Secure nets-and-data

SECURING CLASSIFIED NETWORKS AND SENSITIVE DATA
Kevin Mayo, CTO Global Government, Sun Microsystems, Inc.

Description: NATO security presentation

Transcript of Secure nets-and-data (60 pages)

Page 1: Secure nets-and-data

SECURING CLASSIFIED NETWORKS AND SENSITIVE DATA

Kevin Mayo, CTO Global Government, Sun Microsystems, Inc.

Page 2: Secure nets-and-data

Delivering Defence Solutions Globally

Agenda

WHAT IS THE SECURE NETWORK ACCESS PLATFORM?

Why it Works

Windows Interoperability, VOIP and Multi-Media

Page 3: Secure nets-and-data

Challenges for Secure Collaboration Networks

• Role-based Access to Multiple Security Domains

• Secure Data Transfer between Domains

• Scalability and Availability

• Ability to meet Regulations and Certify/Accredit Deployed Platforms

• Maximize Workflow Efficiency

• Minimize Cost of Acquisition and Life-Time Ownership

Page 4: Secure nets-and-data

Target Communities

• Government Communities of Interest have special IT needs based on classified information handling

> Requirements for appropriate handling of classified information mandate a rigid approach to network configuration

> Conceptual “compartments” are manifested in physically isolated networks

• SNAP enables secure, multi-compartment access from a single, thin-client desktop system—while preserving network isolation

Page 5: Secure nets-and-data

Government System Requirements

• Thin Client desktop – secure computing environment

• Single Virtual Switch to Multiple Networks

> Single desktop with connections to multiple security domains implemented as physically separated networks (without enabling intra-domain routing)

> End-users have controlled access to domains based on security level and compartmentalization

• Secure Inter-Domain Data Transfer

> Automated and manual auditing based on pre-defined policies and procedures

• Windows Interoperability

> Secure Global Network, Citrix, RDP, X Windows or Browser.

Page 6: Secure nets-and-data

Status Quo Example—Stove-Piped Networks for Secure Communications

Page 7: Secure nets-and-data

Changed the Game—Single Multi-Tiered Secure Communications

Page 8: Secure nets-and-data

Mobility with Security: Ultra-Thin Client Front-End

Before: To ensure a high level of security, physically isolated clients were deployed, often resulting in

After: Full Session Mobility enabled by a single state

Page 9: Secure nets-and-data

The Sun Solution: Secure Network Access Platform

ARCHITECTURAL INDEPENDENCE

● Multi-network Application Consolidation

● Ultra Secure Authentication layer

● Context free access layer

● User Identity/Role based access

> Auditability

> Session Mobility

[Architecture diagram: DoD, Intel, NATO and Other communities connected through network switches to Sun V240 and 220R servers and D1000 storage]

Page 10: Secure nets-and-data

Different Security Domains

• System Requirements and Security Policy dictate which networks/security domains will be a part of the implementation

• Each security domain is assigned a label

> All labels defined in Labels and Encoding File

> All security domains within the implementation must be defined in the Labels and Encoding File

• Solaris 10 TX using Mandatory Access Control and Trusted Networking enforces security policy by allowing/denying access to/from a specific security domain

• Security Domains can be dynamically added/deleted from the architecture as long as they are defined in policy

Page 11: Secure nets-and-data


User Access, Rights and Roles

• User Access dependent upon Roles and Security Clearance

• User Roles defined by job function and permission to applications and data

• All users are assigned a Role and are granted privileges based on security clearance

• Audit Logs record user activity

Page 12: Secure nets-and-data

Trusted Solaris(TM) Is Certified as one of Indus

OS CERTIFIED WITH EAL4 AND 3 PROTECTION PROFILES IN EAL4:

CAPP—Controlled Access Protection Profile (Ensures proper login)

RBPP—Role-based Protection Profile (Role-based access control allows the system administrator to define roles based on job functions within an organization. The administrator assigns privileges to those roles)

LSPP—Labeled Security Protection Profile (All data and application components are formally labeled, addressed, and tracked through role based access control)

[Chart of certification levels by operating system, based on data from http://www.commoncriteriaportal.org/. Rows: EAL4+ (B1) (CAPP, RBACPP, LSPP); EAL4+ (C2) (CAPP & RBACPP); EAL4 or EAL4+ (C2) (CAPP); EAL3 or EAL3+. Columns: Trusted Solaris, Solaris 9, Solaris 8, Windows 2000, HP-UX, IBM AIX, SuSE, SGI Irix, Red Hat, Linux, Solaris 10. Trusted Extensions is shown layered on Solaris 10.]

Page 13: Secure nets-and-data

Common Criteria Evaluation Levels

• CC Evaluation Assurance Levels (EAL)

> EAL1 Functionally Tested

> EAL2 Structurally Tested

> EAL3 Methodically Tested and Verified

> EAL4 Methodically Designed, Tested and Verified

> EAL5 Semi-formally Designed and Tested

> EAL6 Semi-formally Verified Design and Tested

> EAL7 Formally Verified Design and Tested

• These are used to measure how well a protection profile has been tested...

Page 14: Secure nets-and-data

Certification vs. Accreditation

• Hardware and Software Components are evaluated against Protection Profiles and receive Certifications at Evaluation Assurance Levels (EAL)

• Systems are Accredited based on the Security Policy established for the specific program

Page 15: Secure nets-and-data

US Accreditation Examples

• Certification Test & Evaluation (CT&E)

> SR 1-8 Performed by DISA Slidell for NSA

> SR 9 (Penetration Testing) Performed by NSA

• SABI Accredited

> Completed Questionnaire

> Valid Requirement from Operational Unit

> DSAWG Process

> Cross Domain Technical Advisory Board - CDTAB

> Cross Domain Systems Approval Process - CDSAP

• Documents

> System Security Authorization Agreement - SSAA

> Interim Authority to Operate - IATO

> Cross Domain Appendix - CDA

> Enclave MOA’s

> Secret Network Connection Approval Process

• Awaiting US Department of Commerce export approval (expected this week)

Page 16: Secure nets-and-data


Agenda

What is the Secure Network Access Platform?

WHY IT WORKS

Windows Interoperability, VOIP and Multi-Media

Page 17: Secure nets-and-data

What Is a Trusted Operating System?

Solaris(TM) 10 Trusted Extensions: has the most complete set of trusted functionality of any certified OS

A security-enhanced version of Solaris with additional access control policies

Implements label-based security with hierarchical and compartmented modes

Implements Role-Based Access Control and the Principle of Least Privilege

Provides a trusted multilevel desktop for workstations and ultra-thin clients

Page 18: Secure nets-and-data

Trusted Extensions

[Timeline diagram with columns Solaris 2.3, Solaris 8/9 and Solaris 10: Trusted Solaris, Solaris, and Solaris 10 w/ TX layered on Solaris. Features shown: BSM, RBAC, Process Attributes, Device Allocation, Virtualization, Privilege Policy, Trusted Networking, Trusted Desktop]

Page 19: Secure nets-and-data

Trusted Solaris History

• 1990, SunOS MLS 1.0

> Conformed to TCSEC (1985 Orange Book)

• 1992, SunOS CMW 1.0

> Compartmented-mode workstation requirements

> Release 1.2 ITSEC certified for FB1 E3, 1995

• 1996, Trusted Solaris 2.5

> ITSEC certified for FB1 E3, 1998

• 1999, Trusted Solaris 7

• 2000, Trusted Solaris 8

> Common Criteria: CAPP, RBACPP, LSPP at EAL4+

> Updates to Trusted Solaris 8 also re-certified

• 2006, Solaris 10 w/ Solaris Trusted Extensions

Page 20: Secure nets-and-data


The Network Delivers the Desktop

Page 21: Secure nets-and-data

Trusted Computing Key Features and Benefits

● Trusted Extensions extends the security capabilities of Solaris by providing:

− Trusted Path

− Least Privilege

− Discretionary Access Control (DAC)

− Mandatory Access Control (MAC)

− Sensitivity Labels

− Role-based Access Control (RBAC)

− Trusted Networking

− Trusted Windowing

− Trusted Printing

Page 22: Secure nets-and-data

Trusted Path

● What is Trusted Path?

➢ A mechanism that provides confidence that the user is communicating directly with the Trusted Computing Base (TCB)

➢ It ensures that attackers can't intercept or modify whatever information is being communicated

● How is Trusted Path achieved?

➢ Trusted Windowing (Trusted CDE)

➢ Solaris Management Console (SMC)

Page 23: Secure nets-and-data

Least Privilege

● There is no concept of “superuser”

➢ Root is not exempt from policy enforcement

➢ Root is not required for administration

● In its place, fine-grained privileges...

➢ That delegate specific capabilities as needed

● Example: How to start a web server?

➢ In Solaris, must be started as root or using an RBAC role that sets UID to 0 before starting

➢ In Trusted Solaris, only the privilege “net_privaddr” need be assigned

Page 24: Secure nets-and-data

Discretionary Access Control

● Discretionary Access Control (DAC)

➢ A software mechanism for controlling users' access to files and directories.

➢ Leaves setting protections for files or directories to the owner's discretion

● There are two forms of DAC in both Solaris and Trusted Solaris:

➢ Unix Permissions

➢ Access Control Lists (ACLs)

Page 25: Secure nets-and-data

Mandatory Access Control

● Mandatory Access Control (MAC)

➢ A system-enforced access control mechanism that uses clearances and labels to enforce security policy

➢ MAC is enforced according to your site's security policy and cannot be overridden without special authorization or privileges

● MAC is key in SNAP for preserving network isolation

Page 26: Secure nets-and-data


Role-Based Access Control

● A role is a special account that provides access to specific programs using predefined privileges and authorizations

● Can only be assumed if Trusted Path exists

● Can grant fine-grained privileges to programs

● Can execute programs with different labels

Page 27: Secure nets-and-data

Sensitivity Labels

● Sensitivity Labels are defined by:

➢ A Classification indicating the (hierarchical) level or degree of security

● e.g., TOP SECRET, SECRET, CONFIDENTIAL, …

● e.g., PUBLIC, INTERNAL, NEED TO KNOW, …

➢ A Compartment representing some grouping

● e.g., ALPHA1, BRAVO1, BRAVO2

● e.g., PAYROLL, HR, FINANCE, ENGINEERING

● Relationships can be hierarchical or compartmentalized

Page 28: Secure nets-and-data

Sensitivity Labels (2)

● Dominance Relationships

➢ In a hierarchical relationship, a label that dominates another is able to read data from the lower label (“read down”)

● Clearances

➢ Highest level of access assigned to the user

● A user cannot read or write above clearance

● Privileges can be given to exceed clearance
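The label rules on the two Sensitivity Labels slides, as an added worked example (not Sun's code): a label is a classification rank plus a compartment set, dominance is the partial order the slides describe, reads go down and writes stay at the session label, and both are bounded by the user's clearance. The classification ranks, the text syntax parsed here, the write-equal rule and the privilege bypass flag are constructed simplifications of Trusted Extensions behaviour.

```python
"""Toy model of sensitivity labels, dominance and clearance as described on
the Trusted Extensions slides. Added example (not Sun's code); the
classification ranks, compartment names and label syntax are constructed."""
from dataclasses import dataclass

# Hierarchical classifications, higher rank is more sensitive (constructed).
CLASSIFICATIONS = {"PUBLIC": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    classification: str
    compartments: frozenset = frozenset()

    def __post_init__(self) -> None:
        # Mirrors the slide's rule that every label in use must be defined
        # in the labels and encodings file: reject unknown classifications.
        if self.classification not in CLASSIFICATIONS:
            raise ValueError(f"undefined classification: {self.classification!r}")

    def dominates(self, other: "Label") -> bool:
        """Dominance: at least as high a classification AND a superset of
        the other label's compartments. Labels with different compartments
        are incomparable, so neither dominates the other."""
        return (CLASSIFICATIONS[self.classification]
                >= CLASSIFICATIONS[other.classification]
                and self.compartments >= other.compartments)


def parse_label(text: str) -> Label:
    """Parse e.g. 'TOP SECRET ALPHA1 BRAVO1' (constructed syntax). The
    longest leading prefix naming a classification is taken; the remaining
    words are compartments."""
    words = text.upper().split()
    for n in range(len(words), 0, -1):
        cls = " ".join(words[:n])
        if cls in CLASSIFICATIONS:
            return Label(cls, frozenset(words[n:]))
    raise ValueError(f"no classification in {text!r}")


def can_read(session: Label, clearance: Label, obj: Label,
             privileged: bool = False) -> bool:
    """Read-down: the session label must dominate the object's label, and
    the session itself must sit at or below the user's clearance. A held
    privilege (slide: 'privileges can be given to exceed clearance') is
    modelled as a plain bypass flag."""
    if privileged:
        return True
    return clearance.dominates(session) and session.dominates(obj)


def can_write(session: Label, clearance: Label, obj: Label) -> bool:
    """Write-equal: no write-down (it would leak data to a lower label) and
    no write above clearance. Strict label equality is the rule modelled."""
    return clearance.dominates(session) and session == obj
```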

Page 29: Secure nets-and-data

Label Aware Services

• Services which are trusted to protect multi-level information according to predefined policy

• Trusted Extensions label-aware services include:

> Labeled Desktops

> Labeled Printing

> Labeled Networking

> Labeled Filesystem

> Label Configuration and Translation

> System Management Tools

> Device Allocation

Page 30: Secure nets-and-data

Device Allocation

• Devices must be allocated before they can be used

• Only authorized users/roles are allowed to allocate/deallocate devices at a label they are cleared for.

• USB devices can be allocated

• Sun Thin Client Devices

> Audio filtered based on desktop unit

> Hot pluggable device support

• Devices can be controlled by role or by user

Page 31: Secure nets-and-data


Page 32: Secure nets-and-data


Zones for Trusted Extensions

• Each zone has a label

> Labels are implied by process zone IDs

> Processes are isolated by label (and zone ID)

> Files in a zone assume that zone's label

• Global zone is unique

> Parent of all other zones

> Exempt from all labeling policies

> No user processes—just TCB

> Trusted path attribute is applied implicitly

> Provides services to other zones

• Common naming service to all zones

• Device allocation on a per-zone / per-label basis

Page 33: Secure nets-and-data

Trusted Extensions - Option 1: Per-Zone

• Each zone has a unique IP address

• Network Interface may be virtualized to share a single hardware NIC or use multiple NICs

[Diagram: Solaris Kernel hosting Multilevel Desktop Services (Global Zone) and the zones Need-to-know, Internal Use and Public, each with its own address: 1.2.3.10, 1.2.4.10, 1.2.5.10, 1.2.6.10]

Page 34: Secure nets-and-data

Trusted Extensions - Option 2: All-Zone

• All zones share a single address

• Shared network Interface may be physical or logical

• Both per-zone and all-zone assignment strategies can be used concurrently

[Diagram: Solaris Kernel hosting Multilevel Desktop Services (Global Zone) and the zones Need-to-know, Internal Use and Public, all sharing the address 1.2.3.4; a separate interface at 1.2.6.10 is also shown]

Page 35: Secure nets-and-data

Multi-Level Desktop Look and Feel

Page 36: Secure nets-and-data

Trusted Java Desktop System

Page 37: Secure nets-and-data

Trusted Networking: Secure Network Access Platform for Government

[Diagram: Top Secret Domain, Secret Domain A, Secret Domain B, Secret Domain C]

Page 38: Secure nets-and-data

Benefits of Trusted Extensions

• Leveraging Solaris functionality:

> Process & User Rights Management, auditing, zones

> Make use of existing Solaris kernel enhancements

• Elimination of patch redundancy:

> All Solaris patches apply, hence available sooner

> No lag in hardware platform availability

• Extend Solaris Application Guarantee

• Full hardware and software support

> File systems (UFS, VxFS, ZFS, SAM-FS, QFS, etc.)

> Processors (SPARC, x86, AMD64)

> Infrastructure (Cluster, Grid, Directory, etc.)

Page 39: Secure nets-and-data

Trusted Extensions in a Nutshell

• Every object has a label associated with it

> Files, windows, printers, devices, network packets, network interfaces, processes, etc...

• Accessing or sharing data is controlled by the objects' label relationship to each other

> 'Secret' objects do not see 'Top Secret' objects

• Administrators utilize Roles for duty separation

> Security admin, user admin, installation, etc...

• Programs/processes are granted privileges rather than full superuser access

• Strong independent certification of security

Page 40: Secure nets-and-data


Ease of Administration

Page 41: Secure nets-and-data


Sun Ray – Ultra Thin Client

Page 42: Secure nets-and-data

Client Pain Points

● Large Power Consumption

● Resource Underutilization

● Multiple Crash Sites

● Virus Entry Points

● Client Side Support

● Unapproved Apps

[Diagram of a fat client: FAT OS, Local Apps, Big CPU and DRAM, Local Hard Drive]

Page 43: Secure nets-and-data

Thin Client Approach

[Diagram: Secure—Virus Free; Virtual Office; HA Client; Server-Side Upgrades]

Page 44: Secure nets-and-data

Sun Ray Ultra-thin Clients

Sun Ray 270: 17" LCD Integrated; OEM options

Sun Ray 2G: 1920 x 1200, Supports 24” Display; OEM's

• No DATA at the desktop

• No APPS at the desktop

• No OS at the desktop

• No END-USER MANAGEMENT at the desktop

Multiple OS & Application Choices: Solaris, Linux or Windows

Broadband deployment capable

Small footprint

Session Mobility/ Hot-Desking

Built-in Java Card Readers supporting multifactor authentication

Page 45: Secure nets-and-data

Mobility with Security today at Sun

● 30,000+ Sun Rays deployed at Sun

● 1 SA per 3000 clients

● $4.8M Power Savings

● Zero Move/Add/Changes

● Patching and OS upgrade speed

● Zero annual desktop refresh costs

● $71M Savings in Real Estate

● Software License Savings

● Secure: token authentication, no viruses

● Silent: no fans or moving parts

● No User time for boot up and OS management

Page 46: Secure nets-and-data

Sun Ray Deployment Options

[Diagram: Sun Ray Server reached via ISP, Internet/Intranet, Home, Office Router/Firewall, Corporate WAN and Broadband Remote]

Page 47: Secure nets-and-data

JavaBadge

One, Multi-App Badge With a Future vs. Multiple Cards With No Future

One JavaBadge = Corporate Card/Physical Access Card + Sun Ray(TM) Server Session Mobility Card + PKI Authentication Token Card/x509 + Replaces Safeword Challenge/Response Card

Page 48: Secure nets-and-data

Agenda

What is the Secure Network Access Platform?

Why It Works

WINDOWS INTEROPERABILITY, VOIP, MULTI-MEDIA

Page 49: Secure nets-and-data


Windows Interoperability

Page 50: Secure nets-and-data

Identity Synchronization for Windows (ISW) System Components

• ISW Connectors synchronize modification and user creation events over the Message Queue

> Sun Java System Directory Server

> W2000/2003 Active Directory & NT SAM

• Connector Subcomponents: DS Plugin, NT Password Filter DLL, NT Change Detector

Page 51: Secure nets-and-data


Existing Network Resources and ISW

Page 52: Secure nets-and-data


VOIP

Page 53: Secure nets-and-data


What's in a Softphone?

• User interface

• IP interface

• Signaling

• CODEC execution

• RTP media streaming

• Audio/QoS functions

• Proxy logic

• SDK/APIs

Page 54: Secure nets-and-data

Current SunRay Softphone

[Screenshots: SIP Communicator; Lucent SIP softphone]

Page 55: Secure nets-and-data

Multi-Media Capable Sun Ray

• Delivered by 3rd party partner (GD C4 Systems)

> Prototype developed

> Anticipated availability, December 06

• Local Video and Audio Devices

> “Limited 3-D graphics rendering”

> codec and application dependent

> high-resolution display capabilities

> Low latency audio

> Streaming Audio and Video

• Desktop and Laptop / Portable footprint

• Sun Ray Engineering

> Sun Ray DDX into X Server

> Local Codec Execution on SR-2 Hardware

Page 56: Secure nets-and-data

Why Should Your Customers Care About or Consider the Secure Network Access Platform?

Because it protects data, centralizes control of your data & helps avoid embarrassing and damaging media moments like these...

Page 57: Secure nets-and-data


Page 58: Secure nets-and-data


Page 59: Secure nets-and-data

Secure Network Access Platform for Government

[Layered diagram. Layers, top to bottom: 3rd Party Security Extensions; Integration to Legacy Systems; Java Ultra-Thin Client Environment; Government Accredited Trusted Operating Environment; RAS Compute Platform; Consulting, Training, and Support Services.]

Components shown, in order: TNE, Maxim, AC Tech, Cryptek, Tenix, RSA, TCS, etc.; Enterprise Solaris(TM) 9; Secure Global Desktop, Citrix, RDP, Thinsoft; SunRay 2FS, 270, Sun Ray Session Server, Trusted CDE, Java Cards; Solaris 10 TX Certified EAL4+ (B1): CAPP, LSPP, RBPP; Sun StorEdge, Sun Servers; Sun Open Work Practice, Workshop, POC, Architecture and Implementation + Training and Support

Page 60: Secure nets-and-data

THANK YOU