Post on 02-Jan-2016
Practical IS security design in accordance with Common Criteria
Security and Protection of Information 2005
František VOSEJPKA, S.ICZ a.s., June 5, 2005
Introduction
The security design of an IS handling classified information requires:
- usage of Common Criteria (CC);
- compliance with a Higher Level Security Policy: legal requirements / principles (CZ Act #148/98) and organization security requirements;
- Life Cycle Definition of the entire IS (planning, development, implementation, approval, operation, further development and withdrawal);
- solution of the respective Security Areas (personal security, physical security, cryptographic information protection, administrative security and organizational measures);
- Certification / Approval to operate.
Preliminary/Expert IS Security Design and Risk Analysis
- Identify the scope of the IS: an existing IS or a newly designed IS (with a preliminary or expert security architecture).
- The IS architecture should be based on the User Operational Requirements and the Security Requirements.
- Risk Analysis (assets, threats, vulnerabilities, countermeasures, ...).
Example (architecture diagram; only its labels survive extraction):
- Centre: IS MFA-R, the EU-Extranet-CZ-MFA node (EU Extranet IS MFA-R, BDom domain), with MFA-R-DA (Distribution Agent), MFA-R-CG (Crypto Gateway: CSP II MicroCzech, MS Strong CSP), MFA-R-SSB (Security Separation Block), MFA-R-ROOTCA (Off-line Root CA) and MFA-DC (Domain controllers, Issuing CA).
- Dep-R IS (certified IS, internal domain) in an On-line variant and an Off-line variant, each with Dep-R-DA (Distribution Agent), Dep-R-CG (Crypto Gateway, CSP II MicroCzech), Dep-R-SSB (Security Separation Block) and Node Working Stations; the diagram also labels an "Air-gap transmission" of "Encrypted data".
- Dep-L IS (non-certified IS, internal domain) with Dep-L-DA (Distribution Agent) and Dep-L-CG (Crypto Gateway, MS Strong CSP); Dep-L-CG acts as Pushing Agent between Dep-R-SSB and MFA-R-SSB.
- Dep-GCI-CS (Communication station) connects the nodes over the Government communication infrastructure (GCI); border protection devices of the EU-Ex-CZ-Dep-R and EU-Ex-CZ-Dep-L nodes and a Firewall sit at the boundaries.
- Links are labelled https (messages), X400 / smtp, and ODBC / JDBC (documents + metadata).

Legend: Dep = Department / Ministry; R = classification Restricted; L = classification Limited; CG = Crypto Gateway; DA = Distribution Agent; SSB = Security (Policy) Splitting Block; CSP = Crypto Service Provider.
IS Security Design
The "IS Security Design" as such must include the necessary security requirements and be eligible for evaluation. This implies:
- the IS Security Design is made within the structure prescribed for the Security Target by CC;
- the Design follows the risk analysis results;
- threats must be covered by the CC requirements and additional higher level security policy requirements;
- separate security requirements for the TCB and the border devices;
- for each security technology a consistent range of security functional and security assurance requirements is determined;
- the necessary IT products conforming to the set requirements may be chosen on the market or developed.
IS Description - Security Objectives
Assumptions, Organizational Security Policies, Threats to Security ...

IT Security Objectives

Security Objective | Description | IS | Border
O.I&A | user's unique Identification and Authentication prior to granting access ... | Yes | Yes
O.RESIDUAL_INFO | ... | Yes* |
O.DOMAIN_SEPARATION | ... | Yes* |
O.INFORMATION_FLOW | ... | Yes* |
O.SELF_PROTECT_NODE | ... | Yes* |
O.DEFENCE_IN_DEPTH | ... | Yes | Yes
O.ANTIVIR | ... | Yes | Yes
etc.
* a single "Yes" in the original table; the extracted slide does not show whether it sits in the IS or the Border column.
IS Description - Security Objectives

Non-IT Security Objectives

Security Objective | Description
O.INSTALLATION | Procedures for delivery, installation, administration and operation must be established. ...
O.VERIFICATION | Ensure that the security implementation is verified ... prior to the approval to operate classified information
O.IS_LIVE_CYCLE | The IS life cycle stages and rules are established for both the IS operator's and the supplier's environments
O.TRUST_APL_SW | Only trusted application SW, free from malicious code and causing no failures, will be installed
etc.
IS Description - Security Objectives

Objectives of the IS Security Environment

Security Objective | Description
OE.PHYSICAL_SEC | All the personnel responsible for the IS must ensure that the security-critical components of the IS are protected against a physical attack ...
OE.PERSONAL_SEC | The personnel security requirements must be met (i.e. CZ Act #148/1998)
OE.DOCUMENT_SEC | Departmental administrative security is pursued according to NSA Directive #137/2003
OE.NO_EVIL_USERS | etc.
OE.INCIDENT_REACT | etc.
etc.
IS Security Functional Requirements (SFR)

IS Security Functional Requirements

CC ID | Functional component
Security audit (FAU)
FAU_GEN.1 | ... see CC
FAU_GEN.2 | ... see CC
etc.
Extended functional requirements (FEX)
FEX_RPL.1 | Secure data replication between the distributed IS components
FEX_WAR.1 | Warning to the user about the legal implications of unauthorized system use
FEX_ANV.1 | Antivirus protection
etc.
IS Security Functional Requirements (SFR)

IS Internal Security Environment Requirements

Class | ID | Functional component
Physical Security (FPH) | FPH_SAR.1 | Assets being placed in a security area
 | FPH_SAR.2 | Servers and interface devices separated from users
 | FPH_SAR.3 | Cryptographic devices separated from the other assets
Personnel Security (FPE) | FPE_CLE.1 | Personal Clearance Certificate
 | FPE_ASS.1 | Need-to-Know assignment
 | FPE_ASS.2 | Assignment for the role in IS management
 | FPE_ASS.3 | External Organization and Contractor assignment
Document Security (FDS) | ... |
Border Protection (FBP) | ... |
Organizational Measures (FOR) | ... |
IS Security Assurance Requirements (SAR)
The security assurance requirements should be established differently for each IT product:
- TCB: EAL3 suffices for IT in an IS with the "system-high" security mode of operation;
- Antivirus: selected on the basis of practical operational experience, i.e. reliability and good performance in terms of prevention, detection and remediation;
- Border: an EAL is required for border security devices and components, depending on the level of the ISs being interconnected (EAL4 for the Restricted and Limited levels);
- Crypto: the products used for cryptographic protection of classified information require an appropriate NSA certificate; a good and strong commercial crypto device or SW suffices for cryptographic protection of LIMITED information.
IS Specification Summary
IS Security Functions - Locations of Security Mechanisms on HW components

Computer | Domain | W2K | AV | AT | DA | CG | CD | SSB
Working Station | All | X X
DC Server | All | X
Servers (Apl, DB) | All | X X X
DA Server | All | X X
R-CG Server | Restrict | X X X X
L-CG Server | Limited | X X X
SSB | All | X
CS - Comm. station | WAN | X
X - Security mechanism is located on the computer
(The extracted slide preserves how many mechanisms each computer carries, but not which of the W2K ... SSB columns the X marks fall in.)
IS Specification Summary
- Allocation of Functional Requirements to Security Mechanisms

CC ID or Extended ID | W2K | AV | AT | DA | CG | CD | SSB | Env
FAU_GEN.1 | X X X X X X X
FAU_GEN.2 | X X X X
FAU_SAA.2 | X X
etc.
FEX_RPL.1 | X
FEX_WAR.1 | X
FEX_ANV.1 | X
etc.
FPH_SAR.1 | X
etc., ... | X
(The extracted slide preserves how many mechanisms each requirement is allocated to, but not which of the W2K ... Env columns the X marks fall in.)
IS Specification Summary
Measures for realization of the IS Security Assurance Requirements
- EAL3 requirements are applied to W2K (actually W2K complies with EAL4 Augmented);
- EAL3 requirements are applied to the IS environment;
- EAL4 requirements are applied to the DA, CG and SSB special SW;
- the additional requirements are applied to the certified crypto-device and a commercial crypto-device.
- Security Assurance Requirements mapping (the same way as the Functional Requirements in the previous chart)
Rationale
- all threats and organizational policies have been covered by at least one IT, non-IT or environment Security Objective, and these are sufficient to deal with them;
- all Security Objectives (for IT, non-IT and environment) have been covered by the Security Functional Requirements (SFR) and the Security Assurance Requirements (SAR);
- the SFR and the SAR are capable of covering the requirements for overall IS security.
The rationale includes commercial certified and non-certified components, newly developed components and those for the cryptographic protection.
The rationale demonstrates the completeness of the security target implementation.
The last section provides a review of Vulnerabilities and the level of Residual Threats to which they are exposed.
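The three rationale rules above, together with the allocation chart, are a chain threat -> Security Objective -> SFR/SAR -> mechanism that can be checked mechanically. The script below is an added example, not code from the presentation or from S.ICZ; its threat, objective and allocation tables are constructed samples that reuse identifiers from the slides (O.I&A, FEX_ANV.1, W2K, SSB, ...) plus a few standard CC v2 components (FIA_UID.1, FIA_UAU.1, FPT_SEP.1, FDP_IFC.1), and two gaps are planted on purpose so the check has something to report.

```python
"""CC-style rationale completeness check: threats -> objectives -> SFR/SAR -> mechanisms.
Added example, not the presentation's code; the tables are constructed samples reusing
slide identifiers (O.I&A, FEX_ANV.1, W2K ...) plus standard CC v2 components (FIA_UID.1 ...)."""

# Threats / organizational policies -> Security Objectives (constructed sample)
THREATS = {
    "T.UNAUTH_ACCESS": {"O.I&A", "O.DOMAIN_SEPARATION"},
    "T.MALWARE": {"O.ANTIVIR", "O.TRUST_APL_SW"},
    "T.CROSS_DOMAIN_LEAK": {"O.INFORMATION_FLOW", "O.DEFENCE_IN_DEPTH"},
    "P.PERSONNEL": {"OE.PERSONAL_SEC"},
    "T.PHYSICAL": set(),  # deliberately left uncovered so the check reports it
}
# Security Objectives -> functional / assurance components (constructed sample)
OBJECTIVES = {
    "O.I&A": {"FIA_UID.1", "FIA_UAU.1"},
    "O.DOMAIN_SEPARATION": {"FPT_SEP.1"},
    "O.ANTIVIR": {"FEX_ANV.1"},
    "O.TRUST_APL_SW": {"FEX_ANV.1"},
    "O.INFORMATION_FLOW": {"FDP_IFC.1"},
    "O.DEFENCE_IN_DEPTH": {"FAU_GEN.1", "FAU_SAA.2"},
    "OE.PERSONAL_SEC": {"FPE_CLE.1", "FPE_ASS.1"},
    "O.SELF_PROTECT_NODE": set(),  # deliberately without any requirement
}
# Components -> security mechanisms, as in the allocation chart (constructed sample);
# FAU_SAA.2 and FPE_ASS.1 are intentionally missing, i.e. not allocated anywhere
ALLOCATION = {
    "FIA_UID.1": {"W2K", "DA"}, "FIA_UAU.1": {"W2K", "CG"}, "FPT_SEP.1": {"W2K", "SSB"},
    "FAU_GEN.1": {"W2K", "AV", "DA", "CG", "SSB"}, "FEX_ANV.1": {"AV"},
    "FDP_IFC.1": {"SSB", "CG"}, "FPE_CLE.1": {"Env"},
}

def check_rationale(threats, objectives, allocation):
    """Apply the rationale rules; every list empty means the mapping is complete."""
    used_objs = {o for objs in threats.values() for o in objs}
    used_reqs = {r for reqs in objectives.values() for r in reqs}
    allocated = {r for r, mechs in allocation.items() if mechs}
    return {
        "uncovered_threats": sorted(t for t, o in threats.items() if not o),
        "undefined_objectives": sorted(used_objs - set(objectives)),
        "unsupported_objectives": sorted(o for o, r in objectives.items() if not r),
        "unallocated_requirements": sorted(used_reqs - allocated),
        "unused_objectives": sorted(set(objectives) - used_objs),
    }

def trace(threat, threats=THREATS, objectives=OBJECTIVES, allocation=ALLOCATION):
    """Mechanisms that ultimately counter one threat, following the same chain."""
    reqs = {r for o in threats.get(threat, ()) for r in objectives.get(o, ())}
    return sorted({m for r in reqs for m in allocation.get(r, ())})
```

Running check_rationale over the sample reports T.PHYSICAL as uncovered, O.SELF_PROTECT_NODE as unsupported and unused, and FAU_SAA.2 / FPE_ASS.1 as requirements no mechanism realizes; trace("T.UNAUTH_ACCESS") shows which mechanisms actually defend against a given threat.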
Selection and Development of Products for the IS
- Selection of commercial products: the Security Target and a Certificate; the certificate is not required for products with lower demands for guarantees (reliable products verified by practice).
- Development of new products: on the basis of the written document "Requirements for Product Development".
IS implementation requires products which comply with the above specified SFR and SAR.
The Certification Authority issues a certificate for the entire IS on the basis of the test results and the evaluation of all the IS security components.
Conclusion
The solution presented in this article suggests possible procedures for using the Common Criteria when designing a complex IS.
This procedure makes it possible to break down the overall security requirements into partial domains and technologies, and shows the way to the development of the necessary secure IT products.
Thank you for your attention
František VOSEJPKA, CIS Security consultant, S.ICZ a.s., E-mail: frantisek.vosejpka@i.cz