Secure nets-and-data
- 1. SECURING CLASSIFIED NETWORKS AND SENSITIVE DATA Kevin Mayo CTO Global Government Sun Microsystems, Inc.
- 2. Delivering Defence Solutions Globally Agenda WHAT IS THE SECURE NETWORK ACCESS PLATFORM? Why it Works Windows Interoperability, VOIP and Multi-Media
- 3. Delivering Defence Solutions Globally Challenges for Secure Collaboration Networks • • • • • • Role-based Access to Multiple Security Domains Secure Data Transfer between Domains Scalability and Availability Ability to meet Regulations and Certify/Accredit Deployed Platforms Maximize Workflow Efficiency Minimize Cost of Acquisition and Life-Time Ownership
- 4. Delivering Defence Solutions Globally Target Communities • Government Communities of Interest have special IT needs based on classified information handling > > • Requirements for appropriate handling of classified information mandate rigid approach to network configuration Conceptual “compartments” are manifested in physically isolated networks SNAP enables secure, multi-compartment access from a single, thin-client desktop system—while preserving network isolation
- 5. Delivering Defence Solutions Globally Government System Requirements • Thin Client desktop – secure computing environment • Single Virtual Switch to Multiple Networks > Single desktop with connections to multiple security domains implemented as physically separated networks (without enabling intra-domain routing) > End-users have controlled access to domains based on security level, compartmentalization • Secure Inter-Domain Data Transfer > Automated and manual auditing based on pre-defined policies and procedures • Windows Interoperability > Secure Global Network, Citrix, RDP, X Windows or Browser.
- 6. Delivering Defence Solutions Globally Status Quo Example— Stove Piped Networks for Secure Communications
- 7. Delivering Defence Solutions Globally Changed the Game— Single Multi-Tiered Secure Communications
- 8. Delivering Defence Solutions Globally Mobility with Security: Ultra-Thin Client Front-End Before: After: To ensure a high level of security physically isolated clients were deployed often single state Full Session Mobility enabled by a resulting in
- 9. Delivering Defence Solutions Globally The Sun Solution: Secure Network Access Platform DOD Community Intell Community Switch Switch Switch NATO Community Switch Other Community Switch ARCHITECTURAL INDEPENDENCE Multi-network Application Consolidation ● Ultra Secure Authentication layer ● V240 V240 V240 Switch Switch Context free access layer ● User Identity/Role based access ● Switch > ● D1000 Auditability > 220R Session Mobility N
- 10. Delivering Defence Solutions Globally Different Security Domains • System Requirements and Security Policy dictate which networks/security domain will be a part of the implementation • Each security domain is assigned a label > All labels defined in Labels and Encoding File > All security domains within implementation must be defined in Labels and Encoding File • Sol 10 TX using Mandatory Access Control and Trusted Networking enforces security policy by allowing/denying access to/from a specific security domain • Security Domains can be dynamically added/deleted from architecture as long as they are defined in policy
- 11. Delivering Defence Solutions Globally User Access, Rights and Roles • User Access dependent upon Roles and Security Clearance • User Roles defined by job function and permission to applications and data • All users are assigned a Role and are granted privileges based on security clearance • Audit Logs record user activity
- 12. Delivering Defence Solutions Globally Trusted Solaris(TM) Is Certified as one of Indus Trusted Extensions Layered on Solaris EAL4+ (B1) 10* (CAPP, RBACPP, LSPP) Solaris 10 EAL4+ (C2) (CAPP & RBACPP) OS CERTIFIED WITH EAL4 AND 3 PROTECTION PROFILES IN EAL4: CAPP—Controlled Access Protection Profile (Ensures proper login) RBPP—Role-based Protection Profile (Role-based access control allows the system administrator to define roles EAL4 or EAL4+ (C2) (CAPP) Linux based on job functions within an organization. The administrator assigns privileges to those roles) EAL3 or EAL3+ LSPP—Labeled Security Protection Profile ( All data and application components are REDHAT SGI Irix SuSE IBM AIX HP-UX WINDOWS 2000 SOLARIS 8 SOLARIS 9 TRUSTED SOLAR Based on data from http://www.commoncriteriaportal.org/ formally labeled addressed, and tracked through role based access control
- 13. Delivering Defence Solutions Globally Common Criteria Evaluation Levels • CC Evaluation Assurance Levels (EAL) > > > > > > > EAL1 EAL2 EAL3 EAL4 EAL5 EAL6 EAL7 Functionally Tested Structurally Tested Methodically Tested and Verified Methodically Designed, Tested and Verified Semi-formally Designed and Tested Semi-formally Verified Design and Tested Formally Verified Design and Tested • These are used to measure how well a protection profile has been tested...
- 14. Delivering Defence Solutions Globally Certification vs. Accreditation • Hardware and Software Components are evaluated against Protection Profiles and receive Certifications at Evaluation Assurance Levels (EAL) • Systems are Accredited based on the Security Policy established for the specific program
- 15. Delivering Defence Solutions Globally US Accreditation Examples • Certification Test & Evaluation (CT&E) > SR 1-8 Performed by DISA Slidell for NSA > SR 9 (Penetration Testing) Performed by NSA • SABI Accredited > Completed Questionnaire > Valid Requirement from Operational Unit > DSAWG Process > Cross Domain Technical Advisory Board - CDTAB > Cross Domain Systems Approval Process - CDSAP • Documents > > > > > System Security Authorization Agreement - SSAA Interim Authority to Operate - IATO Cross Domain Appendix - CDA Enclave MOA’s Secret Network Connection Approval Process • Awaiting US Department of Commerce export approval (expected this week)
- 16. Delivering Defence Solutions Globally Agenda What is the Secure Network Access Platform? WHY IT WORKS Windows Interoperability, VOIP and Multi-Media
- 17. Delivering Defence Solutions Globally What Is Trusted Operating System? A security-enhanced version of Solaris with additional access control policies Implements label-based security with hierarchical and compartmented modes Implements Role-Based Access Control and the Principle of Least Privilege SolarisTM 10 Trusted Extensions Provides a trusted multilevel desktop for workstations and ultra-thin clients Has the most complete set of trusted functionality of any certified OS
- 18. Delivering Defence Solutions Globally Trusted Extensions Trusted Solaris BSM Trusted Networking Trusted Desktop RBAC Solaris Solaris 2.3 Solaris 8/9 Solaris 10 w/ TX Layered on Solaris Process Attributes Device Allocation Virtualization Privilege Policy Solaris 10
- 19. Delivering Defence Solutions Globally Trusted Solaris History • 1990, SunOS MLS 1.0 > Conformed to TCSEC (1985 Orange Book) • 1992, SunOS CMW 1.0 > Compartmented-mode workstation requirements > Release 1.2 ITSEC certified for FB1 E3, 1995 • 1996, Trusted Solaris 2.5 > ITSEC certified for FB1 E3, 1998 • 1999, Trusted Solaris 7 • 2000, Trusted Solaris 8 > Common Criteria: CAPP, RBACPP, LSPP at EAL4+ > Updates to Trusted Solaris 8 also re-certified • 2006, Solaris 10 w/ Solaris Trusted Extensions
- 20. Delivering Defence Solutions Globally The Network Delivers the Desktop
- 21. Delivering Defence Solutions Globally Trusted Computing Key Features and Benefits ● Trusted Extensions extends the security capabilities of Solaris by providing: − − − − − − − − − Trusted Path Least Privilege Discretionary Access Control (DAC) Mandatory Access Control (MAC) Sensitivity Labels Role-based Access Control (RBAC) Trusted Networking Trusted Windowing Trusted Printing
- 22. Delivering Defence Solutions Globally Trusted Path ● What is Trusted Path? A mechanism that provides confidence that the user is communicating directly with the Trusted Computing Base (TCB) ➢ It ensure that attackers can't intercept or modify whatever information is being communicated ➢ ● How is Trusted Path achieved? Trusted Windowing (Trusted CDE) ➢ Solaris Management Console (SMC) ➢
- 23. Delivering Defence Solutions Globally Least Privilege ● There is no concept of “superuser” ➢ ➢ ● In its place, fine-grained privileges... ➢ That delegate specific capabilities as needed Example: How to start a web server? ➢ ➢ ● Root is not exempt from policy enforcement Root is not required for administration In Solaris, must be started as root or using a RBAC role that sets UID to 0 before starting In Trusted Solaris, only the privilege “net_privaddr” need be assigned
- 24. Delivering Defence Solutions Globally Discretionary Access Control ● Discretionary Access Control (DAC) A software mechanism for controlling users' access to files and directories. ➢ Leaves setting protections for files or directories to the owner's discretion ➢ There are two forms of DAC in both Solaris and Trusted Solaris: ● Unix Permissions ➢ Access Control Lists (ACLs) ➢
- 25. Delivering Defence Solutions Globally Mandatory Access Control ● Mandatory Access Control (MAC) A system-enforced access control mechanism that uses clearances and labels to enforce security policy ➢ MAC is enforced according to your site's security policy and cannot be overridden without special authorization or privileges ➢ ● MAC is key in SNAP for preserving network isolation
- 26. Delivering Defence Solutions Globally Role-Based Access Control ● ● ● ● A role is a special account that provides access to specific programs using predefined privileges and authorizations Can only be assumed if Trusted Path exists Can grant fine-grained privileges to programs Can execute programs with different labels
- 27. Delivering Defence Solutions Globally Sensitivity Labels ● Sensitivity Labels are defined by: ➢ A Classification indicating the (hierarchical) level or degree of security ● ➢ ➢ A Compartment representing some grouping ● ● ● e.g, TOP SECRET, SECRET, CONFIDENTIAL, … e.g., PUBLIC, INTERNAL, NEED TO KNOW, … e.g., ALPHA1, BRAVO1, BRAVO2 e.g., PAYROLL, HR, FINANCE, ENGINEERING Relationships can be hierarchical or compartmentalized
- 28. Delivering Defence Solutions Globally Sensitivity Labels (2) ● Dominance Relationships ➢ ● In a hierarchical relationship, a label that dominates another is able to read data from the lower label (“read down”) Clearances ➢ Highest level of access assigned to the user ● ● A user cannot read or write above clearance Privileges can be given to exceed clearance
- 29. Delivering Defence Solutions Globally Label Aware Services • Services which are trusted to protect multi-level information according to predefined policy • Trusted Extensions Label-aware service include: > > > > > > > Labeled Desktops Labeled Printing Labeled Networking Labeled Filesystem Label Configuration and Translation System Management Tools Device Allocation
- 30. Delivering Defence Solutions Globally Device Allocation • Devices must be allocated before they can be used • Only authorized users/roles are allowed to allocate/deallocate devices at a label they are cleared for. • USB devices can be allocated • Sun This Client Devices > Audio filtered based on desktop unit > Hot pluggable device support • Devicec can be contolled by role or by user
- 32. Delivering Defence Solutions Globally Zones for Trusted Extensions • Each zone has a label > Labels are implied by process zone IDs > Processes are isolated by label (and zone ID) > Files in a zone assume that zone's label • Global zone is unique > Parent of all other zones > Exempt from all labeling policies > No user processes—just TCB > Trusted path attribute is applied implicitly > Provides services to other zones • Common naming service to all zones • Device allocation on a per-zone / per-label basis
- 33. Delivering Defence Solutions Globally Trusted Extensions - Option 1: Per-Zone Need-toknow Internal Use Public Multilevel Desktop Services (Global Zone) Solaris Kernel 1.2.3.10 1.2.4.10 1.2.5.10 1.2.6.10 • Each zone has a unique IP address • Network Interface may be virtualized to share a single hardware NIC or use multiple NICs
- 34. Delivering Defence Solutions Globally Trusted Extensions - Option 2: All-Zon Need-toknow Internal Use Public Multilevel Desktop Services (Global Zone) Solaris Kernel 1.2.3.4 1.2.3.4 1.2.3.4 1.2.3.4 1.2.6.10 • All zones share a single address • Shared network Interface may be physical or logical • Both per-zone and all-zone assignment strategies can be used concurrently
- 35. Delivering Defence Solutions Globally Multi-Level Desktop Look and Feel
- 36. Delivering Defence Solutions Globally Trusted Java Desktop System
- 37. Delivering Defence Solutions Globally Trusted Networking Secure Network Access Platform for Governm Secret Domain A Secret Domain B Secret Domain C Top Secret Domain
- 38. Delivering Defence Solutions Globally Benefits of Trusted Extensions • Leveraging Solaris functionality: > Process & User Rights Management, auditing, zones > Make use of existing Solaris kernel enhancements • Elimination of patch redundancy: > All Solaris patches apply, hence available sooner > No lag in hardware platform availability • Extend Solaris Application Guarantee • Full hardware and software support > File systems (UFS, VxFS, ZFS, SAM-FS, QFS, etc.) > Processors (SPARC, x86, AMD64 > Infrastructure (Cluster, Grid, Directory, etc.)
- 39. Delivering Defence Solutions Globally Trusted Extensions in a Nutshell • Every object has a label associated with it > Files, windows, printers, devices, network packets, network interfaces, processes, etc... • Accessing or sharing data is controlled by the objects label relationship to each other > 'Secret' objects do not see 'Top Secret' objects • Administrators utilize Roles for duty separation > Security admin, user admin, installation, etc... • Programs/processes are granted privileges rather than full superuser access • Strong independent certification of security
- 40. Delivering Defence Solutions Globally Ease of Administration
- 41. Delivering Defence Solutions Globally Sun Ray – Ultra Thin Client
- 42. Delivering Defence Solutions Globally Client Pain Points FAT OS Multiple Crash Sites ● Virus Entry Points ● Client Side Support ● Unapproved Apps ● Local Apps ● Large Power Consumption ● Resource Underutilization Big CPU, DRAM Local Hard Drive
- 43. Delivering Defence Solutions Globally Thin Client Approach Secure— Virus Free Virtual Office HA Client Server-Side Upgrades
- 44. Delivering Defence Solutions Globally Sun Ray Ultra-thin Clients Session Mobility/ Hot-Desking Multiple OS & Application Choices: Solaris, Linux or Windows Small footprint Built-in Java Card Readers supporting multifactor authentication Sun Ray 2G Sun Ray 270 1920 x 1200 Supports 24” Display 17" LCD Integrated Broadband deployment capable • No DATA at the desktop OEM's • No APPS at the desktop • No OS at the desktop OEM options • No END-USER MANAGEMENT at the desktop
- 45. Delivering Defence Solutions Globally Mobility with Security today at Sun ● 30, 000+ Sun Rays deployed at Sun ● 1 SA per 3000 clients ● $ 4.8M Power Savings ● Zero Move/Add/Changes ● Patching and OS upgrade speed ● Zero annual desktop refresh costs ● $71 M Savings in Real Estate ● Software License Savings ● Secure: token authentication, no viruses ● Silent: no fans or moving part ● No User time for boot up and OS management
- 46. Delivering Defence Solutions Globally Sun Ray Deployment Options Sun Ray Server Corporate WAN Router/ Firewal l Interne t Intrane t Office Broadband Remote ISP Hom e
- 47. Delivering Defence Solutions Globally JavaBadge One, Multi-App Badge With a Future vs. Multiple Cards With No Future Corporate Card/ Physical Access Card Sun RayTM Server Session Mobility Card = PKI Authentication Token Card/ x509 Replaces Safeword Challenge/Response Card
- 48. Delivering Defence Solutions Globally Agenda What is the Secure Network Access Platform? Why It Works WINDOWS INTEROPERABILITY, VOIP, MULTIMEDIA
- 49. Delivering Defence Solutions Globally Windows Interoperability
- 50. Delivering Defence Solutions Globally Identity Synchronization for Windows (ISW) System Components • ISW Connectors; synchronize modification and user creation events over the Message Queue > Sun Java System Directory Server > W2000/2003 Active Directory & NT SAM • Connector Subcomponents; DS Plugin, NT Password Filter • DLL, NT Change Detector
- 51. Delivering Defence Solutions Globally Existing Network Resources and ISW
- 53. Delivering Defence Solutions Globally What's in a Softphone? • • • • • • • • User interface IP interface Signaling CODEC execution RTP media streaming Audio/QoS functions Proxy logic SDK/APIs
- 54. Delivering Defence Solutions Globally Current SunRay Softphone SIP Communicator Lucent SIP softphone
- 55. Delivering Defence Solutions Globally Multi-Media Capable Sun Ray • Delivered by 3rd party partner (GD C4 Systems) > Prototype developed > Anticipated availability, December 06 • Local Video and Audio Devices > “Limited 3-D graphics rendering” > codec and application dependent > high-resolution display capabilities > Low latency audio > Streaming Audio and Video • Desktop and Laptop / Portable footprint • Sun Ray Engineering > Sun Ray DDX into X Server > Local Codec Execution on SR-2 Hardware
- 56. Delivering Defence Solutions Globally Why Should Your Customers Care About or Consider the Secure Network Access Platform? Because it protects data, centralizes control of your data & helps avoid embarrassing and damaging media moments like these...
- 59. Delivering Defence Solutions Globally Secure Network Access Platform for Gov 3rd Party Security Extensions Integration to Legacy Systems Java Ultra-Thin Client Environment Government Accredited Trusted Operating Env RAS Compute Platform Consulting, Training, and Support Services TNE, Maxim, AC Tech, Cryptek, Tenix, RSA, TCS, etc. Secure Global Desktop, Citrix, RDP, Thinsoft SunRay 2FS, 270; Sun Ray Session Server, Trusted CDE, Java Cards Solaris 10 TX Certified EAL4+ (B1): CAPP, LSPP, RBPP Sun Solaris Enterprise StorEdge™ 9 Sun Servers Sun Open Work Practice, Workshop, POC, Architecture and Implementation + Training and Support
- 60. THANK YOU