5 Information Assurance -- Securing the Naval Command and Information Infrastructure
Pages 175-218

The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.


From page 175...
... Backup plans should be developed for the most likely compromise scenarios, and warfighters should be trained in these procedures. This chapter briefly sketches the magnitude of the security problem in today's systems; discusses the defense-in-depth strategy of prevention, detection, and tolerance; then, describes and assesses what the Department of the Navy is doing today for information assurance; and finally, identifies needed research and discusses some promising research programs that may produce needed technology.
From page 176...
... DOD also depends on vulnerable commercial infrastructures such as telephone networks that, although highly reliable, were not designed to withstand information warfare attack. In addition, since the fleet's operational networks and the naval force business networks will of necessity be interconnected, the shore establishment will provide many attractive opportunities for penetration and disruption that can extend to the fleets and even their tactical networks, as well as their essential shore support.
From page 177...
... Individual elements attacked to gain access or produce an effect may include links, nodes, people, software, and hardware. Because of the numerous connections, both sanctioned and unsanctioned, with the public Internet that are likely to exist within the NCII, penetration of even a low-level network may permit a skilled information warfare attacker to gain access to far more critical systems.
From page 178...
... 5.3 VULNERABILITIES OF THE NAVAL COMMAND AND INFORMATION INFRASTRUCTURE
5.3.1 Use of Commercial Products
The NCII, including its protection functions, will be built largely from commercial software and hardware computing and networking components. These commercial products contain numerous security vulnerabilities, which, as they are discovered, are routinely posted to frequently accessed Web sites (e.g., bugtraq)
From page 179...
... This connectivity also exposes the NCII to viruses and other information warfare weapons in data and code that enter the NCII. Also, NCII users might download arbitrary code, which could be infected with viruses or worms that could spread and cause damage within the NCII.
From page 180...
... In addition, because tactical networks may be within reach of enemy forces, end instruments are subject to terminal capture. Enemy capture of a network node means that the enemy is inside a naval network.
From page 181...
... And third, unanticipated interactions between the interconnected networks may result in the failure of critical functions; these interactions can be particularly difficult to diagnose and correct.
5.4 DEFENSE IN DEPTH
Experience has shown that many successful attacks on DOD systems are not detected.
From page 182...
... In fact, the situation is asymmetric, because a determined adversary can decide which part of the system it wants to manipulate or exploit, purchase the commercial products that are used in that part of the system, and spend many months reconstructing these products to discover vulnerabilities that can be profitably and surreptitiously exploited. While such an approach is clearly affordable by an adversary, it is not affordable as a defense, since the defender would have to perform a costly analysis for every system component, whereas the adversary can pick and choose its focus of attack.
From page 183...
... Thus, all components must be treated as vulnerable, and the systems that use these components must be designed bearing in mind that there may be security vulnerabilities in any system component. Even when security functionality is designed into commercial products and services, this security is generally weaker than that required for naval needs.
From page 184...
... Because every system component, including the protection components, must be assumed to contain unknown, exploitable security vulnerabilities, a layered defense strategy must be employed. The idea here is that protections are employed to counter known and unknown security vulnerabilities in the system.
From page 185...
... as well as from evaluations performed by other organizations. For example, the National Institute of Standards and Technology has established common criteria for products as well as a common evaluation methodology, and product evaluation information is available for some products.3 DARPA's Information Assurance Science and Engineering Tools program4 is attempting to develop assurance metrics and evaluation tools for systems.
From page 186...
... But red teaming is not a good way of discovering vulnerabilities. First of all, most red teams use only known, published attacks that exploit known vulnerabilities.
From page 187...
... The committee strongly advocates security red teaming of both designs and implementations before new systems are put into use. Red teaming should not be thought of as a security panacea or as the primary way of achieving system security.
From page 188...
... Yet this same evaluation also showed that false alarm rates are still too high, especially when multiplied across a very large system, as would be the case in network-centric operations. The evaluation also showed that detection rates and the number of attack types detected must still be increased significantly.
From page 189...
..., Center for Education and Research in Information Assurance and Security (CERIAS), Purdue University, West Lafayette, Ind., forthcoming.
From page 190...
... It suggests near-term actions the Navy Department can take to begin to improve its information assurance position. Like the DOD in general as well as the country at large, within the Department of the Navy available security technologies are not being used widely enough.9 Even when these are installed, adequate procedures are needed to maintain correct and secure configurations.
From page 191...
... ; virus detection; some authentication in routing, switching, and domain name service; and mail guards. Security architectures are being developed to use these protections in a layered defense strategy.
From page 192...
... The N/MCI will provide access to naval, joint, coalition, and public Internet sources of information and reliance on a multiplicity of databases and sources, most outside the direct control of the naval forces. Much of the system, including its protection mechanisms, will be implemented with commercial software and hardware products and services.
From page 193...
... Connectivity to external networks, including the open Internet, exposes the NCII to viruses and other information warfare weapons in data and code that enter the NCII. Also, NCII users may download arbitrary code, which may be infected with viruses or worms that can spread and cause damage within the NCII.
From page 194...
... Contrary to first impressions, the transition to network-centric operations will probably make traffic analysis more difficult. Current transmission security devices will likely be augmented with end-to-end encryption, which, like current network encryption system (NES)
From page 195...
... DARPA is tackling a wide range of issues with its Information Assurance program, but even so it is unlikely that tactical networks will be sufficiently well-protected in the near to mid term. This should be of significant concern to the Department of the Navy.
From page 196...
... Needless to say, radio LPI, LPD, and AJ features may also require their own encryption mechanisms. To summarize a complex issue, while it is true that type-1 encryption is needed for the data carried through tactical networks, commercial radios (without embedded cryptos)
From page 197...
... DARPA has created the Dynamic Coalitions program to develop technologies that could improve or replace commercial VPNs. This research will secure the underlying group communication technologies and provide services such as authentication and authorization that are needed for secure collaboration in a coalition environment.
From page 198...
... of the Trusted Computer System Evaluation Criteria, the so-called Orange Book.11 Some vendors built products to Class B1 (which includes labels but is not strong enough to separate classified information), and a very few vendors built operating systems for Classes B2 and B3, which can be used for protecting classified information where some users are not cleared for the highest levels of information in the system.
From page 199...
... (However, the use of commercial networks permits vulnerability to denial-of-service attacks and traffic analysis.) The idea of cryptographic separation can be extended into information repository systems.
From page 200...
... Responsibility for information assurance must be made a key priority and assigned at a high level within the Navy Department. This would ensure that NRL and other naval information assurance research receive adequate resources and that the new technologies will be implemented.
From page 201...
... In addition to the costs of the technology will be the costs of developing and enforcing essential policies and procedures, especially because there are currently no adequate technical solutions for many aspects of the information assurance problem. Ongoing programs for security awareness and training will also help to keep naval personnel vigilant about noticing and reporting suspicious behavior of their systems.
From page 202...
... In addition, the DARPA Information Assurance program has taken many of the DARPA Information Survivability technologies in prevention, detection and response, and security management for C4I information systems and has integrated them into a security architecture that, while integrating security and survivability concepts, techniques, and mechanisms, will also provide interfaces for future security upgrades. Access control technologies that have been integrated into the architecture include encryption of message traffic and firewalls.
From page 203...
... protocol
Network security services are not easily integrated into applications.
Cryptographic application programming interfaces
Simple public-key interface
Key management interfaces
Authentication added to routing
Encrypts IP packets
Adds authentication and authorization to DNS
Give programmers standard ways of adding security functionality to software
Network security services are not interoperable.
IPSec key agreement protocol
Multilayer security negotiation
From page 204...
... Group communications system supporting secure, real-time fault tolerance
A distributed authorization server and policy language
Propagation of access control information across enclave boundaries
Detects unknown attack types on networks
Allows attacks to be specified as a graph across a network, thus allowing detection of larger-scale attacks
Allows coordinated detection and automated response
Analyzes a system for indicators of an intrusion; explains to the system administrator what it found, what it probably means, and how to recover
Establishes standard interfaces for event generators (sensors) and analysis engines (detectors)
From page 205...
... Secure group and secure ring protocols: Group communication protocols that can prevent a malicious processor from disrupting the correct delivery of messages and from conducting successful denial-of-service attacks
StackGuard compiler: Reduces vulnerability to buffer overflow attacks; no source code changes required; executables are binary-compatible with existing operating systems and libraries
Generic security wrappers: Wrapper technology to augment legacy and commercial off-the-shelf components with security functionality; includes a wrapper specification language and a kernel-resident wrapper system; intercepts system calls to control privileged and nonprivileged programs; demonstrations include control of administrative privileges, access control, and encryption
Composable replaceable security modules: A tool to build security into systems by assembling security functions from a library of reusable, pluggable security modules, with standard functionality and interfaces
Vulnerability/resistance of a product or system requires evaluation.
Vulnerability assessment tool: White-box security evaluation tool locates vulnerable points in source code, using realistic attack models and taxonomies of known security flaws
From page 206...
... Research is also needed in mobile code security, extending the capabilities of virtual private networks, and dependability. There is, as well, a need to develop DOD-specific solutions for areas that industry is not addressing because there are no common commercial analogues, particularly in tactical networking.
From page 207...
... Both gather far more data than is necessary and omit data that may predict hostile activity. False alarms may also be reduced by adding a capability for peer-to-peer cooperation among local intrusion detectors, so that some limited assessment can be performed among a set of cooperating detectors covering a given region and events of only local concern can be suppressed from being reported to a central point.
From page 208...
... Figure 5.4 shows a network of intrusion detectors and reporting centers. The reporting centers are organized roughly into layers, with the local detectors reporting into organizational security centers, which in turn report into regional reporting centers, which report into DOD and National reporting centers.
From page 209...
... The Strategic Intrusion Assessment program aims to develop technologies capable of distinguishing significant patterns of events that cross geographic and administrative domains and that indicate a possible information warfare threat. It will develop a capability for peer-to-peer cooperation among detectors, including the ability for detectors to discover each other, negotiate requirements, and collaborate on diagnosis and response.
From page 210...
... 5.7.2 Intrusion Tolerance
Intrusion tolerance aims to ensure the continued correct operation of the surviving portion of a system even when it has been partially compromised. Component technologies include the ability to rapidly recognize corrupted data and programs, intrusion detection to recognize a local attack, techniques to constrain an attacker's resource consumption so as to minimize its opportunity to deny service, resource allocation methods to assign the most important tasks to the remaining resources, and methods to automatically repair damaged processes.
From page 211...
... The research will continue and build on research into artificial diversity techniques that were initially investigated in DARPA's Information Survivability program. It will also develop methods to enable member entities to detect and isolate corrupt entities.
From page 212...
... This should help ensure continued availability and provide a technical basis for graceful degradation of service under successful attack, as well as help maximize the residual capacity available to legitimate users.
14 This program within the Information Assurance and Survivability program suite focuses on three areas to be studied and evaluated: (1)
From page 213...
... The DARPA Information Survivability program has investigated the use of wrappers for security and survivability and has funded a collection of security wrapper projects that are developing tool kits that allow a developer to automatically generate security wrappers from a set of wrapper specifications.
From page 214...
... Mobile code could also be used to more easily deploy new security functionality, as well as to upgrade existing functionality. This will make it easier to evolve and maintain systems.
From page 215...
... 5.8 RECOMMENDATIONS
While a technical solution for the information assurance problem does not seem possible in the foreseeable future, the benefits to be gained from network-centric operations nonetheless make such operations imperative. A program of vigilance, testing, and continuing information assurance research will therefore be required.
From page 216...
... In addition, all naval personnel should be made aware of and trained in information assurance. Recommendation: In designing the NCII, the Department of the Navy should use a defense-in-depth strategy to address unknown vulnerabilities.
From page 217...
... Recommendation: The Secretary of the Navy, the CNO, and the CMC should assign responsibility for information assurance at a high enough level within the Navy and the Marine Corps, and with sufficient emphasis, to ensure that adequate and integrated attention is paid to all aspects of this problem in the design and operation of the NCII.
From page 218...
... Recommendation: The Department of the Navy should push for research to address its critical NCII information assurance needs. Because there is a large shortfall of current security technologies relative to naval needs, the Department of the Navy must be an advocate within the DOD for long-term research in several areas not being addressed by industry, including intrusion assessment, intrusion-tolerant systems, prevention of denial of service, approaches to retrofitting legacy systems with some security and reliability functionality, mobile code security, extending the capabilities of virtual private networks, and dependability.


This material may be derived from roughly machine-read images, and so is provided only to facilitate research.