD 5200.28 and the TNI in the usage of AIS and
the definition of component. This quotation has been slightly
edited to conform to the usage in this guideline. she content
of a Memorandum of Agreement is discussed in Section 3.2
2.8 Network Security Architecture and Design
Network Security Architecture and Design (NSAD) applies to all
networks. The NSAD identifies how the NTCB is partitioned and
how the trusted system requirements are met. Security engineering,
including the development of the NSAD, is a specialty area within
systems engineering. The security engineer is responsible for
ensuring that the system being built meets the security requirements
of the organization. The security engineer ensures that the AIS
security conforms to applicable regulations and policy, and implements
the system security requirements [8].
The security policy includes the set of laws, rules, and practices
that govern how an organization manages, protects, and distributes
sensitive information (including classified information). The
overall security policy is addressed in a family of related documents
consisting of a system security policy, a security policy model,
and security requirements. The system security policy is developed
first, followed by the other two. A system security policy interprets
and applies regulations to systems. The security policy model
defines subjects and objects and the accesses between the two.
The security requirements document identifies evaluatable user
requirements for a secure system.
The security architecture is that part of the system architecture
that describes the required security services and features. The
security architecture shows how the required level of assurance
for the system is to be met. A mapping of security requirements
to functional elements is documented in the security architecture;
therefore, the securily architecture is used to document security
design decisions.
2.9 Protocol Layer Approach
This guideline discusses networks in terms of the Open System
Interconnection (0SI) reference model [9] because that model provides
a well-understood terminology and is used in the TNI. This guideline,
however, is independent of the actual protocol reference model
used.
274-353 0 - 90 - 2 : QL 3
TNI Environments Guideline
Terminology
An NTCB implementation need not include all protocol layers.
The precise security services and their granularity will depend
on the highest protocol layer at which an NTCB partition is implemented.7
For example, in a Unified Network where layer 3 (the network
layer) is the highest layer that implements the NTCB, the network
will be able to enforce mandatory access control (MAC) and discretionary
access control (DAC) decisions on the granularity of network addresses8.
The network system being evaluated knows only about the range
of classifications that the host (or other network) is permitted
to handle and the hosts (or other networks) that are permitted
to communicate with each other. Finer distinctions must be made
by the hosts (or other networks) involved. When a trusted network
provides all seven layers, the network is aware of and enforces
MAC and DAC at the granularity of individual users.
A network device might not provide a complete set of end-user
services through layer 7. Products that do not provide all system
services through layer 7 may be NCSC-evaluated as components and
subsequently used with other components to compose a network.
2.10 Part II Security Services
The terms functionality, strength of mechanism, and assurance
are used to rate TNI Part II services. Their meanings in that
context are described below.
Functionality refers to the objective and approach of a security
service; it includes features, mechanism, and performance. Alternative
approaches to achieving the desired functionality may be more
suitable in different applications environments.
Strength of'mechanism refers to how well a specific approach may
be expected to achieve its objectives. In some cases the selection
of parameters, such as number of bits used in a checksum or the
number of permutations used in an encryption algorithm, can significantly
affect strength of mechanism. Wiih regard to inadvertent threats,
strength refers to the ability to operate correctly during natural
disasters, emergencies, operator errors, and accidents. Inadvertent
threats are particularly
7 Since the publication of the TNI, the policy environment has
changed. "User", as defined in DODD 5200.28, ad peer.entity,
as defined in the 051 reference model, are comparable. Therefore,
the TNIEG applies to all layers of the 051 architecture.
8 A network address refers to either a host or another network.
TNI Environments Guideline
Terminology
critical to prevention of denial of service. As an example, for
communications line outages, strength of mechanism may refer to
the number of alternate routes that may be used to bypass the
outage. The misdelivery of messages is an example of an inadvertent
threat that may disclose information to unauthorized individuals.
Encryption can be used to prevent the unintended recipient from
seeing the information.
Assurance refers to a basis for believing that the functionality
will be achieved; it includes tamper resistance, verifiability,
and resistance against circumvention or bypass. Assurance is
generally based on analysis involving theory, testing, software
engineering, validation and verification, and related approaches.
The analysis may be formal or informal.
3 Network Security Architecture and Design (NSAD)
Every network should have a Network Security Architecture and
Design (NSAD). This section helps the security manager in establishing
the NSAD for the network.
The NSAD, produced as part of the risk management process, documents
the security services. As mentioned in Section 1, the primary
focus of this TNIEG is on the AIS aspects of security. Depending
on the particular environment, communications security (COMSEC),
emanations security (TEMPEST), physical security, personnel security,
administrative security, and other information security (INFOSEC)
measures or safeguards are also incorporated in the NSAD. An NSAD
results from a series of tradeoffs among cost, effectiveness,
technical risk, mission requirements, and risk management.
While the architecture part of the NSAD may be somewhat abstract,
the design part should be quite concrete. The design maps the
selected security services to system functional elements9. Next,
these functional elements are assigned to components and subsystems.
3.1 Composing an NSAD
The security manager is responsible for ensuring that an NSAD
is defined that applies to all the components or subsystems that
constitute the network. The NSAD for a network must address the
applicable security-relevant policies and may incorporate the
NSADs of its constituent components or subsystems. In some cases,
such as when a component provides part of the functionality of
the network (e.g., a local area network (LAN) providing 051 layer
three communication services), the NSAD of the component may be
incorporated with little or no change into the NSAD for the network.
The component NSAD will probably require some modification to
address the applicable policy and environment constraints.
A typical network configuration will include multiple vendor's
products. When the network is created, the security manager must
reconcile the diverse NSADs of the constituents into a coherent
NSAD for the configured network and identify any
9 Sections 4 and 5 of this document should guide the security
manager in selecting those securi-ty services and safeguards that
are appropriate for the given operational environment.
TNI Environments Guideline Network Security Architecture
and Design
restrictions or new security services and assurance that must
be added. The NSAD must implement national, service, and command
policies for the environment in which the network will operate.
The same process applies when previously accredited AIS are to
be interconnected to support the exchange of information.
In contrast to the networks described above, when a network is
created from scratch, the NSAD may be established before any devices
are selected and may be included as part of the criteria for selecting
the network devices.
Note that the network may include components that are not security-relevant
and, therefore, do not have a component NSAD. The design decisions
that result in the inclusion of non-security-relevant components
are documented in the NSAD.
AIS may be combined into a network under conditions of a hierarchical
relationship of their security managers. In this case the NSAD
of the subordinate system must conform to the governing NSAD.
For example, when a host computer connects to a common user network,
the host computer must conform to the NSAD established by the
security manager of the common user network, who has a responsibility
to the security managers of all other connected AIS to maintain
the network's trustworthiness. As discussed below, this conformance
is recorded in a Memorandum of Agreement (MOA).
AIS whose security managers are not hierarchically related may
also be combined to form a network. In this case, the security
managers come to agreement on the NSAD for the network; this agreement
is also recorded in an MOA.
3.2 Memorandum of Agreement
If a network consists of previously accredited AIS, a MOA is required
between the Accreditors for each subsystem. This MOA is part of
the documentation of the NSAD. The MOA discusses the accreditation
requirements for each subsystem that is to be interconnected to
form the network [4], i.e., defines all the terms and conditions
of the security arrangements that will govern the operation of
the network [10]. The objective of the MOA is to document the
interconnection requirements and identify any requirements that
may be necessary to provide overall security safeguards for the
entire network. This network includes all the interconnected subsystems,
the communications devices, the usei-s, and the data stored in
the subsystem
[10]. A Memorandum of Record (MOR) is used when the subsystems
have the same Accreditor. A comprehensive M0A10 could constitute
the entire NSAD for a network; alternatively, the MOA could contain
high level agreements, with the details spelled out in supporting
documents. Following is a list of suggestions for the contents
of the MOA and supporting documents. The items towards the top
of the list are more likely to occur in the MOA; those towards
the end of the list are more likely to occur in supporting documents.
• A general description of the information that will
be transmitted to the network by each subsystem
• A summary discussion of the trusted behavior that is
expected from each subsystem
• The details of the overall security plan for the network
and the assignment of responsibility for producing and accepting
the plan
• A description of the overall network security policy
• A description of additional security training and assignment
of training responsibility
• Specification of the security parameters that are to
be transmitted between communicating subsystems
• A discussion of security details that are relevant
to the exchange of information among the subsystems.
• A description of the user community, including the
lowest clearance of any user who will have access to the network
• Any special considerations for dial-up connections
to any subsystem in the network, including potential security
threats and the safeguards that will be used.
• A description of the security protections provided
by the data communications, both local to a subsystem and between
communicating subsystem
________________
10 In this guideline, NOA is used to identify the agreement between
Accreditors and includes the NOR.
TNI Environments Guideline Network Security Architecture
and Design
• A description of the information that each subsystem
will log in the audit trail, and how the audit trail tasks will
be divided among the subsystems
• A description of the information security services
to be offered to the network by each subsystem, including:
• The types of processing provided by each subsystem,
e.g., file query, individual user, general processing
• The modes of operation of all the subsystems, e.g.,
dedicated, system high, multilevel
• The sensitivity levels processed on all subsystems
4 TNI Part I Security Requirements
This section assists the security manager in determining the recommended
minimum security requirements based on TNI Part I and Appendix
A, which interprets the TCSEC for networks.
The procedure for determining the minimum security requirements
for a network parallels the procedure for a stand-alone system,
whereby the highest classification of data and the lowest clearance
among system users are used in computing a risk index. The risk
index is used to determine which NCSC~vaIuation rating is required
of the system to provide adequate security. To emphasize, these
are the minimum requirements. The TCSEC Environments Guideline
does not address environmental factors such as the number of users
and the percentage of users at different classification levels.
These factors may become more significant in a network environment.
Communications security risk in a network is addressed by the
National Security Agency (NSA) and other cognizant organizations
and results in a set of recommendations for the appropriate equipment
or security procedures. Other factors, such as the number of connections,
the physical distance between devices, the number of subsystems,
the presence of encryption, and the possible presence of intervening
systems between the resources being used and the ultimate user
may result in more or less stringent requirements.
4.1 Risk Management
Risk management is a methodology used to identify, measure, and
control events which adversely affect security; it involves cost-benefit
analyses to ensure appropriate cost~ffectiveness of security safeguards.
A risk management program is mandated by Enclosure (3) of DODD
5200.28.
The literature on risk management is quite extensive. It is not
the ;Purpose of this document to survey the field. The interested
reader is referred to FIPS PUB 65 [11]. The literature is constantly
growing; a recent high-level introduction to general concepts
and terminology can be found in Bell [12] and in the Proceedings
of the First Invitational Workshop on Computer Security Risk Management
[13].
DODD 5200.28 Enclosure (4) mandates the use of a methodology,
extracted from
the TCSEC Environments Guideline, to determine the recommended
evaluation class
TNI Environments Guideline TNI Part I Security
Requirements
(or requirements of an evaluation class) based on a specific environment.
Enclosure (5) of the Directive also recommends this method to
determine minimum computer-based requirements in a network. This
guideline also uses that method. Use of a different method requires
prior approval of the Assistant Secretary of Defense (ASD) Command,
Control, Communications, and Intelligence (C31).
DODD 5200.28 Enclosure (4) contains six major steps in the risk
assessment procedure. These steps are listed below. DODD 5200.28
Enclosure (4) applies in all steps.
Step 1. Determine system security mode of operation.
Step 2. Determine minimum user clearance or authorization rating.
Step 3. Determine maximum data sensitivity rating.
Step 4. Determine risk index.
Step 5. Determine minimum security evaluation class for computer-based
controls.
Step 6. Determine adjustments to computer security evaluation
class required.
An elaboration of step six given in Migues [14], involving a detailed
analysis of both environmental and architectural risk factors,
is based on Landwehr and Lubbes [15]. It presents a method which
incorporates analysis of the applications environment. This analysis
includes such factors as whether the system allows programming,
or whether it is restricted to a limited set of applications.
This more detailed information supports a finer determination
of the level of trust required.
4.2 Determination of Network Risk
To apply the TCSEC Environments Guideline guidance, the security
manager must determine the following:
• minimum clearance or authorization of the network usefs
(see Table 1 11),
TNI Environments Guideline TNI Part I Security
Requirements
Table 1
Rating Scale for Minimum User Clearance ~m1n)
Minimum User Clearance Rmin
Uncleared OR Not Authorized (U) 0
Not Cleared but Authorized Access 1
to Sensitive
Confidential
Secret(S) 3
Top Secret (TS) and/or current 4
Background Investigation (BI)
TS and/or current Special 5
Background Investigation (SBI)
One Category (IC) 6
Multiple Categories (MC) 7
• maximum sensitivity of data processed by the network
(see Table 2) (the TCSEC Environments Guideline distinguishes
between an open system and a closed system based on whether application
development was done by cleared or uncleared users; the distinction
was dropped in DODD 5200.28 and is not used here either).
• The number derived from Table 1 is used for Rmin; the one
derived from Table 2
is used for Rmax. A risk index for the network is calculated
using the following formula:
Risk Index = Rmax - Rmin
TNI Environments Guideline TNI Part I Security
Requirements
• Table 2
• Rating Scale for Maximum Data Sensitivity ffm:)
Maximum
Sensitivity
Rating
Maximum Data
Rating
Ratings without (Rmax) Sensitivity (Rmax)
categories with categories
1,2
Unclassified U 0 N/A 3
Not Classified 2
but 1 N
with one or more
Categories
Sensitive N
Confidential C 3
2 C
with one or more
Cate ories
Secret (S) 4
3 S with
one or more
Categones
only one Category
containing S
S with two or 5
more Categories
containin S
Top Secret (TS) 6
5 5 TS
with one or more
Categories
only one Category
containing S or
TS
TS with two or 7
more Categories
containin S or TS
1 Where the number of categories is large or where a highly sensitive
category is involved, a higher rat-ing might be warranted.
2 The only categories of concern are those for which some users
are not authorized access. When counting the number of categories,
count all categories regardless of the sensitivity level associated
with the data. If a category is associated with more than one
sensitivity level, it is only counted at the highest level. Systems
in which all data are in the same category are treated as without
categories.
3 Unclassified data by definition may not contain categories.
4 Examples of N data include financial, proprietary, privacy,
and mission-sensitive data. In some situa-tions (e.g., those involving
extremely large financial sums or critical mission-sensitive data),
a higher rat-ing may be warranted. This table prescribes minimum
ratings.
5 The rating increment between the Secret and Top Secret data
sensitivity levels is greater than the in-crement between other
adjacent levels. This difference derives from the fact that the
loss of Top Secret data causes EXCEPTIONALLY GRAVE damage to U.S.
national security, whereas the loss of Secret data causes SERIOUS
damage.
THI Environments Guideline TNI Part I Security
Requirements
• Table 3
• Security Risk Index
Risk Index Security Mode Minimum Security Class
4
0 Dedicated No Minimum Class 1 2
0 System High C2 2
1 Multilevel Partitioned B1 3
2 Multilevel Partitioned B2
3 Multilevel B3
4 Multilevel A1
5 Multilevel *
6 Multilevel *
7 Multilevel *
1 Although there is no prescribed minimum class, the integrity
and denial of service requirements of many systems warrant at
least class C2 protection.
2 Automated markings on output must not be relied on to be accurate
unless at least class B1 is used.
3 Where an AI$ handles classified or compartmented data and some
users do not have at least a Confi-dential clearance, or when
there are more than two types of compartmented information being
handled, at least a class B2 is required.
4 The asterisk (*) indicates that computer protection for environments
with that risk index is considered to be beyond the state of current
computer security technology.
5 Most embedded systems and desk top computers operate in the
dedicated mode.
Table 3 12 is used, along with the Risk Index calculated above,
to determine a minimum NCSC-evaluation rating for the system.
Note that some terms that appear m the TCSEC Environments Guideline
are no longer defined in DODD 5200.28. (Limited Access Mode,
and Compartmented Mode fall under the heading of Partitioned Mode.
Controlled Mode comes under the heading Multilevel. The prevt.ou:sly
used terms referred to the equivalent of the BI and B2 evaluation
classes. In DODD 5200.28, Partitioned Mode is used in place of
Compartmented Mode.)
____________________
12 Table 3 is adapted from the TCSEC Environments Guideline
5 TNI Part II Security Requirements
This section contains a discussion of TNI Part II which describes
qualitative evaluations of security services in terms of functionality,
strength of mechanism, and assurance. Part II of the TNI describes
additional security concerns and services that arise in conjunction
with networks, but that do not normally arise in stand-alone computers.
Part II of the TNI focuses on those threats that occur between
end systems (hosts) on the network. These security services include
protection against compromise, denial of service, and unauthorized
modification. In discussing these services, the TNI borrows heavily
from the International Standards Organization (150) 051 Basic
Reference Model [9] and Security Architecture [16]. The services
discussed are closely related to those found in the latter reference.
The TNI goes beyond the 051 Security Architecture in several respects.
First, the 051 document does not address the relative strengths
of different mechanisms nor the assurances that they operate as
intended. Second, the protection against denial of service threats
is not specifically addressed by 051 but is an important consideration
in the TNI.
5.1 Relationship of TNI Part II Services to Part I and Appendix
A
• The Part II services are not as well understood as the features
in TN1 Part I. The fact that Part 11 services have not been supported
by equally well developed theories and detailed evaluation criteria
should not be interpreted to imply that their security problems
do not have to be evaluated as rigorously as TNI Part I and Appendix
A services. Some Part II services may not be part of the NTCB.
For example, to make the NTCB as small as possible, some of the
protocol software may be outside the NTCB. Therefore, the protocol-based
protection against denial of service is likely to be outside the
NTCB. Nonetheless, it must rely on some of the fundamental NTCB
assurances since the protocols invoke portions of the subsystem's
operating system.
• It is important to recognize that many Part II security services
depend on (embedded) AIS. These AIS should be evaluated using
Part I and Appendix A of the TNI. Encryption systems, for example,
are highly dependent upon AIS; they are addressed in Appendix
B of the TNI and Appendix C of this guideline. Appendix C presents
some considerations concerned with applying Tables 1, 2, and 3
to encryption systems.
25
TNI Environments Guideline TNI PartII Security
Requirements
For security services that do not depend strongly on AIS, a qualitative
evaluation approach is used. For functionality, a question and
answer format is presented in Section 5.4.3. For strength of mechanism
and assurance, the concept of a risk index is used in Sections
5.4.1 and 5.4.2.
5.2 Specification and Evaluation of Security Services
Specifying and evaluating Part II security services is quite different
from a TNI Part I evaluation even though both parts are concerned
with the same three aspects of security services or capabilities:
functionality, strength of mechanism, and assurance. For clarity
these terms are defined as follows: Functionality refers to the
objective and approach of a security service. Sirength of mechanism
refers to how well a specific approach may be expected to achieve
its objectives. Assurance refers to a basis for believing that
the functionality will be achieved.
5.3 Evaluation Ratings
• Part II evaluations are qualitative, as compared with the
hierarchically~rdered ratings (e.g., C1, C2, ...) from the TCSEC.
The results of a Part II evaluation for offered services are generally
summarized using the terms none, minimum, fair, and good. For
some services, functionality is summarized using none or present
because gradations are not meaningful. Theterm none is used to
mean the security service fails to distinguish the strength of
mechanism. The term not offered is used when a security service
is not offered. For example, if a certain network did not include
non-repudiation as one of its security services, that network
would be rated not offered with respect to non-repudiation. Table
4 represents the evaluation structure of PartII as a matrix. It
identifies a set of security services. It also shows the possible
evaluation ranges for each service in terms of its functionality,
strength of mechanism, and assurance.
5.4 Selecting Security Services
Part II enumerates representative security services that an organization
may choose to employ in a specific situation. Not all security
services will be equally important for a specific environment,
nor will their relative importance be the same
TNI Environments Guideline TNI Part II Security
Requirements
• Table 4
• Evaluation Structure for Network Security Services
Network Security Criterion Evaluation
Service
Communications None present
Integrity
Functionality
Authentication None good
Strength
Assurance None good
Communications None good
Field Integrity
Functionality
Strength None good
Assurance None good
Non-repudiation None present
Functionality
Strength Denial of None good
Service
Continuity of None good
Operations
Functionality
Strength None good
Assurance None good
Protocol Based None good
Protection
Functionality
Strength None good
Assurance None good
Network None present
Management
"Functionality
Strength None good
Compromise None present
Protection Data
Confidentiality
Functionality
Strength
Sensitivity level
Assurance None good
Traffic Flow None present
Confidentiality
Functionality
Strength Sensitivity level
Assurance None good
Selective Routing None present
Functionality
Strength None good
Assurance None good
among different environments. Selecting security services is a
management decision, with assistance provided by this guideline.
Ordinarily, the security manager would first determine whether
a particular service is required and what functionality is needed
(if there are distinctions) through a series of questions provided
in Section 5.4.3. A separate set of questions is provided for
each service shown in Table 4.
Once the functionality has been determined, the strength of mechanism
and appropriate level of assurance must be determined. The process
is similar to the determination of Part I risk in Section 4 of
this guideline. Since the strength of mechanism and assurance
determination do not differ for the various services, these topics
are addressed first.
5.4.1 Strength of Mechanism
Determination of strength of mechanism for each service has two
components. The inadvertent threat and the malicious threat should
be analyzed separately. In many cases, the malicious threat will
dominate the inadvertent threat; malicious users can often duplicate
the circumstances of an inadvertent threat. The required strength
of mechanism is determined using a risk index similar to that
used in PartI.
For inadvertent threats, traditional risk management techniques
are used. While some countermeasures may be the same for inadvertent
and malicious threats, others may be effective only against the
former. The security manager must determine the likelihood of
a particular threat, the dollar cost of a countermeasure, and
the residual risk if the countermeasure is put into effect. The
manager concerned with these inadvertent threats is referred to
the references on risk assessment previously cited.
For malicious threats, we consider the most sensitive information
contained on the system and the lowest clearance of user who can
gain physical access to some device in the system, including access
to wireless transmissions. Some devices in the system may be physically
protected in buildings that require a clearance for admittance.
Other devices in the system, such as long-haul transmission lines,
may have no physical protection.
Protection of the information in the network system is a combination
of physical, administrative, procedural, and technical protections.
The TNIlis concerned only with the AIS hardware, firmware, software,
and configuration management protections. Various service or
agency regulations describe methods for implementing the other
protections.
The various devices in the system must be considered separately;
for each device,
the risk index will be based on the most sensitive information
on the network system and the minimum clearance to gain physical
access to the device. Note that this is
different from the Part I risk index calculation (where the lowest
cleared user is of concern). For some devices in the system (e.g.,
the communications media), the clearance of individuals with physical
access may be lower than that for authorized users. For convenience,
all the necessary tables are included here. Table 5, Minimum Clearance
for Physical Access, is identical to Table 1. For each device
in the system, the lowest clearance of individuals with physical
access to that device is used. Table 6 for Maximum Data Sensitivity
is identical to Table 2.
• Table 5
• Minimum Clearance for Physical Access
Minimum User Clearance Rmin
Uncleared OR Not Authorized (U) 0
Not Cleared but Authorized Access 1
to Sensitive
Unclassified Information (N)
Confidential 2
Secret (S) 3
Top Secret (TS) and/or current 4
Background
Investigation (BI)
TS and/or current Special 5
Background
Investigation (SBI)
One Category (IC) 6
Multiple `Categories (MC) 7
Table 6
• Maximum Data Sensitivity
Maximum Sensitivity Rating Maximum Data
Rating
Ratings without (Rmax) Sensitivity
(Rmax)
Categories with Categoriesi,1 2
Unclassified U 0 N/A 3
Not Classified but 1 N with one or more Categories
2
Sensitive N 4
Confidential C 2 C with one or more Cate ories
3
Secret (S) 3 5 with one or more Categories
4
only one Category containing
5
S with two or more Categories
5
containin S
Top Secret (TS) 5 5 TS with one or more Categories
6
only one Category containing
5 or TS
T5 with two or more Categories
7
containin S or TS
1 Where the number of categories is large or where a highly sensitive
category is involved, a higher rat-ing might be warranted.
2 The only categories of concern are those for which some users
are not authorized access. When counting the number of categories,
count all categories regardless of the sensitivity level associated
with the data. If a category is associated with more than one
sensitivity level, it is only counted at the highest level. Systems
in which all data are in the same category are treated as without
categories.
3 Unclassified data by definition may not contam categories.
4 Examples of N data include financial, proprietary, privacy,
and mission-sensitive data. In some situa-tions (e.g., those involving
extremely large financial sums or critical mission-sensitive data),
a higher rat-ing may be warranted. This table prescribes minimum
ratings.
5 The rating increment between the Secret and Top Secret data
sensitivity l~els is greater than the in-crement between other
adjacent levels. This difference derives from the fact that the
loss of Top Secret data causes EXCEPTIONALLY GRAVE damage to U.S.
national security, whereas the loss of Secret data causes SERIOUS
damage.
Table 7 now gives the strength of mechanism requirement based
on the risk index
calculated as
Risk Index = Rmax - Rmin
• Table 7
• Minimum Strength of Mechanism Requirement
Risk Strength of
• None
• 1 Minimum
• 2 Fair
>2 Good
5.4.2 Assurance
Assurance is a very important concept in the TCSEC and TNI. This
section discusses the need for assurance and the ways in which
it may be achieved.
One salient property of trusted systems is the reliance on a TCB.
Similarly, trusted network systems rely on an NTCB. In addition
to its other responsibilities, the NTCB prevents unauthorized
modification to objects within the network system. In particular,
the NTCB maintains the integrity of the programs which provide
security services, thus ensuring that their assurance is continued.
The NTCB provides an execution environment that is extremely
valuable in enhancing the assurance of security services. Discretionary
and mandatory access controls can be employed to segregate unrelated
services. Thus, service implementation that is complex and error-prone
or obtained from an unevaluated supplier can be prevented from
degrading the assurance of other services implemented in the same
device. Furthermore, an NTcB ensures that the basic protection
of the security and integrity information entrusted to the network
is not diluted by various supporting security services.
The relationship of the risk index to the required assurance is
expressed in Table 8.
TNI Environments Guideline TNI PartII Security
Requirements
Table 8
Minimum Assurance Requirements
Risk Part II
Index Assurance Rating
• None
• 1 Minimum
• 2 Fair
• >2 Good
Assurance of the design and implementation of PartII mechanisms
is also related to the assurance requirements in Part I because
service integrity depends on protection by the NTCB or TCBs. Table
9 expresses this dependency. The second column identifies the
minimum Part I evaluation which supports the Part II assurance
requirement. Note that Table 9 is applicable only to those PartII
services not strongly dependent on AIS; the AIS implementing those
services can be directly evaluated under PartI and Appendix A
of the TNI.
Note that the Evaluation Class calculation in Part I will not
necessarily be the same as the Minimum Part I Evaluation in Table
9. This is because the Rmin for Part II may be different from
that of Part I since the Part II protections are oriented towards
outsiders (those with physical access) rather than towards users.
Depending on the particular environment, either the Part I requirement
or the Part II requirement may dominate. The latter would be the
case if a system were operated in the system high mode-where all
users were cleared to see the most sensitive information-but the
network was exposed to lower clearance individuals.
5.4.3 Functionality
This section asks questions about each of the security servi'ces
contained in PartII of the TNI. These questions are designed
to help the security manager identify the functionality required
for each security service. The questions should be answered in
sequence, unless the answer to one question contains an instruction
to skip ahead.
Authentication
• 1. Is there a requirement to determine what individual, process
or device is at the other end of a network communication? If yes,
document this requirement.
• Table 9
• Part II Assurance Rating
PartII Minimum PartI
Assurance Rating Evaluation
Minimum CI
Fair C2
Good B2
If no, skip to Communications Field Integrity.
• 2. Do you have a requirement to identify and authenticate
the specific hardware device at the distant end-point involved
in the network communication? If yes, then you have a functionality
requirement for authentication. This functionality may be implemented
at one or more protocol layer. For example, a specific control
character, ENQ (enquiry or who-are-you) may be used to return
immediately a stored terminal identifier.
• 3. Do you have a requirement to identify and authenticate
the location of the hardware at the distant end-point or in any
intermediate system involved in the network communication?
• If yes, then you have a functionality requirement for authentication
at protocol layer 2, the Link Layer or layer 3, the Network Layer.
• 4. Do you have a requirement to identify and authenticate
the specific operating system or control program at the distant
end-point or in any intermediate system involved in the network
communication?
• If yes, then you have a functionality requirement for authentication
at protocol layer 4, the Transport Layer.
• 5. Do you have a requirement to identify and authenticate
the subject (process/domain pair) at the distant end-point involved
in the network communication?
• If yes, then you have a functionality requirement for authentication
at protocol layer 4 or above.
• 6. Do you have a requirement to identify ad authenticate the
application or user at the distant end-point involved in the network
communication? If yes, then you have a functionality requirement
for authentication above protocol layer 7, the Applications Layer.
The Applications Layer provides an interface to the application.
Authentication information may pass over this interface. Authentication
of a user is addressed in Part I of the TNI. Application process
authentication is outside the scope of the 05I Security Architecture,
but does fall within the scope of TNI PartII Security Services.
Have you chosen to use some mechanism other than encryption to
provide authentication? If so, your strength of mechanism is shown
in Table 7. If your authentication mechanism is encryption based,
see the appropriate encryption authority (e.g., NSA). Even if
encryption is used, some supporting processes may need to satisfy
the strength of mechanism shown in Table 7 (depending on the architecture).
For example, a database that relates encryption keys to specific
users may need to be trusted.
Communications Field Integrity
• 1. Do you have a requirement to protect communication against
unauthorized modification? If no, skip to Non-Repudiation.
• 2. Are your protection requirements the same for all parts
of the information communicated?
• If no, then you should identify the separate parts and answer
the rest of the questions in this section separately for each
part. Each part is known as a field.
• There are two major fields: protocol-information, whherein
the network is informed of the destination of the information
and any special services required; and user-rlata. Not every protocol
data unit (PDU) contains user-data, but protocol-information is
necessary. Each of these fields may be divided into additional
fields; depending on your application, protection requirements
for fields may differ.
• 3. Do you have a requirement for detecting unauthorized modification
to part or allofaPDU?
• If yes, you have a requirement for at least minimum functionality.
• 4. Do you have a requirement for detecting any of the following
forms of message stream modification: insertion, deletion, or
replay?
• If yes, you have a requirement for at least fair functionality.
In addition, your functionality must be incorporated in a connection
oriented protocol.
• 5. Do you require that, if message stream modification is
detected, recovery (correction) should be attempted?
• If yes, you have a requirement for good functionality. In
addition, you must implement integrity in a reliable transport
(layer 4) mechanism.
Non-repudiation
• 1. Do you have a requirement to be able to prove (to a third
party) that a specific message transfer actually occurred? If
no, skip to Denial of Service.
• 2. Do you have a requirement for proving that a specific message
was sent?
• Specific message means that the identity of the subject sending
the message, the host computer and/or mail agent/server, time
and date, and contents are all uniquely and unalterably identified.
• If yes, then you have a functionality requirement for non-repudiation
with proof of origin.
• 3. Do you have a requirement for proving that a specific message
was received?
• Specific message means that the identity of the subject to
which the message was delivered, the host computer and/or mail
agent/server, time and date, and contents are all uniquely and
unalterably identified.
• If yes, then you have a functionality requirement for non-repudiation
with proof of delivery.
Denial of Service
• 1. Do you have a requirement to assure the availability of
communications service or to determine when a Denial of Service
(DOS) condition exists? A DOS condition is defined to exist whenever
throughput falls below a pre~stablished threshold, or when access
to a remote entity is unavailable, or when resources are not available
to users on an equitable basis. For a DOS condition to occur,
the user must have priority to access the system or resources.
If no, skip to Data Confidentiality.
• 2. Do you have a requirement to detect conditions that would
degrade service below a pre-selected minimum and to report such
degradation to the network operators?
• If yes, you have a requirement for at least minimum denial
of service functionality.
• 3. Could failure of the system to operate for several minutes
lead to personal injury or large financial loss?
• If yes, you have a requirement for at least fair denial of
service functionality.
• 4. Do you have a requirement for service resiliency that would
continue-perhaps in a degraded or prioritized mode-in the event
of equipment failure and/or unauthorized actions?
• If yes, you have a requirement for at least fair denial of
service functionality.
• 5. Could failure of your system to operate for several minutes
lead to loss of life?
• If yes, you have a requirement for good denial of service
functionality.
• 6. Do you have a requirement for automatic adaptation upon
detection of a denial~fservice condition?
• If yes, you have a requirement for good denial of service
functionality.
Protocol Based DOS Protection
• 1. Do you want advanced knowledge of unavailability of service?
• If no, skip to Network Management.
• If yes, do you want to implement alternatives?
If yes, you should employ this alternative basis and skip to Network
Management.
• 2. In general, ordinary protocol mechanisms don't provide
protection against malicious attacks or bizarre errors. Do you
have a requirement to detect a DOS condition which cannot be met
by the protocols used as part of normal communications?
• If no, you do not have a functional requirement for protocol-based
DOS protection and should skip to Network Management.
• 3. The TNI suggests the following protocol-based mechanisms:
• a. Measure the transmission rate between peer entities under
conditions of input queuing, and compare the measured transmission
rate with a rate previously identified as the minimum acceptable;
• b. Employ a request-response polling mechanism, such as "are-you-there"
and "here-I-am" messages, to verify that an open path
exists between peer entities.
If you have identified any additional mechanisms, include them
in your list of required mechanisms.
Network Management
• 1. Do you have a requirement for (at least) detecting a denial
of service condition that affects more than a single instance
of communication or attempted communication?
• If no, skip to Data Confidentiality.
• If yes, you have a functional requirement for network management
denial of service protection.
Data Confidentiality
• 1. Do you have a requirement to protect any part of transmitted
data from disclosure to unauthorized persons? If no, skip to
Traffic Flow Confidentiality.
• 2. Is your requirement for confidentiality limited to selected
field of user~ata within a PDU?
• If no, then you require confidentiality for the entire data
portion of each PDU.
• Continue with Traffic Flow Confidentiality.
• 3. Is there a reason to encrypt only selected fields (e.g.,
cost savings, legal requirements)?
• If yes, you require selected field confidentiality. If no,
you require full confidentiality on the data portion of each PDU.
Traffic Flow Confidentiality
• 1. Do you have a requirement to prevent analysis of message
length, frequency, ad protocol components (such as addresses)
to prevent information disclosure through inference (traffic analysis)?
• If no, skip to Selective Routing.
• If yes, you have a functional requirement for traffic flow
confidentiality.
Selective Routing
• 1. Do you have a requirement to choose or avoid specific networks,
links, relays, or other devices for any reason at any time?
• If yes, you have a functional requirement for selective routing.
6 Interconnecting AIS
The definition of Interconnected Accredited AIS recognizes that
parts of a network may be independently created, managed, and
accredited. AIS in different security domains 13 generally operate
under different security policies, consequently, it is difficult
to combine them into a Unified Network. For example, AIS operated
by the U.S. DOD and NATO cannot be combined into a Unified Network,
since they enforce different policies and do not have a common
authority.
Interconnecting systems that support different security domains
(e.g., classified, sensitive unclassified) adds additional complexity.
Exchange of information among these different security domains
requires identification of the markings and protection given to
information when transmitted to another domain. For example,
several evolving approaches to the protection of sensitive unclassified
information [17] consider "that sensitive information is
not part of the same hierarchy as classified information".
There are technical criteria for judging the trustworthiness of
Interconnected Accredited AIS: an Interconnection Rule, which
ensures that information conveyed between subsystems is labeled
properly, and risk factors such as propagation of local risk and
the cascading problem. These criteria are examined in some detail
below.
6.1 Agreement Between Accreditors
Interconnection of AIS between security domains requires a documented
agreement identifying the interconnection requirements and all
safeguards. This agreement will have many similarities to the
MOA discussed in Section 3.2. It will probably have to reconcile
different security policies and philosophies of protection, identifying
the conditions under which specified classes of information can
be exchanged among domains. In addition to the information included
in> the MOA, this agreement between managers of different security
domains should address the mappings of policy and countermeasures
between the domains. In many ways this agreement takes on the
character of an NSAD for the agreed upon information exchange
between domains.
________________________
13 A security domain is a collection of A[$ under the control
of a single administrator that en-forces or operates under a specified
policy. There can be sub-domains, (e.g., Army and Air Force are
sub-domains under the Department of Defense.)
6.1.1 Accreditation Range
An accreditation designates a system's mode of operation and range
of data sensitivity' levels. The accreditation range reflects
the Accreditor's judgment on the subsystem's ability to exchange
information within an acceptable level of risk, with respect to
its network connections, and in accord with the designated sensitivity
levels.
The range must be a single level in the case of a system high
or dedicated device14.
If the accreditation range comprises more than a single level,
the system is trusted to reliably segregate data by level within
its accreditation range, and label it accurately for transmission
over multilevel interfaces. The accreditation range will be specified
in the MOA. The accreditation range is used in determining whether
communication between systems is permitted.
• Figure 1
• Information Levels and Accreditation Ranges
TS
S-C
S
C
C2 Evaluation Class
B3
S Accreditation Range
TS-C
SH Operating Mode
MLS
As shown in Figure 1, an AIS may contain information at levels
that are below its accreditation range. For example, a C2 host
which contsuns Secret (S) and Confidential information,
is not trusted to segregate this confidential and Secret information.
Therefore, it is accredited to operate in system high (SH) mode
at Secret (the highest sensitivity level of information on the
system), and its accreditation range is the single level Secret.
All exported information must be labeled with the system high
sensitivity label until there is a manual review to assign the
information a lower 14 Often in the discussion it is not appropriate
to distinguish between a component and a sub-system; in that case
we use the term device.
classification level. In contrast, a B3 multilevel secure (MLS)
host, which contains Top Secret (TS), Secret, and Confidential
information could be assigned an accreditation range equal to
the entire set of levels processed. In this case, the label of
the exported data is equal to the actual level of the exported
data, unless unclassified data is to be exported.
Figure 2 illustrates the accreditation ranges of two interconnected
subsystems.
Although Subsystem Y is able to separate its three levels of information,
it may exchange information with Subsystem X only at the S and
C levels.
• Figure 2
• Accreditation Ranges of Two Interconnected Sub systems
Subsystem X Subsystem
Y
TS
S ------------------------------- S
C ------------------------------- C
Class B1 Class B3
In a network, an accreditation range bounds the sensitivity levels
of information that may be sent (exported) to or received (imported)
from each interconnected subsystem15. For example, if a network
consists of only dedicated and system high subsystems, each subsystem
will be assigned single-valued accreditation ranges (i.e., an
accreditation range consisting of one sensitivity level).
When the same communications channel processes information at;different
levels, the data must be labeled through some protocol agreed
upon by the communicating systems.
______________
15 Note that information exported or imported to a subsystem having
a single-level accredita-tion range is implicillylabeled at that
level. It is also possible for a subsystem with a mul-tilevel
accreditation range to employ network interface devices with single-level
ports, in which case the data transferred over such ports is also
implicitly labeled.
DODD 5200.28 Enclosure (5) also addresses AI5 that have not been
accredited:
Untrusted, unaccredited AIS ... may be components of a network....
Only unclassified information, which does not include sensitive
unclassified information, may be sent to ad from untrvsted, unaccredited
AIS.
This trvst requirement is satisfied by restricting the accreditation
rage of the untrusted, unaccredited AIS to Unclassified (U).
6.1.2 Device Range
A network subsystem is typically connected to another subsystem
through some kind of 1/0 network interface or device (see Figures
3~) ad the same device may provide connection to multiple subsystems.
Although a 1/0 device is part of a subsystem, it may be designated
to process a more restricted set of sensitivity levels than the
accreditation rage of the subsystem as a whole. This leads to
the concept of a device range. Each 1/0 device in a subsystem
that is used to communicate with other subsystems in the network
must have a device rage. The device rage may be single level,
or it may be a set of levels (in which case the device is referred
to as multilevel), and it must be included within the subsystem
accreditation range. The TCSEC states that "systems that
have been evaluated at classes B2 ad above must support minimum
ad maximum security labels for all multilevel 1/0 devices".
The purpose of device labels is to document the constraints placed
on the security levels of information authorized for the devices.
Each physically attached multilevel system (if any) has a minimum
ad maximum sensitivity level associated with it. A B1 or higher
system interconnected to a second system must ensure that both
imported and exported information is contained within appropriate
sensitivity levels.
6.1.3 Information Transfer Restrictions
The following points summarize the discussion on the restrictions
imposed on information transfer between interconnected devices.
Information exported or imported using a single-level device is
labeled implicitly by the security level of the device. As shown
in Figure 3, any information transferred between the single-level
(S) devices on Subsystems X and Y is implicitly labeled S.
• Figure 3
• Implicit Labeling
Subsystem X Subsystem Y
Information exported from one multilevel device and imported at
another multilevel device must be labeled through an agreed-upon
protocol, unless it is labeled implicitly by using a communications
link that always carries a single level. For instance, in Figure
4, Secret and Confidential information may be transferred between
the multilevel devices.
• Figure 4
• Protocol Labeling
Subsystem X Subsystem Y
• Figure5
• Compatibility Labeling
Subsystem X Subsystem Y
Information exported at a given security level can be sent only
to a importing device whose device rage contains that level or
a higher level. In Figure 5, Subsystem X is allowed to export
only Secret information to Subsystem Y's multilevel device. Subsystem
Y is allowed to export Secret ad Confidential information to Subsystem
X, because the device rage Subsystem X is TS-S. If the importing
device rage dominates the exported level, the information is implicitly
or explicitly relabeled upon receipt at a higher level within
the importing device range.
• Figure 6
• Relabeling
Subsystem X Subsystem Y
In Figure 6, Subsystem Y relabels information imported from Subsystem
X. The information transfer restrictions also permit one-way communication
(i.e., no acknowledgments) from one device to aother whose rages
have no level in common, as long as each level in the sending
device rage is dominated by some level in the receiving device
rage. It is never permitted to send information at a given level
to a device whose rage does not contain a dominating level.
In most interconnected subsystems, the bidirectional flow of information
is permitted. In this environment, the sensitivity level of any
transmitted message must be within the accreditation range of
both the sending and receiving systems. In some networks, an
additional restriction on information flow may be unidirectional
communications. This restriction may enhance security. The following
discussions refer to Figure 7.
• Figure 7
• Bidirectional and Unidirectional Information Flow
Subsystem X
Subsystem Y
TS (C or U)
C
U
SH (TS) Subsystem Z
MLS (C-U)
TS
S
C
MLS (TS-C)
The system high mode is usually assigned to AIS that are unevaluated
or are NCSC~valuated in class C. These AIS do not employ explicit
labels because they cannot be trusted to differentiate between
sensitivity levels. All information within these AIS is implicitly
labeled. When exported on a single level channel, by default the
information is labeled implicitly by the level of the channel.
Human-readable output must be labeled at the system high level;
it may be manually downgraded by an authorized reviewer.
Explicit labels are required on a multilevel channel. In order
to export explicit labels, Subsystem X would normally be expected
to be NCSC-evaluated at BI or above, or employ an 1/0 device,
such as those shown in Figure 6, NCSC~valuated at BI or above.
Also, Subsystem X or the 1/0 device should be used as specified
in Section 4 of this guideline. Lacking such NCSC~valuation, the
MOA between the Accreditors would have to specifically address
these labels.
Subsystem X can import a message from Subsystem Y, but cannot
acknowledge receipt of that message, because an exported acknowledgment
(labeled TS) cannot be imported by Subsystem Y, which can only
receive C or U information. Transmitting an acknowledgment from
Subsystem X to Subsystem Y would constitute a write-down (i.e.,
writing information at a lower sensitivity level-generally a security
violation.)
Subsystems Y and Z can exchange information at C since this level
is in the accreditation range of each subsystem. When only unidirectional
communication (no acknowledgment) is utilized between two subsystems,
write up is permitted if each sensitivity level in the source
subsystem is dominated by a sensitivity level in the destination
subsystem. The receiving subsystem must change the sensitivity
level of the message when the message is received. For instance,
U information sent from Subsystem Y will be labeled C by Subsystem
Z.
6.2 Interconnection Rule
The Interconnection Rule states that each device in the network
must be separately accredited to operate in an approved security
mode of operation and with a specific accreditation range. The
device is accredited to participate in the network at those levels
and only those levels. This means that information exported at
a given sensitivity level can be sent only to an importing device
whose accreditation range contains that level or a higher level.
Information is relabeled, implicitly or explicitly, upon reception
at a higher level within the importing device accreditation range
only if the original level is not in that range.
According to the Interconnection Rule, a multilevel network may
contain devices with different operating modes: dedicated, system
high, partitioned, and multilevel. Also the devices may differ
in the sensitivity levels and categories which they process, and
the formal access approvals of their users (some users may not
have access to all information).
Figure 7 illustrates the flexibility of the Interconnection Rule.
For example, the interconnection Rule will allow, with certain
restrictions, a multilevel subsystem to communicate with a single-level
subsystem and with another multilevel subsystem (and
the two MLS subsystems may have different accreditation ranges).
It also allows for one-way communication to a higher-level system.
It is intended to be a non-restricting rule and yet ensure that
each system receives only information that it can properly mark
and handle. Interconnection in the context of the Interconnection
Rule means only direct connections, that is, without any intermediate
accredited subsystem.
The Interconnection Rule alone does not guarantee that classified
information will not be exposed to greater risks in a network
than in a stand-alone environment. One problem in networks that
is dealt with at some length below is the cascading problem.
• Figure 8
• A Complex Interconnection
Subsystem X Subsystem Y
6.2.1 A Complex Example
The Interconnection Rule and device range allow for some rather
challenging situations. Consider, for example, the connection
depicted in Figure 8. The system on the left processes TS information
of two types: categories A and P (where P is the union of categories
C and D, P = C U D). The system on the right processes the categories
C and Q (where Q is the union of categories A and B, Q = A U B).
The two devices have no sensitivity levels in common. Yet this
is a legitimate connection as long as only TS ,A and TS ,C information
is transferred. Any information sent must be relabeled upon receipt.
Information in category A is relabeled Q when received on the
right, ad information in category C is relabeled P when received
on the left 6.3 Risk Factors
There are two global considerations that affect the interconnection
of systems.
The first is called propagation of local risk and the second is
the cascading problem. Before discussing these considerations,
the concepts of subsystem connection view and global network view
need to be introduced.
As discussed in the previous section, any subsystem that is connected
to other subsystems must enforce the Interconnection Rule. Using
the subsystem connection
view, each subsystem responsible for maintaining the separation
of multiple levels of information must decide locally whether
or not information can be sent or received. This view, then,
does not require a subsystem to know the accreditation ranges
of all other subsystems on the network; only of those with which
it can communicate without an intermediary.
The Interconnection Rule applies to communication between any
two (or more) accredited systems. However, even when the Interconnection
Rule is followed, there may be other potential security problems
that will require the implementation of additional constraints
on the network. In order to address these problems, it is necessary
to adopt a global view of the network. This view requires a knowledge
of the accreditation ranges of all the subsystems in the network.
That is, it is no longer determinable locally whether or not a
constraint is being satisfied. These accreditation ranges are
taken into account when determining whether or not a subsystem
should be allowed to connect to the network. In this way, the
potential damage that can occur when information is compromised
or modified can be limited to an acceptable level.
Two global concerns are discussed below. One concern is the propagation
of local risk; the other is the cascading problem.
6.3.1 Propagation of Local Risk
The term Propagation of Local Risk comes from the notion of jeopardizing
the security of a system as a result of weaknesses in other systems
to which it may be connected. Table 3 in Section 4 recommends
minimum classes of trusted systems for specific environments.
Unfortunately, in many cases, operational needs have led to the
accreditation of systems for multilevel operation that would not
meet the requirements of the recommended class. While this increased
risk may be accepted by the Accreditor of a particular system,
connection of such a system to a network exposes users of all
other subsystems in the network to the additional risk. Consequently,
when an unevaluated system, or one that does not meet the class
recommended for its accreditation, is proposed for connection
to a network, constraints should be considered, such as one-way
connections, manual review of transmissions, cryptographic
isolation, or other measures to limit the risk it introduces.
In the special case of a common user network such as DDN, it may
be necessary to provide communications capabilities among systems
that do not conform to the security requirements established by
the network Accreditor (i.e., a system meeting no security requirements
may be connected to a network.) One common way to provide network
service to these non~onforming systems while still protecting
the other, conforming, systems would be to segregate the non-conforming
systems into closed communities that could not directly communicate
with conforming systems. This approach is discussed in detail
in the Defense Data Network Security Architecture [18].
6.3.2 The Cascading Problem
One of the problems that the Interconnection Rule does not address
is the cascading problem, discussed in Appendix C of the INI.
The cascading problem exists when an attacker can take advantage
of network connections to reduce the nominal system resistance
against leaking information across a range of sensitivity levels.
Most multilevel systems, evaluated or not, are vulnerable to some
risk that information can be leaked from a higher to a lower level
supported on the system. The accreditation range of a subsystem
represents a judgment that the risk is acceptable for that range
of classifications. The size of the range is one indication of
the attractiveness of the system as a target, so larger ranges
call for more care in system design and management. In particular,
Section 4 of this guideline discusses computation of a risk index
calculation based on the accreditation range, and recommends a
minimum evaluation class for a given risk index.
The cascading problem results from the observation that subsystems
may be connected in such a way that the network covers a larger
sensitivity level range than the individual systems are accredited
to handle. Depending on the actual topology of the interconnection
and the characteristics of the installations, the arnount of effort
required for an attacker to take advantage of residual vnlnerabilities
may be less than what is required for the network sensitivity
range.
To see how this is possible, consider two systems, each of which
is accredited to handle two adjacent classifications of information,
as shown in Figure 9. Subsystem A processes Secret and Top Secret
information, and all users are cleared to at least the Secret
level. Subsystem B processes Confidential and Secret information,
and all users are cleared to at least the Confidential level.
The network as a whole has three levels of information. However,
the leakage resistance of the network is only that offered by
two systems qualified for only two levels. To make Top Secret
information available to Confidential users, an attacker might
attempt to:
• 1. Install a Trojan horse in Subsystem A to leak some Top
Secret information to Secret
• 2. Send that information across the network link to Subsystem
B
• 3. Install a Trojan horse in Subsystem B to leak the original
Top Secret information, now labeled Secret, to Confidential.
The path from Top Secret in Subsystem A to Confidential in Subsystem
B is referred to as a cascading path, with three steps. Step 1
is from TS to S in Subsystem A, Step 2 is the network link, and
Step 3 is from S to C in Subsystem B. Steps (1) and (3), the downgrading
steps, offer resistance commensurate with strictly smaller ranges.
Step (2), the network link, offers no additional resistance,
given that the two Trojan horses have been written and installed.
• Figure 9
• Cascading Problem
Subsystem A
TS Subsystem
B
S S
C
The question is, whether subverting two systems qualified for
two levels of information is as hard as defeating one system qualified
for three levels of information. In some cases it might be.
Lee [19] gives an argument that if two systems have probabilistically
independent flaw sources, "...the resistance to threat of
a cascade of two B2 systems is approximately the same as, or even
better than, that of a B3 system."
But Lee also remarks that demonstrating effective independence
of flaw sources m a practical case is not easy, and that two systems
may have the same or equivalent flaws, particularly if their TCBs
are the same, or are separate implementations of a single flawed
design. Exploitation of the flaws on two or more systems does
present additional resistance to the attacker, but it should be
kept in mind that physical access to all interconnected systems
is not necessary to send untrusted software to them, as our experience
with viruses shows unmistakably.
6.3.2.1 Tests for Cascading.
For a relatively large and complex interconnection of systems,
it might not be obvious whether a cascading problem exists. Appendix
C of the TNI includes three approaches, with different degrees
of complexity and precision, for recognizing a potential cascading
problem. These range from a simple test that is rather pessimistic,
called the nesting condition, to a complex procedure. Appendix
A of this TNIEG reviews the nesting condition, and presents additional
information concerning tests for the cascading problem.
• Whichever test for cascading is employed, its result is to
focus attention on certain subsystems and their network connections
that might potentially be subject to a cascading threat. The
next step is to determine whether the systems involved are actually
vulnerable to the multiple coordinated attack that is necessary
for cascading, ad, if so, to consider countermeasures.
6.3.2.2 Solutions.
• There are several ways to tackle a cascading problem. Since
cascading depends on cooperative action by malicious software
on the participating subsystems, one approach is to institute
configuration controls to prevent installation of unscrvtinized
software, or perhaps isolating it from network usage.
• Another solution is to use a more trusted subsystem at appropriate
nodes in the network, so that an attacker will be forced to overcome
a protection mechanism commensurate with the seriousness of the
potential compromise. In Figure 9, for example, if either subsystem
A or subsystem B is NCSC-evaluated at class B3, which is sufficient
according to Table 3 in Section 4 of this guideline for a rangd
of Top Secret to Confidential, then the attacker is presented
with an acceptable level of difficulty.
A cascading threat can also be interdicted by eliminating certain
network connections, to break paths by which an attacker could
compromise information with insufficient resistance. This solution
is practical only when the links to be eliminated are not needed
for operational reasons. Sometimes end-to-end encryption can be
used to address a cascading threat while preserving necessary
connectivity, by reducing the level of information available to
intermediate systems on a communication path.
APPENDIX A
Tests for the Cascading Problem
The cascading problem was discussed in Section 6. This appendix
reviews the approaches presented in Appendix C of the TNI for
testing whether a cascading problem exists in an interconnection
of accredited subsystems. Three criteria are given there: the
nesting condition, the cascade condition, and a heuristic procedure.
The nesting condition is a simple but pessimistic test that can,
in some cases, dismiss the possibility of a cascading problem.
When it fails, there is not necessarily a cascading problem; other,
more accurate, tests should then be applied to confirm and locate
it. This appendix first summarizes the nesting condition, and
then discusses other approaches briefly. A forthcoming report
will provide further guidance on computational approaches
for the cascading problem.
A.l Nesting Condition
The nesting condition is evaluated solely on the basis of the
accreditation ranges of the subsystems. In the form given both
here and in the TNI, it is applicable only when all sensitivity
levels are totally ordered - that is, if they can be placed in
order such that each one is higher than the one before it. This
is true, in particular, if they are pure classifications, with
no categories or compartments.
The nesting condition is satisfied, by definition, if the accreditation
ranges of each pair of subsystems are either disjoint or nested.
A pair of accreditation ranges is disjoint if they have no levels
in common. They are nested if one range is included (as a subset)
in the other. All possible pairs (not just those of adjacent subsystems)
must be considered, but some pairs may be nested while others
are disjoint.
If the nesting condition is satisfied, there is no cascading problem.
Because the nesting condition does not take into account which
network subsystems are actually connected to one another, it can
sometimes give a pessimistic result, i.e., there are cases when
the nesting condition fails, but there is actually no cascading
problem.
• Figure A-I
• Accreditation Ranges of Two Interconnected Sub systems
Subsystem Y
Class B1
Example 1: Consider the situation illustrated in Figure A-I.
The accreditation range of Subsystem X is nested within that of
Subsystem Y (i.e., C-S is completely contained within C-TS). Therefore,
the nesting condition is satisfied, and there is no cascading
problem.
• Figure A-2
• Cascading Problem
Subsystem A
TS Subsystem
B
S S
C
Example 2: Consider the situation illustrated in Figure A-2. The
accreditation ranges of Subsystem A and Subsystem B are not disjoint;
neither is one completely contained within the other. Therefore,
the nesting condition fails, ad a cascading problem is possible.
Note, however, that the nesting condition would still fail even
if the two subsystems were not connected to one another, yet in
that case there would be no cascading problem.
The situation is more complex when sensitivity levels are drawn
from a partially ordered set, so that the accreditation ranges
of some subsystems have sensitivity levels that are incomparable.
Two sensitivity levels are incomparable when neither is greater
than or equal to the other. Sensitivity levels with category
sets are, in general, incomparable. An extended form of the nesting
condition has been devised that applies to partially ordered sensitivity
level sets . [20] A.2 Other Approaches Appendix C of the TNI
contains two other criteria for the cascading problem: the cascade
condition, which is a mathematical characterization of the problem,
and a heuristic procedure. These criteria have been superseded
by improved methods since the publication of the TNI. The new
approach is described in a separate report, in order to give adequate
scope to the presentation of background and context necessary
to apply it appropriately.
The need for a new approach arose from a recognition of the limitations
of the existing criteria. The cascade condition is accurate but
it is not, in itself, a computational procedure. It is limited
by its assumption that all of the interconnected subsystems have
been given evaluation classes. The heuristic procedure is believed
to provide a conservative approximate test for cascading, but
only when applied to interconnections in which all communication
paths are two-way, i.e., capable of both sending and receiving.
A simpler procedure is now available.
APPENDIX B
Background References
Neither the TNI nor this TNIEG contain tutorial information on
security and networking; it is assumed that the reader will have
some background in both areas. There is considerable literature
available. Following are some references that provide background
and related information concerning security in networks:
• 1 M. D. Abrams and H. J. Podell, Computer and Network Security,
a Tutorial, IEEE Computer Society Press 1987.
• 2 D. W. Davies and W. L. Price, Security for Computer Networks,
John Wiley & Sons 1984.
• 3 D. E. Denning, Cryptography and Data Security, Addison-Wesley
1983.
• 4 M. Gasser, Building a Secure Computer System, Van Nostrand
Reinhold Company 1988.
• 5 International Standards Organization, Information Processing
Systems - Open System Interconnection - Basic Reference Model,
15 October 1984. International Standard 7498.
• Part 2: Security Architecture, February 1989.1507498-2-1988(E).
• 6 Charles P. Pfleeger, Security in Computing, Prentice-Hall
1989.
• 7 Andrew S. Tanenbaurn, Computer Networks, Second Edition,
Prentice-Hall 1988.
APPENDIX C
Encryption
May networks today use or plan to use encryption as a fundamental
mechanism for providing security services. The encryption devices
provide a security perimeter at the protocol layer at which they
provide service (typically the Network or Transport Layer). This
section presents some information on how an encryption system
can be part of the NSAD. It discusses MAC and DAC, use of encryption
to reduce the number of AIS, and the risk index of the encryption
system.
C.1 Use of Encryption
As indicated in the TNI, an encryption mechanism is evaluated
differently than other mechanisms. Evaluating encryption mechanisms
has a long history predating the TNI. Evaluation of an encryption
mechanism is part of COMSEC. Generally, encryption mechanisms
receive a rating of the highest level of classified information
which may be protected using that mechanism. Therefore, the only
rating applicable to an encryption mechanism is the classification
level of the information that is to be protected. This classification
level also establishes the requirement.
In general, organizations using the TNI and this document select
their encryption mechanisms from a list provided by an organization
which is responsible for evaluating such mechanisms. In many cases,
that organization is the NSA.
A more complicated situation exists when encryption is employed
above the Link Protocol Layer, layer 2. At layers 3 and 4 the
protocols are concerned with the end systems or intermediate devices
(e.g., hosts, network switches) that the links connect. Higher
layers are concerned with other peer entities. Traditionally,
encryption applied above layer 2 has been termed end-to-end encryption,
or E3.
An E3 system may be provided as (part of) an NTCB. When the E3
system is integral to the NTCB, the use of the E3 system requires
evaluation under the TCSEC with interpretations in the TNI. The
evaluation must consider (1) the accreditation rage of the user
interface, (2) the risk index for the bypass in the E3 device,
and (3) the risk index between the highest sensitivity data ad
the lowest clearance of user on the network.
Depending on the design, devices of an E3system may satisfy all
requirements for a system evaluated under PartI of the TNI. MAC
may be provided either explicitly or implicitly. Explicit MAC
is provided if the packets sent by the encryption device include
a security label. Implicit MAC is provided if the security level
must be inferred from the encryption key used to protect the data.
All data protected by that key must be classified at a single
security level.
DAC is often provided in an E3 system as well. Typically, keys
for exchanging data are provided to the E3 devices only after
DAC has been applied. The encryption devices can provide identification
ad authentication. While identification is generally done explicitly
(by transmitting an identifier), authentication can be done implicitly
(i.e., by the use of a unique key). The encryption devices may
perform certain types of auditing as well. Typically, a device
collects information and forwards it to another device for storage.
Information collected may include: connections established, connections
refused, packets with inappropriate labels, ad misrouted packets.
The granularity provided by these E3 mechanisms is determined
by the protocol layer at which the service is offered.
• Figure C-1
• Typical Interconnected AIS
AIS 1 AIS 2 AIS 3 AIS 4 AIS 5 AIS 6
AIS 7
In a typical network there will be a number of AIS. For example,
two hosts are often attached to separate local networks connected
by a wide area network (WAN). As shown in Figure C-1, the path
between the hosts (without E3) may involve 7 separate interconnected
AIS.
TNI Environments Guideline
Encryption
E3 can help reduce the number of AIS. By placing E3 devices between
each host and the LAN to which it is connected ad incorporating
suitable key distribution components, the LANs and WAN collapse
into a single network system and the path now traverses only three
AIS, as shown in Figure C-2. AIS 2 provides security services
to the hosts, therefore, it may be part of the NTCB.
• Figure C-2
• Using End-to-End Encryption to Reduce Number of AIS
AIS1 AIS 2
AIS 3
There may be a hierarchy of trusted system views. For example,
E3 may be provided at protocol layers 3,4, and 7. Depending on
the architecture, the layers of E3 could constitute a single NTCB
or each could be a separate NTCB. In the latter case, the devices
supporting different layers would be part of different AIS and
the interconnection rules would be applied between higher and
lower protocol layers.
In general, an AIS at a higher protocol layer encompasses more
devices than one at a lower protocol layer. The granularity of
services offered is also finer at the higher protocol layer.
In a situation where the higher protocol layer encryption system
also has a higher evaluation class, the lower protocol layers
might be considered less trusted just as current E3 designs treat
the subnetwork as untrusted. Continuing the analogy, just as certain
physical security requirements are imposed on the untrusted suLbnetwork,
the higher protocol layer encryption might rely on characteristics
of the lower protocol layers.
However, one may be faced with a dilemma that the higherprotocollayer
E3 system has a lower security evaluation than the lower-protocol-layer
trusted system.
For example, a WAN with E3 at layer 3 might be evaluated Al. The
system might also provide E3 at layer 4, but an NTCB that includes
layer 4 might. only be rated B2. In this case, treating the subsystems
constituting the separate layers as separate AIS and using the
Interconnection Rule to accredit the network as a whole could
prove advantageous, as illustrated in Figure C-3.
• Figure C-3
• Separate Layers Treated as Separate AIS
B2 B2
(N-C) (N-C)
0SI Layer 3 Network
B2 B2
(S-TS) (S-TS)
C.2 Encryption Mechanisms
In a trvsted AIS, the recommended evaluation class is determined
using a risk index based on the highest data classification and
the lowest user clearance. In considering an E3 subsystem in a
network, three separate indexes must be considered [21]:
• 1. The subscriber's range of sensitivity levels. The cleartext
side of the encryption subsystem must be sufficiently trusted
to maintain separation among the cleartext data streams sent and
received by the subscriber attached to the encryption subsystem.
A risk index is based on the highest and lowest sensitivity levels
sent or received by the subscriber through this encryption subsystem.
2. The bypass. In an E3 system, protocol control information must
be sent around the encryption unit through a bypass. The software
and hardware to mimplement the bypass must be trusted not to send
user data through the bypass. A risk index can be computed based
on the difference between the sensitivity level of the cleartext
information and the sensitivity level of the untrusted subsystems
of the network.
• 3. The range of sensitivity levels across the network. This
risk index is concerned with the difference between the highest
level of information on any host attached to the network and the
lowest clearance of a user that could potentially get access to
that information. Depending on the characteristics of the network,
this risk index could be larger than either
• 1. or 2. above. The worst case scenario occurs when some users
have lower clearances than the level at which the network backbone
is physically protected. For example, there are currently plans
to allow some uncleared users on the DISNET segment of the DDN
[22] which will be physically protected at the Secret level. In
that case, the risk index for the bypass works the opposite of
the normal case: the ciphertext side will be the higher of the
two ratings.
• The subsystem which performs access control and key distribution
must
also be concerned with this risk range since improper key distribution
could lead to compromise across the entire network. An erroneous
distribution could potentially permit the lowest cleared user
to access the highest classification of information.
LIST OF REFERENCES
• 1. Department of Defense Computer Security Center, Computer
Security Requirements - Guidance for Applying the Department
of Defense Trusted Computer System Evaluation Criteria in Specific
Environments, 25 June 1985. CSC-STD~03-85
• 2. Department of Defense, Department of Defense Trusted Computer
System Evaluation Criteria, 15 August 1983. Department of Defense
5200.28-STD
• 3. National Computer Security Center, Trusted Network Interpretation
of the Trusted Computer System Evaluation Criteria, Version 1,
July 1987. NCSC-TG-
• 005
• 4. Department of Defense, Security Requirements for Automative
Data Processing (ADP) Systems, March 1988. Department of Defense
Directive 5200.28
• 5. National Computer Security Center, Trusted Product Evaluation,
A Guide for Vendors, draft 1 March 1988 (or most recent edition).
NCSCTG~02, Version-
• 6. National Security Agency, Information Security Products
and Services Catalogue, (quarterly updates).
• 7. National Institute of Standards and Technology, United
States Department of Commerce, Guideline for Computer Security
Certification and Accreditation, 27
• September 1983. FIPS PUB 102
• 8. V. A. Ashby, Thomas Gregg, and Annabelle Lee, "Security
Approach for Rapid Prototyping in Multilevel Secure Systems,"
Fifth Annual Computer Security Applications Conference, December
1989.
• 9. International Standards Organization, Information processing
systems - Open Systems Interconnection - Basic Reference
Model, 15 October 1984.
• International Standard 7498
• 10. Defense Intelligence Agency, Security Manual for the Uniform
Protection of Intelligence Processed in Automated Information
Systems and Networks (U), Supplement to Director of Central Intelligence
Directive (DCID) 1/16 (U), SECRET, 19 July 1988.
• 11. National Institute of Standards and Technology, United
States Department of Commerce, Guideline for Automatic Data Processing
Risk Analysis, August
• 1979. FIPS PUB 65
• 12. T. E. Bell, "Managing Murphy's Law: Engineering a
Minimum-Risk System," IEEE Specrtum, pp. 2i27, June 1989.
• 13. National Computer Security Center, Proceedings of the
1988 Computer Security Risk Management Model Builders Workshop,
Fort Meade, MD, May 1988.
• 14. Sammy Migues, "A Guide to Effective Risk Management,"
Third Aerospace Computer Security Conference Proceedings, December
1987.
• 15. Carl E. Laudwehr and H.O. Lubbes, An Approach to Determining
Computer Security Requirements for Navy Systems, 13 May 1987.
• 16. International Standards Organization, Information Processing
Systems - Open Systems Interconnection - Basic Reference Model
- Part 2: Security Architecture, October 1988. International
Standard 7498-2-1988(E)
• 17. Ingrid M. Olson, Eugene F. Troy, Milan S. Kuchta, and
Brian W. McKenney, "Disclosure Protection of Sensitive Information,"
13th National Computer Security Conference Proceedings, 1A October
1990.
• 18. Robert W. Shirey, "Defense Data Network Security
Architecture," Computer Communication Review, April 1990.
• 19. T. M. P. Lee, "Statistical Models of Trvst: TCB's
vs. People," IEEE Symposium on Security and Privacy, 1989.
• 20. Jonathan K. Millen and Martin W. Schwartz, "The Cascading
Problem for Interconnected Networks," Fourth Aerospace Computer
Security Applications Conference Proceedings, December 1988.
• 21. R. W. Shirey and S.I. Schaen, "ARCHWAY Program Preliminary
Planning," MTR~7W00093~2, The MITRE Corporation, December
1987. Not currently in the public domain.
• 22. G. R. Mundy and R. W. Shirey, "Defense Data
Network Security Architecture," MILCOM `87 Proceedings,
21 October 1987.
ACRONYMS
ADP Automatic Data Processing
AIS Automated Information System
ASD Assistant Secretary of Defense
AUTODIN Automated Digital Network
BI Background Investigation
C Confidential
C&A Certification and Accreditation
COMPUSEC Computer Security
COMSEC Communications Security
COTS Commercial~ffThe-Shelf
CPU Central Processing Unit
CBS Central Security Service
CI Command, Control, Communications, and Intelligence
CSSI Computer Security Subsystem Interpretation
DAA Designated Approving Authority
DAC Discretionary Access Control
DCA Defense Communications Agency
DDN Defense Data Network
DIA Defense Intelligence Agency
DISNET Defense Integrated Secure Network
DOD Department of Defense
DODD Department of Defense Directive
DOS Denial of Service
E3 End-to~nd Encryption
ENQ Enquiry
EPL Evaluated Products List
FIPS PUB Federal Information Processing Standards Publication
GOSIP Government 05I Profile
I&A Identification and Authentication
INFO SEC Information Security
IPC Inter-Process Communication
150 International Standards Organization
1550 Information System Security Officer
JCS Joint Chiefs of Staff
LAN Local Area Network
MAC Mandatory Access Control
MLS Multilevel Secure
MOA Memorandum of Agreement
MOR Memorandum of Record
N Not Classified but Sensitive
NACS National Communications Security Instruction
NCSC National Computer Security Center
NDI Non-Development Item
NIU Network Interface Unit
NSA National Security Agency
NSAD Network Security Architecture and Design
NSAP Network Service Access Point
NTCB Network Trusted Computing Base
0SI Open System Interconnection
OT&E Operational Test and Evaluation
PDS Protected Distribution System
PDU Protocol Data Unit (a.k.a. packet, datagram)
POSIX Portable Operating System Interface for Computer Environments
RFP Request for Proposal
RI Risk Index
S SECRET
SBI Special Background Investigation
SCI Special Compartmented Information
SDNS Secure Data Network System
SH System High
SlOPESI Single Integrated Operational Plan-Extremely Sensitive
Information
ST&E Security Test and Evaluation
STS Single Trusted System
TCB Trusted Computing Base
TCP/IP Transmission Control Protocol/Internet Protocol
TCSEC Trusted Computer System Evaluation Criteria $
TEMPEST (Not an acronym)
TNI Trusted Network Interpretation
TNIEG TNI Environments Guideline
TS TOP SECRET
TSAP Transport Service Access Point
WAN Wide Area Network
U.S. GOVERNMENT PRINTING OFFICE : 1990 O - 274-353 : QL 3
n