SECURING CLASSIFIED NETWORKS AND SENSITIVE DATA
Kevin Mayo
CTO Global Government
Sun Microsystems, Inc.
Delivering Defence Solutions Globally
Agenda
WHAT IS THE SECURE NETWORK ACCESS PLATFORM?
Why it Works
Windows Interoperability, VOIP and Multi-Media
Challenges for Secure Collaboration Networks
• Role-based Access to Multiple Security Domains
• Secure Data Transfer between Domains
• Scalability and Availability
• Ability to meet Regulations and Certify/Accredit Deployed Platforms
• Maximize Workflow Efficiency
• Minimize Cost of Acquisition and Life-Time Ownership
Target Communities
• Government Communities of Interest have special IT needs based on classified information handling
> Requirements for appropriate handling of classified information mandate rigid approach to network configuration
> Conceptual “compartments” are manifested in physically isolated networks
• SNAP enables secure, multi-compartment access from a single, thin-client desktop system—while preserving network isolation
Government System Requirements
• Thin Client desktop – secure computing environment
• Single Virtual Switch to Multiple Networks
> Single desktop with connections to multiple security domains implemented as physically separated networks (without enabling intra-domain routing)
> End-users have controlled access to domains based on security level, compartmentalization
• Secure Inter-Domain Data Transfer
> Automated and manual auditing based on pre-defined policies and procedures
• Windows Interoperability
> Secure Global Network, Citrix, RDP, X Windows or Browser.
Status Quo Example—Stove Piped Networks for Secure Communications
Changed the Game—Single Multi-Tiered Secure Communications
Mobility with Security: Ultra-Thin Client Front-End
Before: To ensure a high level of security physically isolated clients were deployed often resulting in
After: Full Session Mobility enabled by a single state
The Sun Solution: Secure Network Access Platform
ARCHITECTURAL INDEPENDENCE
● Multi-network Application Consolidation
● Ultra Secure Authentication layer
● Context free access layer
● User Identity/Role based access
> Auditability
> Session Mobility
[Architecture diagram. Labels: DOD Community, Intell Community, NATO Community, Other Community; V240, Switch, D1000, 220R]
Different Security Domains
• System Requirements and Security Policy dictate which networks/security domain will be a part of the implementation
• Each security domain is assigned a label
> All labels defined in Labels and Encoding File
> All security domains within implementation must be defined in Labels and Encoding File
• Sol 10 TX using Mandatory Access Control and Trusted Networking enforces security policy by allowing/denying access to/from a specific security domain
• Security Domains can be dynamically added/deleted from architecture as long as they are defined in policy
User Access, Rights and Roles
• User Access dependent upon Roles and Security Clearance
• User Roles defined by job function and permission to applications and data
• All users are assigned a Role and are granted privileges based on security clearance
• Audit Logs record user activity
Trusted Solaris(TM) Is Certified as one of Indus
OS CERTIFIED WITH EAL4 AND 3 PROTECTION PROFILES IN EAL4:
CAPP—Controlled Access Protection Profile (Ensures proper login)
RBPP—Role-based Protection Profile (Role-based access control allows the system administrator to define roles based on job functions within an organization. The administrator assigns privileges to those roles)
LSPP—Labeled Security Protection Profile (All data and application components are formally labeled, addressed, and tracked through role based access control)
[Chart: operating systems by Common Criteria certification. Levels shown: EAL4+ (B1) (CAPP, RBACPP, LSPP); EAL4+ (C2) (CAPP & RBACPP); EAL4 or EAL4+ (C2) (CAPP); EAL3 or EAL3+. Operating systems shown: Trusted Extensions Layered on Solaris 10*, Trusted Solaris, Solaris 10, Solaris 9, Solaris 8, Windows 2000, HP-UX, IBM AIX, SuSE, SGI Irix, RedHat, Linux]
Based on data from http://www.commoncriteriaportal.org/
Common Criteria Evaluation Levels
• CC Evaluation Assurance Levels (EAL)
> EAL1 Functionally Tested
> EAL2 Structurally Tested
> EAL3 Methodically Tested and Verified
> EAL4 Methodically Designed, Tested and Verified
> EAL5 Semi-formally Designed and Tested
> EAL6 Semi-formally Verified Design and Tested
> EAL7 Formally Verified Design and Tested
• These are used to measure how well a protection profile has been tested...
Certification vs. Accreditation
• Hardware and Software Components are evaluated against Protection Profiles and receive Certifications at Evaluation Assurance Levels (EAL)
• Systems are Accredited based on the Security Policy established for the specific program
US Accreditation Examples
• Certification Test & Evaluation (CT&E)
> SR 1-8 Performed by DISA Slidell for NSA
> SR 9 (Penetration Testing) Performed by NSA
• SABI Accredited
> Completed Questionnaire
> Valid Requirement from Operational Unit
> DSAWG Process
> Cross Domain Technical Advisory Board - CDTAB
> Cross Domain Systems Approval Process - CDSAP
• Documents
> System Security Authorization Agreement - SSAA
> Interim Authority to Operate - IATO
> Cross Domain Appendix - CDA
> Enclave MOA’s
> Secret Network Connection Approval Process
• Awaiting US Department of Commerce export approval (expected this week)
Agenda
What is the Secure Network Access Platform?
WHY IT WORKS
Windows Interoperability, VOIP and Multi-Media
What Is Trusted Operating System?
Has the most complete set of trusted functionality of any certified OS
Solaris™ 10 Trusted Extensions
A security-enhanced version of Solaris with additional access control policies
Implements label-based security with hierarchical and compartmented modes
Implements Role-Based Access Control and the Principle of Least Privilege
Provides a trusted multilevel desktop for workstations and ultra-thin clients
Trusted Extensions
[Timeline diagram. Releases: Solaris 2.3, Solaris 8/9, Solaris 10; product lines: Trusted Solaris, Solaris, Solaris 10 w/ TX (layered on Solaris). Features shown: BSM, RBAC, Process Attributes, Device Allocation, Virtualization, Privilege Policy, Trusted Networking, Trusted Desktop]
Trusted Solaris History
• 1990, SunOS MLS 1.0
> Conformed to TCSEC (1985 Orange Book)
• 1992, SunOS CMW 1.0
> Compartmented-mode workstation requirements
> Release 1.2 ITSEC certified for FB1 E3, 1995
• 1996, Trusted Solaris 2.5
> ITSEC certified for FB1 E3, 1998
• 1999, Trusted Solaris 7
• 2000, Trusted Solaris 8
> Common Criteria: CAPP, RBACPP, LSPP at EAL4+
> Updates to Trusted Solaris 8 also re-certified
• 2006, Solaris 10 w/ Solaris Trusted Extensions
The Network Delivers the Desktop
Trusted Computing Key Features and Benefits
● Trusted Extensions extends the security capabilities of Solaris by providing:
− Trusted Path
− Least Privilege
− Discretionary Access Control (DAC)
− Mandatory Access Control (MAC)
− Sensitivity Labels
− Role-based Access Control (RBAC)
− Trusted Networking
− Trusted Windowing
− Trusted Printing
Trusted Path
● What is Trusted Path?
➢ A mechanism that provides confidence that the user is communicating directly with the Trusted Computing Base (TCB)
➢ It ensures that attackers can't intercept or modify whatever information is being communicated
● How is Trusted Path achieved?
➢ Trusted Windowing (Trusted CDE)
➢ Solaris Management Console (SMC)
Least Privilege
● There is no concept of “superuser”
➢ Root is not exempt from policy enforcement
➢ Root is not required for administration
● In its place, fine-grained privileges...
➢ That delegate specific capabilities as needed
● Example: How to start a web server?
➢ In Solaris, must be started as root or using a RBAC role that sets UID to 0 before starting
➢ In Trusted Solaris, only the privilege “net_privaddr” need be assigned
Discretionary Access Control
● Discretionary Access Control (DAC)
➢ A software mechanism for controlling users' access to files and directories.
➢ Leaves setting protections for files or directories to the owner's discretion
● There are two forms of DAC in both Solaris and Trusted Solaris:
➢ Unix Permissions
➢ Access Control Lists (ACLs)
Mandatory Access Control
● Mandatory Access Control (MAC)
➢ A system-enforced access control mechanism that uses clearances and labels to enforce security policy
➢ MAC is enforced according to your site's security policy and cannot be overridden without special authorization or privileges
● MAC is key in SNAP for preserving network isolation
Role-Based Access Control
● A role is a special account that provides access to specific programs using predefined privileges and authorizations
● Can only be assumed if Trusted Path exists
● Can grant fine-grained privileges to programs
● Can execute programs with different labels
Sensitivity Labels
● Sensitivity Labels are defined by:
➢ A Classification indicating the (hierarchical) level or degree of security
− e.g., TOP SECRET, SECRET, CONFIDENTIAL, …
− e.g., PUBLIC, INTERNAL, NEED TO KNOW, …
➢ A Compartment representing some grouping
− e.g., ALPHA1, BRAVO1, BRAVO2
− e.g., PAYROLL, HR, FINANCE, ENGINEERING
● Relationships can be hierarchical or compartmentalized
Sensitivity Labels (2)
● Dominance Relationships
➢ In a hierarchical relationship, a label that dominates another is able to read data from the lower label (“read down”)
● Clearances
➢ Highest level of access assigned to the user
● A user cannot read or write above clearance
● Privileges can be given to exceed clearance
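The dominance and clearance rules from the two Sensitivity Labels slides, as an added sketch that is not Sun's or Trusted Extensions' own code. A label is modelled as a classification plus a compartment set using the slides' example names; the numeric ranks, the function names and the least-upper-bound helper (which goes beyond the slides) are assumptions for illustration.

```python
from dataclasses import dataclass

# Assumed ranks for illustration; a real site defines its classifications
# in its label encodings, not in code.
RANK = {"CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    classification: str
    compartments: frozenset = frozenset()


def label(classification, *compartments):
    if classification not in RANK:
        raise ValueError(f"unknown classification: {classification!r}")
    return Label(classification, frozenset(compartments))


def dominates(a, b):
    """a dominates b when a's level is at least b's AND a holds every
    compartment of b. Two labels can be incomparable: neither dominates."""
    return (RANK[a.classification] >= RANK[b.classification]
            and a.compartments >= b.compartments)


def can_read(process, obj):
    """'Read down': a process may read an object only if its label dominates."""
    return dominates(process, obj)


def session_allowed(clearance, requested):
    """No work above clearance: the clearance must dominate the session label."""
    return dominates(clearance, requested)


def least_upper_bound(a, b):
    """Lowest label that dominates both inputs, e.g. for data merged from
    two sources."""
    top = max(a.classification, b.classification, key=RANK.get)
    return Label(top, a.compartments | b.compartments)


# Constructed sample labels built from the slides' example names.
SECRET_ALPHA = label("SECRET", "ALPHA1")
SECRET_BRAVO = label("SECRET", "BRAVO1")
TS_ALPHA = label("TOP SECRET", "ALPHA1")
TS_ALL = label("TOP SECRET", "ALPHA1", "BRAVO1", "BRAVO2")

if __name__ == "__main__":
    for proc, obj in [(TS_ALPHA, SECRET_ALPHA), (SECRET_ALPHA, TS_ALPHA),
                      (TS_ALPHA, SECRET_BRAVO), (SECRET_ALPHA, SECRET_BRAVO)]:
        print(f"{proc} reads {obj}: {can_read(proc, obj)}")
```

The third pair is the case a purely hierarchical reading misses: a TOP SECRET process without the BRAVO1 compartment is still denied SECRET BRAVO1 data.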
Label Aware Services
• Services which are trusted to protect multi-level information according to predefined policy
• Trusted Extensions Label-aware services include:
> Labeled Desktops
> Labeled Printing
> Labeled Networking
> Labeled Filesystem
> Label Configuration and Translation
> System Management Tools
> Device Allocation
Device Allocation
• Devices must be allocated before they can be used
• Only authorized users/roles are allowed to allocate/deallocate devices at a label they are cleared for.
• USB devices can be allocated
• Sun Thin Client Devices
> Audio filtered based on desktop unit
> Hot pluggable device support
• Devices can be controlled by role or by user
Zones for Trusted Extensions
• Each zone has a label
> Labels are implied by process zone IDs
> Processes are isolated by label (and zone ID)
> Files in a zone assume that zone's label
• Global zone is unique
> Parent of all other zones
> Exempt from all labeling policies
> No user processes—just TCB
> Trusted path attribute is applied implicitly
> Provides services to other zones
• Common naming service to all zones
• Device allocation on a per-zone / per-label basis
Trusted Extensions - Option 1: Per-Zone
• Each zone has a unique IP address
• Network Interface may be virtualized to share a single hardware NIC or use multiple NICs
[Diagram. Labels: Solaris Kernel; Multilevel Desktop Services (Global Zone); zones Need-to-know, Internal Use, Public; addresses 1.2.3.10, 1.2.4.10, 1.2.5.10, 1.2.6.10]
Trusted Extensions - Option 2: All-Zon
• All zones share a single address
• Shared network Interface may be physical or logical
• Both per-zone and all-zone assignment strategies can be used concurrently
[Diagram. Labels: Solaris Kernel; Multilevel Desktop Services (Global Zone); zones Need-to-know, Internal Use, Public; addresses 1.2.3.4 (shown four times), 1.2.6.10]
Multi-Level Desktop Look and Feel
Trusted Java Desktop System
Trusted Networking
Secure Network Access Platform for Governm
Top Secret Domain
Secret Domain A
Secret Domain B
Secret Domain C
Benefits of Trusted Extensions
• Leveraging Solaris functionality:
> Process & User Rights Management, auditing, zones
> Make use of existing Solaris kernel enhancements
• Elimination of patch redundancy:
> All Solaris patches apply, hence available sooner
> No lag in hardware platform availability
• Extend Solaris Application Guarantee
• Full hardware and software support
> File systems (UFS, VxFS, ZFS, SAM-FS, QFS, etc.)
> Processors (SPARC, x86, AMD64)
> Infrastructure (Cluster, Grid, Directory, etc.)
Trusted Extensions in a Nutshell
• Every object has a label associated with it
> Files, windows, printers, devices, network packets, network interfaces, processes, etc...
• Accessing or sharing data is controlled by the objects' label relationship to each other
> 'Secret' objects do not see 'Top Secret' objects
• Administrators utilize Roles for duty separation
> Security admin, user admin, installation, etc...
• Programs/processes are granted privileges rather than full superuser access
• Strong independent certification of security
Ease of Administration
Sun Ray – Ultra Thin Client
Client Pain Points
● Large Power Consumption
● Resource Underutilization
● Multiple Crash Sites
● Virus Entry Points
● Client Side Support
● Unapproved Apps
FAT OS
Local Apps
Big CPU, DRAM
Local Hard Drive
Thin Client Approach
Secure—Virus Free
Virtual Office
HA Client
Server-Side Upgrades
Sun Ray Ultra-thin Clients
Sun Ray 270
17" LCD Integrated
OEM options
Sun Ray 2G
1920 x 1200
Supports 24” Display
OEM's
• No DATA at the desktop
• No APPS at the desktop
• No OS at the desktop
• No END-USER MANAGEMENT at the desktop
Multiple OS & Application Choices: Solaris, Linux or Windows
Broadband deployment capable
Small footprint
Session Mobility/ Hot-Desking
Built-in Java Card Readers supporting multifactor authentication
Mobility with Security today at Sun
● 30,000+ Sun Rays deployed at Sun
● 1 SA per 3000 clients
● $ 4.8M Power Savings
● Zero Move/Add/Changes
● Patching and OS upgrade speed
● Zero annual desktop refresh costs
● $71 M Savings in Real Estate
● Software License Savings
● Secure: token authentication, no viruses
● Silent: no fans or moving parts
● No User time for boot up and OS management
Sun Ray Deployment Options
[Diagram. Labels: Sun Ray Server, ISP, Internet, Intranet, Home, Office, Router/Firewall, Corporate WAN, Broadband Remote]
JavaBadge
One, Multi-App Badge With a Future vs. Multiple Cards With No Future
Corporate Card/Physical Access Card
Sun Ray™ Server Session Mobility Card
PKI Authentication Token Card/ x509
Replaces Safeword Challenge/Response Card
Agenda
What is the Secure Network Access Platform?
Why It Works
WINDOWS INTEROPERABILITY, VOIP, MULTI-MEDIA
Windows Interoperability
Identity Synchronization for Windows (ISW) System Components
• ISW Connectors; synchronize modification and user creation events over the Message Queue
> Sun Java System Directory Server
> W2000/2003 Active Directory & NT SAM
• Connector Subcomponents; DS Plugin, NT Password Filter DLL, NT Change Detector
Existing Network Resources and ISW
VOIP
What's in a Softphone?
• User interface
• IP interface
• Signaling
• CODEC execution
• RTP media streaming
• Audio/QoS functions
• Proxy logic
• SDK/APIs
Current SunRay Softphone
SIP Communicator Lucent SIP softphone
Multi-Media Capable Sun Ray
• Delivered by 3rd party partner (GD C4 Systems)
> Prototype developed
> Anticipated availability, December 06
• Local Video and Audio Devices
> “Limited 3-D graphics rendering”
> codec and application dependent
> high-resolution display capabilities
> Low latency audio
> Streaming Audio and Video
• Desktop and Laptop / Portable footprint
• Sun Ray Engineering
> Sun Ray DDX into X Server
> Local Codec Execution on SR-2 Hardware
Why Should Your Customers Care About or Consider the Secure Network Access Platform?
Because it protects data, centralizes control of your data & helps avoid embarrassing and damaging media moments like these...
Secure Network Access Platform for Gov
3rd Party Security Extensions
Integration to Legacy Systems
Java Ultra-Thin Client Environment
Government Accredited Trusted Operating Env
RAS Compute Platform
Consulting, Training, and Support Services
TNE, Maxim, AC Tech, Cryptek, Tenix, RSA, TCS, etc.
Enterprise Solaris™ 9
Secure Global Desktop, Citrix, RDP, Thinsoft
SunRay 2FS, 270; Sun Ray Session Server, Trusted CDE, Java Cards
Solaris 10 TX Certified EAL4+ (B1): CAPP, LSPP, RBPP
Sun StorEdge Sun Servers
Sun Open Work Practice, Workshop, POC, Architecture and Implementation + Training and Support
THANK YOU