October 3, 2003
Partnerships for VoIP Security: VoIP Protection Profiles
David Smith
Co-Chair, DoD VoIP Information Assurance Working Group
NSA Information Assurance Directorate, Information Assurance Solutions Group
(410) 854-7302
E-mail: [email protected]

Agenda
DoD IA Policies
Common Criteria
– Protection Profiles & Security Targets
Information Assurance Technical Framework (IATF) and Forum
VoIP IA Initiatives
– Protection Profile(s)
– IATF

DoD IA Policies
DoDI 8500.1 & 8500.2
NSTISSP 11
By 1 July 2002, the acquisition of all COTS IA and IA-enabled IT products shall be limited only to those which have been evaluated and validated in accordance with either:
• International Common Criteria
• NSA/NIST National Information Assurance Partnership (NIAP) Evaluation and Validation Program
• NIST FIPS Validation Program

Common Criteria (CC)
Internationally recognized security criteria
Security requirements specification language
– Security functionality & assurance
Provides basis for validating conformance to specification (e.g. PP or ST) by independent third party (e.g. NIAP lab)

Protection Profiles vs. Security Target
Protection Profile - Customer
– Statement in CC language of security and assurance requirements (“I need”)
– For DoD, NSA writes the protection profiles
Security Target - Vendor
– Vendor claim in CC language of security and assurance requirements met (“I provide”)
Target of Evaluation

Robustness
Basic = Best Commercial Practice
Medium = Better than most current commercial
High = Usually Government Developed
Robustness is the combination of appropriate security requirements and assurance levels.
– Imperative that Evaluation Report be read to understand the IA quality. EAL doesn’t equate to Robustness level.

National Information Assurance Partnership (NIAP)
NSA/NIST Partnership
US Focal Point for Common Criteria
Manage & Maintain Process
– Common Criteria Evaluation and Validation Scheme
– Protection Profile Registry
– Evaluated Products Registry
– List of Certified Commercial Evaluation Labs
http://niap.nist.gov/

Information Assurance Technical Framework (IATF)
A Technical Security Guidance Document
– Unclassified
– Evolving
– Publicly available on IATF Web Site
UNCLASSIFIED
http://www.iatf.net

IATF Benefits
Helps U.S. Government users become wiser consumers when implementing security solutions
Assists U.S. industry in understanding the government’s needs and the nature of the desired solutions to these needs
Focuses investment resources on the security technology gaps

Information Assurance Technical Framework Forum (IATFF)
NSA-sponsored forum to foster dialog among U.S. Government agencies, U.S. Industry, and U.S. Academia
Sessions approximately every 6 weeks
Held at the Johns Hopkins Applied Physics Lab, Laurel, MD

IATFF Benefits
Fosters IA Dialog
– U.S. Government - U.S. Industry - U.S. Academia
Increases awareness of available security solutions
Establishes contacts between individuals and organizations dealing with similar problems

VoIP IA Initiatives
Leverage
– NIAP/CC
– IATF & IATFF
– Government/Industry Partnership
Communicate
– Government Needs & Industry Capabilities
VoIP Protection Profiles
VoIP IATF Section
VoIP IATFF Session

VoIP Protection Profile(s)
Beginning development
Incorporate DoD Voice IA Requirements
Partnership with vendors, users
NIAP Evaluated VoIP Products Meeting DoD IA Requirements

VoIP IATFF
Planning an IATFF session on VoIP
Looking for session ideas
– Topics
– Presenters
• Users, Vendors, Network Managers
http://www.iatf.net

Wrap-Up
Need partnerships with
– Industry & Users
NIAP and IATF are good vehicles for communication of IA requirements
Getting the process started for VoIP
Need Your Help!!