Tech Trend Notes
Preview of Tomorrow's Information Technologies
Volume 9, Edition 4, Fall 2000

In this issue: High-Reflectance Dielectric Mirrors and Real Time Intrusion Detection (pages 3, 12 and 16); Focus - Page 22; Technology Forecasts - Page 28; Pointers - Page 32; Calendar of Events - Page 41
NetTop: Commercial Technology in High Assurance Applications
By Robert Meushaw and Donald Simard

Introduction

The decade of the nineties has been particularly challenging for the National Security Agency's Information Assurance mission. The gradual but accelerating changeover from government-produced technologies to commercial products and services has seriously eroded our ability to protect information processed by the national security community. Numerous government programs intended to produce high assurance data systems and workstation platforms have been largely unsuccessful, and the buying power of the government has not commanded the attention of the IT industry. The historical flow of technology from government to industrial and home users has largely been reversed. We often find technologies that are more sophisticated in our homes earlier than in our government workspaces. The shortcomings of our information assurance technologies are further evidenced by the shift of R&D resources away from protection and into detection and response initiatives.

To address these issues, during the summer of 1999 the NSA Advisory Board (NSAAB) reviewed the Information Systems Security Organization's (ISSO) commercial-off-the-shelf (COTS) strategy. The board acknowledged the need to provide the functionality and the feel of familiar COTS technology to our users, but they believed that we would not be able to influence the security of COTS technology for high assurance applications. The board challenged the Information Assurance Research Office to initiate a project to develop architectures that would allow COTS technology to be used safely in high assurance applications.

A Tiger Team was assembled for a one-year effort to develop an architectural approach to allow the safe use of COTS in sensitive Government applications. The user should see a familiar interface, e.g., the Microsoft Windows Operating System (OS) and off-the-shelf application software, but achieve the assurance needed for DoD use. The NSAAB suggested that one or more government-off-the-shelf (GOTS) components be included, preferably as plug-ins, and that their removal should allow the system to be used as a normal COTS machine. The notion of a "Vault" was introduced as an Internet-accessible, protected enclave that would provide high assurance services to connected user machines.

The results of the Tiger Team effort are a proof-of-concept architecture and a set of components that are referred to as NetTop. The remainder of this article will describe the concept and technical approach used in the architecture, identify several investigated applications, and suggest future capabilities.

User Requirements

The ISSO's customers have long identified shortcomings with the security technology that was available to them. One significant concern is that their workspaces are cluttered with computer equipment to support access to multiple networks of differing sensitivity. Dealing with this duplication of equipment has long been a problem, since there is no single system that can support all of their access needs. A second concern is that government-developed security solutions have often been incompatible with other standards-based IT products, which has significantly complicated the interfacing and upgrading of system components. The cost and complexity of network management is also a steadily growing issue, particularly in times of declining resources and mounting security concerns over the outsourcing of support. Our customers also need the ability to move data across isolated networks in order to perform their daily tasks, and the techniques to make such transfers efficient and safe. Finally, the increased importance placed on coalition operations brings new challenges for technology to securely support these operations. The architecture of the NetTop prototype suggests a near-term approach that can provide a useful and practical set of capabilities to satisfy these needs.

Fall 2000 Research & Advanced Technology Publication 1
An Initial Capability

To begin the development of the NetTop architecture, a modest, initial capability was sought. Opportunely, the ISSO's System Solutions Group identified an Internet-based version of the Remote Access Security Program (RASP) system as an excellent prospect. The RASP provides secure remote access to a host computer over a dial-up connection, and includes a laptop computer and a specially developed encrypting modem to protect the communications link. Many customers have requested a similar capability for remote network connectivity, but using Internet connections through a local Internet Service Provider (ISP), i.e., using the public data network rather than the public voice network. The ability to provide a secure, remote connection over the Internet to a secure enclave was selected as the initial NetTop goal.

An architecture that can achieve this capability has been known for some time. It typically includes an end-user workstation, an in-line encryptor, and possibly a filtering router or firewall to connect to the Internet. Commercially, such solutions are known as Virtual Private Networks (VPN). Figure 1 depicts a typical VPN client configuration. This system configuration would provide the required functionality, but it would be cumbersome and expensive for a mobile user.

Figure 1 - Typical Virtual Private Network Client Configuration

Recycling Technology

The requirement that NetTop users see a familiar COTS computer desktop environment was taken as a fundamental precept of the architecture. One consequence of this approach is that for high assurance applications, the end-user environment must be presumed to be untrustworthy, and the NetTop architecture must protect against potentially hostile behavior.

In order to place limitations upon a potentially malicious component, we explored the concept of encapsulation to constrain the behavior of the end-user operating system and application software. The method selected for encapsulating the OS was based upon a 30-year-old technology, Virtual Machine Monitors (VMM). VMM technology was designed and developed in the era of large IBM mainframe computers, and was intended to help extend the life of legacy software when improved hardware or OS software was released. In essence, a VMM was a software system that ran directly on the computer hardware and allowed multiple operating systems to be installed on top of it. By running older OS versions in some virtual machines, legacy software could be run, while newer application software could be executed in VMs running more current OS versions.

Commodity VMMs

During the NetTop design discussions, we identified a new commercial product, VMware, that provided a practical VMM capability. The VMware product is a spin-off of DARPA-sponsored research at Stanford University, and is generally used for providing a safe test environment for OS and networking software.

There were several novel capabilities of VMware that made it attractive for use in NetTop. First, it was designed for efficient operation on Intel x86 platforms rather than on large mainframe computers, which made it suitable for use on commonplace personal computers, workstations, and laptops. Next, VMware operates on top of an underlying host OS rather than directly on the system hardware. VMMs that run directly on hardware have been studied previously under Project Neptune for their use in securing systems. A Neptune type of VMM would face the enormous challenge of keeping pace with changes in the underlying hardware platform. VMware takes advantage of the host OS's need to track these changes. This is a much more practical approach, and would be particularly important to produce a GOTS VMM for NetTop. Lastly, VMware provides an abstraction for "virtual Ethernet hubs." This capability allows virtual machines to be interconnected in a fashion that is well understood by network designers and administrators.
A Network on a Desktop

Using VMware, the initial NetTop system was constructed using a powerful laptop computer. The operating system chosen for the host OS was Redhat Linux Version 6.2. Three virtual machines networked by two virtual hubs were installed on top of the host OS, providing an in-line configuration of three machines comprising (1) an end-user Windows NT machine, (2) an encrypting machine using IPSec, and (3) a Filtering Router (FR) machine. Both the VPN and FR were hosted on VMs running the Linux operating system. Figure 2 displays the initial NetTop prototype configuration.

Figure 2 - Simple NetTop System Configuration

The initial NetTop configuration demonstrates a number of important capabilities. It encapsulates the unmodified, end-user Windows operating system in a VM. An important characteristic of this approach is that the encryption can be provided as an in-line function that cannot be bypassed by malicious actions of the end-user OS or application software. Rudimentary protection from network attacks is provided through a filtering router.

Any of the individual virtual machines can be replaced or upgraded with standards-based components. The interconnection of the virtual machines is based upon familiar TCP/IP networking. Finally, a single platform replaces several traditional components, thereby reducing hardware and maintenance costs. An important side benefit is that the architecture makes no assumptions about the communications technology used to connect the external network. The user is free to select the desired technology, including dial-up, Ethernet, ATM, wireless, etc.

The basic NetTop configuration provides the same functionality as three separate hardware platforms. Each virtualized component should operate identically to its real-world counterpart with "bug for bug compatibility." The simple NetTop configuration was successfully connected across the Internet to a simulated, secure enclave on an unclassified NSA network, using both dial-up and cable modem connections. Such a configuration could have all of the capabilities of a locally connected machine, including the ability to connect to the Internet, if permitted within the enclave. Figure 3 illustrates a NetTop logical configuration.

Figure 3 - NetTop Logical Configuration
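The filtering router is what makes the in-line encryptor unbypassable from the network side: if the only traffic the FR forwards is the encryptor's IKE and ESP exchange with the enclave gateway, then anything the user VM emits in the clear (or anything an attacker sends in from the Internet) has no permitted path. The following added example, which is not code from the NetTop prototype, models such a first-match, default-deny policy and runs it over constructed packets. The addresses, the rule order and the decision that NAT-traversal ports are not open are assumptions made for the illustration.

```python
"""Stateless filtering-router policy for the in-line NetTop chain (added example).

Models the Filtering Router VM between the IPSec encryptor VM and the
external network: only IKE and ESP between the encryptor and the enclave
gateway may pass; everything else, including any cleartext the user VM
might emit, falls through to the default deny. Addresses are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional

ENCRYPTOR = "192.0.2.10"     # assumed: external address of the IPSec VM
ENCLAVE_GW = "198.51.100.1"  # assumed: VPN gateway of the protected enclave
IKE_PORT = 500


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "udp", "tcp", "esp", "icmp"
    dport: int = 0      # unused for protocols without ports


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    src: Optional[str] = None   # None matches any value
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return all(want is None or want == have for want, have in (
            (self.src, p.src), (self.dst, p.dst),
            (self.proto, p.proto), (self.dport, p.dport)))


# First match wins; an unmatched packet falls through to the default deny.
NETTOP_RULES: List[Rule] = [
    Rule("permit", ENCRYPTOR, ENCLAVE_GW, "udp", IKE_PORT),   # IKE negotiation out
    Rule("permit", ENCLAVE_GW, ENCRYPTOR, "udp", IKE_PORT),   # IKE negotiation in
    Rule("permit", ENCRYPTOR, ENCLAVE_GW, "esp"),             # encrypted tunnel out
    Rule("permit", ENCLAVE_GW, ENCRYPTOR, "esp"),             # encrypted tunnel in
]


def decide(rules: List[Rule], p: Packet) -> str:
    """Evaluate one packet against an ordered rule list; default deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"   # the only path out of the box is through the encryptor


def decide_all(rules: List[Rule], packets: List[Packet]) -> List[str]:
    return [decide(rules, p) for p in packets]


# Constructed sample traffic as seen on the filtering router's external side.
SAMPLE: List[Packet] = [
    Packet(ENCRYPTOR, ENCLAVE_GW, "udp", IKE_PORT),    # permit: IKE to the gateway
    Packet(ENCLAVE_GW, ENCRYPTOR, "esp"),              # permit: ESP from the gateway
    Packet(ENCRYPTOR, "203.0.113.7", "tcp", 80),       # deny: cleartext web to the Internet
    Packet("203.0.113.7", ENCRYPTOR, "udp", 53),       # deny: unsolicited inbound UDP
    Packet("203.0.113.7", ENCRYPTOR, "esp"),           # deny: ESP from a non-gateway host
    Packet(ENCRYPTOR, ENCLAVE_GW, "tcp", 22),          # deny: must travel inside the tunnel
]

if __name__ == "__main__":
    for p, d in zip(SAMPLE, decide_all(NETTOP_RULES, SAMPLE)):
        print(f"{d:6} {p.proto:4} {p.src} -> {p.dst}:{p.dport}")
```

The model is stateless, which matches the "rudimentary" protection the prototype describes; a stateful filter would additionally tie inbound IKE replies to an outstanding outbound exchange rather than permitting them unconditionally from the gateway address.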
Multiple Security Levels

A natural extension to the first prototype was the addition of other VMs to provide increased functionality. The second version of the NetTop prototype included another Windows NT machine connected directly to the filtering router, as shown in Figure 4. This machine allows a user to access the Internet directly. This extended prototype suggests a powerful feature of the NetTop architecture - the ability to replace multiple end-user workstations within a single hardware platform. In theory, multiple user connections to networks of differing sensitivity could be provided using multiple VPNs. This environment provides Multiple (single) Security Level (MSL) capability rather than true Multi-Level Security, but still addresses an important customer need.

Figure 4 - NetTop Multiple Security Level Configuration

Another configuration for an MSL system is shown in Figure 5, where two isolated VM workstations are connected to two different networks through two network interface cards. Since the network connections are already physically isolated, encrypted communication tunnels are not needed. This type of NetTop configuration may be appropriate to replace multiple end-user workstations when separate communications infrastructures are already available.

Figure 5 - NetTop Dual Network MSL Configuration

Thin-Client VMs

While the VMs described so far have been fully configured Windows or Linux systems, there is nothing preventing a VM from being a "thin client." In fact, there may be reasons why a thin client would be preferable. For example, if the Windows NT in Figure 4 was installed as a "display only" thin client, all classified files could be kept on a remote server in a protected enclave. This configuration increases assurance, since the NetTop device contains minimal sensitive information.

Assurance

Despite the functional and cost advantages that the NetTop architecture described above may offer to some users, its usefulness will depend upon its ability to withstand determined attacks from the external network and from malicious end-user software. The most sensitive applications may require additional protection against compromising system failures. While NetTop attempts to deal with insecurities that may be caused by user errors, no attempt has been made to thwart malicious insiders. As a practical matter, it should only be necessary to demonstrate that a NetTop configuration provides the same degree of security as the separate network components that it replaces. If this can be achieved, then the basic architectural approach is validated.
A number of approaches have been identified to increase the assurance of the NetTop architecture. The critical aspect of the architecture that must be validated is the ability of the VMM/Host OS combination to sufficiently isolate the various NetTop components. Our approach to dealing with security in the underlying host is to use a Trusted Linux OS prototype that has been developed under the IARO's OS Security research program. Trusted Linux incorporates flexible access control mechanisms. In order to bolster the inherent isolation provided by the VMM, a tailored security policy has been developed for the Trusted Linux host. The VMM/Trusted Linux combination will be evaluated further during an internal "red team" exercise to assess the degree of isolation it provides.

Figure 6 - NetTop Improved Assurance Configuration

The Trusted Linux prototype is also envisioned for use as the guest OS in the VPN and Filtering Router VMs. It is likely that a substantially reduced Trusted Linux OS could be configured to support each VM. In each case, specific security policies need to be tailored to support the limited functionality of each machine. The particular encryption and filtering router products selected could be from National Information Assurance Partnership approved lists or specially developed GOTS components.

Another critical component of the underlying host platform is the BIOS function that controls the initial boot-up process, and its ability to arrive at a secure initial state. Vulnerabilities in the BIOS have long been identified as the "Achilles heel" of computer systems. Work presently underway to develop a robust, trusted BIOS should be incorporated into any high assurance NetTop system.

Failure Checking

Even a minimal NetTop configuration will be an extremely complex hardware and software system. It will not likely be amenable to the forms of failure analysis historically used for NSA high assurance systems. While it might seem that significant failures in a NetTop device would result in complete system shutdown, sensitive applications will require more rigorous assurance arguments. Lacking failure detection support in the workstation platform, an approach using a type of "dead man's switch" has been developed to limit failure effects by severing external NetTop communications.

In order to make an effective argument for the correct operation of a failure checking mechanism, its hardware and software must be completely independent of the system being checked. A Dallas Semiconductor Tiny InterNet Interface (TINI) embeddable computer was networked to the in-line Network Encryptor machine, and was programmed to use a simple network "ping" to the VPN machine as a health check. If no response was received, the Internet connection was interrupted. A more robust health check could include a more complex set of tests to gain increased assurance that the NetTop device is working properly. The tests could include challenge/response exchanges with a Failure Detection Server in the protected enclave. A dead-man switch of this type may be suitable for a GOTS plug-in component for high assurance applications. The failure detection approach is shown in Figure 7.

Figure 7 - Dead-Man Switch Architecture
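The weakness of a plain ping as the health signal is that anything able to answer ICMP, including a compromised encryptor VM or a host that has taken over its address, keeps the link up. The added example below, which is not the TINI monitor's code, models the more robust check the text proposes: the independent monitor issues a fresh random challenge, accepts only a keyed (HMAC) reply, and severs the external link after a configurable number of consecutive failures. The shared key between monitor and checked machine, the probe transport and the sever hook are assumptions supplied by the caller.

```python
"""Dead-man switch health check for a NetTop device (added example).

The monitor and the checked machine (or the Failure Detection Server in the
enclave) are assumed to share a secret key. probe(challenge) is the caller's
transport to the checked machine; sever_link() is the caller's hook that
cuts the external connection.
"""
import hashlib
import hmac
import os
from typing import Callable, List, Optional, Tuple

ALIVE_TAG = b"NETTOP-ALIVE|"   # assumed domain-separation label for the health MAC


def alive_response(shared_key: bytes, challenge: bytes) -> bytes:
    """The reply a healthy, correctly keyed machine computes for a fresh challenge."""
    return hmac.new(shared_key, ALIVE_TAG + challenge, hashlib.sha256).digest()


class DeadManSwitch:
    """Independent monitor that cuts the link after max_failures missed checks.

    The prototype used a plain ping (max_failures=1, no key). A keyed
    challenge/response defeats a spoofed host that answers pings while the
    real encryptor is dead, and a fresh random challenge makes a replayed
    old answer fail. max_failures > 1 tolerates transient packet loss.
    """

    def __init__(self, shared_key: bytes, max_failures: int = 1,
                 sever_link: Optional[Callable[[], None]] = None) -> None:
        self.shared_key = shared_key
        self.max_failures = max_failures
        self.failures = 0
        self.link_up = True
        self._sever_link = sever_link or (lambda: None)

    def run_check(self, probe: Callable[[bytes], Optional[bytes]]) -> bool:
        """Run one health check; probe() returns the reply bytes or None on timeout."""
        challenge = os.urandom(16)
        reply = probe(challenge)
        expected = alive_response(self.shared_key, challenge)
        ok = reply is not None and hmac.compare_digest(reply, expected)
        if ok:
            self.failures = 0
        else:
            self.failures += 1
            if self.failures >= self.max_failures and self.link_up:
                self.link_up = False      # stays down until an operator restores it
                self._sever_link()
        return ok


def simulate(max_failures: int = 2) -> Tuple[List[bool], bool, List[str]]:
    """Constructed run: healthy, timeout, impostor with a guessed key, healthy again.

    Returns the per-check results, the final link state and the sever events.
    After the second consecutive failure the link is cut and stays cut even
    though a valid reply arrives afterwards.
    """
    key = b"constructed-shared-key"
    events: List[str] = []
    dm = DeadManSwitch(key, max_failures, sever_link=lambda: events.append("LINK CUT"))
    healthy = lambda c: alive_response(key, c)
    dead = lambda c: None
    impostor = lambda c: alive_response(b"guessed-key", c)
    results = [dm.run_check(p) for p in (healthy, dead, impostor, healthy)]
    return results, dm.link_up, events


if __name__ == "__main__":
    print(simulate())
```

On the TINI the probe would be a UDP exchange with the encryptor VM and the sever hook would drive the relay or interface that carries the external connection; the decision logic is unchanged.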
Moving Data Safely

Many organizations require the ability to move information between networks of differing security levels. A common operation involves downgrading information from highly classified to lower classified systems, but increasingly, information is imported from the Internet into classified systems. In the first case, it is essential that classified information not be compromised, while in the second, a primary concern is the protection of the classified host from malicious content.

The VMware product includes a capability to copy and paste data between VMs via a clipboard. This feature does not include sufficient safeguards for use in a high assurance NetTop system. In order to provide a more trusted copy/paste function, a new capability, dubbed a "Regrader," was developed. This capability includes a protocol for performing the regrade operation, as well as a "Regrade Server" that provides a trusted network service. By making the regrade operation a centralized service, a number of advantages are gained. First, consistency in the regrade operation can be achieved. Second, it would be possible to develop and enforce a regrade policy that specified the conditions under which each user could perform regrade operations. The regrade operation could include "sanitization" functions to deter the transfer of covert or malicious content. Finally, an audit log could be maintained and monitored for suspicious activity. Figure 8 depicts the protocol exchange between the Regrade Server and two hosts of different security levels. A trusted user token is employed in a challenge/response exchange with the trusted server in order to safeguard against untrusted OS behavior.

Figure 8 - Regrade Server Protocol

Coalition Support

The paradigm of virtual machines creates abstractions of physical computers. Each VM is composed of a set of files that embody a hardware/software system. This set of files can be copied from one physical machine to another. Given the portability of VMs, there is no inherent reason why a VM, or set of VMs, could not be electronically transferred. It is possible for a NetTop device to become a member of a coalition by downloading an appropriately configured VM over a secured communications channel. The set of VMs in each coalition would constitute a VPN, and would not be able to communicate directly with VMs in other coalitions. Cross-coalition communication is performed using a variation of the Regrade Server previously described.
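The point of the token challenge/response is that the guest OS initiating the transfer is untrusted: it must not be able to replay a prior approval, or obtain the user's approval for one payload and then submit another. The added example below, which is not the prototype's Regrader code or its wire protocol, shows one way to build the two-message exchange around that requirement and to layer the policy check, sanitization and audit log the text lists. The fixed level set, the per-user HMAC key standing in for the hardware token, and the two illustrative sanitization rules (portion markings on downgrade, executable headers on import) are assumptions.

```python
"""Regrade Server: centralized, policy-checked transfer between levels (added example).

Assumptions: levels are the fixed ordered set LEVELS; the user's trusted
token is modelled as a per-user HMAC key known only to the token and the
server (the untrusted guest OS never holds it); the sanitization rules are
illustrative stand-ins for a real content filter.
"""
import hashlib
import hmac
import os
import re
from typing import Dict, List, Optional, Set, Tuple

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2}
MARKING = re.compile(r"\((U|C|S)\)")          # portion markings such as "(S)"
MARK_LEVEL = {"U": 0, "C": 1, "S": 2}
EXEC_MAGIC = (b"MZ", b"\x7fELF")              # PE and ELF headers


def token_sign(token_key: bytes, txn: bytes, src: str, dst: str, data: bytes) -> bytes:
    """Computed on the user's token. Binds the approval to this transaction,
    direction and content hash, so a hostile source OS can neither reuse an
    approval nor swap the payload after the user has approved it."""
    msg = txn + src.encode() + b"->" + dst.encode() + hashlib.sha256(data).digest()
    return hmac.new(token_key, msg, hashlib.sha256).digest()


def sanitize(data: bytes, src: str, dst: str) -> Optional[str]:
    """Return a denial reason, or None if the content may cross."""
    if LEVELS[dst] < LEVELS[src]:                       # downgrade: guard against leakage
        text = data.decode("utf-8", "replace")
        for m in MARKING.findall(text):
            if MARK_LEVEL[m] > LEVELS[dst]:
                return f"marking-({m})-exceeds-{dst}"
        if any(ord(ch) < 32 and ch not in "\t\n\r" for ch in text):
            return "non-text-content"                   # deter hidden binary channels
    elif data.startswith(EXEC_MAGIC):                   # upgrade/import: guard the host
        return "executable-content"
    return None


class RegradeServer:
    def __init__(self, token_keys: Dict[str, bytes],
                 policy: Dict[str, Set[Tuple[str, str]]]) -> None:
        self.token_keys = token_keys      # user -> token key
        self.policy = policy              # user -> allowed (src, dst) pairs
        self.pending: Dict[bytes, Tuple[str, str, str]] = {}
        self.inbox: Dict[str, List[bytes]] = {lvl: [] for lvl in LEVELS}
        self.audit: List[str] = []

    def begin(self, user: str, src: str, dst: str) -> bytes:
        """Message 1: the source host names user and levels; the server answers
        with a fresh transaction id that doubles as the challenge."""
        txn = os.urandom(16)
        self.pending[txn] = (user, src, dst)
        return txn

    def complete(self, txn: bytes, data: bytes, proof: bytes) -> bool:
        """Message 2: content plus the token's proof. Verify token, check policy,
        sanitize, audit, deliver. A transaction id is consumed on first use."""
        user, src, dst = self.pending.pop(txn, (None, None, None))
        if user is None:
            return self._deny("unknown-transaction", txn, "?", "?", "?")
        key = self.token_keys.get(user)
        if key is None or not hmac.compare_digest(proof, token_sign(key, txn, src, dst, data)):
            return self._deny("token-proof-invalid", txn, user, src, dst)
        if (src, dst) not in self.policy.get(user, set()):
            return self._deny("policy", txn, user, src, dst)
        reason = sanitize(data, src, dst)
        if reason is not None:
            return self._deny(reason, txn, user, src, dst)
        self.inbox[dst].append(data)
        digest = hashlib.sha256(data).hexdigest()[:16]
        self.audit.append(f"ALLOW user={user} {src}->{dst} txn={txn.hex()} sha256={digest}")
        return True

    def _deny(self, reason: str, txn: bytes, user: str, src: str, dst: str) -> bool:
        self.audit.append(f"DENY reason={reason} user={user} {src}->{dst} txn={txn.hex()}")
        return False


def demo() -> Tuple[List[bool], List[str]]:
    """Constructed scenario: one allowed transfer and one of each refusal."""
    keys = {"alice": b"alice-token-key", "bob": b"bob-token-key"}
    policy = {"alice": {("SECRET", "UNCLASSIFIED"), ("UNCLASSIFIED", "SECRET")}}
    srv = RegradeServer(keys, policy)

    def attempt(user, src, dst, data, tampered=None):
        txn = srv.begin(user, src, dst)
        proof = token_sign(keys[user], txn, src, dst, data)     # computed on the token
        return srv.complete(txn, tampered if tampered else data, proof)

    outcomes = [
        attempt("alice", "SECRET", "UNCLASSIFIED", b"(U) weather brief"),   # allowed
        attempt("alice", "SECRET", "UNCLASSIFIED", b"(S) ops plan"),        # marking too high
        attempt("alice", "UNCLASSIFIED", "SECRET", b"MZ\x90\x00 payload"),  # executable import
        attempt("bob", "SECRET", "UNCLASSIFIED", b"(U) memo"),              # no policy entry
        attempt("alice", "SECRET", "UNCLASSIFIED", b"(U) memo",
                tampered=b"(U) memo plus leaked text"),                     # payload swapped
    ]
    return outcomes, srv.audit
```

The ordering matters: the token proof is checked before policy and content, so a request the user never approved is refused without the server ever parsing the payload it carries.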
For some coalitions, it might be useful to distribute application-specific VMs, such as a secure Voice-over-IP machine. A centralized Coalition Management Server could be used to manage the configuration and distribution of VMs to coalition members. The essence of NetTop's coalition support is its ability to distribute virtual systems electronically. Figure 9 displays a hypothetical situation in which four organizations participate in four data coalitions and two voice coalitions. A simple capability to demonstrate electronic distribution of VMs is under development.

Figure 9 - NetTop Coalition Concept

Additional Capabilities

A number of useful capabilities are included in the prototypes that were not described in the NetTop overview. The entire file system on the hard disk is encrypted in order to protect against compromise if the machine is lost or stolen. The "International Patch" for Linux was installed, which provides software encryption capabilities and services under the control of the Trusted Linux host OS. The hard disk encryption is transparent to all VMs. Additionally, this disk encryption cannot be corrupted or bypassed by a VM. A process was developed that uses a floppy disk and a user-entered PIN to "bootstrap" the decryption and loading of system files from the hard disk. During normal operation, all disk files, including temporary files, are stored encrypted on the hard disk.

The hardware virtualization provided by the VMM also provides a capability to alter the operation of the hard disks seen by each VM. In one mode, all changes made to a VM's hard disk are discarded when it is powered down. This may be useful in the operation of the IPSec and FR machines by preventing permanent changes to the system if a successful attack did occur. Any changes would be lost when the VM was restarted, which would force an adversary to repeat the attack.

Performance

Real-world performance determines any technology's acceptance. NetTop's architecture includes a lot of functionality in a single hardware platform, yet the performance is quite acceptable. The laptop computer used in the prototype includes a 500 MHz Pentium III processor and 384 MB of memory. The VMware VMM is surprisingly modest in its effect upon the performance of a VM, and only a slight degradation is noticed. As more VMs are introduced, more serious performance degradation is noticed, but it can be minimized with additional memory. The 384-MB configuration of the NetTop prototype shown in Figure 4 was sufficient to support the Linux host and four guest VMs - two Windows NT machines for the end-user terminals and two Linux machines for the in-line Network Encryptor and Filtering Router. Overall, the performance of the NetTop prototype is quite satisfactory, and easily keeps pace with a high-speed cable modem connection. Continuing enhancements in hardware performance will only improve it.
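The floppy-plus-PIN bootstrap is a two-factor unlock of the media key: the floppy carries key material a short PIN cannot supply, and the PIN makes a stolen floppy useless on its own. The added example below, which is not the prototype's boot code, shows the shape of such a bootstrap: both factors feed one key derivation, and an unencrypted header carries a keyed check value so the loader can reject a wrong PIN or wrong floppy before it tries to decrypt anything. The KDF (PBKDF2-HMAC-SHA256), the iteration count and the header layout are assumptions.

```python
"""Two-factor bootstrap of the media-encryption key (added example).

Models the described floppy key-file plus user PIN process; the KDF choice
and header layout are assumptions, not the prototype's format.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

ITERATIONS = 100_000                       # assumed work factor
CHECK_LABEL = b"NETTOP-MEDIA-KEY-CHECK"    # assumed label for the key-check MAC


@dataclass(frozen=True)
class VolumeHeader:
    """Unencrypted header at the start of the disk (constructed layout)."""
    salt: bytes
    key_check: bytes          # lets the loader verify the derived key before decrypting


def derive_media_key(keyfile: bytes, pin: str, salt: bytes) -> bytes:
    """Both factors feed one KDF. Hashing the key-file first gives a fixed-length
    prefix, so key-file and PIN cannot be confused for one another."""
    secret = hashlib.sha256(keyfile).digest() + pin.encode()
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS, dklen=32)


def key_check(media_key: bytes) -> bytes:
    """Keyed check value; reveals nothing about the key to someone without it."""
    return hmac.new(media_key, CHECK_LABEL, hashlib.sha256).digest()


def provision(keyfile: bytes, pin: str) -> VolumeHeader:
    """Run once when the disk is first encrypted."""
    salt = os.urandom(16)
    return VolumeHeader(salt, key_check(derive_media_key(keyfile, pin, salt)))


def unlock(keyfile: bytes, pin: str, header: VolumeHeader) -> Optional[bytes]:
    """Boot-time path: return the media key, or None if either factor is wrong."""
    key = derive_media_key(keyfile, pin, header.salt)
    if hmac.compare_digest(key_check(key), header.key_check):
        return key
    return None


if __name__ == "__main__":
    floppy = os.urandom(64)                 # constructed stand-in for the floppy key-file
    header = provision(floppy, "4711")
    print("correct factors:", unlock(floppy, "4711", header) is not None)
    print("wrong PIN:      ", unlock(floppy, "4712", header) is not None)
```

Because the derivation runs in the host OS before any guest starts, the user VM never sees the key-file, the PIN or the derived key, which is what lets the text claim the cryptography cannot be bypassed from inside a VM.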
Future Development

The NetTop proof-of-concept has demonstrated an architecture that appears to have significant promise for information assurance applications. In its current form, however, it is unsuitable for widespread use and requires considerable refinement. Our research has uncovered a number of shortcomings in current technology that need to be addressed. Additionally, important topics still must be investigated. Areas requiring further development are:

· Identification & Authentication Architecture
· Biometric activation technique
· Key & certificate management
· Filtering Router management
· Un-spoofable labels for MSL windows
· Trusted VM switching mechanism
· Installation & configuration wizards
· IPSec modifications for NetTop protocols
· User friendly interfaces

The set of capabilities identified as NetTop extensions - Failure Detection Server, Regrade Server, and Coalition Management Server - suggests an expansion of the security services typically considered as part of a Security Management Infrastructure. The integration of these services with traditional key and certificate management services may deserve a separate investigation to develop a concept for a more comprehensive security infrastructure.

Development of the NetTop prototype is continuing. Some of the concepts previously described, including a Regrade Server, thin clients, and coalition support, will be integrated as each is developed.

Conclusion

The Information Assurance Research Office has responded to the NSA Advisory Board's challenge with the NetTop proof-of-concept. The novel architecture builds upon COTS technology, fortifies it with GOTS components, and provides a combination with the potential to be securely used for sensitive applications. It also addresses other important concerns, and provides a framework for useful extensions. NetTop depends heavily upon the isolation capabilities provided by the Trusted Linux/VMM combination. The robustness of the approach still requires a comprehensive security evaluation.

A very simple NetTop configuration with only one user Virtual Machine can provide a very useful feature - media encryption - which could not otherwise be done with a high level of confidence. Since the host operating system does not run application software, it is protected from virus attacks and other malicious software that might corrupt the user VM. With the media encryption function embedded in the host OS, all of the files on the hard disk can be encrypted transparently to the user OS. The user OS cannot bypass the cryptography that is protecting the media.

Donald Simard is the Technical Director for the System and Network Attack Center and has been with the Agency since 1979. The majority of his work has been in the Information Systems Security Organization. He is a Master in the INFOSEC Technical Track and has a Master's Degree in Computer Science.

Robert Meushaw is Technical Director for the Information Assurance Research Office. He joined the Agency in 1973 with BS and MS degrees in Electrical Engineering. Mr. Meushaw had a long career in the Information Systems Security Organization prior to his current position. He is a Master in the Computer Systems Technical Track.