secure nets-and-data

Post on 18-Nov-2014


DESCRIPTION

NATO security presentation

TRANSCRIPT

SECURING CLASSIFIED NETWORKS AND SENSITIVE DATA

Kevin Mayo, CTO Global Government, Sun Microsystems, Inc.

Delivering Defence Solutions Globally

Agenda

WHAT IS THE SECURE NETWORK ACCESS PLATFORM?

Why it Works

Windows Interoperability, VOIP and Multi-Media

Challenges for Secure Collaboration Networks

• Role-based Access to Multiple Security Domains

• Secure Data Transfer between Domains

• Scalability and Availability

• Ability to meet Regulations and Certify/Accredit Deployed Platforms

• Maximize Workflow Efficiency

• Minimize Cost of Acquisition and Life-Time Ownership

Target Communities

• Government Communities of Interest have special IT needs based on classified information handling
> Requirements for appropriate handling of classified information mandate rigid approach to network configuration
> Conceptual “compartments” are manifested in physically isolated networks

• SNAP enables secure, multi-compartment access from a single, thin-client desktop system—while preserving network isolation

Government System Requirements

• Thin Client desktop – secure computing environment

• Single Virtual Switch to Multiple Networks
> Single desktop with connections to multiple security domains implemented as physically separated networks (without enabling intra-domain routing)
> End-users have controlled access to domains based on security level, compartmentalization

• Secure Inter-Domain Data Transfer
> Automated and manual auditing based on pre-defined policies and procedures

• Windows Interoperability
> Secure Global Network, Citrix, RDP, X Windows or Browser.

Status Quo Example—Stove Piped Networks for Secure Communications

Changed the Game—Single Multi-Tiered Secure Communications

Mobility with Security: Ultra-Thin Client Front-End

Before: To ensure a high level of security physically isolated clients were deployed often resulting in

After: Full Session Mobility enabled by a single state

The Sun Solution: Secure Network Access Platform

ARCHITECTURAL INDEPENDENCE

● Multi-network Application Consolidation

● Ultra Secure Authentication layer

● Context free access layer

● User Identity/Role based access
> Auditability
> Session Mobility

[Diagram labels: DOD Community, Intell Community, NATO Community, Other Community; V240, D1000, 220R, Switch]

Different Security Domains

• System Requirements and Security Policy dictate which networks/security domain will be a part of the implementation

• Each security domain is assigned a label
> All labels defined in Labels and Encoding File
> All security domains within implementation must be defined in Labels and Encoding File

• Sol 10 TX using Mandatory Access Control and Trusted Networking enforces security policy by allowing/denying access to/from a specific security domain

• Security Domains can be dynamically added/deleted from architecture as long as they are defined in policy


User Access, Rights and Roles

• User Access dependent upon Roles and Security Clearance

• User Roles defined by job function and permission to applications and data

• All users are assigned a Role and are granted privileges based on security clearance

• Audit Logs record user activity


Trusted Solaris(TM) Is Certified as one of Indus

OS CERTIFIED WITH EAL4 AND 3 PROTECTION PROFILES IN EAL4:

CAPP—Controlled Access Protection Profile (Ensures proper login)

RBPP—Role-based Protection Profile (Role-based access control allows the system administrator to define roles based on job functions within an organization. The administrator assigns privileges to those roles)

LSPP—Labeled Security Protection Profile (All data and application components are formally labeled, addressed, and tracked through role based access control)

[Chart: Common Criteria certification level by operating system. Levels: EAL4+ (B1) (CAPP, RBACPP, LSPP); EAL4+ (C2) (CAPP & RBACPP); EAL4 or EAL4+ (C2) (CAPP); EAL3 or EAL3+. Operating systems: Trusted Solaris, Solaris 9, Solaris 8, Windows 2000, HP-UX, IBM AIX, SuSE, SGI Irix, Red Hat. Other labels: Trusted Extensions Layered on Solaris 10*, Linux, Solaris 10]

Based on data from http://www.commoncriteriaportal.org/

Common Criteria Evaluation Levels

• CC Evaluation Assurance Levels (EAL)

> EAL1 Functionally Tested

> EAL2 Structurally Tested

> EAL3 Methodically Tested and Verified

> EAL4 Methodically Designed, Tested and Verified

> EAL5 Semi-formally Designed and Tested

> EAL6 Semi-formally Verified Design and Tested

> EAL7 Formally Verified Design and Tested

• These are used to measure how well a protection profile has been tested...


Certification vs. Accreditation

• Hardware and Software Components are evaluated against Protection Profiles and receive Certifications at Evaluation Assurance Levels (EAL)

• Systems are Accredited based on the Security Policy established for the specific program


US Accreditation Examples

• Certification Test & Evaluation (CT&E)
> SR 1-8 Performed by DISA Slidell for NSA
> SR 9 (Penetration Testing) Performed by NSA

• SABI Accredited
> Completed Questionnaire
> Valid Requirement from Operational Unit
> DSAWG Process
> Cross Domain Technical Advisory Board - CDTAB
> Cross Domain Systems Approval Process - CDSAP

• Documents
> System Security Authorization Agreement - SSAA
> Interim Authority to Operate - IATO
> Cross Domain Appendix - CDA
> Enclave MOA’s
> Secret Network Connection Approval Process

• Awaiting US Department of Commerce export approval (expected this week)


Agenda

What is the Secure Network Access Platform?

WHY IT WORKS

Windows Interoperability, VOIP and Multi-Media


What Is Trusted Operating System?

Has the most complete set of trusted functionality of any certified OS

Solaris(TM) 10 Trusted Extensions

A security-enhanced version of Solaris with additional access control policies

Implements label-based security with hierarchical and compartmented modes

Implements Role-Based Access Control and the Principle of Least Privilege

Provides a trusted multilevel desktop for workstations and ultra-thin clients

Trusted Extensions

[Diagram labels: Solaris 2.3, Solaris 8/9, Solaris 10; Trusted Solaris; Solaris; Solaris 10 w/ TX, Layered on Solaris; BSM, RBAC, Process Attributes, Device Allocation, Virtualization, Privilege Policy, Trusted Networking, Trusted Desktop]

Trusted Solaris History

• 1990, SunOS MLS 1.0

> Conformed to TCSEC (1985 Orange Book)

• 1992, SunOS CMW 1.0

> Compartmented-mode workstation requirements

> Release 1.2 ITSEC certified for FB1 E3, 1995

• 1996, Trusted Solaris 2.5

> ITSEC certified for FB1 E3, 1998

• 1999, Trusted Solaris 7

• 2000, Trusted Solaris 8

> Common Criteria: CAPP, RBACPP, LSPP at EAL4+

> Updates to Trusted Solaris 8 also re-certified

• 2006, Solaris 10 w/ Solaris Trusted Extensions


The Network Delivers the Desktop

Trusted Computing Key Features and Benefits

● Trusted Extensions extends the security capabilities of Solaris by providing:
− Trusted Path
− Least Privilege
− Discretionary Access Control (DAC)
− Mandatory Access Control (MAC)
− Sensitivity Labels
− Role-based Access Control (RBAC)
− Trusted Networking
− Trusted Windowing
− Trusted Printing

Trusted Path

● What is Trusted Path?
➢ A mechanism that provides confidence that the user is communicating directly with the Trusted Computing Base (TCB)
➢ It ensures that attackers can't intercept or modify whatever information is being communicated

● How is Trusted Path achieved?
➢ Trusted Windowing (Trusted CDE)
➢ Solaris Management Console (SMC)

Least Privilege

● There is no concept of “superuser”
➢ Root is not exempt from policy enforcement
➢ Root is not required for administration

● In its place, fine-grained privileges...
➢ That delegate specific capabilities as needed

● Example: How to start a web server?
➢ In Solaris, must be started as root or using a RBAC role that sets UID to 0 before starting
➢ In Trusted Solaris, only the privilege “net_privaddr” need be assigned

Discretionary Access Control

● Discretionary Access Control (DAC)
➢ A software mechanism for controlling users' access to files and directories.
➢ Leaves setting protections for files or directories to the owner's discretion

● There are two forms of DAC in both Solaris and Trusted Solaris:
➢ Unix Permissions
➢ Access Control Lists (ACLs)

Mandatory Access Control

● Mandatory Access Control (MAC)
➢ A system-enforced access control mechanism that uses clearances and labels to enforce security policy
➢ MAC is enforced according to your site's security policy and cannot be overridden without special authorization or privileges

● MAC is key in SNAP for preserving network isolation


Role-Based Access Control

● A role is a special account that provides access to specific programs using predefined privileges and authorizations

● Can only be assumed if Trusted Path exists

● Can grant fine-grained privileges to programs

● Can execute programs with different labels

Sensitivity Labels

● Sensitivity Labels are defined by:

➢ A Classification indicating the (hierarchical) level or degree of security
● e.g., TOP SECRET, SECRET, CONFIDENTIAL, …
● e.g., PUBLIC, INTERNAL, NEED TO KNOW, …

➢ A Compartment representing some grouping
● e.g., ALPHA1, BRAVO1, BRAVO2
● e.g., PAYROLL, HR, FINANCE, ENGINEERING

● Relationships can be hierarchical or compartmentalized

Sensitivity Labels (2)

● Dominance Relationships
➢ In a hierarchical relationship, a label that dominates another is able to read data from the lower label (“read down”)

● Clearances
➢ Highest level of access assigned to the user

● A user cannot read or write above clearance

● Privileges can be given to exceed clearance
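
The dominance and clearance rules from the two Sensitivity Labels slides, worked through as an added example (not part of the original presentation and not Trusted Extensions code). It goes beyond the slide's hierarchical case by also comparing compartments as sets, which is the usual lattice rule; the numeric ordering, function names and sample labels are assumptions.

```python
from dataclasses import dataclass

# Constructed ordering for the classifications named on the slide.
LEVELS = {"CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    classification: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """At least as high a classification AND a superset of compartments."""
        return (LEVELS[self.classification] >= LEVELS[other.classification]
                and self.compartments >= other.compartments)


def label(classification: str, *compartments: str) -> Label:
    return Label(classification, frozenset(compartments))


def session_allowed(clearance: Label, session: Label,
                    exceed_privilege: bool = False) -> bool:
    """A user may not work above clearance unless a privilege allows it."""
    return exceed_privilege or clearance.dominates(session)


def read_decision(clearance: Label, session: Label, obj: Label) -> str:
    """Return 'allow' or 'deny: <reason>' for a read attempt."""
    if not session_allowed(clearance, session):
        return "deny: session label above clearance"
    if not session.dominates(obj):
        if LEVELS[session.classification] < LEVELS[obj.classification]:
            return "deny: object classification is higher (no read up)"
        missing = sorted(obj.compartments - session.compartments)
        return "deny: missing compartment(s) " + ",".join(missing)
    return "allow"


# Constructed sample data; compartment names are the slide's examples.
CLEARANCE = label("TOP SECRET", "ALPHA1")
CASES = [
    (label("SECRET", "ALPHA1"), label("CONFIDENTIAL")),          # read down
    (label("SECRET", "ALPHA1"), label("TOP SECRET", "ALPHA1")),  # read up
    (label("TOP SECRET", "ALPHA1"), label("SECRET", "BRAVO1")),  # wrong compartment
    (label("TOP SECRET", "ALPHA1", "BRAVO1"), label("SECRET")),  # above clearance
]

if __name__ == "__main__":
    for session, obj in CASES:
        print(read_decision(CLEARANCE, session, obj))
```

The third case is the one a purely hierarchical reading misses: a TOP SECRET session still cannot read a SECRET object whose compartment it does not hold, because the two labels are incomparable.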


Label Aware Services

• Services which are trusted to protect multi-level information according to predefined policy

• Trusted Extensions Label-aware services include:

> Labeled Desktops

> Labeled Printing

> Labeled Networking

> Labeled Filesystem

> Label Configuration and Translation

> System Management Tools

> Device Allocation


Device Allocation

• Devices must be allocated before they can be used

• Only authorized users/roles are allowed to allocate/deallocate devices at a label they are cleared for.

• USB devices can be allocated

• Sun Thin Client Devices
> Audio filtered based on desktop unit
> Hot pluggable device support

• Devices can be controlled by role or by user

Zones for Trusted Extensions

• Each zone has a label

> Labels are implied by process zone IDs

> Processes are isolated by label (and zone ID)

> Files in a zone assume that zone's label

• Global zone is unique

> Parent of all other zones

> Exempt from all labeling policies

> No user processes—just TCB

> Trusted path attribute is applied implicitly

> Provides services to other zones

• Common naming service to all zones

• Device allocation on a per-zone / per-label basis

Trusted Extensions - Option 1: Per-Zone

• Each zone has a unique IP address

• Network Interface may be virtualized to share a single hardware NIC or use multiple NICs

[Diagram labels: Solaris Kernel; Multilevel Desktop Services (Global Zone); Need-to-know; Internal Use; Public; addresses 1.2.3.10, 1.2.4.10, 1.2.5.10, 1.2.6.10]


Trusted Extensions - Option 2: All-Zon

• All zones share a single address

• Shared network Interface may be physical or logical

• Both per-zone and all-zone assignment strategies can be used concurrently

[Diagram labels: Solaris Kernel; Multilevel Desktop Services (Global Zone); Need-to-know; Internal Use; Public; addresses 1.2.3.4, 1.2.3.4, 1.2.3.4, 1.2.3.4, 1.2.6.10]

Multi-Level Desktop Look and Feel

Trusted Java Desktop System

Trusted Networking

Secure Network Access Platform for Governm

Top Secret Domain

Secret Domain A

Secret Domain B

Secret Domain C

Benefits of Trusted Extensions

• Leveraging Solaris functionality:
> Process & User Rights Management, auditing, zones
> Make use of existing Solaris kernel enhancements

• Elimination of patch redundancy:
> All Solaris patches apply, hence available sooner
> No lag in hardware platform availability

• Extend Solaris Application Guarantee

• Full hardware and software support
> File systems (UFS, VxFS, ZFS, SAM-FS, QFS, etc.)
> Processors (SPARC, x86, AMD64)
> Infrastructure (Cluster, Grid, Directory, etc.)

Trusted Extensions in a Nutshell

• Every object has a label associated with it
> Files, windows, printers, devices, network packets, network interfaces, processes, etc...

• Accessing or sharing data is controlled by the objects' label relationship to each other
> 'Secret' objects do not see 'Top Secret' objects

• Administrators utilize Roles for duty separation
> Security admin, user admin, installation, etc...

• Programs/processes are granted privileges rather than full superuser access

• Strong independent certification of security


Ease of Administration


Sun Ray – Ultra Thin Client


Client Pain Points

● Large Power Consumption

● Resource Underutilization

● Multiple Crash Sites

● Virus Entry Points

● Client Side Support

● Unapproved Apps

FAT OS

Local Apps

Big CPU, DRAM

Local Hard Drive

Thin Client Approach

Secure—Virus Free

Virtual Office

HA Client

Server-Side Upgrades

Sun Ray 270 17" LCD Integrated

OEM options

Sun Ray 2G 1920 x 1200

Supports 24” Display

OEM's

Sun Ray Ultra-thin Clients

• No DATA at the desktop

• No APPS at the desktop

• No OS at the desktop

• No END-USER MANAGEMENT at the desktop

Multiple OS & Application Choices: Solaris, Linux or Windows

Broadband deployment capable

Small footprint

Session Mobility/ Hot-Desking

Built-in Java Card Readers supporting multifactor authentication

Mobility with Security today at Sun

● 30,000+ Sun Rays deployed at Sun

● 1 SA per 3000 clients

● $ 4.8M Power Savings

● Zero Move/Add/Changes

● Patching and OS upgrade speed

● Zero annual desktop refresh costs

● $71 M Savings in Real Estate

● Software License Savings

● Secure: token authentication, no viruses

● Silent: no fans or moving parts

● No User time for boot up and OS management


Sun Ray Deployment Options

[Diagram labels: Sun Ray Server; ISP; Internet; Intranet; Home; Office; Router/Firewall; Corporate WAN; Broadband Remote]

JavaBadge

One, Multi-App Badge With a Future vs. Multiple Cards With No Future

Corporate Card/Physical Access Card

Sun Ray(TM) Server Session Mobility Card

PKI Authentication Token Card/ x509

Replaces Safeword Challenge/Response Card


Agenda

What is the Secure Network Access Platform?

Why It Works

WINDOWS INTEROPERABILITY, VOIP, MULTI-MEDIA


Windows Interoperability


Identity Synchronization for Windows (ISW) System Components

• ISW Connectors; synchronize modification and user creation events over the Message Queue
> Sun Java System Directory Server
> W2000/2003 Active Directory & NT SAM

• Connector Subcomponents; DS Plugin, NT Password Filter DLL, NT Change Detector


Existing Network Resources and ISW


VOIP


What's in a Softphone?

• User interface

• IP interface

• Signaling

• CODEC execution

• RTP media streaming

• Audio/QoS functions

• Proxy logic

• SDK/APIs


Current SunRay Softphone

SIP Communicator Lucent SIP softphone


Multi-Media Capable Sun Ray

• Delivered by 3rd party partner (GD C4 Systems)
> Prototype developed
> Anticipated availability, December 06

• Local Video and Audio Devices
> “Limited 3-D graphics rendering”
> codec and application dependent
> high-resolution display capabilities
> Low latency audio
> Streaming Audio and Video

• Desktop and Laptop / Portable footprint

• Sun Ray Engineering
> Sun Ray DDX into X Server
> Local Codec Execution on SR-2 Hardware

Why Should Your Customers Care About or Consider the Secure Network Access Platform?

Because it protects data, centralizes control of your data & helps avoid embarrassing and damaging media moments like these...

Secure Network Access Platform for Gov

3rd Party Security Extensions

Integration to Legacy Systems

Java Ultra-Thin Client Environment

Government Accredited Trusted Operating Env

RAS Compute Platform

Consulting, Training, and Support Services

TNE, Maxim, AC Tech, Cryptek, Tenix, RSA, TCS, etc.

Enterprise Solaris ™ 9

Secure Global Desktop, Citrix, RDP, Thinsoft

SunRay 2FS, 270; Sun Ray Session Server, Trusted CDE, Java Cards

Solaris 10 TX Certified EAL4+ (B1): CAPP, LSPP, RBPP

Sun StorEdge Sun Servers

Sun Open Work Practice, Workshop, POC, Architecture and Implementation + Training and Support

THANK YOU
