Transcript of "Partnerships for VoIP Security: VoIP Protection Profiles" (15 slides)

Page 1

October 3, 2003

Partnerships for VoIP Security: VoIP Protection Profiles

David Smith

Co-Chair, DoD VoIP Information Assurance Working Group

NSA Information Assurance Directorate, Information Assurance Solutions Group

(410) 854-7302

E-mail: [email protected]

Page 2

Agenda

DoD IA Policies

Common Criteria

– Protection Profiles & Security Targets

Information Assurance Technical Framework (IATF) and Forum

VoIP IA Initiatives

– Protection Profile(s)

– IATF

Page 3

DoD IA Policies

DoDI 8500.1 & 8500.2

NSTISSP 11

By 1 July 2002, the acquisition of all COTS IA and IA-enabled IT products shall be limited only to those which have been evaluated and validated in accordance with either:

•International Common Criteria

•NSA/NIST National Information Assurance Partnership (NIAP) Evaluation and Validation Program

•NIST FIPS Validation Program

Page 4

Common Criteria (CC)

Internationally Recognized Security Criteria

Security requirements specification language

– Security functionality & assurance

Provides basis for validating conformance to a specification (e.g. PP or ST) by an independent third party (e.g. NIAP lab)

Page 5

Protection Profiles vs. Security Target

Protection Profile - Customer

– Statement in CC language of security and assurance requirements ("I need")

– For DoD, NSA writes the protection profiles

Security Target - Vendor

– Vendor claim in CC language of security and assurance requirements met ("I provide")

Target of Evaluation

Page 6

Robustness

Basic = Best Commercial Practice

Medium = Better than most current commercial

High = Usually Government Developed

Robustness is the combination of appropriate security requirements and assurance levels.

– Imperative that the Evaluation Report be read to understand the IA quality.

EAL doesn't equate to Robustness level

Page 7

National Information Assurance Partnership (NIAP)

NSA/NIST Partnership

US Focal Point for Common Criteria

Manage & Maintain Process

– Common Criteria Evaluation and Validation Scheme

– Protection Profile Registry

– Evaluated Products Registry

– List of Certified Commercial Evaluation Labs

http://niap.nist.gov/

Page 8

Information Assurance Technical Framework (IATF)

A Technical Security Guidance Document

– Unclassified

– Evolving

– Publicly available on IATF Web Site

UNCLASSIFIED

http://www.iatf.net

Page 9

IATF Benefits

Helps U.S. Government users become wiser consumers when implementing security solutions

Assists U.S. industry in understanding the government's needs and the nature of the desired solutions to these needs

Focuses investment resources on the security technology gaps

Page 10

Information Assurance Technical Framework Forum (IATFF)

NSA-sponsored forum to foster dialog among U.S. Government agencies, U.S. Industry, and U.S. Academia

Sessions approximately every 6 weeks

Held at the Johns Hopkins Applied Physics Lab, Laurel, MD

Page 11

IATFF Benefits

Fosters IA Dialog

– U.S. Government - U.S. Industry - U.S. Academia

Increases awareness of available security solutions

Establishes contacts between individuals and organizations dealing with similar problems

Page 12

VoIP IA Initiatives

Leverage

– NIAP/CC

– IATF & IATFF

– Government/Industry Partnership

Communicate

– Government Needs & Industry Capabilities

VoIP Protection Profiles

VoIP IATF Section

VoIP IATFF Session

Page 13

VoIP Protection Profile(s)

Beginning development

Incorporate DoD Voice IA Requirements

Partnership with vendors, users

Goal: NIAP Evaluated VoIP Products Meeting DoD IA Requirements

Page 14

VoIP IATFF

Planning an IATFF session on VoIP

Looking for session ideas

– Topics

– Presenters

• Users, Vendors, Network Managers

http://www.iatf.net

Page 15

Wrap-Up

Need partnerships with

– Industry & Users

NIAP and IATF are good vehicles for communication of IA requirements

Getting the process started for VoIP

Need Your Help!!