Tech Trend NotesPreview of Tomorrow’s Information TechnologiesVolume: 9 Edition: 4 Fall 2000

High-ReflectHigh-Reflectance,ance,Dielectric MirrorsDielectric Mirrors

Page 12Page 12

Page 3Page 3

Real TReal Time ime Intrusion DetectionIntrusion Detection

Page 16Page 16

Pointers Pointers - - Page 32Page 32

Calendar of EventCalendar of Events s - - Page 41Page 41TTechnology Forecastechnology Forecasts - Page 28s - Page 28

Focus - Page 22Focus - Page 22

1Research & Advanced Technology PublicationFall 2000

Introduction

The decade of the nineties hasbeen particularly challenging for theNational Security Agency'sInformation Assurance mission. Thegradual but accelerating changeoverfrom government produced tech-nologies to commercial products andservices has seriously eroded ourability to protect informationprocessed by the national securitycommunity. Numerous governmentprograms intended to produce highassurance data systems and worksta-tion platforms have been largelyunsuccessful, and the buying powerof the government has not com-manded the attention of the ITindustry. The historical flow of tech-nology from government to industri-al and home users has largely beenreversed. We often find technologiesthat are more sophisticated in ourhomes earlier than in our govern-ment workspaces. The shortcomingsof our information assurance tech-nologies are further evidenced by theshift of R&D resources away fromprotection and into detection andresponse initiatives.

To address these issues, duringthe summer of 1999 the NSAAdvisory Board (NSAAB) reviewedthe Information Systems SecurityOrganization's (ISSO) commercial-off-the-shelf (COTS) strategy. Theboard acknowledged the need toprovide the functionality and the feel

of familiar COTS technology to ourusers, but they believed that wewould not be able to influence thesecurity of COTS technology forhigh assurance applications. Theboard challenged the InformationAssurance Research Office to initi-ate a project to develop architecturesthat would allow COTS technologyto be used safely in high assuranceapplications.

A Tiger Team was assembled fora one-year effort to develop an archi-tectural approach to allow the safeuse of COTS in sensitiveGovernment applications. The usershould see a familiar interface, e.g.,Microsoft Windows OperatingSystem (OS) and off-the-shelf appli-cation software, but achieve theassurance needed for DoD use. TheNSAAB suggested that one or moregovernment-off-the-shelf (GOTS)components be included, preferablyas plug-ins; and their removal shouldallow the system to be used as a nor-mal COTS machine. The notion of a"Vault" was introduced as anInternet accessible, protected enclavethat would provide high assuranceservices to connected user machines.

The results of the Tiger Teameffort are a proof-of-concept archi-tecture and a set of components thatare referred to as NetTop. Theremainder of this article willdescribe the concept and technicalapproach used in the architecture,

identify several investigated applica-tions, and suggest future capabilities.

User Requirements

The ISSO’s customers have longidentified shortcomings with thesecurity technology that was avail-able to them. One significant con-cern is that their workspaces arecluttered with computer equipmentto support access to multiple net-works of differing sensitivity.Dealing with this duplication ofequipment has long been a problem,since there is no single system thatcan support all of their access needs.A second concern is that governmentdeveloped security solutions haveoften been incompatible with otherstandards-based IT products, whichhas significantly complicated theinterfacing and upgrading of systemcomponents. The cost and complexi-ty of network management is also asteadily growing issue, particularlyin times of declining resources andmounting security concerns over theoutsourcing of support. Our cus-tomers also need the ability to movedata across isolated networks inorder to perform their daily tasks,and the techniques to make suchtransfers efficient and safe. Finally,the increased importance placed oncoalition operations brings new chal-lenges for technology to securelysupport these operations. The archi-tecture of the NetTop prototype sug-gests a near-term approach that can

NetTopCommercial Technology in High Assurance ApplicationsBy Robert Meushaw and Donald Simard

2 Research & Advanced Technology Publication Tech Trend Notes

provide a useful and practical set ofcapabilities to satisfy these needs.

An Initial Capability

To begin the development of theNetTop architecture, a modest, initialcapability was sought. Opportunely,the ISSO's System Solutions Groupidentified an Internet-based versionof the Remote Access SecurityProgram (RASP) system as anexcellent prospect. The RASP pro-vides secure remote access to a hostcomputer over a dial-up connection,and includes a laptop computer anda specially developed encryptingmodem to protect the communica-tions link. Many customers haverequested a similar capability forremote network connectivity, butusing Internet connections through alocal Internet Service Provider (ISP),i.e., use the public data networkrather than the public voice network.The ability to provide a secure,remote connection over the Internetto a secure enclave was selected asthe initial NetTop goal.

An architecture that can achievethis capability has been known forsome time. It typically includes anend-user workstation, an in-lineencryptor, and possibly a filteringrouter or firewall to connect to theInternet. Commercially, such solu-tions are knows as Virtual PrivateNetworks (VPN). Figure 1 depicts atypical VPN client configuration.This system configuration wouldprovide the required functionality,but it would be cumbersome andexpensive for a mobile user.

Recycling Technology

The requirement that NetTopusers see a familiar COTS computerdesktop environment was taken as afundamental precept of the architec-ture. One consequence of thisapproach is that for high assuranceapplications, the end-user environ-ment must be presumed to beuntrustworthy, and the NetTop archi-tecture must protect against poten-tially hostile behavior.

In order to place limitations upona potentially malicious component,we explored the concept of encapsu-lation to constrain the behavior ofthe end-user operating system andapplication software. The methodselected for encapsulating the OSwas based upon a 30-year-old tech-nology, Virtual Machine Monitors(VMM). VMM technology wasdesigned and developed in the era oflarge IBM mainframe computers,and was intended to help extend thelife of legacy software, whenimproved hardware or OS softwarewas released. In essence, a VMMwas a software system that randirectly on the computer hardware,and allowed multiple operating sys-tems to be installed on top of it. Byrunning older OS versions in somevirtual machines, legacy softwarecould be run, while newer applica-

tion software could be executed inVMs running more current OS ver-sions.

Commodity VMMs

During the NetTop design discus-sions, we identified a new commer-cial product, VMware, that provideda practical VMM capability. TheVMware product is a spin-off ofDARPA-sponsored research atStanford University, and is generallyused for providing a safe test envi-ronment for OS and networkingsoftware.

There were several novel capabil-ities of VMware that made it attrac-tive for use in NetTop. First, it wasdesigned for efficient operation onIntel x86 platforms rather than onlarge mainframe computers, whichmade it suitable for use on common-place personal computers, worksta-tions, and laptops. Next, VMwareoperates on top of an underlyinghost OS rather than directly on thesystem hardware. VMMs that rundirectly on hardware have been stud-ied previously under ProjectNeptune for their use in securingsystems. A Neptune type of VMMwould face the enormous challengeof keeping pace with changes in theunderlying hardware platform.VMware takes advantage of the host

Figure 1 - Typical Virtual Private Network Client Configuration

3Research & Advanced Technology PublicationFall 2000

OS's need to track these changes.This is a much more practicalapproach, and would be particularlyimportant to produce a GOTS VMMfor NetTop. Lastly, VMware pro-vides an abstraction for "virtualEthernet hubs." This capabilityallows virtual machines to be inter-connected in a fashion that is wellunderstood by network designersand administrators.

A Network on a Desktop

Using VMware, the initialNetTop system was constructedusing a powerful laptop computer.The operating system chosen for thehost OS was Redhat Linux Version6.2. Three virtual machines net-worked by two virtual hubs wereinstalled on top of the host OS, pro-viding an in-line configuration ofthree machines comprising (1) anend-user Windows NT machine, (2)an encrypting machine using IPSec,and (3) a Filtering Router (FR)machine. Both the VPN and FRwere hosted on VMs running theLinux operating system. Figure 2displays the initial NetTop prototypeconfiguration.

The initial NetTop configurationdemonstrates a number of importantcapabilities. It encapsulates theunmodified, end-user Windowsoperating system in a VM. Animportant characteristic of thisapproach is that the encryption canbe provided as an in-line functionthat cannot be bypassed by mali-cious actions of the end-user OS orapplication software. Rudimentaryprotection from network attacks isprovided through a filtering router.

Any of the individual virtualmachines can be replaced or upgrad-ed with standards-based compo-nents. The interconnection of the vir-tual machines is based upon familiarTCP/IP networking. Finally, a singleplatform replaces several traditionalcomponents, thereby reducing hard-ware and maintenance costs. Animportant side benefit is that thearchitecture makes no assumptionsabout the communications technolo-gy used to connect the external net-work. The user is free to select the

desired technology, including dial-up, Ethernet, ATM, wireless, etc.

The basic NetTop configurationprovides the same functionality asthree separate hardware platforms.Each virtualized component shouldoperate identically to its real-worldcounterpart with "bug for bug com-patibility." The simple NetTop con-figuration was successfully connect-ed across the Internet to a simulated,secure enclave on an unclassifiedNSA network, using both dial-up

Figure 2 - Simple NetTop System Configuration

Figure 3 - NetTop Logical Configuration

4 Research & Advanced Technology Publication Tech Trend Notes

and cable modem connections. Sucha configuration could have all of thecapabilities of a locally connectedmachine, including the ability toconnect to the Internet, if permittedwithin the enclave. Figure 3 illus-trates a NetTop logical configura-tion.

Multiple Security Levels

A natural extension to the firstprototype was the addition of otherVMs to provide increased function-

ality. The second version of theNetTop prototype included anotherWindows NT machine connecteddirectly to the filtering router asshown in Figure 4. This machineallows a user to access the Internetdirectly. This extended prototypesuggests a powerful feature of theNetTop architecture - the ability toreplace multiple end-user worksta-tions within a single, hardware plat-form. In theory, multiple user con-nections to networks of differingsensitivity could be provided using

multiple VPNs. This envi-ronment providesMultiple (single) SecurityLevel (MSL) capabilityrather than true Multi-Level Security, but stilladdresses an importantcustomer need.

Another configurationfor a MSL system isshown in Figure 5, wheretwo isolated VM worksta-tions are connected to twodifferent networksthrough two networkinterface cards. Since the

network connections are alreadyphysically isolated, encrypted com-munication tunnels are not needed.This type of NetTop configurationmay be appropriate to replace multi-ple end user workstations, when sep-arate communications infrastructuresare already available.

Thin-Client VMs

While the VMs described so farhave been fully configured Windowsor Linux systems, there is nothingpreventing a VM from being a "thinclient." In fact, there may be reasonswhy a thin-client would be prefer-able. For example, if the WindowsNT in Figure 4 was installed as a"display only" thin-client, all classi-fied files could be kept on a remoteserver in a protected enclave. Thisconfiguration increases assurance,since the NetTop device containsminimal sensitive information.

Assurance

Despite the functional and costadvantages that the NetTop architec-ture described above may offer tosome users, its usefulness willdepend upon its ability to withstanddetermined attacks from the externalnetwork and from malicious end-user software. The most sensitiveapplications may require additionalprotection against compromisingsystem failures. While NetTopattempts to deal with insecuritiesthat may be caused by user errors,no attempt has been made to thwartmalicious insiders. As a practicalmatter, it should only be necessaryto demonstrate that a NetTop config-uration provides the same degree of

Figure 4 - NetTop Multiple Security Level Configuration

Figure 5 - NetTop Dual Network MSL Configuration

5Research & Advanced Technology PublicationFall 2000

security as the separate networkcomponents that it replaces. If thiscan be achieved, then the basicarchitectural approach is validated.

A number of approaches havebeen identified to increase the assur-ance of the NetTop architecture. Thecritical aspect of the architecture thatmust be validated is the ability of theVMM/Host OS combination to suf-ficiently isolate the various NetTopcomponents. Our approach to deal-ing with security in the underlyinghost is to use a Trusted Linux OSprototype that has been developedunder the IARO's OS Securityresearch program. Trusted Linuxincorporates flexible access controlmechanisms. In order to bolster theinherent isolation provided by theVMM, a tailored security policy hasbeen developed for the TrustedLinux host. The VMM/TrustedLinux combination will be evaluatedfurther during an internal "red team"exercise to assess the degree of iso-lation it provides.

The Trusted Linux prototype isalso envisioned for use as the guestOS in the VPN and Filtering RouterVMs. It is likely that a substantiallyreduced Trusted Linux OS could beconfigured to support each VM. Ineach case, specific security policiesneed to be tailored to support thelimited functionality of eachmachine. The particular encryptionand filtering router products selectedcould be from National InformationAssurance Partnership approved listsor specially developed GOTS com-ponents.

Another critical component of theunderlying host platform is theBIOS function that controls the ini-tial boot-up process, and its ability toarrive at a secure initial state.Vulnerabilities in the BIOS havelong been identified as the "Achilles'heel" of computer systems. Workpresently underway to develop arobust, trusted BIOS should beincorporated into any high assuranceNetTop system.

Failure Checking

Even a minimal NetTop configu-ration will be an extremely complexhardware and software system. Itwill not likely be amenable to theforms of failure analysis historicallyused for NSA high assurance sys-tems. While it might seem that sig-nificant failures in a NetTop devicewould result in complete systemshutdown, sensitive applicationswill require more rigorous assur-ance arguments. Lacking failuredetection support in the workstationplatform, an approach using a typeof "dead man's switch" has been

developed to limit failure effects bysevering external NetTop communi-cations.

In order to make an effectiveargument for the correct operationof a failure checking mechanism,hardware and software must becompletely independent of the sys-tem being checked. A DallasSemiconductor Tiny InterNetInterface (TINI) embeddable com-puter was networked to the in-lineNetwork Encryptor machine, andwas programmed to use a simplenetwork "ping" to the VPNmachine as a health check. If noresponse was received, the Internetconnection was interrupted. A morerobust health check could include amore complex set of tests to gainincreased assurance that the NetTopdevice is working properly. Thetests could includechallenge/response exchanges witha Failure Detection Server in theprotected enclave. A dead-manswitch of this type may be suitablefor a GOTS plug-in component forhigh assurance applications. The

Figure 6 - NetTop Improved Assurance Configuration

6 Research & Advanced Technology Publication Tech Trend Notes

failure detection approach is shownin Figure 7.

Moving Data Safely

Many organizations require theability to move informationbetween networks of differing secu-rity levels. A common operationinvolves downgrading informationfrom highly classified to lower clas-sified systems, but increasingly,information is imported from theInternet into classified systems. Inthe first case, it is essential thatclassified information not be com-promised, while in the second, aprimary concern is the protection ofthe classified host from maliciouscontent.

The VMware product includes acapability to copy and paste databetween VMs via a clipboard. Thisfeature does not include sufficientsafeguards for use in a high assur-ance NetTop system. In order toprovide a more trusted copy/pastefunction, a new capability, dubbed a"Regrader," was developed. This

capability includes a protocol forperforming the regrade operation,as well as a "Regrade Server" thatprovides a trusted network service.By making the regrade operation acentralized service, a number ofadvantages are gained. First, consis-tency in the regrade operation canbe achieved. Second, it would bepossible to develop and enforce aregrade policy that specified theconditions under which each usercould perform regrade operations.The regrade operation could include"sanitization" functions to deter thetransfer of covert or malicious con-tent. Finally, an audit log could be

maintained and monitored for sus-picious activity. Figure 8 depictsthe protocol exchange between theRegrade Server and two hosts ofdifferent security levels. A trusteduser token is employed in a chal-lenge/response exchange with thetrusted server in order to safeguardagainst untrusted OS behavior.

Coalition Support

The paradigm of virtualmachines creates abstractions ofphysical computers. Each VM iscomposed of a set of files thatembody a hardware/software sys-tem. This set of files can be copiedfrom one physical machine toanother. Given the portability ofVMs, there is no inherent reasonwhy a VM, or set of VMs, couldnot be electronically transferred. Itis possible for a NetTop device tobecome a member of a coalition bydownloading an appropriately con-figured VM over a secured commu-nications channel. The set of VMsin each coalition would constitute aVPN, and would not be able tocommunicate directly with VMs inother coalitions. Cross-coalitioncommunication is performed using

Figure 7 - Dead-Man Switch Architecture

Figure 8 - Regrade Server Protocol

7Research & Advanced Technology PublicationFall 2000

a variation of the RegradeServer previously described.For some coalitions, it mightbe useful to distribute applica-tion specific VMs, such as asecure Voice-over-IP machine.A centralized CoalitionManagement Server could beused to manage the configura-tion and distribution of VMsto coalition members. Theessence of NetTop's coalitionsupport is its ability to distrib-ute virtual systems electroni-cally. Figure 9 displays ahypothetical situation inwhich four organizations par-ticipate in four data coalitions andtwo voice coalitions. A simple capa-bility to demonstrate electronic dis-tribution of VMs is under develop-ment.

Additional Capabilities

A number of useful capabilitiesare included in the prototypes thatwere not described in the NetTopoverview. The entire file system onthe hard disk is encrypted in orderto protect against compromise if themachine is lost or stolen. The"International Patch" for Linux wasinstalled, which provides softwareencryption capabilities and servicesunder the control of the TrustedLinux host OS. The hard diskencryption is transparent to allVMs. Additionally, this diskencryption cannot be corrupted orbypassed by an VM. A process wasdeveloped that uses a floppy diskand a user entered PIN to "boot-strap" the decryption and loading ofsystem files from the hard disk.

During normal operation, all diskfiles, including temporary files, arestored encrypted on the hard disk.

The hardware virtualization pro-vided by the VMM also provides acapability to alter the operation ofthe hard disks seen by each VM. Inone mode, all changes made to aVM's hard disk are discarded whenit is powered down. This may beuseful in the operation of the IPSecand FR machines by preventingpermanent changes to the system ifa successful attack did occur. Anychanges would be lost when theVM was restarted, which wouldforce an adversary to repeat theattack.

Performance

Real-world performance deter-mines any technology's acceptance.NetTop's architecture includes a lotof functionality in a single hard-ware platform, yet the performanceis quite acceptable. The laptop com-

puter used in the prototype includesa 500 MHz Pentium III processorand 384 MB of memory. TheVMware VMM is surprisinglymodest in its affect upon the per-formance of a VM, and only aslight degradation is noticed. Asmore VMs are introduced, moreserious performance degradation isnoticed, but can be minimized withadditional memory. The 384-MBconfiguration of the NetTop proto-type shown in Figure 4 was suffi-cient to support the Linux host andfour guest VMs - two Windows NTmachines for the end-user terminalsand two Linux machines for the in-line Network Encryptor andFiltering Router. Overall, the per-formance of the NetTop prototypeis quite satisfactory, and easilykeeps pace with a high-speed, cablemodem connection. Continuingenhancements in hardware perform-ance will only improve its perform-ance.

Figure 9 - NetTop Coalition Concept

8 Research & Advanced Technology Publication Tech Trend Notes

Future Development

The NetTop proof-of-concept hasdemonstrated an architecture thatappears to have significant promisefor information assurance applica-tions. In its current form, however, itis unsuitable for widespread use andrequires considerable refinement.Our research has uncovered a num-ber of shortcomings in current tech-nology that need to be addressed.Additionally, important topics stillmust be investigated. Areas requir-ing further development are:

· Identification & AuthenticationArchitecture

· Biometric activation technique· Key & certificate management· Filtering Router management· Un-spoofable labels for MSL

windows· Trusted VM switching mechanism· Installation & configuration wizards

· IPSec modifications for NetTopprotocols

· User friendly interfaces

The set of capabilities identifiedas NetTop extensions - FailureDetection Server, Regrade Server,and Coalition Management Server -suggests an expansion of the securityservices typically considered as partof a Security ManagementInfrastructure. The integration ofthese services with traditional keyand certificate management servicesmay deserve a separate investigationto develop a concept for a morecomprehensive security infrastruc-ture.

Development of the NetTop pro-totype is continuing. Some of theconcepts previously describedincluding a Regrade Server, thin-clients, and coalition support will beintegrated as each is developed.

Conclusion

The Information AssuranceResearch Office has responded tothe NSAAdvisory Board's challengewith the NetTop proof-of-concept.The novel architecture builds uponCOTS technology, fortifies it withGOTS components, and provides acombination with the potential to besecurely used for sensitive applica-tions. It also addresses other impor-tant concerns, and provides a frame-work for useful extensions. NetTopdepends heavily upon the isolationcapabilities provided by the TrustedLinux/VMM combination. Therobustness of the approach stillrequires a comprehensive securityevaluation.

Donald Simard is the TechnicalDirector for the System and NetworkAttack Center and has been with theAgency since 1979. The majority ofhis work has been in the Information

Systems Security Organization.He is a Master in the INFOSECTechnical Track and has aMasters Degree in ComputerScience.

Robert Meushaw isTechnical Director for theInformation AssuranceResearch Office. He joined theAgency in 1973 with BS and MSdegrees in ElectricalEngineering. Mr. Meushaw hada long career in the InformationSystems Security Organizationprior to his current position. Heis a Master in the ComputerSystems Technical Track.

A very simple NetTop configuration with only one user Virtual Machine can providea very useful feature - media encryption - which could not otherwise be done witha high-level of confidence. Since the host operating system does not runapplications software, it is protected from virus attacks and other malicious softwarethat might corrupt the user VM. With the media encryption function embedded inthe host OS, all of the files on the hard disk can be encrypted transparently to theuser OS. The user OS cannot bypass the cryptography that is protecting the media.

TTN