Applicability of Army automation security guidance

Calhoun: The NPS Institutional Archive
DSpace Repository
Theses and Dissertations
Thesis and Dissertation Collection
1987
Applicability of Army automation security
guidance to local area computer network security.
Ayres, Jeffrey D.
http://hdl.handle.net/10945/22630
Downloaded from NPS Archive: Calhoun
NAVAL POSTGRADUATE SCHOOL
Monterey, California

THESIS

APPLICABILITY OF ARMY AUTOMATION SECURITY GUIDANCE TO LOCAL AREA COMPUTER NETWORK SECURITY

by

Jeffrey D. Ayres

March 1987

Thesis Advisor: Thomas J. Brown

Approved for public release; distribution is unlimited.
REPORT DOCUMENTATION PAGE

Report Security Classification: UNCLASSIFIED
Distribution/Availability of Report: Approved for public release; distribution is unlimited.
Performing Organization: Naval Postgraduate School (Code 62), Monterey, California 93943-5000
Monitoring Organization: Naval Postgraduate School, Monterey, California 93943-5000
Title (include Security Classification): Applicability of Army Automation Security Guidance to Local Area Computer Network Security
Personal Author(s): Ayres, Jeffrey D.
Type of Report: Master's Thesis
Date of Report (Year, Month, Day): 1987 March
Page Count: 135
Subject Terms: Computer network security, local-area network security, Army computer network security regulations, guidance, regulations, security.

Abstract: The U.S. Army Combat Developments Experimentation Center (USACDEC) Directorate of Information Management (DIM), Fort Ord, is currently involved with several network implementations, all at various stages of development, and wants adequate network security at an affordable price. During early stages of development they found almost no existing local area network (LAN) security guidance. This thesis does not look for a set or perfect LAN guidance solution, but develops a background for security considerations during the development of a network based on existing automated data processing security guidance. All Army guidance reviewed was supplied by USACDEC/DIM; all other (DoD, etc.) guidance was selected for review by USACDEC/DIM, but obtained elsewhere.

Distribution/Availability of Abstract: Unclassified/Unlimited
Telephone of Responsible Individual (include Area Code): (408) 646-3117
Office Symbol: 62Bb

DD FORM 1473, 84 MAR. 83 APR edition may be used until exhausted; all other editions are obsolete.
Security Classification of This Page: UNCLASSIFIED
Approved for public release; distribution is unlimited.

Applicability of Army Automation Security Guidance to Local Area Computer Network Security

by

Jeffrey D. Ayres
Captain, United States Air Force
B.B.A., University of Wisconsin - Eau Claire, 1979

Submitted in partial fulfillment of the requirements for the degree of

MASTER OF SCIENCE IN SYSTEMS TECHNOLOGY
(Command, Control and Communications)

from the

NAVAL POSTGRADUATE SCHOOL
March 1987
ABSTRACT

The U.S. Army Combat Developments Experimentation Center (USACDEC) Directorate of Information Management (DIM), Fort Ord, is currently involved with several network implementations, all at various stages of development, and wants adequate network security at an affordable price. During early stages of development they found almost no existing local area network (LAN) security guidance. This thesis does not look for a set or perfect LAN guidance solution, but develops a background for security considerations during the development of a network based on existing automated data processing security guidance. All Army guidance reviewed was supplied by USACDEC/DIM; all other (DoD, etc.) guidance was selected for review by USACDEC/DIM, but obtained elsewhere.
TABLE OF CONTENTS

I. INTRODUCTION: OVERVIEW OF A LOCAL AREA COMPUTER NETWORK SECURITY ENVIRONMENT  11
   A. INTRODUCTION  11
      1. The Military Computer Security Threat  11
      2. Overview of LANs in a C3 Environment  12
      3. LAN Security Problems  14
      4. Accreditation Process  16
   B. PURPOSE  17
   C. ASSUMPTIONS  18
   D. OVERVIEW OF CHAPTERS  19

II. A GENERIC "BASELINE" CONFIGURATION  20
   A. BACKGROUND  20
      1. Introduction  20
      2. Benefits and Pitfalls  20
      3. Reasons for a LAN  21
   B. NETWORK CONFIGURATION COMPONENTS  21
      1. Component Overview  21
      2. Topology  22
      3. LAN Protocols  24
      4. Digital Switches and Computerized Branch Exchange (CBX)  26
      5. The Network Interface  28
      6. Internetworking  29
      7. Transmission Media  31
      8. Ethernet  33
      9. The Generic Base-line Configuration  34
   C. POSSIBLE USES/APPLICATIONS  35
   D. ENVIRONMENTAL CONSIDERATIONS  35
   E. FUTURE EXPANSION  36

III. SECURITY REGULATION AND GUIDANCE OVERVIEW  38
   A. INTRODUCTION  38
      1. Scope  38
      2. Background  39
   B. GUIDANCE SUMMARIES  40
   C. CATEGORY 1: GUIDANCE/REGULATIONS THAT APPLY TO LANS  41
      1. Sensitivity  41
      2. ADP Security Operation Modes  42
      3. General Network References  43
      4. Risk Management  44
      5. Configuration Control  45
      6. Physical/Environmental Considerations  47
      7. General Communications  47
   D. CATEGORY 2: GUIDANCE/REGULATIONS THAT DO NOT APPLY TO LANS  48
      1. Sensitivity  48
      2. General Communications  49
      3. Configuration Control  49
   E. CATEGORY 3: OUTDATED REGULATIONS AND GUIDANCE  50
      1. Physical/Environmental  51
      2. Configuration Control  51
   F. CATEGORY 4: LAN AREAS AND TOPICS NOT COVERED BY GUIDANCE  52
      1. Overview  52
      2. ATSs vs. ADP Networks (i.e. LANs)  52
      3. Configuration Components  52
      4. Software  52
      5. Network Audit Procedures  52
      6. Peripherals vs. System Approach  52
   G. THE NEXT STEP  53

IV. BASIC NETWORK SECURITY DEVELOPMENT CONSIDERATIONS PERTAINING TO COMPONENT GUIDANCE REQUIREMENTS  53
   A. PART 1: OVERVIEW  54
      1. Chapter IV Component Categories  54
      2. A Strategy for Applying General ADP Guidance to a Network  55
   B. PART 2: GENERAL LAN GUIDANCE REQUIREMENTS FOR NETWORK COMPONENTS  56
      1. System/Miscellaneous  56
      2. ADP Hardware  66
      3. Transmission Hardware  69
      4. Software  71
   C. PART 3: MULTILEVEL OPERATION MODE GUIDANCE REQUIREMENTS FOR NETWORK COMPONENTS  73
      1. Configuration Considerations  73
      2. Sensitivity and Operating Mode  73
      3. Procedures  74
      4. Software - Operating System  74
   D. PART 4: SYSTEM HIGH MODE GUIDANCE REQUIREMENTS FOR NETWORK COMPONENTS  74
      1. Configuration Considerations  74
      2. Sensitivity and Mode of Operation  75
   E. SUMMARY  75

V. LOCAL AREA COMPUTER NETWORK APPROVAL METHODOLOGY  77
   A. INTRODUCTION  77
   B. ACCREDITATION OVERVIEW  77
      1. Background  77
      2. The Accreditation Process  79
   C. ACCREDITATION REQUIREMENT SUMMARY  79
      1. Validated System Need and Requirements  79
      2. Statement of Accreditation Objectives and System Goals  80
      3. Risk Management Analysis  80
      4. System Configuration and Operation  80
      5. Implementation Plans  80
      6. Standard Test and Evaluation (ST&E)  80
      7. Plans for Problem Areas  80
      8. ST&E Results  81
      9. Other Documentation  81
      10. Accreditation Documentation  81
      11. System Operating Level Command Review  81
      12. Accreditation Authority Review  81
      13. System Implementation and Operation  82
   D. ORGANIZATIONS INVOLVED WITH APPROVAL AUTHORITY  82
   E. SUMMARY OF ADP SECURITY POSITIONS  84
   F. THE ACCREDITATION PROCESS SYSTEM CONFIGURATION AND OPERATION METHODOLOGY IN RELATION TO SECURITY REQUIREMENTS: SYSTEM CONFIGURATION CONSIDERATIONS, REQUIREMENTS  85
      1. Sensitivity  85
      2. Network Control  87
      3. Network Management Appointments  93
      4. Network Procedures  94
      5. Significant Applications  94
      6. Configuration/System Documents Required  95
      7. Future Upgrade/Expansion  95
      8. Waivers and Exceptions  95
   G. ADDITIONAL SYSTEM COMPONENT CONSIDERATIONS  95
      1. ADP Hardware  95
      2. Terminals  96
      3. Software  96
   H. TWO ALTERNATIVE EXAMPLES  97
      1. Generic Configuration - System High or Dedicated Design  98
      2. Multilevel Example - High-level Design  98

VI. CONCLUSIONS AND RECOMMENDATIONS  104
   A. SUMMARY AND CONCLUSIONS  104
      1. Sensitivity  104
      2. Configuration  105
      3. The Security Goal  106
      4. Accreditation  107
      5. Physical Protection  109
      6. Network Access  110
      7. Software  111
      8. Miscellaneous Network Management Considerations  111
   B. RECOMMENDATIONS  112
      1. General Protection of the Generic Configuration  112
      2. Important Guidance to Reference  112
      3. Future Research  113
   C. FINAL COMMENTS  114

APPENDIX: SECURITY GUIDANCE SUMMARIES  115
   1. INTRODUCTION  115
   2. REGULATION/GUIDANCE SUMMARIES  115
      a. ARMY REGULATION 380-380: Automation Security, 8 MAR 85
      b. ARMY REGULATION 380-5: Department of the Army (DA) Information Security Program, 15 FEB 85
      c. ARMY REGULATION 18-1: Army Automation Management, 15 SEP 80
      d. ARMY REGULATION 18-100: Army Automation Life Cycle Management, 15 Aug 81
      e. ARMY TECHNICAL BULLETIN TB 18-4: Automatic Data Processing Installation Review/Evaluation Checklist, 1 SEP 85
      f. ARMY PAMPHLET 18-7: Automatic Data Processing Management Review Guide, 1 SEP 82
      g. ARMY REGULATION 18-7: Automatic Data Processing Management Review Program, 30 NOV 84
      h. ARMY REGULATION 530-2: Communications Security (COMSEC), 3 DEC 85
      i. ARMY TECHNICAL BULLETIN TB 18-107: Army Automation Automatic Data Processing Equipment Operations Management, 3 FEB 86
      j. ARMY REGULATION 380-53: Communications Security Monitoring, 15 NOV 84
      k. DEPARTMENT OF DEFENSE (DoD) MANUAL 5220.22-M: Industrial Security Manual for Safeguarding Classified Information, 1 MAR 84
      l. DoD DIRECTIVE 5215.1 (DoD Dir 5215.1), SUBJECT: Computer Security Evaluation Center, 25 OCT 82
      m. DoD MANUAL 5200.28-M: ADP Security Manual - Techniques and Procedures for Implementing, Deactivating, Testing, and Evaluating Secure Resource-Sharing ADP Systems, JAN 73
      n. DoD COMPUTER SECURITY CENTER CSC-STD-001-83: DoD Trusted Computer System Evaluation Criteria (Also Known as the "Orange Book"), 15 AUG 83
      o. DoD DIRECTIVE 5200.28: Security Requirements for Automatic Data Processing (ADP) Systems, 18 AUG 72
      p. NATIONAL COMPUTER SECURITY CENTER PUBLICATION NCSC-WA-002-85: Personal Computer Security Considerations, 1985

LIST OF REFERENCES  131

INITIAL DISTRIBUTION LIST  134

LIST OF FIGURES

2.1 Generic Baseline Configuration  22
2.2 Basic Architecture Alternatives  23
2.3 Generic CBX Architecture  27
2.4 The Generic Interface Model  29
2.5 Interconnected Networks (Catenet)  30
5.1 General Accreditation Process and Requirements  79
5.2 The Generic Configuration with Multiplexers  89
5.3 The Generic Configuration with Cryptography  91
5.4 The Generic Configuration Between Buildings  99
5.5 Simple Multilevel LAN  100
5.6 Multilevel Subnetwork Configuration  101
5.7 Multilevel LAN High Level Configuration  103
I. INTRODUCTION: OVERVIEW OF A LOCAL AREA COMPUTER NETWORK SECURITY ENVIRONMENT

A. INTRODUCTION

1. The Military Computer Security Threat

Computer security is a problem that plagues many computer centers. Computer security is especially important in the military, where extensive automated data processing (ADP) systems control large forces and sensitive information. Moreover,

   potential damage from penetration is growing with the ever increasing concentration of sensitive information in computers and the interconnection of these computers into large networks. Through computer penetration an enemy could, for example, compromise plans for employment of tactical fighters or compromise operational plans and targeting for nuclear missiles. [Ref. 1: p. 17]

For example, one group of juvenile hackers "managed to shift the orbit of one or more communications satellites." [Ref. 2: p. 13] In terms of control of military forces, this type of penetration via computer could be a serious event in a command, control and communications (C3) context because C3 systems include computers, satellites and communications hardware. Thus, C3 computer networks, as well as other military systems, must continually operate in a secure manner.

C3 networks and other military systems include computer networks, local computer networks (LCN) and local area networks (LAN). A computer network consists of one or more computers with the connected terminal devices and other related devices, such as modems and communication input/output channels [Ref. 3: p. 258]. A local network is a "small-area" interconnection network that provides communications for a variety of devices [Ref. 4: p. 296]. Moreover, a LAN is a "general-purpose local network that can serve a variety of devices and is typically used for terminals, microcomputers, and minicomputers." Given the preceding definitions, this thesis will consider a local computer network (LCN) and a LAN one and the same. Before addressing security of LANs, the C3 environment is addressed to provide an example and background of distributed processing.
2. Overview of LANs in a C3 Environment

This section will provide a general definition of C3, a definition of distributed processing, a look at LAN support of distributed processing, some C3 environmental considerations for a LAN, and lastly, a few C3 functional activities and applications.

Many varied definitions of C3 exist; not all are agreed upon in military circles. There are variations such as command and control (C2) alone; C3; command, control, communications and intelligence (C3I), etc. For the purpose of this thesis the following definition from JCS Pub. 1 will be used [Ref. 5: pp. 1-6].

   The exercise of authority and direction by a properly designated commander over assigned forces in the accomplishment of his mission. Command and control functions are performed through an arrangement of personnel, equipment, communication, facilities, and procedures which are employed by a commander in planning, directing, coordinating, and controlling forces and operations in the accomplishment of his mission. [Ref. 5: p. 6]

Thus, a C3 system is used to support a decision maker (commander). Moreover, sensors, automatic data processors (ADP), and communications equipment systems are extensions of the decision maker's ability to gather, process, and disseminate information. [Ref. 6: p. 618] For our purposes C3 will be used in a general way to indicate any type of command and control (C2, C3, C3I, etc.) system.

Given the above comments, a C3 system generally consists of human, sensor, communication and ADP components, along with any associated software. This thesis will only consider the ADP network aspects that relate to C3 in general. All man-in-the-loop and sensor considerations are ignored in this thesis because it deals strictly with LAN security. C3 is used as an application example because it is one military application that often involves distributed processing supported by computers and networks.

C3 systems tend to be distributed configurations. Distributed processing is implemented via communications and computer networks. Current trends in C3 systems are toward survivable dispersed systems in which distributed ADP will play a major role [Ref. 6: p. 638]. Distributed ADP is "data processing in an organization where some or all of the processing and storage of data is provided at different locations that are connected by telecommunication lines." Decentralized ADP is "data processing in an organization where the processing and storage of data are provided independently at various locations throughout the organization." Any computer system can support both types of processing. A combination of both can be used in a C3 system [Ref. 3: pp. 114,127]. Furthermore, pure distributed data management involves the increased sharing of responsibility (with users) for managing functions of processing, movement, and storage of information. The overall approach of distributed system development is "to develop a conceptual view . . . to provide a framework, in which to manage distributed data management." [Ref. 7: pp. 6-8]

Distributed processing can be viewed as a hierarchical structure of computer systems and LANs. In this context, a local area network (LAN) will refer to a physically separate geographic part of a distributed computing/communications system. It includes an interconnection of computer processors, terminals, sensors, etc., and the required software. Normally, all LAN components are channeled through a central control point to communicate with other LANs and wide area networks, however multiple control points are possible [Ref. 8]. Moreover, individual computer systems make up LAN configurations. In the broader sense, the computer system supports some kind(s) of functional application(s) through application software. The LAN also supports applications, only in a distributed environment.

   LANs have emerged as the practical way to evolve yesterday's centralized, time sharing computer system into tomorrow's truly distributed network of functionally dedicated, microprocessor based servers. [Ref. 9: p. 69]

Thus, LANs can be thought of as the "system bus" for locally distributed computing environments. In other words, transferring data within the distributed LAN environment is similar to the transfer of data within a single computer system.

The general environment a C3 system operates in is one in which "the rate, complexity, dimensionality, and uncertainty of events and of information about them, in both crisis and war situations, is rapidly increasing." [Ref. 6: p. 620] Understanding of events and force information is required for effective force management [Ref. 10: p. 87]. Thus, a commander's mission performance depends on his C3 system. To all that, computers can and are used to provide a qualitative superiority in areas were we are outnumbered. For example, computers are at the heart of the C3 process in the Air Force. The need for secure computer networks is clear when we realize that good C3 capabilities can double or triple force effectiveness; conversely, ineffective C3 is certain to jeopardize or deny the objective sought. [Ref. 1: pp. 17-18]

Generally, the driving force behind LAN security is to reduce or eliminate potential damage from unauthorized system penetration. For example, given the Walker spy ring incident, consider this scenario: a Soviet agent aboard a U.S. Navy warship stealing the ship's ability to fight by tampering with sensor and weapon software. An agent would accomplish this by inserting or modifying portions of hidden ADP software modules. "Like an invisible time bomb, the subverted software could lie in the computer system, ready to explode in the form of catastrophic commands." [Ref. 2: p. 12]

Given the processes/activities within a C3 system,

   information technology does not simply help the commander and his staff, but also stimulates the development of collective military creativity, in which the largest group of people, including those separated by great distances, can participate (in Druzhinin and Kontorov). [Ref. 6: pp. 619-620]

As a result, a LAN can help provide a wide variety of processing; from data collection to decision aids. Some examples include dynamic electronic maps, pointers and blackboards. [Ref. 6: pp. 627,636] In short, various "Department of Defense (DoD) computers handle everything from targeting ICBM's to parceling out spaces in the Pentagon parking lot." [Ref. 2: p. 1] Given that "the flexibility of dynamic system expansion and reconfiguration is especially important for C3I applications," the future should bring ADP networks supporting C3 with more versatile and accurate resolution and filtering. [Ref. 9: p. 69] LAN flexibility is particularly applicable to more advanced tactical LANs.

3. LAN Security Problems

Earlier we mentioned some examples of military penetration in the C3 arena. However, virtually all government and military C3 systems depend on some form of LAN configuration. Thus, we will address a LAN in general. Many government and military systems indicate that it is important to concentrate on small local level configurations with emphasis on security at the unit level. This section will indicate a few general computer network security points in terms of ADP target areas, espionage and internal vulnerabilities.

General ADP/network target areas include ADP/network operating procedures, interfaces, electronic emissions, physical systems and loose personnel access. Once a target area is chosen, a system penetration can result in [Ref. 11: p. 81]:

- Extraction - copying data.
- Alteration - change in data.
- Observation - no direct effect in, or modification or change of hardware, procedures, or data.
- Addition of extraneous data.
- Use of hardware or software resources.

The above penetration activities can result in "espionage". Espionage can be internal, like the Walker spy ring, or external from enemy sources and hackers. For example, a UCLA student broke into over 150 computer accounts in the Pentagon funded Advance Research Project Agency Network (ARPANET) in an attempt to prove system security. [Ref. 2: preface] Moreover, Air Force tiger teams have penetrated Air Force systems which were thought to be tamper-proof. Tiger team findings and comments include:

• New teams found new holes, even after previous teams could not gain access.
• Holes generally result from human design oversight.
• It does not take a highly skilled expert to penetrate security.
• The access threat from outside sources is growing; communication taps; microwave intercepts; etc. [Ref. 1: pp. 23-24]

Some common techniques used to commit computer-related fraud and abuse are listed below.

COMPUTER-RELATED FRAUD
• Entering unauthorized information
• Manipulating authorized input information
• Manipulating or improperly using information files and records
• Creating unauthorized files and records
• Overriding internal controls.

COMPUTER-RELATED ABUSE
• Stealing computer time, software, information, or equipment
• Entering unauthorized information
• Creating unauthorized information files and records
• Developing computer programs for nonwork purposes
• Manipulating or improperly using computer processing.

Examples range from routing government funds to personal bank accounts, to selling information. [Ref. 12: pp. 10-11,31]

Obviously, given an application and threats of fraud and abuse, ADP security is required. By consequence, the level of security required for a network must be approved before operations begin. In the Army the ADP and network approval process is called accreditation.

4. Accreditation Process

One important result of concerns for ADP security in the Army is the accreditation process. The term 'accreditation' is used to describe the process whereby information pertaining to the security of an Army data processing activity (DPA), ATS (automated telecommunications system), or network is submitted for approval. The accreditation authority reviews the submitted system documentation and approves or disapproves it. Disapproval indicates that the system is not acceptable. [Ref. 13: p. 6] The accreditation authority for systems processing critically sensitive (CS) levels of information are Headquarters Department of the Army (HQDA) and major command (MACOM) commanders (general officers), depending on the system. At the highly sensitive (HS) information level, installation, post, or field operation commanders can be the accreditation authority. For the sensitive level the heads of the data processing activities (DPA) or centralized office automation agencies may be the accreditation authority. Nonsensitive systems do not need accreditation. [Ref. 13: p. 30] More on sensitivity and accreditation is presented in following chapters.

The Army variation in types of systems, functions, and installations caused the Army to develop different accreditation standards and procedures. For example, Army data processing activities (DPA) and/or automated telecommunication systems (ATS) are grouped according to sensitivity categories and levels of risk associated with accreditation. The goal is to make sure the accreditation efforts relate to the specified system, and that the system accreditation process is cost effective. [Ref. 13: p. 30]

The purpose of accreditation is "to provide a critical review of a designated DPA/ATS which will enable the accreditation authority to determine that sensitive information can be processed within the bounds of acceptable risk." By consequence, the analytical accreditation process requires, as a minimum, investigation, information gathering, and formal review by command authorities at both the operating and accrediting management levels. Understandably, accreditation evolves from completing a series of goal and objective statements, system descriptions, and other documentation and reviews; information is collected, analyzed, and reviewed at all levels. In addition, all documentation must be classified according to its sensitivity level. [Ref. 13] The process ends when "a formal, dated, statement of accreditation has been issued by the appropriate authority." At that time the accreditation is effective. [Ref. 13]
B. PURPOSE

The U.S. Army Combat Developments Experimentation Center (USACDEC) Directorate of Information Management (DIM), Fort Ord, is currently involved with several network implementations, all at various stages of development. Like many government agencies, USACDEC has its own inherent resource constraints, and wants adequate network security at an affordable price. During early stages of development they found almost no existing LAN security guidance. Given that their networks would be approved in terms of existing guidance, and their requirement to process sensitive information, USACDEC/DIM was interested in an "outsider's" interpretation of ADP security guidance in terms of LANs. Thus the following thesis statement was developed:

   Identify local computer network (LAN) regulation and guidance requirements that are valid and outdated, and LAN areas that are not adequately covered by current regulations, to give system developers a better feel for security boundaries.

In doing this, the purpose is not to look for a set or perfect solution, but to develop a background for security considerations during the development of a network. It is hoped that this will be used as a guide or a tool for identifying security bounds during system development or expansion.

The reason, of course, is that there are parts of regulations and guidance that are left to interpretation. Or, in the ADP context, it is common knowledge that computer technology and its application is constantly changing for the better, assuming it is not used by upper level commanders to access detailed information at the work level, and not used by upper command/management levels to "micro-manage." In addition, current regulations cannot keep up because many new ideas for regulations and ADP protection "have been sidetracked in the rush to modernize computer systems and continually update software." [Ref. 2: p. 3] As a result, a certain level of risk must be accepted by the system developers and sponsors.

Given the wide variety of computer systems and computer networks that exist within the DoD, a generic baseline system is used as a guide. It consists of basic components that can be found in DoD and on many Army networks. The purpose here is to provide general technical network background information for a configuration security analysis, and give the reader some frame of reference. As a result, the general baseline analysis is in terms of configuration hardware, software, and interfaces at a conceptual level. Hence, the scope of the thesis is limited mostly to configuration security; physical security and operational considerations are limited, and personnel security is only mentioned in certain areas.

Furthermore, the thesis is intended to serve as a guide for identifying network guidance requirements for system components and the overall system configuration. Component topics are identified in Chapter II. It is hoped that this thesis will provide the system developer with a guide/tool that will help him/her focus an accreditation effort, develop the system, examine potential expansion alternatives, become aware of operational methods and constraints, and develop possible accreditation strategies.
C. ASSUMPTIONS

The following assumptions are made to help limit the scope of the thesis.

• All comments concerning guidance applicability are restricted to the guidance referenced in this thesis. Note: a list of the guidance can be found in Chapter III. All Army guidance reviewed was supplied by USACDEC/DIM; all other (DoD, etc.) guidance was selected for review by USACDEC/DIM, but obtained elsewhere.
• The generic baseline used could be a microcomputer, minicomputer, mainframe computer based network, or any combination.
• Specific brands of software and hardware will not be mentioned unless they are a part of many DoD systems.
• The thesis assumes basic building construction of facilities housing LAN components is adequate.
• A risk management analysis is complete. Risk management is explained in Chapter III.
• A "network" has the same basic functions and requirements as a LAN. Thus any references to a "network" in the guidance pertain to LANs as well.
• Automated data processing (ADP) is used in a general way to represent computer systems.
• The audience is mostly Army commanders, Army or DoD personnel with an ADP background; managers, or security managers considering installation of a network for the first time; and ADP security managers in general.
• No command-unique regulations or guidance documents are referenced.
D. OVERVIEW OF CHAPTERS

The chapters that follow address the generic baseline configuration, a review of current security regulations and network guidance, network development considerations pertaining to security requirements, and potential security approval methodology.

More specifically, Chapter II defines the generic baseline LAN configuration in detail. Hardware that may access the network will be identified. In addition, the system software identified will be based on actual software currently in use on some operational networks. Types of tailor-made and off-the-shelf application software will be identified, in a limited fashion. Examples of possible applications of a network similar to the generic network will be identified. Moreover, environmental considerations and physical hardware layout will be addressed; physical layout will be restricted to hardware interface relationships (no detailed building or floor-plan layouts).

Chapter III will give an overview of the LAN security considerations for the generic LAN baseline described in Chapter II. What's more, it will categorize security regulations and guidance to determine what currently applies and what is outdated. Also, parts of the LAN that are not covered by current regulations will be identified. Interpretations of the regulations are suggested.

Network development considerations pertaining to system high requirements and multilevel requirements are identified in Chapter IV. A general strategy is developed for the generic baseline system. Furthermore, the relevancy of regulations is addressed in terms of accreditation requirements in Chapter V. First, the basic Army accreditation process is outlined and important areas are highlighted. Then, gaps between what security regulations state and what exists in the generic network are considered in terms of the accreditation process. Approval methodology addresses regulations that apply, current operations, and future expansion. Note that accreditation preparation directions are not presented; only general strategy considerations.

Finally, Chapter VI presents conclusions and summarizes the areas the thesis examines. Additionally, some recommendations are presented in terms of general protection, important guidance, and future research suggestions.
II. A GENERIC "BASELINE" CONFIGURATION

A. BACKGROUND

1. Introduction

In Chapter I a local network was defined as a small-area communications network. Even though this thesis is concerned with LANs, i.e. a local computer network (data communication devices), in contrast to a general purpose local network, whose applications include the automatic data processing (ADP) facility, sensors (temperature, humidity, security, etc.), telephones, televisions, and other devices that can communicate over a transmission medium, the basic configuration concepts are the same for both networks. Moreover, the geographic scope of a LAN is small, usually serving a building or a group of buildings not covering more than a few tens of kilometers. Two examples are a campus or a military base. As a general rule, key characteristics are high data rates, short distances, and a low error rate. [Ref. 4: p. 1] In a well designed network, additions and replacements can be made with little impact on the other devices on the network. In addition, control of the network can be distributed. [Refs. 4,14] This chapter will look at the LAN components, applications, configuration environment, and expansion in relation to the generic "baseline."
2. Benefits and Pitfalls

A LAN improves the reliability, availability, and survivability of an ADP facility through redundancy. In other words, many separate device nodes and links ensure continued operation when part of the network is damaged or under repair. Other general benefits include:
• Improved system responsiveness/performance.
• Use of a single terminal to access multiple computers.
• Flexibility of equipment location. [Ref. 4: pp. 2-3]

One major pitfall is that the addition of new applications or enhancements risks the introduction of errors and the reduction of performance of the entire system. Other general pitfalls include:
• Interoperability/interface problems with diverse types of equipment. Special format-conversion software may be needed.
• Loss of control -- it is hard to control information, enforce standards, protect and secure, and manage, distributed systems. [Ref. 4: pp. 2-3]
3. Reasons for a LAN

General reasons for implementing a LAN include:
• Resource sharing; transmission of information; economizing on terminals, etc.
• Future transitions to new systems are enhanced because it provides a mechanism to put the old and new computer on the same network.
• Expansion. Easy to add devices to an existing cable plant, assuming cable was laid to allow for expansion, i.e. throughout a building. [Ref. 15: pp. 186-187]
• Provide vendor independence (related to expansion).

The generic base-line network configuration for this thesis (reference Figure 2.1) will be based on a collection of host computers, a computer branch exchange, and Ethernet. Both Ethernet and the computer branch exchange (CBX) control routing and transmission of data throughout the network, and both are explained below. Many Department of Defense (DoD) agencies are currently using these components and a baseline is needed for reference in terms of the security regulation analysis. The collection of host computers could be mini, micro, mainframe, or a combination of any of these, although the exact type of computer is not important for our level of analysis. The basic base-line LAN configuration is intended to provide a vehicle for a general description of LAN components, what they do, how they relate to each other, and how they are applied to a configuration.
B. NETWORK CONFIGURATION COMPONENTS

1. Component Overview

There are components and functions common to all LANs. This section defines and explains basic characteristics and functions for some of the following LAN components:
• Topology
• Networking protocols
• Digital switches and Computer Branch Exchanges (CBX)
• Networking interface
• Internetworking (gateways)
• Transmission media
• Ethernet (because selected for the baseline)

Figure 2.1 Generic Baseline Configuration. [Figure: the labels recoverable from the diagram are Network Control Center, Ethernet, Computer (several), Gateway (two), Personal Computer, Terminal (two), and Device (two).]
2. Topology

There are three main architectural alternatives for LANs; bus/tree, ring, and star. Reference Figure 2.2 [Ref. 14: p. 10].

a. Bus/tree

In a bus topology the transmission medium is a linear cable shared by all stations and devices. Each station or device is attached to the medium and receives or sends information by bidirectional transmission of signals which propagate the length of the medium [Ref. 4: p. 295]. A tree is also defined as a topology in which stations and devices are attached to a shared transmission medium, but the cable branches out from a device called a headend. A headend is at the end of a multichannel bus or tree network. Stations/devices transmit to, and receive from the headend. The headend enables each station or device to receive and transmit signals among all the tree branches [Ref. 4: p. 295]. Bus topologies are usually a single channel (baseband), and trees must always be multi-channel (broadband). For a more detailed description of baseband and broadband see Tutorial Local Network Technology Section 2 [Ref. 4]. Bus or tree topologies only allow one pair of devices to communicate at a time because all devices share a common communications medium. In terms of transmission media, trees usually use coaxial cable, but sometimes use twisted pair cable for low performance applications. Transmission media will be addressed later in this chapter [Ref. 14: p. 8].

Figure 2.2 Basic Architecture Alternatives. [Figure: local network topologies, with panels labelled Star, Ring, Tree, and Bus. Ref. 4]

Problems can arise from the shared access nature of the bus or tree topology. One example of a major problem is determining what station should transmit and when. Another problem is adjusting the signal strength to required levels between devices before transmission (signal balancing). These problems are magnified with many different types of devices and their unique characteristics [Ref. 4: pp. 35-36]. Protocols manage some of these problems and are discussed later in the chapter.
b. Characteristics of Ring LANs

For computer-to-computer communications, the ring is often the most efficient topology [Ref. 14: p. 8]. A single closed path is formed when repeaters are connected by unidirectional transmission links [Ref. 4: p. 36]. A repeater is an integral part of the ring topology because it is a device that receives data on one communication link and transmits it on another link sequentially, bit by bit, around the ring from one repeater to the next. The repeater transmits data as fast as it receives it without buffering, and connects linear segments in a ring network. Data is readable by all attached stations/devices. [Ref. 4: p. 297] Twisted-pair, baseband coaxial, and fiber-optic cables can be used as transmission media to provide the repeater-to-repeater links. Broadband coaxial, however, could not easily be used because transmitting data on multiple channels requires more than just a repeater. Functionally this would require asynchronous transmitting and receiving, which is more complicated. [Ref. 4: p. 37]
c. Star Topology

All stations are connected to a central switch in a star topology. Any two stations in the LAN communicate via circuit switching. Circuit switching is a communication method that establishes a dedicated communications path to connect two devices through one or more intermediate switching nodes (i.e. circuit switches). Digital data is sent as a continuous stream of bits. As a result, delay is limited to propagation time and channel bandwidth is guaranteed. Conceptually, a pure star topology LAN only has one switch (see Figure 2.2). [Ref. 4: pp. 295,297]

3. Protocols

LANs need a means of controlling access to transmission media so any two devices on the network can control data when required [Ref. 4: p. 37]. Protocols provide this necessary access control so that the network transmission media can be shared. A protocol is defined as

    a set of rules governing the communication and the transfer of data between two or more devices in a communication system; the rules define the handling of certain communication problems, such as framing, error control, sequence control, transparency, line control, and start-up control. [Ref. 3: p. 303]

A protocol is implemented within a LAN via software, firmware, etc., in the associated LAN devices. In a protocol, the transmission medium access control technique is based on two parameters. The first is the control location ("where") parameter, i.e. a centralized or distributed network scheme, and the second is the access control technique ("how") parameter. In a centralized scheme the control location may act as a bottleneck resulting in a single point of failure and a reduction in efficiency. On the other hand, a centralized scheme may afford greater control over access, allow logic at each device or station to be as simple as possible, and avoid problems of coordination. Distributed scheme pros and cons are a mirror image of the above points for the centralized scheme. In both schemes, the "how" parameter is a trade-off among competing factors, such as those of cost, performance, and complexity. Thus, the parameters are constrained by the topology of the particular LAN. In all access control techniques, multiple data transfers share a single transmission capacity of the common medium. [Ref. 4: p. 37]

The most common access control methods for LANs are the Carrier Sense Multiple Access with Collision Detection (CSMA/CD) method in the random access category, token bus for bus and tree systems, and token ring for rings. [Ref. 4: p. 37]

CSMA/CD operates as follows. Each station on the bus listens and waits until the channel is clear before transmitting. Traffic already on the network channel has priority, and only one station can transmit at a time. Collisions occur when two stations try to transmit at the same time. When a collision occurs, both stations detect it and cut short the transmission, then wait a short period of time before trying another transmission. [Ref. 14: pp. 9-10]

Token bus is a more complicated medium access protocol than CSMA/CD. In token bus, stations on the bus form a virtual ring where each station is assigned a position in an ordered sequence. The first station transmits to any or all the other stations. When it is done it passes a control token to the next station in the sequence. This process continues for all stations, and then repeats. [Refs. 3,14: pp. 276-277,10]

Token ring works in a way similar to token bus except the control token is constantly circulating. Transmission is possible only if a station has the control token. Thus, when a station wants to transmit, it grabs the control token, and then returns the control token to circulation when it is finished. [Ref. 14: p. 10]
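The two access control families just described can be compared on the same constructed workload. The following model is an added example, not code from the thesis: it steps a handful of stations through time slots under CSMA/CD (listen, transmit when idle, abort and back off on collision) and under token passing (only the holder of the control token transmits), and checks the property both schemes exist to guarantee, that no two transmissions ever overlap on the shared medium. Station names, frame counts, the bounded backoff range and the assumed frame duration FRAME_SLOTS are all constructed.

```python
"""Discrete-time model of two medium access control families: CSMA/CD (random
access with collision detection and backoff) and token passing (an ordered
sequence of stations in which only the token holder transmits).

Added example, not code from the thesis.  Station names, frame counts and slot
timings are constructed; FRAME_SLOTS is an assumed frame duration.
"""
import random
from dataclasses import dataclass, field

FRAME_SLOTS = 4  # assumed: one frame occupies the channel for four time slots


@dataclass
class Station:
    name: str
    queue: list = field(default_factory=list)   # frames waiting to be sent
    sent: list = field(default_factory=list)    # frames successfully sent
    backoff_until: int = 0                      # CSMA/CD: slot when it may retry


def make_stations(names, frames_each):
    """Constructed workload: every station starts with frames_each frames queued."""
    return [Station(n, [f"{n}-frame{i}" for i in range(frames_each)]) for n in names]


def csma_cd(stations, slots, seed=1):
    """Each station senses the carrier and defers while the channel is busy.
    Two or more stations starting in the same idle slot collide; they abort,
    and each waits a random number of slots before listening again."""
    rng = random.Random(seed)
    busy_until = 0
    log, collisions = [], 0
    for t in range(slots):
        if t < busy_until:
            continue                          # carrier sense: channel busy, defer
        ready = [s for s in stations if s.queue and s.backoff_until <= t]
        if len(ready) == 1:                   # exactly one transmitter: success
            s = ready[0]
            s.sent.append(s.queue.pop(0))
            busy_until = t + FRAME_SLOTS
            log.append((t, s.name))
        elif len(ready) > 1:                  # collision detected by all of them
            collisions += 1
            for s in ready:                   # bounded random backoff
                s.backoff_until = t + 1 + rng.randint(0, 2 ** min(collisions, 4))
    return log, collisions


def token_passing(stations, slots):
    """A control token visits stations in a fixed order (the virtual ring of
    token bus, or the physical ring of token ring).  Only the holder transmits,
    so a collision cannot occur; an idle holder just passes the token on."""
    log, holder, t = [], 0, 0
    while t < slots:
        s = stations[holder]
        if s.queue:
            s.sent.append(s.queue.pop(0))
            log.append((t, s.name))
            t += FRAME_SLOTS
        else:
            t += 1                            # token-passing overhead for an idle station
        holder = (holder + 1) % len(stations)
    return log, 0


def transmissions_overlap(log):
    """True if any two logged transmissions occupy the channel at the same time."""
    starts = sorted(t for t, _ in log)
    return any(b - a < FRAME_SLOTS for a, b in zip(starts, starts[1:]))


def run_demo(names=("A", "B", "C"), frames_each=3, slots=1000):
    """Run both schemes on the same constructed workload and summarise the outcome."""
    results = {}
    for label, scheme in (("csma_cd", csma_cd), ("token", token_passing)):
        stations = make_stations(names, frames_each)
        log, collisions = scheme(stations, slots)
        results[label] = {
            "delivered": sum(len(s.sent) for s in stations),
            "collisions": collisions,
            "overlap": transmissions_overlap(log),
            "finished_at": max(t for t, _ in log) + FRAME_SLOTS,
        }
    return results


if __name__ == "__main__":
    for scheme, summary in run_demo().items():
        print(scheme, summary)
```

Running it shows the trade-off the text describes: CSMA/CD pays for its simplicity with collisions and idle backoff slots (the first slot, where all three stations are ready, always collides), while token passing pays a fixed per-station overhead even when nobody has anything to send; in neither case do two frames overlap on the medium.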
4. Digital Switches and Computerized Branch Exchange (CBX)

A computerized branch exchange (CBX) is a combination of digital switching and telephone private branch exchange (PBX) technologies. The digital switch is defined as "a switching system that only handles data over a star topology LAN. A PBX is a telephone exchange on the user's premises that provides a switching facility for telephones on extension lines within a building or local area. In addition, it provides access to the public telephone network. Modern PBX refers to a digital PBX that also handles data devices without modems." Usually a digital PBX's characteristics include:
• Use of digital phones to permit integrated voice/data workstations.
• Distributed hierarchical architecture: multiple switches with distributed intelligence.
• Dedicated port assignments for all attached devices.

Thus, a modern PBX can be used for local area computer networks. This thesis will refer to all modern CBXs and PBXs together as "CBXs". The CBX and the digital switch are major local networking alternatives for handling a wide variety of requirements. [Ref. 4: pp. 134,295,297]

a. Characteristics

The CBX uses circuit switching to establish a dedicated communications path between two devices wishing to communicate and guarantees the data rate, or "bandwidth". One of the most important limits of the CBX is that the stations are usually connected by twisted pair to a central switching unit (star topology). Moreover, while data rates may be limited (64 Kbps), total capacity (throughput) can be high (500 Mbps) [Ref. 4: p. 133]. Even though higher throughput can be achieved with a bus or a ring topology, a key distinguishing feature of the CBX is the transparency which it offers due to circuit switching [Ref. 14: p. 10].

A digital switch differs from a CBX in that it only handles data traffic, not voice traffic. Digital switching techniques have been used to build many digital switching products designed for data-only applications, i.e., a digital switch does not provide telephone service. In sum, the major function of a digital switch is to make a connection between two attached lines. This is accomplished via two sub-functions. The first is port contention which is used for host-to-terminal connections when a limited number of ports are open for a larger number of terminals. The second sub-function, port selection, is an interactive process of allowing an application program or user to select a specific port or connection. Notice that for brevity, we have assumed that the control unit of the switch can talk to the requesting port. If the switch did not allow this capability, only connections that were pre-configured by a system operator would be possible. [Ref. 4: pp. 133-134]

b. Architecture

Manufacturers have developed a variety of CBX architectures. CBX architecture is proprietary, so the details are not generally available in most cases. Thus, the general architectural features common to all CBX systems will be presented. [Ref. 4: p. 134] Figure 2.3 illustrates a generic CBX architecture. Note that if you eliminate the voice features, the CBX architecture degenerates to a digital switch architecture.

Figure 2.3 Generic CBX Architecture. [Figure: a switch with its control unit and services unit, voice line group units, data line group units, protocol converters, and trunks. Ref. 16: p. 237]

The heart of the system is the digital switch. A CBX is a digital switching network that has a series of interface units attached. They provide access to or from the outside world. Multiple incoming lines (usually 8-24) are multiplexed by the interface unit for input to the switch. The control unit exchanges control signals with attached devices and operates the digital switch. Service units include dialed-digit registers and tone and busy-signal generators. A trunk is a communications channel between two switching centers that normally consists of a group of lines enclosed in a single casing. Trunk interface units are used to connect off-site locations, and protocol converters connect dissimilar lines. [Refs. 4,16: pp. 134-136,566] This generic architecture is reliable because the failure of any interface unit means the loss of only a small number of lines. Key elements like the control unit can be made redundant. [Ref. 4: p. 136]

5. The Network Interface

There are three general ways that devices can attach to a LAN. The first is the "homogenous/single-vendor approach" where everything is guaranteed to be compatible by the vendor. In other words, each device can physically connect and operate with minimal interface software and handle the same protocol. Second, is the "standards approach". All network devices must share a common LAN protocol to be compatible. The standards approach is an interconnection problem because current standards tend to freeze technology when new interfaces are developed. Furthermore, new standards for interfaces are constantly on the drawing boards and often become obsolete as soon as they are issued [Ref. 16: p. 121]. Last, is the "standard network interface approach" in which network operation details are hidden from the device [Ref. 4: p. 173].

Given the various ways to make LAN interconnections, some sort of network interface unit (NIU) is required to attach a device/station to a LAN. Typically, the NIU is a microprocessor-based device that functions like a communications controller to provide data transmission service to the attached device. General NIU functions include:
• Accept data from connected device.
• Buffer the data until medium access is obtained.
• Transmit addressed data packets.
• Search for packets on the medium that have the device's own address.
• Load the packet into buffer.
• Transmit data (at the proper data rate) to the attached device.

Usually the hardware interface between the NIU and the attached devices is a standard serial communications interface such as RS-232C. In data communications, the RS-232-C is a set of standards specifying various electrical, mechanical, functional, and procedural characteristics for interfaces between computers, terminals, and modems. The NIU can be an outboard device (a stand alone unit) or an inboard device (one or more circuit boards attached to the device's bus). Another important characteristic of the NIU is that it must, at a minimum, implement the LAN protocol. A generic NIU model is depicted in Figure 2.4. [Refs. 3,4,15,16]

Figure 2.4 The Generic Interface Model. [Figure: layered from top to bottom as user device(s); mechanisms for enabling communication between device(s) and the network; network interface; access and control mechanisms; communication technology specific; transport medium.]
6. Internetworking

Internetworking is communication among devices on two or more local networks. The bridge and gateway are the two common methods used for internetworking. The simplest is the bridge because it is used to provide for homogeneous networks, i.e. networks that share the same interfaces and protocols. Typically, it is used for network interconnections involving one-vendor hardware. This thesis will focus on the more complicated gateway. Reference Figure 2.5. [Refs. 4,16]

Figure 2.5 Interconnected Networks (Catenet). [Figure: several networks of stations joined by bridges and gateways; S = station, B = bridge, G = gateway.]

A gateway is a device that connects two systems, usually systems that use different protocols. For instance, a gateway would be used to connect two independent local networks or to connect a local network to a long-haul network. As a result, a gateway device is complex because it must accommodate differences between networks (local and long-haul). These differences include: addressing scheme, maximum packet size, network interfaces, time-outs, error recovery, status reporting, routing techniques, access controls, and connections. Thus, protocols are the major cause of gateway design issues. [Ref. 4: pp. 229-231,296]

Different protocol approaches can be used to accommodate these network differences. In fact, a different gateway must be built for each pair of networks, which is hard to manage from an internetwork standpoint. In contrast, an internet protocol (IP) is a better approach. The idea behind the IP concept is that the gateways and stations share a common protocol only for internetwork traffic, while normal intranetwork operations are undisturbed. This enables one to eliminate internetting capabilities from the local network and puts the burden for the IP on the gateway. Additionally, the IP is taken one step further in a catenet which is a collection of interconnected networks using an IP. [Refs. 4,15]
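One of the network differences listed above, maximum packet size, is enough to show what a gateway must do and why a common internet protocol scales better than one gateway design per pair of networks. The model below is an added example, not code from the thesis: a datagram from a 1500-byte LAN crosses a 576-byte long-haul network into another LAN, each gateway fragments only as far as the network it forwards into requires, and the end station reassembles. The network names, packet limits, routing entries, the header size HEADER_BYTES and the message are all constructed, and the header fields are the minimal ones a fragmenting protocol needs rather than any particular standard's layout.

```python
"""Gateways between networks with different maximum packet sizes, carrying a
common internet-protocol header end to end (the catenet idea).  Each gateway
adapts only to the network it forwards into; the end stations reassemble.

Added example, not code from the thesis.  Network names, packet limits,
addresses, routing entries and the message are constructed; HEADER_BYTES is
an assumed header size.
"""
from dataclasses import dataclass, replace

HEADER_BYTES = 20   # assumed size of the internet header on every packet


@dataclass(frozen=True)
class Datagram:
    src: str          # "network:station"
    dst: str
    ident: int        # ties fragments to their original datagram
    offset: int       # byte offset of this piece in the original payload
    more: bool        # True when further fragments follow
    payload: bytes


def fragment(dg, max_packet):
    """Split dg so that every piece, header included, fits max_packet."""
    room = max_packet - HEADER_BYTES
    if room <= 0:
        raise ValueError("network cannot carry even an empty packet")
    if len(dg.payload) <= room:
        return [dg]
    pieces = []
    for i in range(0, len(dg.payload), room):
        last = i + room >= len(dg.payload)
        pieces.append(replace(dg, offset=dg.offset + i,
                              more=dg.more or not last,
                              payload=dg.payload[i:i + room]))
    return pieces


def reassemble(pieces):
    """Rebuild the payload from fragments; None while any piece is missing."""
    pieces = sorted(pieces, key=lambda p: p.offset)
    expected, out = 0, bytearray()
    for p in pieces:
        if p.offset != expected:
            return None
        out += p.payload
        expected += len(p.payload)
    return bytes(out) if pieces and not pieces[-1].more else None


class Network:
    def __init__(self, name, max_packet):
        self.name, self.max_packet = name, max_packet
        self.inbox = {}          # station address -> packets delivered to it

    def deliver(self, dg):
        self.inbox.setdefault(dg.dst, []).append(dg)


class Catenet:
    """Networks joined by gateways; a gateway forwards by destination network."""

    def __init__(self):
        self.nets, self.routes = {}, {}   # routes: (here, dest_net) -> next hop

    def add(self, net):
        self.nets[net.name] = net

    def add_route(self, here, dest_net, next_hop):
        self.routes[(here, dest_net)] = next_hop

    def send(self, dg):
        here, dest_net = dg.src.split(":")[0], dg.dst.split(":")[0]
        packets = fragment(dg, self.nets[here].max_packet)
        while here != dest_net:
            here = self.routes[(here, dest_net)]   # gateway hop into the next network
            packets = [p for pk in packets
                       for p in fragment(pk, self.nets[here].max_packet)]
        for p in packets:
            self.nets[here].deliver(p)
        return packets


def pairwise_gateway_designs(n):
    """Without a common internet protocol: one gateway design per pair of networks."""
    return n * (n - 1) // 2


def run_demo():
    """Constructed catenet: 1500-byte LAN -> 576-byte long-haul net -> 1500-byte LAN."""
    cat = Catenet()
    for name, limit in (("lanA", 1500), ("wan", 576), ("lanB", 1500)):
        cat.add(Network(name, limit))
    cat.add_route("lanA", "lanB", "wan")
    cat.add_route("wan", "lanB", "lanB")
    message = bytes(range(256)) * 4          # constructed 1024-byte payload
    dg = Datagram("lanA:host1", "lanB:host9", ident=7, offset=0, more=False, payload=message)
    packets = cat.send(dg)
    received = cat.nets["lanB"].inbox["lanB:host9"]
    return {
        "fragments": len(packets),
        "largest_packet": max(HEADER_BYTES + len(p.payload) for p in packets),
        "reassembled_ok": reassemble(received) == message,
        "designs_for_4_networks": pairwise_gateway_designs(4),
    }
```

The point of `reassemble` returning None for an incomplete set is the failure mode a gateway passes on to the end station: a lost fragment means the whole datagram is lost and must be detected by a time-out, which is exactly the "time-outs, error recovery" difference the text lists among gateway design issues.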
Transmission Media
A
medium
transmission
and receivers
transmitters
in
a
is
defined as
the physical path
between network
Common
communications system.
media include
twisted pair cable, coaxial cable, radio waves, optical fibers, and infrared transmission
The geographic scope of these media
through the atmosphere.
distance between different points on the network.
network that includes
varied
immunity
to
effects
noise,
Noise
is
of distortion and interference.
due
to
construction
their
the
is
maximum
a contamination of the
Different media have
and nature
of operation.
[Ref. 17: pp. 19,21]
Traditionally, twisted pair, coaxial,
information within a
LAN
and
fiber optic cables are
used to transmit
and are the media our generic configuration
will
use.
Understandably the physical channel produces certain constraints on factors important
to the
network manager
in terms of the
amount and
quality of information transmitted.
[Ref. 17: p. 21]
a. Twisted Pair

Twisted pair is just that, a pair of wires that form a transmission line/cable. The transmission distance depends on signaling techniques and quality of wire. Twisted pair can be used for both multipoint and point-to-point in analog or digital transmission. Moreover, multipoint service data rates and distance are restricted. In addition, twisted pair provides one data path known as the "baseband", which consists of a bidirectional digital signal [Ref. 16: p. 32]. Usually twisted pair is used for low speed transmissions. In short, point-to-point is better than multipoint for LANs and most applications. Under the right conditions transmission distances can range up to 15 kilometers. [Refs. 14,17: pp. 7,22-23]

Geographic scope is an important parameter in terms of network security for twisted pair. The reason is that energy loss increases with distance between devices. What's more, the transmission line acts like a transmission antenna and allows motivated outsiders to detect and receive that energy. Furthermore, extra protection is required for twisted pair, especially when it runs outside buildings. Normal LAN transmission is restricted to buildings or a few close buildings. [Refs. 14,17: pp. 7,22-23]

The CBX is the most common contemporary network using twisted pair transmission lines. Hence, twisted pair connections among network device nodes are usually to or from a central switch, intermediate switch, or multiplexer. [Ref. 17: p. 23]

b. Coaxial Cable

Construction of coaxial cable is more complicated than twisted pair. There is an internal conductor wire with an outer conductor concentric with and completely surrounding it. Coaxial cable is particularly good for multipoint topologies, yet it can be used for point-to-point applications. In fact, it is simple to implement sophisticated conventional topologies (star, ring, bus, etc.), and variations of the above. Besides that, coaxial cable networks are well suited to bus/tree architectures, that may be used for office automation, laboratory, and process control environments. [Ref. 17: pp. 24-26]

Both baseband and broadband coaxial transmission distances depend on tolerable delay, load, and implementation. Unlike baseband, broadband provides multiple and separate data paths (channels). Maximum distances in typical baseband coaxial networks are limited to one to three kilometers, while broadband networks can span areas of ten kilometers or more (fifty is a practical upper limit). Capacity is mid-range between twisted pair and fiber optic cable (fiber optic is covered next). In short, broadband coaxial cable can provide a high throughput for a large number of devices. [Refs. 14,17: pp. 7,25]

Even though coaxial cable has a different construction than twisted pair, it may still "act as an antenna allowing an eavesdropper to tap into the line with pickup coils appropriately placed." As a result, geographic scope is an important network security parameter for coaxial cable. [Ref. 17: p. 24]

c. Fiber Optics

Compared to conventional twisted pair and coaxial media, fiber optic cable has a completely different construction and composition. An optical cable consists of a group of discrete optical fibers that each transmit a beam of light from one end of the cable to the other. Each optical fiber has a center core of plastic or glass material with a high index of refraction, surrounded by a cladding layer of a material with a slightly lower index of refraction. The cladding layer isolates the fibers and prevents cross talk between adjacent fibers. Some fiber optic cables include a steel stabilizing member. [Ref. 17: pp. 27-29] This is of computer security importance because the steel stabilizer acts as an antenna for the signals, even though the signal-encoded light of the fiber cable does not use the steel stabilizer for transmission. So in relation to network security, fiber cable with a steel stabilizer should be avoided in applications where computer security is of importance. Without a steel stabilizer, fiber optic cable is tap proof because the number of passive taps is currently limited by the properties and composition of the cable. This type of cable can provide a non-emanating media that requires less physical protection than twisted-pair or coaxial cable. [Ref. 17: p. 26]

One beam of light is transmitted through an optical cable to produce high transmission capacities. Data rates are as high as a few gigabits per second over a single glass fiber. [Ref. 17: pp. 26-27] Current applications include long-haul computer-to-computer high speed links, long distance terminal and processor connections, links between buildings, and communications trunks between complexes in a city. [Ref. 17: p. 28]

8. Ethernet

Ethernet is a broadcast packet switched, multi-accessed communications system for carrying digital data among locally distributed computing systems. Channel access is coordinated in a distributed fashion by the stations wishing to transmit. Ethernet is a passive medium with no central control for the network communication channel. Ethernet was originally developed by Xerox. The current updated version of the Ethernet design was jointly developed by Digital Equipment Corporation, Intel, and Xerox. [Ref. 18: p. 39]

Ethernet access techniques are based on CSMA/CD (mentioned above). The basic Ethernet components consist of a station, controller, transmission system, and controller-to-transmission-system interface. The "station" is the basic addressable device connected to an Ethernet; it may be a terminal, computer, or some other ADP device. As a general rule, the set of functions and algorithms needed to manage access to the channel are referred to as the controller. The transmission system includes a broadcast transmission medium, the appropriate transmitting and receiving devices, and components used to establish a communications path among the controllers at opposite ends of the medium. The Ethernet interface is fairly simple because the controller does much of the work. For instance, the protocol for managing access to the transmission system is implemented in the controller, and the controller manages the communications process. [Ref. 18: pp. 40,44]

Applications intended for Ethernet include office automation, distributed data processing, and terminal access. The driving force behind its development was to provide economical connection to a local communication medium carrying bursts of traffic at high peak data rates. [Ref. 18: p. 53]

Security of Ethernet systems is summarized:

    Protection, security, and access control are all system-wide functions that require a comprehensive strategy. The Ethernet system itself is not designed to provide encryption or other mechanisms for security, since these techniques by themselves do not provide the kind of protection most users require. Security in the form of encryption, where required, is the responsibility of the end-user processes. [Ref. 18: p. 53]
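The quotation's conclusion follows directly from the NIU functions listed in Section 5 and from Ethernet being a broadcast medium: every NIU on the bus receives every frame, and only its address filter decides what the attached device is given. The model below is an added example, not code from the thesis or from any Ethernet product. It puts two hosts, a terminal and a monitoring NIU on one bus; the monitor runs promiscuously, as a network control center might, and flags talker/listener pairs outside a stated policy, which is the defender's use of the same visibility. Station addresses, the frames, the BROADCAST address and the allowed-pair policy are constructed.

```python
"""Model of the NIU functions on a broadcast medium: every NIU observes every
frame, and only the NIU's address filter decides what its attached device is
given.  A promiscuous monitoring NIU sees the payload of every frame, which
is why confidentiality has to be provided by the end-user processes.

Added example, not code from the thesis or from any Ethernet product.  Station
addresses, the frames, and the allowed talker/listener policy are constructed.
"""
from dataclasses import dataclass

BROADCAST = "ff"          # assumed broadcast address for this model


@dataclass(frozen=True)
class Frame:
    dst: str
    src: str
    payload: bytes


class NIU:
    """Network interface unit for one attached device."""

    def __init__(self, address, promiscuous=False):
        self.address = address
        self.promiscuous = promiscuous
        self.tx_buffer = []      # accepted from the device, held until medium access
        self.delivered = []      # frames handed up to the attached device
        self.observed = 0        # every frame that passed by on the medium

    def accept(self, dst, data):
        """NIU function: accept data from the device and buffer an addressed packet."""
        self.tx_buffer.append(Frame(dst, self.address, data))

    def receive(self, frame):
        """NIU function: search the medium for packets carrying this device's address."""
        self.observed += 1
        if self.promiscuous or frame.dst in (self.address, BROADCAST):
            self.delivered.append(frame)


class Monitor(NIU):
    """A promiscuous NIU that also flags talker/listener pairs outside policy."""

    def __init__(self, address, allowed_pairs):
        super().__init__(address, promiscuous=True)
        self.allowed = set(allowed_pairs)
        self.alerts = []

    def receive(self, frame):
        super().receive(frame)
        if (frame.src, frame.dst) not in self.allowed:
            self.alerts.append((frame.src, frame.dst))


class Bus:
    """Shared medium: a frame placed on the bus propagates to every other NIU."""

    def __init__(self):
        self.nius = []

    def attach(self, niu):
        self.nius.append(niu)
        return niu

    def run(self):
        """Drain every transmit buffer.  Medium access is modelled as taking
        turns; the CSMA/CD arbitration itself is not repeated here."""
        while any(n.tx_buffer for n in self.nius):
            for sender in self.nius:
                if sender.tx_buffer:
                    frame = sender.tx_buffer.pop(0)
                    for n in self.nius:
                        if n is not sender:
                            n.receive(frame)


def run_demo():
    """Constructed scenario: two hosts, a terminal and a network control center."""
    bus = Bus()
    host_a = bus.attach(NIU("0a"))
    host_b = bus.attach(NIU("0b"))
    term = bus.attach(NIU("0c"))
    ncc = bus.attach(Monitor("0d", allowed_pairs=[("0a", "0b"), ("0b", "0a"), ("0c", "0a")]))

    host_a.accept("0b", b"payroll batch 17")      # host-to-host traffic
    host_b.accept("0a", b"ack batch 17")
    term.accept("0a", b"login jdoe")              # terminal to its host (allowed)
    term.accept("0b", b"login jdoe")              # terminal to a host it should not reach
    bus.run()

    return {
        "host_b_got": [f.payload for f in host_b.delivered],
        "host_b_observed": host_b.observed,
        "term_got": [f.payload for f in term.delivered],
        "ncc_delivered": len(ncc.delivered),
        "ncc_alerts": ncc.alerts,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Host B's NIU observes three frames but hands up only the two addressed to it, the terminal's NIU observes traffic that was never meant for it, and the monitor receives all four frames in the clear while raising one alert for the terminal reaching a host outside policy. The address filter is a convenience for the attached device, not a protection, which is the reason the quoted text places encryption with the end-user processes.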
9. The Generic Base-line Configuration

As mentioned above, the configuration illustrated in Figure 2.1 is typical of the majority of basic configurations and applications. It is used for illustration only. A point of interest is that it uses Ethernet and CBX LAN components together on the same system by separating host traffic on the Ethernet and device traffic on the CBX. The idea is to have a more responsive LAN. In terms of the generic base-line, the majority of devices connected via the Ethernet are considered to be host computers, and the majority of hardware accessing, or connected to, the LAN via the CBX will be considered to be devices (personal computers (PC), terminals, printers, etc.). In reality, numerous combinations of microcomputers, mainframe computers, personal computers, peripherals (printers, disk drives, etc.), and terminals could be attached to the network. For the purpose of this thesis, it will be assumed that twisted pair, coaxial, or fiber optic cable could be used (in appropriate locations).
C. POSSIBLE USES/APPLICATIONS

An application "system" has been defined as a system that is suitable to be an implementation of electronic data processing techniques [Ref. 3: p. 22]. Common applications include word processing, data base management systems, spread sheets, and mail (message) systems. Many applications can be purchased "off the shelf," while others are extremely complicated (space shuttle systems, navigation systems, C3 systems etc.). Specific applications can be developed and tailor-made for a user. For the generic baseline configuration this thesis will assume that all the common applications can be run, and that a high volume of mail traffic exists as a result of tailor-made applications. Two examples of high volume mail/message environments are C3 and large scale technical analysis operations.
ENVIRONMENTAL CONSIDERATIONS
D.
"Computers have been
out."
and intentionally
shot, stabbed, stolen,
Environmental security once meant keeping a computer
locks, fences, guards, etc.
powerful
controls
computers,
portable
protect
that
intruders or vandals;
Today's environment
against
terminals,
natural
etc.
is
much
like
and environmental hazards
like
surrounded by
facility
different with
Physical
disasters
electrically shorted
concerns
security
floods,
fires,
power
many
small
include
earthquakes;
or
Physical
fluctuations.
security controls are needed to regulate the environment surrounding the computer.
Additionally,
the
records,
logs,
libraries,
environment includes areas not covered
in
this
thesis:
magnetic media, backup storage areas, and
program
utility
rooms.
ADP
security
[Ref. 12: p. 21]
In sum, environmental security
arena.
is
more concerned with
the physical
This thesis will be concerned more with security of the
actual physical device and building security.
LAN
configuration than
Nevertheless, there will be aspects of the
configuration analysis that address certain physical threat areas (natural disaster,
inadvertent
actions,
and
deliberate
Consequently,
actions).
an
overview
of
considerations for physical access, electrical power, and the general environment will be
presented.
Environmental
vulnerabilities,
1)
factors
follow
with
a
brief
explanation
of
threats
or
and general safeguards.
Physical building security — vulnerable areas are adjacent to, within, above,
and below any buildine containing an
center,
equipment, computer
equipment room, media librarv, utilitv sources, and alarm svstems, especiallv
at periods other than normal work "hours.
Safeguards include [Ref 19: pp'.
ADP
2-3
FZ
S-50]:
35
ADP
ADP
a)
center isolation; limited access routes; integrity of
Building design:
construction; reinforcement; underground communication/power lines;
extensive lighting.
b)
Physical barriers: fences; barred windows; locks; automated
systems; man-traps; secure storage containers (safes, etc.).
c)
Guards and
d)
Electronic monitors
e)
Administrative procedures: access
access
receptionists.
—
includes intrusion detectors and object detectors.
lists,
sign-in logs, badges, etc.
Visitor control: authorization; inspection; records; etc.
2) Electric power — basic threats are transients; brownouts; blackouts. Moreover, power surges can alter programs, erase memory, and destroy microcircuits. Possible safeguards include monitoring devices, spike suppressors, voltage regulators, dual feeds, and diesel generators. [Refs. 12,19]
3) Environment — basic threats are temperature extremes, humidity, and particle contaminants. Safeguards include monitoring devices, redundant air conditioning, access to outside air for emergency ventilation, dust covers, and bans on smoking. [Refs. 12,19]
4) Fire — fire prevention includes building construction using fire resistant materials, partitions and dampers where possible; ADP center isolation; periodic fire inspections; proper sprinkling systems. [Refs. 12,19]
5) Flooding — threat sources include flood plains, water storage areas, water and steam pipes, and building leaks. Safeguards include building location and design, ADP center location, water seals, and drain systems. [Ref. 19: p. 6 FZ S-50]
6) Other considerations.
a) Neighboring threats: construction operations, explosive or chemical activities, airports, major roads, and high crime areas. [Ref. 19: p. 7 FZ S-50]
b) Electromagnetic interference sources include: radio and TV transmitters, microwave communications, power lines, elevators, cleaning equipment, and RADAR. [Ref. 19: p. 7 FZ S-50]
c) Communications failure: procedures must provide adequate protection of communication links. [Ref. 19: pp. 1 S-27 Atch 13, 1 S-28 Atch 4]
d) Computer hardware failure: prevention includes proper maintenance and record keeping, security clearances for maintenance people, and contingency plans. [Refs. 12,19]
E. FUTURE EXPANSION
In general, there is a lot of flexibility and room for expansion in a LAN configuration because it can provide for the interconnection of a variety of data communication devices, an increased number of device nodes, and can be connected to other networks via gateways.
To add to that, more "applications" could be added, assuming appropriate hardware capability exists. For instance, the generic configuration presented in this thesis could be expanded to provide standardized templates or "boiler-plates" for queries, menus, reports, data bases, etc.; generic data analysis; and RDT&E project management, testing, DoD systems acquisition.
Also, expert systems could be implemented to assist with test and project planning. Thus, a LAN configuration is a natural tool to develop applications, prototypes, testing methodology, etc., via an easy network interface allowing faster production and testing of configurations. This includes analysis and design of computers, terminals, transmission media, and benchmark LAN configurations.
Clear, too, is the possibility of internet network connection via gateways or bridges to wide-area networks. A single LAN configuration might be expanded to include multiple gateways to the same wide-area network, or several wide-area networks, via modification of existing device nodes and/or addition of gateways.
Given the generic LAN components and future expansion possibilities covered in this chapter, network management becomes more complicated when the network processes sensitive information. Security can be best applied early in the network design stages, but first a network manager needs to have a feel for the security regulations and guidance that apply to his or her network. The next chapter provides an overview of security regulations and guidance and how it applies to LANs and existing networks in general.
III. SECURITY REGULATION AND GUIDANCE OVERVIEW
A. INTRODUCTION
Once any network, ADP (or LAN system), is required to process sensitive information, security measures must be implemented. In general, the degree of information sensitivity determines the extent of security control required for the system. Thus, the configuration must be shaped to meet the security requirements for a given level of sensitivity.
1. Scope
a. What is Covered
In general, topics within selected regulation and guidance that pertain to ADP networks (i.e. LANs) are addressed along with limited risk management, physical and environmental aspects. Also, limited items relating to Army Regulation (AR) 380-380 ADP network accreditation requirements are addressed in this chapter. The accreditation process is discussed in more detail in Chapter V. Also, Chapter I may be referenced for an accreditation overview.
Regulation and guidance topics referenced by this thesis are placed in four broad categories:
1) Regulations and guidance that apply to LANs.
2) Regulation and guidance that DO NOT apply to LANs.
3) Outdated regulations and guidance, i.e. guidance that no longer applies.
4) LAN specific network considerations, i.e. areas and topics not covered by regulations etc.
All the categories are concerned with any requirement that relates to networks as well as specific LAN considerations.
Given the parts of the generic network description in Chapter II, applicability of guidance is based on general system-wide requirements and component level considerations. For example, a system-wide ADP consideration is the sensitivity level(s) of information an entire system will handle. Thus, the corresponding sensitivity guidance is applied. Similarly, guidance for a remote mainframe computer terminal would be applied to network terminals (a network component). This approach is applied to all LAN component and "system-level" areas.
b. What is Not Covered
Personnel requirements are not covered by this thesis; only those aspects of the sensitivity of classified information that relate to personnel security are addressed.
2. Background
There is almost nothing in the guidance selected by USACDEC/DIM for this thesis that pertains specifically to "LANs", and very little in terms of direct references to "networks" in general. But the guidance reviewed does address general ADP security topics, such as those that relate to LAN/network components. Remember, the thesis is restricted to existing guidance (guidance is listed in the following section of this chapter).
Because AR 380-380 is currently the focal guidance for ADP security in the Army, it is used as the origin for all basic security topics covered in this thesis: physical, environmental, personnel, communications, telecommunications, management, access, hardware, software, procedural, risk, terminal, etc. Thus, the limited number of network security topics in all the other regulations referenced are similar to those in AR 380-380. Yet to better summarize ADP security topics, the AR 380-380 topics are combined into more general topic areas. These topic areas are sensitivity, physical/environmental, risk management, general communication (telecommunication, communications security, etc.), configuration (hardware, software, access), and general/miscellaneous. Moreover, anything pertaining to a topic area is addressed in each of the four regulation categories mentioned above.
Before continuing, telecommunications, protected distribution system (PDS), communications security (COMSEC), and an automated telecommunications system (ATS) are defined. Telecommunications is the transmission, emission, or reception of signs, signals, writing, images, sounds, or other information over wire or broadcast medium to and from a distant location. A PDS is an approved telecommunications system that permits safe transmission of unencrypted sensitive information by applying physical and electromagnetic safeguards [Ref. 13: p. 78]. Note that the term "network" is not used. Communications security is the protective measures exercised to deny unauthorized access to telecommunications information related to U.S. Government national security. Security measures include crypto-security, transmission security, emission security, and physical security. Cryptography is the art or science concerning the methods, means, and principles for making plain text unintelligible and for converting encrypted messages into intelligible form. [Ref. 13: pp. 72,73]
An ATS is a computer based system composed of terminal and/or automated switching equipment, interconnecting facilities, and/or control equipment, used for the purpose of transmission and reception of signals in the form of sounds, images, graphics, and data, and their associated firmware or software programs. [Ref. 13: p. 72] Note that an ATS seems to equate to a general definition of a network, in terms of device-to-device communication transmission. More on this is addressed in Category 4 comments below.
B. GUIDANCE SUMMARIES
Guidance referenced for this thesis are listed below. A summary for each may be referenced in the Appendix.
ARMY REGULATION 380-380: Automation Security. Effective 8 MAR 86.
ARMY REGULATION 380-5: Department of the Army Information Security Program. Effective 15 FEB 85.
ARMY REGULATION 18-1: Army Automation Management. Effective 15 SEP 80.
TECHNICAL BULLETIN TB 18-100: Automation Life Cycle Management. Effective 15 AUG 81.
ARMY PAMPHLET 18-4: Installation Review/Evaluation Checklist. Effective 1 SEP 85.
ARMY PAMPHLET 18-7: Automatic Data Processing Management Review Guide. Effective 1 DEC 85.
ARMY REGULATION 530-2: Army Communications Security (COMSEC). Effective 3 SEP 82.
ARMY REGULATION 18-7: Automatic Data Processing Management Review Program. Effective 30 NOV 84.
ARMY TECHNICAL BULLETIN TB 18-107: Army Automation Automatic Data Processing Equipment Operations Management. Effective 3 FEB 86.
ARMY REGULATION 380-53: Communications Security Monitoring. Effective 15 NOV 84.
DEPARTMENT OF DEFENSE (DoD) MANUAL DoD 5220.22-M: Industrial Security Manual for Safeguarding Classified Information. Effective 1 MAR 84.
DoD DIRECTIVE 5215.1, SUBJECT: Computer Security Evaluation Center (DoD Directive 5215.1). Dated 25 OCT 82.
DoD MANUAL 5200.28-M: ADP Security Manual, Techniques and Procedures for Implementing, Deactivating, Testing, and Evaluating Secure Resource-Sharing ADP Systems. Dated JAN 73.
DoD COMPUTER SECURITY CENTER CSC-STD-001-83: DoD Trusted Computer System Evaluation Criteria. Also known as the "ORANGE BOOK". Dated 15 AUG 83.
DoD DIRECTIVE 5200.28: Security Requirements for Automatic Data Processing (ADP) Systems. Dated 18 AUG 72.
NATIONAL COMPUTER SECURITY CENTER PUBLICATION NCSC-WA-002-85: Personal Computer Security Considerations. Dated 1985.
C. CATEGORY 1: GUIDANCE/REGULATIONS THAT APPLY TO LANS
Since information/data sensitivity determines the security requirements for the ADP system that handles it, sensitivity requirements and modes of operation will be addressed first. To emphasize the limited number of direct references to networks, general network guidance references will be addressed next, then other general ADP topics that pertain to networks will be presented. Since there are so few direct references to "LANs" and "networks" in general, the rest of the thesis will use the two terms interchangeably.
1. Sensitivity
All guidance references stressed that sensitivity of data be based on an individual's need-to-know the information in relation to performance of duty. The need-to-know must be a valid, approved need, based on the information contained in the system and the information's potential damage to national security, if it was leaked or stolen. [Ref. 20: p. 10] Sensitivity designations are divided into broad categories with some flexibility for an accreditation authority to impose more restrictive designations. The accreditation authority is the official designated to accredit DPAs and ATSs for the processing, production, use, and storage of sensitive defense material [Ref. 13: p. 71].
Sensitivity applies to most types of ADP systems; therefore this thesis will assume it must apply to ATS, terminals, administrative ADP, etc., as well [Ref. 13]. Moreover, in terms of need-to-know, basic sensitivity requirements are similar for contractor access of classified information. In short, security requirements for LANs and normal components (transmission media, controlling devices, etc.) result from the assigned sensitivity level.
AR 380-380 sensitivity designations are divided into four levels just as the designations in the Department of Defense Trusted Computer System Evaluation Criteria (CSC-STD-001-83), also known as the "Orange Book". The thesis will refer to the document as the Orange Book from this point on. The sensitivity requirements in each are similar, but labeled differently. We will use the AR 380-380 designations listed below. Reference the Appendix summary of the Orange Book for a label comparison. [Refs. 13,21: pp. 6,5-51]
Levels in descending order of sensitivity:
• CRITICALLY SENSITIVE (CS). Applies to DPAs/ATSs that process classified defense information or applications involving large dollar volume assets, and resource accounting or authorization data greater than $25 million per year. a) Level 1 (CS1) - sensitive compartmented information (SCI) or Single Integrated Operational Plan—Extremely Sensitive Information (SIOP-ESI). b) Level 2 (CS2) - TOP SECRET. c) Level 3 (CS3) - "SECRET/CONFIDENTIAL information or applications involving large dollar volume assets or resource accounting or authorization data ($25 million per annum or higher)." Large dollar volume assets and resources refer to items that range from weapons (like tanks) to large stock piles of supplies, for example millions of dollars worth of telephone poles stored in one location.
• HIGHLY SENSITIVE (HS) applies to: DPAs/ATSs not included in "CS" above, that process FOR OFFICIAL USE ONLY (FOUO) information. Information covered by The Privacy Act of 1974. "Asset or resource accounting of authorization data of dollar value greater than $1,000,000." Any unclassified data the accreditation authority wants to classify at this level.
• SENSITIVE. Applies to information not covered by "CS" or "HS": a) DPAs/ATSs that "process information relating to asset or resource, proprietary or contractual information", b) Any data the accreditation authority wants to classify at this level. "Includes data vulnerable to fraud, theft, misuse, misrepresentation, or interception."
• NONSENSITIVE. An analysis has indicated that a higher classification is not required. Analysis must be approved by the installation system security manager (SSM). Analysis must be kept on file and reviewed.
Sometimes a higher classification may be assigned to combinations of information which warrant higher classification than that of the single parts of information. This is known as "compilation". This includes combinations of certain types of data/information (defense plans, technical information, asset or resource accounting types of systems, etc.), and large dollar volume amounts. [Ref. 20: p. 11]
2. ADP Security Operation Modes
Possible operation modes that apply to all types of systems (ADP, ATS, etc.) for the above sensitivity levels require certain non-waiveable features (passwords, audit trails, etc.) [Ref. 13: p. 8]. The operation modes are listed below. [Ref. 13]
• MULTILEVEL SECURITY MODE. A trusted system of operating system software, hardware, and firmware. Restrictions: a) Need written approval of ACSI to use multilevel. b) If intend to secure accreditation, must notify ACSI prior to milestone 0. All CS1 or CS2 systems need the specific written approval of the ACSI. This mode does not apply to CS3 and lower sensitivity systems.
• CONTROLLED SECURITY MODE. Characteristics [Ref. 13: pp. 7-8]: a) Untrusted operating system software. b) System secure for highest information security level. c) System accesses no more than two security clearance levels below the highest level of information on the system. d) Each terminal area can be secured for the highest level of information processed through the terminal located in that area, i.e. semi-multilevel because different terminal areas may have different access levels. Controlled security mode requirements apply from host to all remote locations. Again, the regulation is in terms of general ADP networks, not LANs. [Ref. 13: p. 42]
• SYSTEM HIGH MODE. "The central computer system and all of its connected peripheral devices and remote terminals are protected according to the highest classification of material in the system." All personnel accessing the system have a security clearance, but not a need-to-know for all material in the system.
• DEDICATED SECURITY MODE [Ref. 13: p. 8]. When a computer system (terminals, peripherals, etc.) is classified for a certain type/category of information, and all users have the same security clearance and the need-to-know. Required for all systems unless one of the above modes is approved by the accreditation authority.
• PERIODS PROCESSING [Ref. 13: pp. 8,46]. "Included in the Dedicated Security Mode when the entire system is used for a specific period of time for a category, type, or classification of information." People must have the appropriate security level for the time(s) they access the system. Can be used for certain types of information on systems accredited in the systems high and controlled security modes.
3. General Network References
a. General Direct References
Even though there are few references to "networks" in AR 380-380, it defines "networks" as one of several operational service modes [Ref. 13: p. 7]. At best, AR 380-380 mentions network specific positions: network manager, network security officer, and a terminal area security officer (TASO) for remote terminals which are network related. It addresses the most vulnerable aspects of ADP (remote devices, telecommunications, etc.), but does not mention "network" except in terms of all ADP and communications network interfaces. It states that security measures must meet telecommunications network requirements and be cost effective. [Ref. 22]
Furthermore, the only direct literal reference in one Army regulation is to the Defense Data Network [Ref. 23]. Moreover, one manual addresses "network" checklists [Ref. 24], and noted that they are only a component "checklist" [Ref. 25]. Another Army directive pointed out that the Computer Security Evaluation Center (CSEC) purpose includes evaluation of "network security" [Ref. 26]. This indicates that government regulators are concerned with network security and not just security of specific categories, but networks are still not addressed as an entity in great detail. Other guidance referenced contained some form of LAN/network guidance, or at least identified important LAN/network topics. The guidance documents referenced for this thesis should at least reference LAN/network guidance, or at least identify the important LAN/network topics within.
b. General Indirect References
As mentioned earlier, most of the guidance addresses general ADP system components that are often part of networks, as well as stand alone parts or computer systems. By addressing these components, overall network security considerations can be obtained. As a result, the network accreditation authority must ensure that the network component security requirements produce a synergistic effect that yields the desired level of system security for the network. This idea applies to direct and indirect guidance requirements identified throughout this thesis.
4. Risk Management
Risk management is defined by AR 380-380 as "an element of managerial science concerned with the identification, measurement, control, and minimization of uncertain events." Procedures are not standardized because every system is unique. There are four phases [Ref. 13: pp. 29,77]:
• Risk assessment derived from an evaluation of vulnerabilities and threats.
• Management decision.
• Control implementation.
• Effectiveness review.
Vulnerabilities and penetration are addressed by this thesis in general terms. [Ref. 13: pp. 67-69]
Again, as mentioned in Chapter I, a risk management analysis is an important, but lengthy, process in terms of this thesis. A risk management analysis should be conducted in a real-world implementation because it is intended to assist with the network sensitivity designation. In order to limit the scope of the thesis, it is assumed that an adequate risk management analysis was conducted that identified all vulnerabilities (this is an ideal situation), and it is assumed to be complete for the generic ADP LAN presented in Chapter II.
5. Configuration Control
Configuration control is concerned with control of procedures, hardware, and software topic categories. Again, material presented here is a general summary of ADP components and processes that apply to network components.
a. Access
Configuration access control regulations and guidance are presented in AR 380-380 and other guidance. Access security for an ADP system is based on a need-to-know with "access" only to the hardware devices and software needed to accomplish an assigned task. The general idea of security access guidance is to minimize vulnerability during authorized and unauthorized start up and shut downs, provide mandatory control of information, access to terminals/devices, and resource sharing, and provide transaction logs for accountability of jobs on new Army ATS systems. [Ref. 13: pp. 24-25]
In general, actual information access control to all data files is based on mandatory access control and discretionary access control. Mandatory access control is a means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization (i.e., clearance) of subjects to access information of such sensitivity. Discretionary access control is a means of restricting access to objects based on the identity of subjects and/or groups to which they belong. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject. [Ref. 21: pp. 110,111] By consequence, pure data control requires an auditable record of data as that data is processed through the system. In fact, this is one of the few places where "network" is mentioned literally. [Ref. 27: p. 2-1]
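As an added example, not code from the thesis, AR 380-380 or the Orange Book, the following Python models the AR 380-380 designation rules from the Sensitivity section above and gates reads with the mandatory and discretionary access control definitions just quoted, keeping the auditable record the text calls for; the `Info` attribute names, the `grant` operation and the sample subjects and objects are assumptions.

```python
"""Added example (not from the thesis, AR 380-380 or the Orange Book): the
AR 380-380 designation rules, "compilation", and reads gated by mandatory
(label vs clearance) and discretionary (ACL) control with an audit record.
Attribute names, the grant operation and the sample data are constructed."""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import List, Optional, Set


class Level(IntEnum):
    """AR 380-380 designations; a larger value is more sensitive."""
    NS = 1   # approved analysis found nothing higher required
    S = 2    # asset/resource, proprietary, contractual, fraud-prone data
    HS = 3   # FOUO, Privacy Act, accounting data > $1,000,000
    CS3 = 4  # SECRET/CONFIDENTIAL, or assets/accounting >= $25 million a year
    CS2 = 5  # TOP SECRET
    CS1 = 6  # SCI or SIOP-ESI


@dataclass
class Info:
    classification: str = "UNCLASSIFIED"   # constructed attribute names
    dollars_per_year: float = 0.0
    fouo: bool = False
    privacy_act: bool = False
    proprietary_or_contractual: bool = False
    fraud_or_theft_prone: bool = False


def designate(info: Info, imposed: Optional[Level] = None) -> Level:
    """Rules top down; the accreditation authority may impose a more
    restrictive level but never a lower one."""
    c = info.classification.upper()
    if c in ("SCI", "SIOP-ESI"):
        level = Level.CS1
    elif c == "TOP SECRET":
        level = Level.CS2
    elif c in ("SECRET", "CONFIDENTIAL") or info.dollars_per_year >= 25_000_000:
        level = Level.CS3
    elif info.fouo or info.privacy_act or info.dollars_per_year > 1_000_000:
        level = Level.HS
    elif info.proprietary_or_contractual or info.fraud_or_theft_prone:
        level = Level.S
    else:
        level = Level.NS
    return max(level, imposed) if imposed is not None else level


def compilation(parts: List[Level], upgrade: Optional[Level] = None) -> Level:
    """Never below the most sensitive part; the authority may assign higher."""
    level = max(parts)
    return max(level, upgrade) if upgrade is not None else level


@dataclass
class Subject:
    ident: str
    clearance: Level                              # formal authorization (MAC)
    groups: Set[str] = field(default_factory=set)


@dataclass
class Obj:
    name: str
    label: Level                                  # sensitivity label (MAC)
    acl: Set[str] = field(default_factory=set)    # identities/groups (DAC)


class System:
    """A read must pass both checks; every decision goes to the audit record."""
    def __init__(self) -> None:
        self.audit: List[tuple] = []

    def read(self, s: Subject, o: Obj) -> bool:
        mac = s.clearance >= o.label                   # clearance dominates label
        dac = s.ident in o.acl or bool(s.groups & o.acl)
        self.audit.append((s.ident, o.name, o.label.name, mac and dac))
        return mac and dac

    def grant(self, granter: Subject, o: Obj, grantee: Subject) -> None:
        """Discretionary: a holder may pass access on; MAC still applies."""
        if not (granter.ident in o.acl or granter.groups & o.acl):
            raise PermissionError(f"{granter.ident} holds no access to {o.name}")
        o.acl.add(grantee.ident)


def demo() -> List[tuple]:
    # Constructed scenario; returns the audit record.
    sys_ = System()
    plan = Obj("ops-plan", designate(Info(classification="TOP SECRET")), {"ops"})
    inv = Obj("tank-inventory", designate(Info(dollars_per_year=30e6)), {"alice"})
    alice = Subject("alice", Level.CS2, {"ops"})
    bob = Subject("bob", Level.CS3)
    sys_.read(alice, plan)       # allowed: CS2 clearance and member of "ops"
    sys_.read(bob, inv)          # denied: not on the ACL
    sys_.grant(alice, inv, bob)  # alice passes her discretionary permission on
    sys_.read(bob, inv)          # allowed: CS3 clearance dominates the CS3 label
    sys_.grant(alice, plan, bob)
    sys_.read(bob, plan)         # denied: on the ACL now, but CS3 < CS2
    return sys_.audit
```

The last two reads in `demo` show why the text insists on both controls: discretionary permission was passed to bob, but the mandatory label check still denies the CS2 object.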
Before a terminal or device, or a network, can access or interface to a specific DoD ADP system, ADP network, etc., the component and the agency operating the component must meet approval of the ADP system. Normally, the agency and the component have responsibility for security of the net [Ref. 22: p. 20]. In addition, sharing of ADP resources between agencies needs approval. The guidance addresses resource sharing in an ADP context, but can be applied to networks. For instance, an administrative LAN typically requires sharing of peripherals for word processing, data base, and other applications. [Ref. 27: p. 7-1]
b. Hardware and Software
Most hardware configuration control guidance is in terms of a single ADP site configuration with a central mainframe. Life cycle security planning is required from beginning to end and easily applies to networks, nodes, and terminals as well as general ADP systems [Ref. 13: p. 10].
Acquisition of entire ADP systems or components is a function of mission need. To streamline acquisition and give it flexibility, AR 18-1 encourages low level decision making (to "practical levels"), and stresses ADP decentralized management concepts. If the reader is currently involved, or about to begin, some sort of ADP network security planning or implementation, he/she may find that this thesis could be used as a primer for such a project. In addition, general integration and streamlining of regulatory network guidance may also be a desired tool for ADP system acquisition. Decentralized management seems to be a good environment for LANs because of their distributed yet inherently unsecure nature. AR 18-1 also states that management principles must comply with federal laws and Army regulations. [Ref. 28: pp. 1-1,1-2,2-1]
In terms of network hardware and software components, some guidance (such as AR 380-380 and Army Pamphlet 18-7) provide checklists. Checklists include configuration optimization, communication, emanation, and remote access security. Checklists in Army Pamphlet 18-7 must be completed on an annual basis, when there are equipment upgrades, or on major agency reorganization.
Another point of interest is that if personal computers (PCs) will interconnect, or be collocated, with an ADP system more than 50 percent of the time, the PC must be accredited with that specific ADP system. The same ADP security requirements (in relation to need-to-know, etc.) that apply to the system apply to the PC(s). In addition, a privately owned PC can only be used in a stand alone configuration, but must comply with all provisions of AR 380-380 and other guidance. Information processed becomes the property of the agency in which it is used. [Refs. 13,24] [Ref. 13: pp. 9-10]
It is required that "software-based protective controls complement and support hardware protective features of computer circuitry." All general purpose software categories (executive, utility, applications software) and tools for development of applications software require adequate software security controls. Again, security requirements must be appropriate for the sensitivity level of the system. Guidance on operating systems is addressed in Chapter IV. [Ref. 13: pp. 20-22]
6. Physical/Environmental Considerations
Physical and environmental guidance requires physical facility access controls that meet security and protection standards appropriate for the sensitivity levels of information handled by any ADP system. This includes administrative and network systems. Even though personnel security is not addressed directly in this thesis, it does play a major role in all aspects of ADP security. One point stressed by AR 380-380, and other guidance, is that protection of remote terminals/sites requires they be staffed with people cleared for the highest security classification level cleared for that particular site. For example, this is a requirement of the controlled security mode. [Ref. 13: pp. 21,45]
7. General Communications
ADP-to-ADP equipment communication links can be intersystem, internetwork, and intranetwork. With so many possible device-to-device interfaces, standardization of ADP component connections is a major Army ADP management goal. Naturally, with or without this standardization, connection of ADP systems or networks requires awareness of the security requirements of the other system and agency. [Refs. 13,28,29]
Army COMSEC guidance indicates that all circuits that interconnect remotely located components of ADP systems or networks must be secured by either PDSs or encryption in approved cryptographic systems. Moreover, Army automation policy requires that all record telecommunications will be provided COMSEC protection under the provision of AR 530-2. PDSs have physical and electromagnetic safeguards approved on a case-by-case basis. The PDS must be approved for a certain sensitivity level and mode of operation [Refs. 13,29: pp. 76,10]. In addition, COMSEC can be achieved by proper implementation of:
• National Security Agency (NSA) produced cryptographic systems.
• An approved Protected Distribution System (PDS).
• Approved commercial communications protection equipment. [Ref. 13: pp. ]
In contrast to encryption and other requirements, guidance recognizes that enemy technical developments could render current encryption components useless. Thus, continuous evaluation of communication links and processes for encryption and system emanation vulnerabilities, and emergency procedures, should be part of system operations wherever remote ADP components exist. Vulnerability and hearability (emanation detection) surveys may be requested for systems to test susceptibility of communication signals to monitoring. [Ref. 29: pp. 2-3] Cryptography applies to TOP SECRET, SECRET and CONFIDENTIAL system processing, and tests determine the degree of security of system cryptography. [Ref. 30: pp. 4-5]
D. CATEGORY 2: GUIDANCE/REGULATIONS THAT DO NOT APPLY TO LANS
Given the fact that there are few direct literal references to network security in the guidance referenced, the topics covered in this category will address guidance topics in terms of sensitivity, general communications, and ADP network related configuration control. Moreover, each of these areas will be separated into waivers and exceptions. A waiver is "the act of intentionally relinquishing or abandoning a known right, claim, or privilege." An exception is a case to which a rule does not apply. Additionally, this thesis will assume a waiver is equal to a "temporary exception." [Ref. 31: pp. 432,1325]
1. Sensitivity
a. Waivers
Sensitivity waivers deal mainly with time limits and/or extensions. In reference to security operating modes, general ADP guidance (like AR 380-380) recognizes the need for temporary exceptions with intent to obtain full security compliance. Moreover, temporary exceptions may be authorized by the Designated Approving Authority . . . for specific security measures which they have determined would impair operation and mission effectiveness, provided they assure that continuous progress is made toward the ultimate full compliance with the Directive at the earliest practicable time. Also, the approving authority should not delegate authorization authority. [Refs. 13,32: pp. 9,5]
b. Exceptions
In AR 380-380 the MACOM commander or heads-of-Army-elements may direct higher sensitivity levels. Conversely, for systems at CS2, "the accrediting authority may designate the DPA one level of sensitivity lower than that prescribed . . . if all the following conditions exist":
• "The volume of information in the higher level of sensitivity requires less than 5 percent of total processing (wall clock) time."
• Higher level sensitivity information is processed in the local operational service mode (AR 380-380 paragraph 1-11b(1)) and Dedicated Security Mode (paragraph 1-13d).
• "Additional security and protective measures are taken to safeguard all information of the Higher level of sensitivity."
• "All personnel have the security clearances for the highest level of classified information to which they may be exposed. (AR 380-5 applies)." [Ref. 13: p. 6]
The higher the sensitivity level, the higher the approval authority required to approve an exception. For instance, in the multilevel security mode, exceptions are "prohibited for all CS1 or CS2 systems without the specific written approval of the ACSI"; but this is not applicable to CS3 and lower sensitivity systems. [Ref. 13: pp. 7-8]
In general, exceptions must be reviewed biennially and specific security requirements may have to be interpreted when applying security level criteria. [Refs. 21,32: pp. v,5]
2. General Communications
Exceptions to transmission requirements must offer the same degree of protection as approved components, processes and procedures. If less protection is provided, it may be possible to go to the next higher approval level. Exceptions will depend on characteristics unique to the system, which may include the sensitivity of the information, the characteristics of approved ADP equipment, the characteristics of substituted equipment, the results of a risk analysis, and the organizations involved. In addition, exceptions for ADP systems becoming part of a network must be addressed before actual connection. [Refs. 13,32,20]
3. Configuration Control
a. Waivers
General ADP security waivers are listed below [Ref. 13: p. 9].
• "Accreditation authorities may grant waivers or exceptions to existing systems when compliance with this regulation is not technically, economically or operationally feasible. However, all changes, updates, and procurements will have as an objective elimination of waivers or exceptions."
• "The condition or situation for which the waiver or exception is requested will be described and the justification given in order for the request to be evaluated."
• "Waivers or exceptions will be limited to a specific period of time, not to exceed 1 year. Exceptions or waivers will not be renewed or extended without the written approval of the accreditation authority. This extension will detail specific actions taken to correct the situation or circumstances necessitating the extension."
• "Waivers will be included in the Executive Summary portion of the accreditation documentation." Reference Appendix I of AR 380-380.
b. Exceptions
Discretion should be used in applying security provisions to automated administrative systems because not all of the guidance requirements are applicable to them. However, "the provisions of Chapter 5 (of AR 380-380) are applicable to all systems processing classified information." [Ref. 13: pp. 2-10]
E. CATEGORY 3: OUTDATED REGULATIONS AND GUIDANCE
Guidance addressed by this thesis is the most current available at the time of writing. The most recently dated regulation, directive, etc., is not considered "outdated" in the literal sense, because usually the most recently dated regulation exists as a "main" directive in force until a revised version is produced. In fact, DoD guidance as early as 1973 (DoD Manual 5200.28-M) states that ADP technology is always dynamic, and that the methods chosen to secure a particular system must accommodate new developments without degrading the level of protection. The same manual notes that new technology substitutes must be cost effective and meet basic security levels. [Ref. 22: p. 2]
Some of the guidance referenced is outdated, or perhaps "old fashioned", in terms of developing technology. For instance, AR 380-380 seems to give the impression that a central ADP site is an entity, and administrative ADP configurations (word processing, etc.) seem to be addressed in terms of the old mainframe type of configuration, which does apply in a true mainframe environment but ignores a distributed network environment [Ref. 13: pp. 9-10]. With the above points in mind, and, as pointed out earlier, the fact that networks are not specifically addressed in great detail as an entity, topics in this category are subjective. Certain aspects of the guidance referenced give the impression that some requirements in this category are outdated, and that this could adversely affect use of rapidly changing technology. [Ref. 13]
Points of interest in this category relate to physical/environmental and configuration control topics.
1. Physical/Environmental
In reference to the above points, much more attention is directed toward the "central site" versus a true distributed network. For example, the construction of a "central" computer complex and the "mainframe" computer room is addressed. This definitely applies to mainframes, which still exist and will for many years to come. In terms of networks and recent increases in desktop capacity and capability, more specific guidance should be developed and integrated into, or added to, the guidance [Ref. 13: pp. 12-16]. Thus, guidance in this area still applies to mainframe configurations, but is not totally complete in terms of networks and PCs.
2. Configuration Control
a. Software Considerations
There are references to configurations that involve over the counter batch applications (very common in the 1960's). References also address media handling requirements that still include requirements for punch card decks. Is the operational age range of Army equipment so vast that modern punch card applications still exist in significant numbers? Or has the acquisition process slowed replacement of such systems? Whatever the reason, there is a general indication that "new" technology strategies and applications need to be added to current Army guidance. [Refs. 13,20]
b. Stand-Alone PC Duplication
AR 380-380 states that stand alone systems should not duplicate standard Army systems. Again, AR 380-380 seems to ignore distributed processing and desktop capacity. There may be (or are) standard Army systems that could be transferred to desktop computers to provide emergency processing, backup processing, increased capacity or production, or any other unique innovative tests or processing that can be devised to improve productivity. [Ref. 28: p. 2-2]
c. Summary
Some areas of the guidance appear to be outdated in terms of today's desktop and distributed processing capability. Also, there is a mainframe flavor in the guidance and even reference to punch card requirements. In essence, the guidance covered in this section is outdated because it does not address considerations for distributed computing protection and security of PCs.
F. CATEGORY 4: AREAS AND TOPICS NOT COVERED BY LAN GUIDANCE
1. Overview
Again, the majority of the security guidance mentions network related components, not network specific topics. Thus, much is left to interpretation in terms of LAN/network security in areas not covered by the guidance.
2. ATSs vs. Networks
Chapter 11 in AR 380-380 is devoted to ATSs, but LANs are hardly mentioned [Ref. 13: p. 5]. Above, an ATS is assumed to be at best a hybrid ADP network, because the definition of an ATS closely parallels the definition of a general ADP network; an ATS is very much like an ADP entity. Is it a question of semantics? Is it safe to assume that an ATS network equates, literally and topically, to an ADP network? If so, why is an ADP network not addressed as an ATS? Again, nothing specific is said: an ADP network is not addressed as an entity, and only general ADP components are addressed.
3. Software
Network protocol guidance is not referenced. In network terms, the only thing mentioned is that the network security officer (NSO) is required to ensure that protocols are developed for networks. Specific software categories identified are general purpose; executive; utility; and software tools for development of applications. Protocols would probably fall under the utility program category. A utility is "a program provided by the computer center or vendor to perform a task that is required by many of the programs using the system." Because "utilities" is a general category, a protocol could be thought of as a communication or interface utility. [Ref. 13: pp. 20-22,389]
4. Configuration Components
Given there are network check lists (mentioned above) and other limited references to networks, it is assumed that an ADP network has the exact same needs as an ATS. At the beginning of the chapter, an ATS was assumed to be a general purpose network; above, it was stated that an ATS is at least an ADP network or an ADP entity. The regulation implies that a network consists of two or more automated systems (i.e. ADP systems). Nothing specific is mentioned about network component combinations, which matter in today's rapidly changing technical environment.
5. Network Audit Procedures
Again, networks are not specifically mentioned in AR 380-380, but it does specify mandatory audit trails for all new teleprocessing systems. [Ref. 13: p. 24]
6. Peripherals vs. System Approach
a. Accreditation
A device must be accredited with a system if it is connected to the ADP system more than 50 percent of the time [Ref. 13: p. 9]. Network configurations can have many personal computers that do not need to access the network 50 percent of the time. With current desktop capability, a desk top could make its presence noticed in terms of network capacity and throughput. In addition, a hacker/spy could do real damage to a network with a PC. Is this really addressed? This is another area that could be updated and made more network specific.
b. PC Security
Issues related to networks are penetration and access. The impact of PCs in terms of today's network technology is an area not thoroughly mentioned in the guidance addressed in this thesis. NCSC-WA-002-85, "Personal Computer Security Considerations", published by the National Computer Security Center, covers PC security issues, but is NOT directly government policy; it is an information memorandum. This document addresses PC penetration, communication access, transmission to networks, and other general information. [Ref. 33]
G. THE NEXT STEP
This chapter indicated that even recent ADP security guidance (1986) does not mention LANs, but must be used to shape LAN security features. Given the preceding overview of security guidance, the next step is to take a closer look at security guidance for the system hardware, software, and transmission components found in a LAN.
IV. NETWORK SECURITY DEVELOPMENT CONSIDERATIONS PERTAINING TO BASIC COMPONENT GUIDANCE REQUIREMENTS
A. PART 1: OVERVIEW
As indicated in the previous chapter, a "need-to-know" is the driving force behind sensitivity levels and the ultimate classification of any ADP system, including LANs. Guidance indicates that the need-to-know is really the driving factor in determining a sensitivity level. However, how a need-to-know is determined in the pure sense, and whether the need-to-know is valid for every network now or in the future, is not within the scope of this thesis. A sensitivity level must be assigned; thus we will assume a need-to-know can be determined, and look further at sensitivity considerations.
Chapter III looked at guidance areas that applied and did not apply to LANs. In contrast, Chapter IV looks at the same guidance in terms of the various LAN components, and how it applies to the LAN configuration as a whole. From all information, the accreditation authority will have the ultimate approval, and at least share responsibility, in terms of what actually applies, because each system is unique. Chapter V addresses accreditation.
This chapter is divided into four parts. The overview (Part 1) explains component categories and a basic regulation planning strategy. Part 2 presents general ADP and telecommunication guidance requirements for networks derived from the guidance referenced for this thesis. Parts 3 and 4 review general network requirements pertaining to the multilevel and system high (respectively) security modes. Note that all material in this chapter is based on the regulations covered in Chapter III.
1. Chapter IV Component Categories
Chapter II is structured around functional network categories like topology, protocols, internetworking, etc. For better identification of component guidance, components in this chapter are listed in terms of general ADP topics. The major categories are general system considerations, hardware, transmission hardware, and software. The categories and LAN components are listed below.
• SYSTEM/MISCELLANEOUS CONSIDERATIONS
- Configuration
- Sensitivity
- Mode
- Procedures
• HARDWARE - Computers
- Mainframes
- Minicomputers
- Microcomputers
• HARDWARE - Interface
- Controller Devices
- Switches (CBX/PBX)
- Protocols (hardware aspects)
- Bridges
- Gateways
- Modems
- Multiplexers
• HARDWARE - Terminal devices
- Smart terminals
- Computer terminals
- Microcomputers - PCs
- Printers
- Electronic Storage (disk, tape, etc.)
• TRANSMISSION MEDIA
- Twisted pair
- Coaxial
- Fiber optic
• SOFTWARE
- Application
- Interface (Protocols like Ethernet)
- Operating system (general functions)
2. A Strategy for Applying General ADP Guidance to a Network
Strategy is defined as a "careful plan or method." [Ref. 31: p. 1165] Understandably, system designers and accreditation authorities must be careful in the way each unique system is analyzed with regard to guidance requirements, because security guidance is not, and cannot be, hardware and configuration specific. Thus, given an application and configuration, the strategy listed below is also in general terms.
1) Determine sensitivity range of information.
2) Identify tentative operation mode alternatives.
3) Place components in appropriate category; includes performance capabilities.
4) Identify general system level requirements relating to categories.
5) Identify general component requirements relating to categories.
6) Identify operation mode requirements for each operation mode alternative (multilevel, system high, dedicated, etc.).
7) Re-evaluate and select, based on each organization's unique requirements.
This chapter covers steps four, five, and six. Steps one, two, three, and seven are user, organization, and vendor/system specific and must be performed by the organization planning to implement the LAN. In reality, step three would be done for each particular component and system configuration, using the component guidance categories above. Steps four, five, and six are illustrated in this chapter in a general way, to isolate guidance that pertains to LAN security. For brevity, only two modes are chosen to point out guidance areas important to LAN security.
B. PART 2: GENERAL LAN GUIDANCE REQUIREMENTS FOR NETWORK COMPONENTS
1. System/Miscellaneous
a. Configuration (Includes Topology)
LAN system configuration requirements are concerned with design, operation (coordination and control), facility, and hardware considerations. These component requirements are addressed in terms of specific components, with consideration of associated specifications. The guidance addressed by this thesis does not address all LAN components in great detail. Various ADP, ATS, telecommunications, and transmission hardware components used in LANs are addressed in enough detail to be applied to the LAN system level consideration. Guidance for LAN configurations can also be derived, just as guidance can be derived and applied to areas not covered under ADP and telecommunications guidance. The derivation idea in the above paragraph can be seen in the regulations themselves. For instance, ATSs and administrative systems are the only unique systems addressed, in contrast to miscellaneous network comments. In addition, administrative systems are not affected by security guidance unless they handle sensitive information or communicate with other computers. Thus any system used to establish a LAN, even if it is purely an administrative system, is subject to ADP and telecommunications requirements, because LANs consist of ADP, ATS, and telecommunications components. [Ref. 13: pp. 9,31]
Keep in mind that the "system", or total configuration, must be approved. It is always the responsibility of the organization commander or manager to see that AR 380-380 is applied [Ref. 13: p. 12]. The temporary exceptions and waivers addressed in Chapter III should be addressed as early as possible. The approval process, referred to as accreditation, will be addressed in Chapter V.
(1) Design. System security features should be incorporated into any LAN configuration from the very beginning. Minimum ADP system security requirement features that should be part of a LAN design include:
- Individual accountability - who is accessing and what they are doing.
- Environmental control - physical protection of hardware.
- System stability - all components protected to provide steady operation.
- Data integrity - accurate and timely data.
- System reliability - minimize down time caused by security breaches; identify and prevent unauthorized penetration.
- Secure communication links - identify and prevent unauthorized penetration.
These features should also be applied to future upgrades. Standardization should be incorporated where possible, with the ultimate goal of interoperability. Performance measures must allow for security needs, because overall system performance may be affected by security software or hardware. [Refs. 13,32,34]
If system security features are to be included early in the design process, they should be followed throughout the system life cycle, including expansion. Thus, whenever there is some sort of change or upgrade, all applicable security requirements should be followed for all components of the system, because new equipment could impact the total security of the current "system". For instance, any communication need should include the need for encryption. For example, the use of fiber optic cable media could reduce the need for encryption. Some examples involving encryption and shielding are presented later. [Refs. 13,17,28]
Emanation, the radiation of signals from a transmission cable media, is another major system security design area to cause concern. Generally, the guidance sources indicate that some form of encryption is desired for sensitivity levels starting at CONFIDENTIAL and above. Encryption is the transformation of information into an unidentifiable code. Encryption policies, link or end-to-end encryption, and the overall network system design include encryption key control. Manual procedures must be used to control the storage, issue, distribution, and control of encryption key information. All of the cryptographic system, key information and handling procedures, encryption hardware and software and associated storage facilities, media and interface hardware must be protected at least at the highest security level for the system. Either form of encryption will require extra hardware for key generation and encoding at the node interface to the network. [Ref. 20: pp. 36-37] Additionally, investigations and studies of compromising emanations are given the name "TEMPEST" [Ref. 13: pp. 5,78]. In order to conform to compromising emanations control, the network will achieve communications protection via one of the following methods: National Security Agency (NSA) produced COMSEC methods, a protected distribution system (PDS), or commercial methods (for unclassified national security information). A PDS is an approved telecommunications system that has the required physical and electronic safeguards for safe transmission of unencrypted sensitive information [Ref. 13: p. 76]. These methods are to be used for all transmission hardware interfaces and are addressed in more detail under the transmission hardware section of this chapter. [Ref. 13: p. 18]
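The difference between link encryption and end-to-end encryption noted above can be made concrete with a small script. The following Python program is an added illustration; it is not part of the thesis or of any Army or NSA guidance. The node names A (sender), R (relay) and B (receiver), the key names K_AR, K_RB and K_AB, and the message are assumptions, and the cipher is a constructed toy keystream (SHA-256 in counter mode) used only so the script runs with the standard library; it is not an approved COMSEC method. The script routes one message through the relay under each policy and records what the relay could read, which is exactly the property that decides whether an intermediate node must sit inside the protected facility.

```python
"""Link encryption vs end-to-end encryption across a relay node (added example).

Nodes, key names and the message below are assumptions for illustration.
The keystream cipher is a constructed toy, NOT an approved cryptographic system.
"""
import hashlib
import os

NONCE_LEN = 12


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with SHA-256(key || nonce || counter) blocks."""
    out = bytearray()
    ctr = 0
    while len(out) < len(data):
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, out))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Fresh random nonce per message, prepended to the ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + keystream_xor(key, nonce, plaintext)


def decrypt(key: bytes, blob: bytes) -> bytes:
    return keystream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])


class Relay:
    """Intermediate node R. It holds only the two link keys (A-R and R-B).

    `observed` records what R can read after stripping its inbound link layer,
    i.e. what a compromised relay (or its operator) would see.
    """

    def __init__(self, key_in: bytes, key_out: bytes):
        self.key_in = key_in
        self.key_out = key_out
        self.observed = []

    def forward(self, blob: bytes) -> bytes:
        exposed = decrypt(self.key_in, blob)      # strip A-R link encryption
        self.observed.append(exposed)
        return encrypt(self.key_out, exposed)     # re-encrypt for the R-B link


def send_link_only(message: bytes, k_ar: bytes, k_rb: bytes):
    """Link encryption only: each hop keyed separately, plaintext exists at R."""
    relay = Relay(k_ar, k_rb)
    on_wire_rb = relay.forward(encrypt(k_ar, message))
    delivered = decrypt(k_rb, on_wire_rb)
    return delivered, relay.observed[0]


def send_end_to_end(message: bytes, k_ab: bytes, k_ar: bytes, k_rb: bytes):
    """End-to-end layer under K_AB (held only by A and B) inside the link layer."""
    relay = Relay(k_ar, k_rb)
    inner = encrypt(k_ab, message)
    on_wire_rb = relay.forward(encrypt(k_ar, inner))
    delivered = decrypt(k_ab, decrypt(k_rb, on_wire_rb))
    return delivered, relay.observed[0]


def compare(message: bytes) -> dict:
    """Run both policies on one message; keys are generated per call."""
    k_ar, k_rb, k_ab = (os.urandom(32) for _ in range(3))
    d_link, seen_link = send_link_only(message, k_ar, k_rb)
    d_e2e, seen_e2e = send_end_to_end(message, k_ab, k_ar, k_rb)
    return {
        "link_delivered_ok": d_link == message,
        "link_relay_saw_plaintext": seen_link == message,
        "e2e_delivered_ok": d_e2e == message,
        "e2e_relay_saw_plaintext": seen_e2e == message,
    }


if __name__ == "__main__":
    # Constructed sample message for the demonstration.
    print(compare(b"SECRET: convoy departs 0400"))
```

Both policies deliver the message intact, but under link encryption the relay holds the plaintext between hops, so every relay node must be protected to the highest sensitivity level of the traffic it carries (or sit inside a PDS). Under end-to-end encryption the relay only ever handles ciphertext under K_AB, which is why the extra key generation and encoding hardware mentioned above belongs at the end nodes' network interfaces. Either way the keys themselves are the sensitive asset, and their generation, issue and storage still need the manual control procedures the guidance requires.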
System planning should not isolate physical and environmental security considerations from other system security considerations. Topics like sturdy building construction, adequate electrical power, well constructed cable media supports, and proper routing and shielding of cable must be considered. The goal is to protect the system from unauthorized access and physical damage. [Refs. 13,23]
Finally, future system improvements must be state-of-the-art, not duplicative, and cost effective, as well as approved by the accreditation authority. To accomplish this, the design should be modular to the extent that additional connections are possible for extra security hardware and software features that may be required. Security upgrades and/or additions of existing security features should not degrade overall system performance. [Ref. 13: p. 9]
(2) Operations - Coordination and Control. System interoperational security considerations concern intra-system as well as inter-system activities. LAN configuration control must be rigid, well established and enforced.
In addition, a comparison between the baseline configuration and a proposed modification must be made before any system component is modified. The comparison must include a system security evaluation that includes audits of hardware, software, and firmware, and a risk assessment. Also, auditors should be involved in all phases of the design process to assure that audit trails are properly designed and integrated into the network. [Ref. 13: p. 32]
In contrast to standard mainframe terminals, network security coordination within a LAN should be between the terminal area security officer (TASO), the network security officer (NSO), and the network manager. In terms of a network, the TASO may be responsible not only for "terminals" but also for microcomputers, because their site is a remote user of the network. Therefore, a TASO would be responsible for the security of one or more computers at a particular site. Yet he/she would be subordinate to the ADP system security officer (ADPSSO), NSO, or network manager. ADPSSOs may have their own TASOs for their local equipment, just as an NSO may manage many TASOs and ADPSSOs. Also, security at the internet level, gateway hardware control (switches, controllers, etc.), could be handled by the network manager or NSO, and security of the remote hardware by the ADPSSO at his/her remote site. [Ref. 13: pp. 4-5]
Special attention should be paid to the requirements of organizations that maintain telecommunications gateways, especially networks. This includes requirements for data link interfaces, message link interfaces, and encryption. Data link security deals with security in terms of pure bit stream transmission. Message link security is the actual encryption of the message, handled by the protocol. [Refs. 35,23: p. 7]
Network configurations are the most vulnerable ADP operation mode because of their on-line, interactive, and distributed nature [Ref. 13: p. 7]. Thus, continuous safeguards are a must. In essence, networks are systems composed of ADP hardware components, interface hardware components, software components, and transmission media components working together. Similarly, software security, hardware security, procedural security, physical and environmental security, and communications security must work together to provide efficient network "system" security. In terms of system operations security, the NSO must compile a security profile that describes the physical relationships, structure, equipment and components, general equipment locations, and operating environment of the automated system. This is especially important in a PDS without encryption, because physical protection and electronic shielding could be penetrated at almost any physical point of the network. [Refs. 13,23: pp. 76,6]
(3) Facilities. General ADP facilities must be properly designed and constructed. The goal is to provide disaster control and to minimize the cost to the Army that would result from a disaster. All ADP facilities require effective detection, protection systems, and emergency measures (fire, flood, etc.) to minimize vulnerability. In a network, the "central facility" is usually any location that contains the network control components, and a network can have distributed network control components. Thus, network facilities housing network control components and gateways should be protected according to "central facility" requirements, and must always equal the requirements for the highest classification and information sensitivity. [Ref. 13: pp. 10-12] Given a contractor operated system, or a system under contractor development and implementation, the central facility is the approved system security room/building that contains the computer. [Ref. 36: pp. 177-178]
(4) Hardware. ADP hardware security requirements for stand-alone ADP equipment apply to all LAN hardware: computers controlling protocols, controllers, gateways, and interface devices. These requirements must be considered in all future systems. System features required in terms of the "system" configuration are internal isolation of users, user port and/or channel identification, internal protection mechanisms for memory and storage, and error detection. External security features include facility security and physical locking devices such as insertion of keys or magnetically encoded cards. [Ref. 13: pp. 19-20]
b. Sensitivity Levels and Applicability
System sensitivity must be determined before a secure operating mode can be designated. In addition, a risk management program must implement procedures to identify weaknesses so that effective counter measures can be devised.
(1) Sensitivity determination. In sum, requirements identified in Chapter III (of the thesis) indicate that sensitivity is determined by the importance of the information processed to the overall Army mission, a need-to-know, and unique system features or applications that warrant protection. Sensitive data includes personal data protected by the Privacy Act of 1974. In short, personal data of all personnel maintained on any ADP system is considered "highly sensitive" information in terms of the sensitivity categories presented in Chapter III. [Ref. 13: p. 6] In addition to Privacy Act data processing, sensitivity is determined by the user, dollar value, and/or value in terms of national interest or defense. A need-to-know applies to all aspects of the system configuration. Also, a system Accreditation Authority can impose more rigid sensitivity levels for reasons unique to a particular system. [Ref. 13: pp. 6-7]
Sensitivity requirements identified in Chapter III also indicated that a "compilation" of unclassified items may require a higher classification. This requires system unique analysis to determine if in fact a sensitive compilation of information exists. Because of network, distributed processing and access, compilation is always a consideration in a network. Given the system analysis, the original security classification is determined by the sensitivity determination, but special approval is required for compartmented data. As mentioned earlier, the approval authority makes the final classification determination. [Refs. 20,32]
Stand alone administrative systems that do not process classified information do not have to be accredited. Certain (usually older) administrative systems may not be subject to classified handling requirements, like amounts and types of classified information. However, given teleprocessing considerations and Privacy Act requirements, a LAN supporting administrative processing would probably have to be accredited [Ref. 13: pp. 9-12,18]. Hence, ADP sensitivity requirements apply. Moreover, cryptographic capabilities apply to any system with a CONFIDENTIAL or higher level, and physical security requirements are based on the security classification. [Ref. 13: pp. 12,40]
(2) Designation. Once sensitivity levels are set, detailed requirements for each system component can be identified. Also, all ADP operation and facility designations must be assigned. Nonsensitive systems are the only systems that don't require accreditation [Ref. 13: pp. 5-7]. Sensitivity level designations affect all aspects of the configuration, not only the physical aspects mentioned above but also the operating mode, which in turn affects the control of system data and the control of information transmissions [Ref. 32: pp. 3-8]. For example, the physical facility security profile (FSP) should be based on the sensitive processing [Ref. 20: p. 36], and there are different communications security requirements for different sensitivity levels that apply to the system [Ref. 20: p. 6].
Designation considerations include:
• The type and sensitivity of information handled by each component.
• Who has official control of specific data bases.
• Physical location of network components.
• Who will access information at each network location.
[Ref. 13: p. 5]
(3) Risk Management. A formal risk management program must be established for each automated system handling sensitive information. Risk management is intended to provide a means to identify, measure, control, and minimize weaknesses in the entire system configuration; the general objective is to prevent unauthorized system access and use. A specialized risk analysis, conducted by defense experts if possible, should be used to determine vulnerabilities. The expenditure of resources to determine the most cost effective safeguards should be supported. [Ref. 13: p. 29]
c. Security Processing Modes
Security processing modes were discussed in Chapter III. They are the multilevel security mode, controlled security mode, system high security mode, dedicated security mode, and periods processing [Ref. 13: pp. 7-8]. Only the system high and multilevel modes are reviewed in this chapter, to provide background for an example presented at the end of Chapter V. Additionally, both these modes are presented (later) in this chapter to identify basic considerations. A detailed analysis of all the modes would prove to be lengthy.
In contrast to standard Army guidance, DoD contractor security guidance only approves the dedicated, system high, controlled and concurrent security modes. The most notable difference is that the multilevel mode is not addressed. Nonetheless, concurrent processing of multiple classification categories closely resembles the multilevel mode requirements addressed later in this chapter. Contractor security guidance applies to networks that are developed and/or operated by contractors. [Ref. 36: pp. 173-175,181-182]
Physical security requirements for contractor security modes must also be based on sensitivity. Above all, physical security protection must meet requirements for the highest sensitivity level processed by the system at each facility and remote terminal area. The only exception is that in an approved controlled security mode, remote terminals may be secured at the highest level for that site. Nevertheless, all systems processing with a system high sensitivity of SECRET/CONFIDENTIAL must meet physical security requirements no lower than those required for CONFIDENTIAL. [Ref. 36: pp. 171-190]
d. Procedures
ADP procedures that apply to LAN configurations involve system implementation, access, facility construction, risk management, audits, and emergency plans.
(1) Implementation. First, minimum security standards for the network, hardware, and software must be established. The security standards should then be used to develop system-wide security procedures. The procedures should be tested and analyzed along with system hardware and software to make sure they are compatible and are cost effective in terms of system performance. Once the security hardware, software, and procedures are approved for operation, personnel should be trained. All user and operator training should include identification of security responsibilities as well as security procedures. [Refs. 2,13: p. 11]
Given that a network manager and NSO are appointed in the design stages to assist and monitor the design of security features, a TASO for each site should be appointed before implementation and testing at their specific site. Mutual agreement on security responsibility between the organization controlling remote devices and the remote user organizations must be finalized before remote devices are implemented or allowed to access the system. Naturally, established user security procedures and agreements are also required before internetworking [Ref. 13: p. 5]. In addition, security/implementation requirements should be checked for each organization and chain of command level. This allows identification of unique user requirements and organization priorities. For example, the type of organization (headquarters, post, etc.) affects user priorities in terms of who comes on line first and what they can do. Unique user requirements may also have an impact on implementation/installation schedules, testing, etc.
(2) Access procedures. Before access procedures are developed, vulnerable areas must be identified. Vulnerability information should be available from the system design or risk management documentation. Controls for personnel access to ADP facilities and hardware during and after normal duty hours may include physical and/or manual procedures. Some examples are control of keys, control of combinations, continuous closed circuit TV monitoring, intrusion detection systems, exterior lighting during darkness, second access doors, and fencing. Access procedures should also include visitor controls that include escorts as a minimum and, depending on the processing mode, pre-arrival security checks. [Ref. 13: pp. 12-16]
LANs require protection of system documentation at the highest system classification level. In addition, file and media access is based on a "need-to-know". There must also be sanitization procedures before and after contractors work at sensitive levels on any ADP system. [Refs. 13,36]
Password generation should also be based on the sensitivity value of the system. Special care must be given to password generation, issue, and control. Transmission media channels for sending passwords should equal their classification level. [Ref. 13: p. 19]
(3) Risk Management Procedures. Above it is stated that a risk management program must be established for systems handling sensitive information. Risk management procedures are not standardized because every system is unique. Only the phases of evaluation are standardized. To determine the level of protection needed, management must identify the resources to be protected and analyze the risk of espionage, sabotage, damage, theft, and emanations. As a result each command is responsible for its own risk management and security audits. [Ref. 13: p. 29]

(4) Audit Procedures. Audit and evaluation procedures required for the accounting categories can be separated into manual and automated verification programs. General accounting categories are ADP customer accounting, data control and job accounting, communications and network system accounting, and resource accounting. Networks require audit trail records for data as it is routed through the network. This is an important aspect of network environments and distributed systems. The network manager and NSO should always monitor who is on the system and what they are doing. In addition, each ADP network user that processes information should have their own data control for their job [Ref. 27: p. 2-1]. Minimum internal controls include:

• Identification of equipment and location to record receipt of data. This includes arrival reports, traffic classification logs, etc.
• Journalizing of each arrival time.
• Separate accounting procedures for classified products.
• Console logs, automation summary reports, watching schedules and workload records, and summary rosters. [Ref. 13: p. 25]
• Identification of all users and time of access.
• Identification of the file accessed by each user and what the file was used for.
• Input control - determine the file accessed and all restrictions (read, write, etc.).
• Identifiable output linked to the correct recipient.
• Printouts produced only at attended printers.
• Output control logs at remote devices.
• Scheduling procedures for user requests of large amounts of network resources.
• Logs must be retained for at least 60 days.
• Sensitive audit trail data must be retained for 90 days.
• Over-the-counter batch input/outputs must be reviewed before entering or leaving the network facility. [Refs. 13,27]

All system security incidents must be investigated [Ref. 13: p. 8]. Thus, the above audit procedures would be an important part of an investigation, as well as routine system control.
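The audit controls listed above (identification of every user and time of access, the file each user touched and what it was used for, printouts only at attended printers, and the 60-day/90-day retention periods) can be expressed as a small journaling and verification program. The following Python code is an added example and is not part of the thesis or of the Army guidance it reviews; the journal format, the terminal and printer names, and the sample entries are all constructed for this illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Retention periods from the guidance above: routine logs at least 60 days,
# sensitive audit trail data 90 days.
ROUTINE_RETENTION = timedelta(days=60)
SENSITIVE_RETENTION = timedelta(days=90)


@dataclass(frozen=True)
class AuditRecord:
    """One journal entry: who touched which file, from where, and for what."""
    when: datetime
    user: str
    terminal: str      # equipment and location that handled the data
    file: str
    action: str        # "read", "write", "print", ...
    purpose: str       # what the file was used for
    sensitive: bool    # entry concerns sensitive/classified processing


def parse_journal(lines):
    """Parse constructed '|'-separated journal lines (an assumed format) into records."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        when, user, terminal, file, action, purpose, flag = line.split("|")
        records.append(AuditRecord(datetime.fromisoformat(when), user, terminal,
                                   file, action, purpose, flag == "S"))
    return records


def users_and_access_times(records):
    """Identification of all users and their times of access."""
    return sorted((r.user, r.when.isoformat()) for r in records)


def files_per_user(records):
    """Which file each user accessed, the action taken, and what it was used for."""
    out = {}
    for r in records:
        out.setdefault(r.user, []).append((r.file, r.action, r.purpose))
    return out


def expired(records, now):
    """Records past their retention deadline and therefore eligible for disposal."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    gone = []
    for r in records:
        keep_for = SENSITIVE_RETENTION if r.sensitive else ROUTINE_RETENTION
        if now - r.when > keep_for:
            gone.append(r)
    return gone


def unattended_print_violations(records, attended_printers):
    """Printouts produced anywhere other than a designated attended printer."""
    return [r for r in records
            if r.action == "print" and r.terminal not in attended_printers]


# Constructed sample journal (not taken from the thesis).
SAMPLE_JOURNAL = """
# when|user|terminal|file|action|purpose|S=sensitive,U=unclassified
2024-01-01T08:00:00|ayres|TERM-07|ops_plan.dat|read|briefing prep|S
2024-01-01T08:05:00|ayres|TERM-07|ops_plan.dat|print|briefing prep|S
2024-02-10T09:30:00|brown|PRN-02|roster.txt|print|duty roster|U
2024-02-20T10:00:00|brown|TERM-03|roster.txt|write|update roster|U
"""

if __name__ == "__main__":
    recs = parse_journal(SAMPLE_JOURNAL.splitlines())
    print(users_and_access_times(recs))
    print(files_per_user(recs))
    print("expired as of 2024-04-01:", len(expired(recs, "2024-04-01T00:00:00")))
    print("unattended prints:", unattended_print_violations(recs, {"PRN-02"}))
```

Note that the retention check is per record rather than per log file: a journal that mixes sensitive and routine entries must be kept for the longer period, which is why the sensitivity flag is carried on every entry.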
(5) Emergency. Emergency procedures must be planned because the network is especially vulnerable during start-up, shut-down, and system failure. Operational security controls must be enforced and intensified during these times. In other words, security plans/procedures are needed during an emergency shut-down or system failure (if any). System software should provide minimal protection for minor interruptions like power surges, keeping them as transparent to the users as possible. When an unscheduled termination of operations takes place an investigation must begin immediately to determine the cause, impact, and corrective measures for system recovery to prevent further damage and vulnerability. [Ref. 13: pp. 24-25]

Proper storage of documentation, data, and software requires on-site and off-site rotation and storage to ensure the most recent versions are available. The Continuity of Operation Plan (COOP) requires sufficient copies of documentation, data, and software in secure off-site storage to reestablish operations in the event the originals are damaged or destroyed. The sensitivity requirements for the off-site storage area must be equivalent to the most sensitive item stored there. Storage areas must be strictly secured at the highest operating level until normal operations begin. System documentation should include network system recovery plans and procedures. [Ref. 13: pp. 24-25] In addition, emergency text transmission procedures are required for national security information in the event secure modes are deactivated or not available. [Ref. 29: pp. 10-12]
2. ADP Hardware

a. Computers

In terms of the actual computer, security guidance is concerned with operation, management, and access of facilities and hardware.

(1) Facilities. It was mentioned above that the central facility must be secured to the highest system sensitivity level. In addition, direct access to hardware within the facility must be controlled. Note also that supporting facilities (utilities, air conditioning equipment, etc.) should be secured at the same level as the central computer facility. [Ref. 13: p. 15]
(2) Access. Physical access to ADP hardware is covered above in the system access section. Some additional requirements are listed below.

• Regular inspections.
• Restrict access to network control facilities.
• Tight control of identification devices (badges, keys, etc.).
• Change of keys and locks on a regular basis.
• Proper disposal of classified media and documents within a site.
• Applicable TEMPEST requirements to prevent unauthorized electronic access [Ref. 27: pp. 3-3 - 3-4].

TEMPEST is the unclassified name for the investigation and study of emanation compromise [Ref. 13: p. 78].
In terms of the "access" procedures in the system procedure section above, data file access is controlled by user passwords and identification procedures. Thus, access to the generic LAN is controlled by passwords and procedures at the network center, while another set of controls may be required for access to specific computers or computer systems connected to the LAN. This would apply to situations where a user has access to a computer with a network interface, but the particular user does not have a need or clearance to access the network via that computer. In addition, access to audit file information should be limited to the network manager, NSOs, and network center operators with a need-to-know.
In certain situations a system may connect to system(s) with a lower approved security operating mode. The system with the lower security operating mode must use disconnection techniques whenever the sensitive level exceeds the classification of the "connected" system. The same basic requirements needed at the system level apply to the component level (sanitization, software disconnects for sensitivity levels at or below the processing level, etc.). Contractors can only use software disconnects for sensitivity levels at or below SECRET. The network manager and NSO should predetermine specific channels and/or transmission links for both hardware and software disconnects so they can be monitored during the disconnect. [Refs. 22,36]
In terms of sensitive information, "privately owned computers cannot be used in a LAN, network, or any type of remote connection to a mainframe configuration unless it is first accredited. Any PC is used only in a stand-alone configuration." Understandably, all information processed becomes property of the Army. The objective is to prevent penetration of a secure area or facility. Privately owned computers could contain emanation collection equipment, or if connected to an ADP system, enable unauthorized collection, destruction, or alteration of information. In contrast, PCs owned or leased by the Army can be connected to any network or stand-alone system provided they meet system accreditation requirements, assuming Army owned PCs are secured and controlled properly. [Ref. 13: p. 10]
b. Terminal Devices

Understandably, the sensitivity of information processed determines terminal device requirements as well as other ADP component requirements. General terminal requirements that apply to the generic configuration are physical area, access, emergency, and accreditation requirements.

(1) The Physical Terminal Area. Network terminal equipment must be protected before and after duty hours [Ref. 13: p. 14]. Normally, remote terminal area requirements will be based upon the highest classified and most restrictive category and type of material which will be accessed through the terminal under system constraints. [Ref. 22: p. 16] However, remote terminals in ADP systems controlled or under development by contractors must continuously operate in the highest security class except for terminals approved for the controlled security mode. Basic physical needs are similar to the hardware and general system considerations addressed above (lights, locks, construction, etc.). [Ref. 36: pp. 177-178] Terminal media storage is especially important in remote terminal configurations where the remote terminal device is far from the network center. In remote terminal areas all disk packs, tapes, etc., as well as terminal devices, must be secured under the maximum approved LAN security level for the remote location. [Refs. 13,22]
(2) Terminal Access. Direct access to a terminal device at any location can be controlled by a combination of identification mechanisms, locking, time-outs, and verification. Logon time-outs must be based on sensitivity levels. Physical and software terminal locking and unlocking must be controlled by system operators and authorized by the ADP system security officer (ADPSSO), terminal area security officer (TASO), or a network security officer (NSO) [Ref. 13: pp. 18,21]. Thus, access identification is accomplished before processing begins. [Ref. 22: p. 16] Disconnect situations and disconnection procedures were covered under computer access above. Microcomputers approved for temporary connection, or acoustic coupling, must undergo some type of memory sanitization before and after connection. By consequence, smart terminals should be minimized or eliminated because they are harder to audit and control. [Refs. 13,36] Internetworking requirements mentioned above for computer hardware also apply to terminals. Terminals accessing a system or network must meet that network's minimum requirements and be approved by network authorities. Lastly, terminals that access commercial time sharing computers or networks must have a lockout mechanism or be located in a separate secure room. Accredited terminals used for access of commercial systems should be sanitized before accessing a classified network. Terminal software and hardware interfaces into the same network must also meet accreditation approval. [Ref. 13: p. 14]

(3) Emergency. The same general requirements mentioned above apply to terminals in terms of start-up, shut-down, and failure procedures. In short, this includes full documentation and investigation of system failures and emergency shut-downs. [Ref. 13: p. 24]

(4) Accreditation. One major point concerning terminal device accreditation is its relationship to the system or network configuration. Remember, Chapter III of the thesis mentioned that terminals, PCs, micros, minis, etc. connected to a system more than 50 percent of the time must be accredited with the system [Ref. 13: p. 9]. Thus, terminals that access a network must have accreditation equal to the network's requirement for the sensitivity processing level, if they are not accredited with the system. Accreditation is covered in Chapter V of the thesis.
3. Transmission Hardware

a. General Transmission Media Considerations

Transmission media considerations that apply to LANs are encryption, non-encryption security methods, telecommunications plans, teleprocessing audit controls, and communications security monitoring.

(1) Encryption. Encryption is transforming information into a code to conceal its meaning. End-to-end encryption is encryption of information at the origin, before it enters the transmission medium, and then decrypting it at the destination after it leaves the transmission medium. Link encryption is "the application of on-line crypto-operations to a link of a communications system so that all information passing over the link is encrypted." [Ref. 13: p. 74] Encryption applies to confidential as well as other higher classifications, and is used to prevent unauthorized access of transmission media or electronic emanations. [Ref. 20: pp. 36-37] Moreover, all ADP telecommunications must meet communication security criteria equal to the information security requirements when supporting ADP systems. [Ref. 29: p. 3] All telecommunications transmissions of "record" data must be secured by approved cryptosystems or by PDSs [Ref. 32: pp. 6-7]. Systems under contractor control and/or development that process classified information must be encrypted for both intra-facility and inter-facility transmission links. However, an approved level of physical security can be substituted. Other measures that can be used in addition to encryption include a PDS, authentication, proper operator skills and discipline, and general communications security awareness. Authentication is the process of verifying the eligibility of a system (or network) user to access information. PDSs are discussed under non-encryption methods [Ref. 13: p. 72].
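The practical difference between the two encryption forms defined above is what an intermediate node on the path can observe: with link encryption each hop decrypts and re-encrypts, so every relay holds plaintext, whereas with end-to-end encryption only the origin and destination ever see it. The following Python simulation of a three-node path is an added example, not part of the thesis; its keystream cipher (HMAC-SHA256 in counter mode) is an assumption made so the code runs with the standard library alone and stands in for an approved cryptosystem without being one.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Illustrative stream cipher (assumption for this example): XOR the data
    with an HMAC-SHA256 keystream derived from (key, nonce, counter)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt(key: bytes, data: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    return nonce + keystream_xor(key, nonce, data)


def decrypt(key: bytes, blob: bytes) -> bytes:
    return keystream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])


def link_encrypted_path(message: bytes, link_keys: list):
    """Link encryption: one key per link. Every relay must decrypt the inbound
    link and re-encrypt for the outbound link, so it sees the plaintext.
    Returns (plaintext recovered at destination, plaintext seen at each relay)."""
    seen_by_relays = []
    wire = encrypt(link_keys[0], message)
    for k_in, k_out in zip(link_keys, link_keys[1:]):
        cleartext_at_relay = decrypt(k_in, wire)
        seen_by_relays.append(cleartext_at_relay)
        wire = encrypt(k_out, cleartext_at_relay)
    return decrypt(link_keys[-1], wire), seen_by_relays


def end_to_end_path(message: bytes, session_key: bytes, relays: int):
    """End-to-end encryption: the origin encrypts once under a key shared only
    with the destination; relays forward the ciphertext unchanged.
    Returns (plaintext recovered at destination, bytes seen at each relay)."""
    seen_by_relays = []
    wire = encrypt(session_key, message)
    for _ in range(relays):
        seen_by_relays.append(wire[NONCE_LEN:])   # ciphertext only
    return decrypt(session_key, wire), seen_by_relays


if __name__ == "__main__":
    msg = b"RECORD DATA: constructed sample"          # constructed message
    link_keys = [b"link-key-1", b"link-key-2", b"link-key-3"]
    pt, relays_saw = link_encrypted_path(msg, link_keys)
    print("link:", pt, "relays saw plaintext:", all(s == msg for s in relays_saw))
    pt, relays_saw = end_to_end_path(msg, b"session-key", relays=2)
    print("end-to-end:", pt, "relays saw plaintext:", any(s == msg for s in relays_saw))
```

The point this makes for the PDS and routing discussion that follows is that under link encryption every relay site must be protected to the classification of the traffic, while end-to-end encryption lets the transmission medium between the endpoints carry only ciphertext.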
(2) Non-encryption Methods. In a multichannel telecommunications system (and our generic LAN), the interconnecting transmission links that carry classified data within a configuration and pass through unrestricted areas must be protected. Thus, a PDS with appropriate physical safeguards is required for all lines routed outside the controlled area. A facility may meet PDS approval requirements for classified processing. If not, special routing, physically isolated from other non-PDS cable media, is required. LAN physical protection requirements include:

• Cable media must be routed within a secure perimeter or have guard patrols assigned.
• Cable media must be contained on the installation under the commander's control. [Refs. 13,29]
• Because of varied security techniques, locations and applications, each PDS is unique, requiring a case-by-case evaluation by approval authorities.

PDS approval procedures mentioned earlier for protecting classified material by hardware and/or software methods may be authorized by the designated approving authority. [Ref. 32: p. 7] A PDS may enhance LAN support plan requirements and cost effectiveness.
(3) Telecommunication Plans. Telecommunications plans contain general topics, not specific security information. Still, communication support plans are a part of the telecommunication plan that is referenced in ADP security planning. Security plans can have an impact on performance and may have an impact on the transmission plan. For instance, encryption requirements may have an impact on the communication support plan. Encryption requires one more interface process for a link, resulting in a slow down in network responsiveness on the encrypted links. Also, a given encryption process may require that security-oriented headers be added to transmission packets, resulting in a net decrease in efficiency. In addition, there will be extra cost associated with the extra components. [Ref. 29: p. 10] In sum, the communication support plan includes data transmission formats, area and range of transmissions, volume of data, and transmission rates with the associated security requirements. [Refs. 23,35] In terms of internetwork planning, all requirements for the generic configuration's gateways (and other interface components) must meet the security requirements of the network to which it is to be connected. [Ref. 13: p. 25]

(4) Teleprocessing Audit Controls. Batch teleprocessing systems must be auditable and controllable. Accounting controls include internal audits and transaction logs. Remaining teleprocessing audit controls are covered above under system audit procedures. These procedures would be applicable to a LAN configuration supporting batch oriented functions. [Ref. 13: p. 25]

(5) Communications Monitoring. Communications security (COMSEC) monitoring is not required, but it would provide information for improving network and telecommunications security. If it was going to be done, National Security Agency (NSA) approval is needed. [Ref. 30: pp. 4-5]
b. Interface Hardware

There are no specific device requirements mentioned for interface components. Interface requirements would parallel the standard ADP or telecommunications device requirements, depending on the LAN device characteristics. For example, a controller could resemble a minicomputer and would be subject to the same secure protection. Naturally, network and telecommunication interoperability and standardization should be a goal of all services and agencies. Inter-agency awareness is required to accomplish this, so all security requirements of all agencies must be reviewed whenever any internet is planned. [Ref. 13: p. 32] Even though each organization involved must be aware of each other's security requirement, there is one organization that provides approval. From all information presented, the ADP system supporting the most sensitive processing in a telecommunication network has the ultimate security authority. [Ref. 22: p. 20]
4. Software

The software requirements addressed by the guidance reviewed for this thesis are ADP oriented; there was no mention of network security guidance pertaining to LANs or protocols. The purpose of this thesis involves identifying guidance pertaining to LANs. Thus, general statements about utility, application, and operating system software security are presented here with comments about their relation to protocols.
a. General System Software

Utilities, executive routines, security routines, and operating systems all support the objective of obtaining a secure system. In general, each must maintain separate user and master modes, identify and verify terminals before they are allowed to process, provide time outs, maintain audit trails, etc. The ultimate goal is prevention of unauthorized access. Thus, this type of software must be protected and controlled at the highest sensitivity level associated with the system, whether it is located on or off (disk, tape, or other media) the system. Protection levels remain in effect as long as the software is used on the classified system. These restrictions also apply to contractors. Use of software security packages should be based on cost versus level of protection provided. Moreover, classified data cannot be protected by commercial software alone.
b. General Operating System Functions

In simple terms a computer system is, in essence, a collection of system programs which is controlled by the operating system. The operating system and associated system software provide many of the basic internal security features required for a computer and the system in general [Ref. 13: p. 75]. Basic requirements include partitioning areas of memory by classification level with capabilities for control of interrupts in a way that will enable preservation of data integrity within memory. Also, an operating system should have the capability to provide memory bounds checking when information is transferred. Identification of all users and devices active in the system must be provided.
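Two of the operating system requirements just listed, memory partitioned by classification level and bounds checking on every transfer, can be modelled in a few dozen lines. The Python below is an added example and is not from the thesis; the three-level ordering, the partition names and sizes, and the rule that data may move from a lower-classified partition to a higher one but never the reverse are assumptions chosen for the illustration (interrupt control is outside its scope).

```python
from dataclasses import dataclass, field

# Classification ordering assumed for the example: later entries dominate earlier ones.
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET"]
RANK = {name: i for i, name in enumerate(LEVELS)}


class BoundsViolation(Exception):
    """An access would fall outside the partition it targets."""


class LevelViolation(Exception):
    """A transfer would move data into a lower-classified partition."""


@dataclass
class Partition:
    name: str
    level: str
    size: int
    cells: bytearray = field(init=False)

    def __post_init__(self):
        self.cells = bytearray(self.size)


class PartitionedMemory:
    """Memory split into per-classification partitions with checked transfers."""

    def __init__(self, partitions):
        self.parts = {p.name: p for p in partitions}

    def _check_bounds(self, part, offset, length):
        if offset < 0 or length < 0 or offset + length > part.size:
            raise BoundsViolation(
                f"{part.name}: range [{offset}, {offset + length}) outside 0..{part.size}")

    def write(self, name, offset, data: bytes):
        p = self.parts[name]
        self._check_bounds(p, offset, len(data))
        p.cells[offset:offset + len(data)] = data

    def read(self, name, offset, length) -> bytes:
        p = self.parts[name]
        self._check_bounds(p, offset, length)
        return bytes(p.cells[offset:offset + length])

    def transfer(self, src, src_off, dst, dst_off, length) -> int:
        """Move bytes between partitions: bounds are checked on both sides and
        information may not flow from a higher level to a lower one."""
        s, d = self.parts[src], self.parts[dst]
        self._check_bounds(s, src_off, length)
        self._check_bounds(d, dst_off, length)
        if RANK[s.level] > RANK[d.level]:
            raise LevelViolation(f"cannot move {s.level} data into {d.level} partition")
        d.cells[dst_off:dst_off + length] = s.cells[src_off:src_off + length]
        return length


def demo():
    """Exercise the three outcomes: upward transfer, downward transfer, overrun."""
    mem = PartitionedMemory([Partition("U", "UNCLASSIFIED", 16),
                             Partition("S", "SECRET", 16)])
    mem.write("U", 0, b"routine")               # constructed sample data
    mem.transfer("U", 0, "S", 0, 7)             # low to high: permitted
    results = {"upward": mem.read("S", 0, 7)}
    try:
        mem.transfer("S", 0, "U", 8, 7)         # high to low: refused
        results["downward"] = "allowed"
    except LevelViolation:
        results["downward"] = "blocked"
    try:
        mem.write("U", 12, b"overrun!!")        # 12 + 9 > 16: refused
        results["overrun"] = "allowed"
    except BoundsViolation:
        results["overrun"] = "blocked"
    return results


if __name__ == "__main__":
    print(demo())
```

The check order matters: bounds are verified before the level comparison so that a malformed request never reaches the copy even when the levels would permit it.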
c. Application Software

Commercial/purchased software approved for unclassified or lower, or contractor produced software, can only be introduced into the system during classified processing in a read-only or write-protected manner. [Ref. 36: pp. 182-183] Data base management systems (DBMS) must include protection down to the record level to be used for classified data, but the element or field level is preferred. Also, a DBMS must have its own audit trail if it by-passes the system audit trails. The goal is to be able to track activity to the lowest possible level [Ref. 13: p. 10]. It should be noted that software audit procedures (logs, files, etc.) can be automated, manual, or a combination of both and produce at least a journalizing capability [Ref. 22: pp. 26-29].
d. Protocol Software

For the purpose of this thesis, interface software refers to protocols, i.e., software that strictly controls communications transmissions. In Chapter II, a protocol is defined as a set of rules that govern data communications. Actually, the rules transform into requirements and specifications for the executive, utility, and application software that control network interaction. First, before proceeding with protocols a review of ADP software definitions is in order. Operating systems consist of a set of utility and executive routines that control hardware resource allocation and the basic functions of the computer system. Executive software handles routine merges, sorts, and other processes for executive and applications software. Utility software includes input/output controllers, and application software is strictly functional user applications. [Refs. 3,13: pp. 303,71-78] Individual systems accessing the network (some, but not all) must have their own operating system that handles protocol hardware and software requirements. Included would be ADP and transmission interface requirements. In turn, ADP and transmission interfaces would be required to have appropriate security features. This provides functionally secure transmissions throughout the system. Hence, the protocol causes a network synergy. In other words, when all protocol rules and specifications are met, the protocol produces an "operating system effect" that controls the entire network. Thus, the protocol is protected via the implementation of the other system components and their corresponding security requirements.
C. PART 3: MULTILEVEL OPERATION MODE - GUIDANCE REQUIREMENTS FOR NETWORK COMPONENTS

Component areas addressed in this section are multilevel security mode specific. Reference the previous sections about general requirements for topics not covered here.

1. Configuration Considerations

The multilevel security mode consists of concurrent access to various types and categories of classified information, concurrently stored and accessed by users with different security clearance levels and need-to-know. Consequently, many users may not possess a clearance that equals the clearance level required for the most sensitive information processed and stored on the system. The operating system and associated system software is the component that handles multilevel processing [Ref. 13: p. 75]. However, there are multilevel LAN configurations that use a combination of hardware and software to obtain a secure multilevel environment [Ref. 37: p. 75]. It is possible that either of these hardware/software configurations could be accredited. In addition, network configurations are considered more vulnerable than other ADP configurations because they "require precise control of complex interactions, and the probability of system error is greater." [Ref. 13: p. 7] In other words, the distributed processing and storage of data makes the system more vulnerable. Password generation, for instance, may be more complicated to manage on a network than on a stand-alone system. Yet, in a multilevel network configuration even more attention to password generation, assignment, access restrictions, etc. is required. [Ref. 13: p. 19]
2. Sensitivity and Operating Mode

Multilevel security processing is prohibited for any CS1 or CS2 system without the written approval of the Assistant Chief of Staff for Intelligence (ACSI). This mode would be appropriate for separating SECRET/CONFIDENTIAL (CS3), highly sensitive (includes Privacy Act data), sensitive, and nonsensitive information. As mentioned earlier, contractor security guidance does not mention multilevel security, although it does mention concurrent processing of multiple classification categories. It refers to storage of more than one classification within the same system. Concurrent processing literally means parallel processing and user interaction with proper and controlled segregation of security classifications. As a result, the contractor guidance does not specifically address actual multilevel security requirements. [Refs. 32,36]
3. Procedures

In a multilevel environment continual system reviews are required to ensure that system access control limits users to only the resources they require to perform their duties in terms of information classification and "need-to-know". Passwords are authorized "according to the system access to which the user is authorized and the terminal from which the activity is initiated." [Ref. 13: p. 19] Moreover, remote terminals can have access to the system "only from terminals designated and protected for the appropriate level of classified processing." [Ref. 13: p. 19]
4. Software - Operating System

Different multilevel operating systems have all been approved for sensitivity levels by NSA. Yet, a particular multilevel operating system approved for a particular sensitivity level may not be approved for all applications at a given classification level. Moreover, the "system effect" at different sensitivity levels may reduce over all multilevel sensitivity performance. As a result, a multilevel operating system approved for a particular sensitivity level may not maintain that sensitivity level for all applications.
D. PART 4: SYSTEM HIGH MODE - GUIDANCE REQUIREMENTS FOR NETWORK COMPONENTS

Component areas addressed in this section are system high security mode specific. Reference previous sections of this chapter, excluding the multilevel section, about general requirements for topics not covered here.

1. Configuration Considerations

A system high configuration requires all system components to be protected at the highest security processing level. All personnel accessing the system have the "system high" security clearance, but may not have a need-to-know for all information on the system. [Ref. 13: p. 75] The system high mode can be applied to the generic LAN configuration. The system high configuration lends itself to the "peripherals/systems" approach, which requires that all security considerations be addressed during development, implementation, and operation in terms of all components. Remember that temporary waivers are possible. [Ref. 13: p. 32]

2. Sensitivity and Mode of Operation

Guidance requires that need-to-know controls must be contained within the ADP system's operating system hardware/software. Unlike true multilevel operating system requirements, system high does not require memory partitioning or unique security control functions in the multilevel sense. A LAN configuration operating in a system high mode connected to a LAN or network with a higher classification could be disconnected at its gateway/interface during processing at the higher classifications. Likewise, a system or network connected to a LAN could be physically disconnected when the processing classification level of the other exceeds its own. [Refs. 13,36] Another possible mode of operation identified by guidance involves actually temporarily adjusting the total system operation to a higher security level if all security requirements for that level are met and approved. The system must then be returned to its original state (declassified) when processing is complete. [Ref. 32: p. 4c]

System high operating mode restrictions include:

• No SIOP-ESI processing.
• SCI can be processed when requirements of DIAM 50-4 or DOD C-5030-58M are met.
• Adequate security for CS2 and CS3 systems.
• Can be specifically approved by the accreditation authority for "highly sensitive" systems. Password security is mandatory.
• Can be approved by the accreditation authority specifically for "sensitive" systems. Password security is mandatory. [Ref. 13: pp. 7-8]

Thus, procedures for password generators and control should be carefully planned and implemented.
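The access decision described for the multilevel mode in Part 3 (clearance level, need-to-know, and a terminal designated for the processing level) and the weaker decision of the system high mode in Part 4 (every user cleared to system high, need-to-know as the only finer check) differ in exactly which checks remain. The Python below is an added example that is not part of the thesis or the guidance it reviews; the four-level ordering, the category names, and the sample users, terminals and resources are constructed assumptions, and the decision rules encode only what the two sections above state.

```python
from dataclasses import dataclass

# Sensitivity ordering assumed for this example (higher index dominates lower).
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    """A classification level plus the need-to-know categories attached to it."""
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        return RANK[self.level] >= RANK[other.level] and other.categories <= self.categories


@dataclass(frozen=True)
class Subject:
    user: str
    clearance: Label


@dataclass(frozen=True)
class Terminal:
    name: str
    approved_level: str   # level the terminal is designated and protected for


@dataclass(frozen=True)
class Resource:
    name: str
    classification: Label


def multilevel_decision(subject: Subject, terminal: Terminal, resource: Resource):
    """Multilevel mode: the user's clearance and need-to-know must dominate the
    resource, and the terminal must be designated for that processing level."""
    if not subject.clearance.dominates(resource.classification):
        return False, "clearance or need-to-know does not cover the resource"
    if RANK[terminal.approved_level] < RANK[resource.classification.level]:
        return False, "terminal not designated for this processing level"
    return True, "granted"


def system_high_decision(system_high: str, subject: Subject,
                         terminal: Terminal, resource: Resource):
    """System high mode: all users must be cleared to the system high level and
    all terminals protected at it; need-to-know is then the only finer check."""
    if RANK[subject.clearance.level] < RANK[system_high]:
        return False, "user not cleared to system high"
    if RANK[terminal.approved_level] < RANK[system_high]:
        return False, "terminal not protected at system high"
    if not resource.classification.categories <= subject.clearance.categories:
        return False, "no need-to-know for the resource's categories"
    return True, "granted"


if __name__ == "__main__":
    # Constructed sample population.
    alice = Subject("alice", Label("SECRET", frozenset({"OPS"})))
    bob = Subject("bob", Label("CONFIDENTIAL", frozenset({"OPS"})))
    secret_term = Terminal("TERM-07", "SECRET")
    open_term = Terminal("TERM-01", "UNCLASSIFIED")
    plan = Resource("ops_plan", Label("SECRET", frozenset({"OPS"})))
    payroll = Resource("payroll", Label("CONFIDENTIAL", frozenset({"FIN"})))
    for s, t, r in [(alice, secret_term, plan), (alice, open_term, plan),
                    (bob, secret_term, plan), (alice, secret_term, payroll)]:
        print("multilevel ", s.user, t.name, r.name, multilevel_decision(s, t, r))
        print("system high", s.user, t.name, r.name,
              system_high_decision("SECRET", s, t, r))
```

Under system high, bob cannot log on at all, which is the configuration cost the guidance accepts in exchange for not needing the multilevel separation in the operating system; under the multilevel mode he could use the system but would still be refused the SECRET plan.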
E. SUMMARY

The particular LAN guidance requirements covered in this chapter must be mapped into the hardware, software, transmission medium and interfaces, and the overall system, during design and implementation. In doing this, the proper security features can be applied to a configuration so that the ultimate degree of access flexibility and system security will depend on the sensitivity level and mode of operation. The objective is to apply security guidance requirements to a particular LAN to obtain accreditation.
V. LOCAL AREA COMPUTER NETWORK APPROVAL METHODOLOGY

A. INTRODUCTION

Once the network objectives are set and risk management analysis is complete, an adequate sensitivity level can be determined that eventually leads to a security operating mode designation for the network. The final operating mode is approved only after it meets the guidance requirements presented in Chapters III and IV. Chapter V refocuses the guidance reviewed in the previous chapters by highlighting some important areas of the guidance and the generic configuration in terms of the accreditation process. The purpose is to point out general network areas that must be addressed for accreditation and their basic impact on the configuration/system. First the accreditation process is defined and summarized in a general sequence of steps. This includes a review of accreditation policy makers; organizations; and ADP network and security positions at the operational level. The last part of the accreditation review addresses the part of the accreditation process covered by the thesis. System configuration considerations and requirements for sensitivity, management, procedures, control, software, applications, and future upgrades are covered next. More significant system component considerations are then presented for hardware, software, and terminals. The chapter ends with two examples of network alternatives that illustrate how the designated network security mode can affect the configuration design.

B. ACCREDITATION OVERVIEW

1. Background

a. Definition

In a pure sense, accreditation is the actual "approval" to process sensitive or classified data. In the real world of automated system development and implementation, accreditation is the process of collecting and analyzing security related information for approval of security requirements for networks, ATSs, and computer systems. It includes submission of specific information to an approval authority for review and analysis, and any required system review meetings and inspections. The process ends when the accreditation authority grants a specific system permission to process specific level(s) of sensitive information.

As mentioned in Chapter I, the accreditation authority for systems processing critically sensitive information is the designated HQDA official. At the MACOM level, commanders (general officers) or field operation commanders can be the accreditation authority for an automated system processing sensitive or highly sensitive information, depending on the centralized automation office of the installation, post, or agencies. For the sensitive level the heads of the data processing activities (DPA) may be the accreditation authority. The accreditation authority approves the system for processing the levels of information. Nonsensitivity systems do not need accreditation. [Ref. 13: pp. 6,30,71]
b. General Accreditation Goal

The goal of accreditation is to ensure that the system has security features that correspond to the level of protection required for information processed by the system. The idea is to provide enough flexibility in accreditation requirements so that the protection is affordable and has minimal impact on system efficiency and capacity given the unique circumstances of the system.
c. Applicability

Accreditation is applicable to all Army networks and ATSs, as well as DPAs and computer systems, except for:

• Computers embedded in combat weapons systems.
• Unclassified data or signals processed on analog computers.
• Programmable calculators and text processing systems without external storage and mathematical capabilities. [Ref. 13: p. 30]
d. Categories

Sensitivity levels identified in Chapter III are used to categorize automated systems. The variation in types of systems, functions, and installations requires different accreditation standards and procedures for each unique system. Single-sensitivity level system accreditation is relatively straight forward in terms of security requirements - maximum category requirements apply to the entire system. However, for multiple sensitivity levels the system will be accredited to operate at the highest level, but subsystems may establish policies and procedures at their individual sensitivity levels as well. [Ref. 13: p. 30]
2. The Accreditation Process
Accreditation is explained in AR 380-380 and applies to all Army DPAs, ATSs, and networks as stated above. All accreditation information covered in this chapter is found in AR 380-380. The basic requirements of the accreditation process are summarized in the next section.
C. ACCREDITATION REQUIREMENT SUMMARY
The basic requirements of the accreditation process follow. A general flow diagram of the process that represents these requirements is illustrated in Figure 5.1. [Ref. 13]
[Figure 5.1 General Accreditation Process and Requirements. Flow: system identified (need, sensitivity, etc.); identify accreditation objectives and system goals; risk analysis, verify vulnerabilities; identify security requirements and modes; develop security alternatives and modes; select mode, security features and procedures; develop system security implementation plans; develop test plans; documentation of problem areas, waiver requests, etc., if they exist; sponsor agency review (approved / not approved); accreditation authority review (not approved / approved, with or without waivers, etc.); validated system.]
1. Need and Requirements
Identify and validate the need for a network and system and determine requirements. In short, the need for a system has been determined because of a deficiency, outdated system, technical opportunity, change in threat, or a chance to reduce operating costs. Moreover, a tentative system is at least designed.
2. Statement of Accreditation Objectives and System Goals
Preparation of a statement of accreditation objectives and system goals is required. It must include a validation and review of the need for the system, the nature of mission, and other factors concerning accreditation.
3. Risk Management Analysis
Conduct a risk management analysis to identify risks and countermeasures, and then formulate a detailed cost and benefit analysis. When complete, a review is conducted so commanders/managers can determine system sensitivity and appropriate countermeasures. Risk assessment and analysis must be documented and protected at the appropriate sensitivity level.
4. System Configuration and Operation
Documentation must be compiled with the key security considerations forming the basis of accreditation, and a detailed description of proposed operations. Note that planned procedures used between processing modes/levels must be included for Periods Processing and Controlled Security Modes.
5. Implementation Plans
In addition to the initial implementation plan, test and review plans, similar plans for additional security features must be developed and include near term goals, long term goals, overall mission related goals, and future plans in relation to the organizations the system supports.
6. Standard Test and Evaluation (ST&E)
ST&E plans must include purpose, scope, objectives of the test, and methodology. Test team organization and responsibility assignments must be identified. Actual testing must validate all procedures and data processing (includes applying inaccurate data), and challenge security features with and without knowledge of site personnel. Emergency testing procedures must include unscheduled shutdowns as well as other adverse conditions.
7. Plans for ST&E Results
Separate plans for results of ST&E must also be documented. Results must include comparison of expected to actual results. Test findings, conclusions, and recommendations must be documented. Test findings must be submitted with accreditation documentation.
8. Problem Areas
A statement of continuing problem areas must be prepared for vulnerabilities not fully covered (or not addressed) by security features. Waivers or accreditation disapproval may result.
9. Other Documentation
Documentation description of the DPA, ATS, or LAN such as reports of outside agencies, FSP, ST&E, etc. is required.
10. Accreditation Documentation
Preparation of accreditation document in the format presented in Appendix I of AR 380-380 is mandatory. It must be prepared and submitted to the accreditation authority so she/he has enough time to review it before the formal review at the accreditation level. The accreditation document will contain information identified in the requirements above and also factors motivating accreditation and nature of the mission, reasons for rejecting other system and security alternatives, and attachments. Required attachments include copies of the automated data processing system security officer (ADPSSO) appointment orders, all inspection reports, and supporting documents referenced by the accreditation document.
11. System Operating Level Command Review
Formal command authority review at the operating level is required. A statement must be attached stating the accreditation document package was reviewed and examined, but only when the accreditation authority is the ACSI, HQDA, MACOM or higher. A recommendation must be included at these levels.
12. Accreditation Authority Review
Formal command authority review by the accreditation authority resulting in a decision is mandatory. If approved, a written accreditation statement is required from the accreditation authority. Or, the system could be disapproved with a temporary waiver or exception. A future accreditation review is required to ensure discrepancies are corrected. Most of the process must be repeated if the waiver is disapproved.
13. System Implementation and Operation
Implement system or begin operations (existing system). At this point, the operating site must maintain a copy of the formal accreditation document. Note that the accreditation process must be complete before sensitive or higher level operations can begin and the appropriate authority must issue a formal dated statement. In addition, the NSO must periodically review, test, and reevaluate network security for periodic accreditation reviews.
D. ORGANIZATIONS INVOLVED WITH APPROVAL AUTHORITY
Accreditation is addressed at many levels of the Army, from the commanders, managers, and staff who develop and implement policy to the commanders and operators of ADP systems. The accreditation authority for a specific system is selected from the chain of command that the system falls under. The level of rank (and organization) in the chain is determined by the sensitivity designation of the information in the ADP system or network. The sensitivity levels and corresponding accreditation authority selection are addressed below. For example, in systems processing critically sensitive information, the accreditation authority would be a general officer from the MACOM or HQDA. The system sensitivity levels and corresponding accreditation authority levels are summarized below. [Ref. 13: p. 6]
• CRITICALLY SENSITIVE
CS1 — Headquarters, Department of the Army (HQDA)
CS2 — MACOM commanders and heads of DA staff elements
CS3 — Same as CS2 except can be delegated to general officer commanders of their subordinate elements.
• HIGHLY SENSITIVE — Commanders of installation, post, field operation activities, or staff support activities.
• SENSITIVE — ADP support activity heads and centralized office automation activity heads.
• NONSENSITIVE — Accreditation not required.
NOTE: Multilevel systems require ACSI approval regardless of sensitivity level (above NONSENSITIVE).
E. SUMMARY OF ADP SECURITY POSITIONS
General lists of the ADP policy and security hierarchy, and ADP operating level security positions are listed in this section for the reader's information.
a. ADP POLICY AND SECURITY HIERARCHY
• ASSISTANT SECRETARY OF THE ARMY (FINANCIAL MANAGEMENT) (ASA (FM)) - senior policy official for Army ADP.
• ASSISTANT CHIEF OF STAFF FOR INFORMATION MANAGEMENT (ACSIM) - manages overall Army automation program.
• ASSISTANT CHIEF OF STAFF FOR INTELLIGENCE (ACSI) - develops and implements the AASP; ensures compliance with ADP directives; identifies and addresses ADP problems; determines applications of new technology; provides guidance for preparation of new systems; and manages overall automation security.
• HEADS OF MAJOR COMMANDS (MACOM) - manage/administer all aspects of ADP within their realm for key ADP personnel which include data processing activity (DPA) commanders and managers, SSMs, ADPSSOs, NSOs, and TASOs.
• SECURITY PROGRAM MANAGER (SPM) - appointed for each HQDA agency and MACOM; manages AASP; appoints SSMs and ATSSMs.
• DEPUTY CHIEF OF STAFF FOR PERSONNEL (DCSPER) - provides policy and procedures for physical security plans; advises ACSI on ADP related security fraud.
• COMMANDING GENERAL, U.S. ARMY INTELLIGENCE AND SECURITY COMMAND (CG, INSCOM) - implements Automated Data Processing System Security Enhancement Program (ADPSSEP); provides tech guidance and assistance for communications security, emanations control, and counter intelligence.
b. ADP OPERATING LEVEL SECURITY HIERARCHY
• SYSTEM SECURITY MANAGER (SSM) and Automated Telecommunication System Security Manager (ATSSM) - ADP security advisor to commander on ADP security matters; integrates security actions of individual system ADPSSOs and TASOs; maintains inventory of post, installation, and tenant accreditation, including their status.
• SYSTEM SECURITY CONTROL OFFICER (SSCO) - appointed by organization as primary point of contact for all security matters for central system development activities; reports to ATSSM; responsible for all aspects of policy and procedural guidance for systems assigned to him/her.
• AUTOMATIC DATA PROCESSING SYSTEM SECURITY OFFICER (ADPSSO) - basically the same responsibilities as a SSCO, except for ADP equipment at a single site; would report to or coordinate with a SSCO if the site was connected to a network.
• NETWORK MANAGER - designated when two or more ADP systems are linked together for network or distributed operations.
• NETWORK SECURITY OFFICER (NSO) - responsible for all aspects of network security; reports to the network manager.
• TERMINAL AREA SECURITY OFFICER (TASO) - responsible for all aspects of terminal and network security in an assigned area; may report to SSM, ATSSM, SSCO, ADPSSO, or NSO depending on the type of system the terminals are connected to.
83
THE ACCREDITATION PROCESS
OPERATION
F.
SYSTEM CONFIGURATION AND
-
This thesis has addressed the security guidance considerations that apply to the
system configuration and operation; the fourth requirement in the overall summary of
requirements described above.
identifying
In short, the thesis
is
intended to serve as guide for
network guidance requirements for the system components addressed
summary above.
fourth item of the requirement
would be applied
In a real network the requirements
components and
to the specific
generic configuration described in Chapter
II,
in the
Here, given the
their specifications.
actual application considerations will be
general.
Activity for satisfying the fourth requirement item in the
with a description of proposed operations.
minimize
risk
and procedures
and system
applications
operational and security
interfaces,
modes
Moreover, areas
used throughout the network.
location of
in existence
begins
This includes explaining actions taken to
must include description of system hardware and software,
addressed
and
all
significant
remote devices, and features of
implemented including requests
to be
Features that must be included in accreditation documentation are listed
for waviers.
below.
to be
summary above
[Ref. 13: pp. 40,58]
• Security features and management of components.
• Major executive and application software.
• Encrypted/non-encrypted terminals and devices.
• Procedures for log-ons, changing sensitivity processing levels (periods processing), etc.
• Communications - transmission links and associated components.
• Personnel - not addressed by thesis.
• Security of system documents/documentation.
• Physical and environmental security.
• A completed Facility Security Profile (FSP).
Also, problems must be identified that are disruptive of accreditation processes, tasks, and time tables. In terms of the system, acceptance of each risk that cannot be minimized must be identified with a description of the situation and waiver request (if appropriate). [Ref. 13: p. 58]
Once such descriptions are complete, an initial implementation plan must be completed. Such a plan is beyond the scope of this thesis, however, it must provide a description of:
• Security phases.
• Milestones.
• Initial/final operational capabilities.
• Task interdependencies.
• Organizations responsible for accomplishing milestone-related tasks [Ref. 13: p. 58]
In addition to normal accreditation reviews, reaccreditation is required for all networks and ADP systems within 3 months when any of the following occur:
1) Major system or "mainframe" addition or replacement.
2) "An increase in sensitivity category or level."
3) "A significant change in the DPA/ATS which requires a more complex mode of operation (para 1-13), or a more complex operational service mode (para …)."
4) Major operating system or executive software.
5) Internal and external security violations, integrity violations, or any situation that invalidates the accreditation.
6) Significant changes to the DPA/ATS physical structure.
[Ref. 13: p. 31]
G. METHODOLOGY IN RELATION TO SECURITY REQUIREMENTS: SYSTEM CONFIGURATION CONSIDERATIONS/REQUIREMENTS
In sum, guidance presented in the earlier chapters is in general terms so it can be easily applied to most automated systems and at the same time provide the appropriate flexibility. However, because networks are not specifically addressed, LANs must derive guidance from standard computer (ADP) and teleprocessing requirements. Thus, most security aspects of the guidance should apply to each system component. This indicates that much of the responsibility for specific security requirement determinations, for accreditation of a specific network, is left with the ultimate system user/sponsor. The thesis has presented the "generic" LAN configuration and associated components (Chapter II) to match the "generalness" of the guidance reviewed. This approach generates more system level considerations because vendor specific hardware/software analysis and considerations is beyond the scope of this thesis. Consequently, requirements for system sensitivity, network control, management, procedures, significant applications, and future upgrades are covered next.
1. Sensitivity
It is mentioned throughout this thesis that sensitivity is the driving force behind any secure processing mode. As a result, the official sensitivity designation sets the scope for system development and implementation in terms of accreditation.
In the generic LAN, as in any system, the information contained therein is the ultimate determination of sensitivity. The basic security requirements pertaining to the vulnerable area are clear. All guidance pertaining to sensitivity level definitions (critically sensitive, highly sensitive, etc.) and security processing mode (multilevel, system high, etc.) applies. In a network context, LAN sensitivity designation and mode determination would involve the same considerations. Thus, there are no gaps in the "non-network" oriented guidance in terms of functional sensitivity determination.
The areas addressed in the first three requirements in the accreditation requirement summary should result in an adequate system sensitivity designation. Nonetheless, the component parts of the network should NOT be ignored. In other words, sensitivity of each component part should be considered in terms of the overall system sensitivity designations. In doing this, it may be better to first concentrate on security needs for specific component areas to identify variability or constraints that would affect the overall system, before settling on a final system designation.
In terms of accreditation, the purpose of the system sensitivity designation is to protect information from unauthorized penetration via the mode which is the most cost effective. Cost is used here in relation to the actual system impact of the designation, not in terms of actual dollar cost. For example, the actual dollar cost might be the price of some cryptography hardware, while the impact might be the manpower, diverted from "productive" activities, required to manually distribute sensitive crypto-keys. Impact refers, for example, to how the functional sensitivity level might affect the utility of configuration design, operating procedures, and the range of system applications. Each of the designated modes has different operating requirements which in turn vary the cost of a desired configuration.
Moving on to the generic configuration, the dedicated mode would "cost" least because there is one sensitivity level dedicated to one group of users. System high is similar to the dedicated mode with the exception of extra procedural controls required to determine the "need-to-know". In contrast, the controlled security mode would require, for example, more procedural controls, audits, and more complicated technology. More sensitivity levels and access flexibility would require a more complicated system given today's guidance and technology. Moving on to the other end of the spectrum, multilevel would cost more in terms of the number of sensitivity levels and the way in which the multilevel environment was achieved. In other words, via a true multilevel operating system; or separately configured LANs, one for each level, acting as one system transparent to the user. In addition, extra approval activities are required. For example, the ACSI must know of intent to use a multilevel environment before milestone "zero". [Ref. 13: p. 7]
2. Network Control
Network control in the generic LAN context should be most concerned with device interfaces and connections. Administrative and electronic access, audits, and monitoring activities must be well planned and designed. The generic LAN requires a central control facility for tight control of these activities. In the generic configuration and other systems alternate control facilities may be desirable as well.
a. The Central Control Facility
Just as a computer room is in a stand-alone ADP system, the central network control center (NCC) is vulnerable in terms of physical and electronic access, and environment preservation. All physical requirements for a normal ADP computer center apply to the generic LAN NCC facility regardless of which devices work together or separately in terms of network control and the classified operating mode. This includes proper construction materials and design of the building(s) and room(s), physical hardware protection, and TEMPEST shielding. Remember that the facility must be protected at the same level as the NCC, i.e. system high. In addition, all requirements pertaining to access and physical storage of media, both offsite and in the facility, apply. A system high security environment must prevail in the NCC because it is the physical location that not only monitors and controls the network, but also maintains the network security features (audits, system software, etc.). There is no gap in the guidance mentioned above for standard ADP systems in terms of physical central configuration control of a distributed system through a NCC because all the requirement areas apply to the generic LAN. Thus, the NCC should be protected at the system high sensitivity level in the same way that a mainframe environment would be. Performance and reliability are enhanced when the supporting utility facility and equipment supporting the control of the network are secure to a level that ensures continued operation at a given security mode.
b. Remote Control Facility
If the generic configuration did consist of an alternate control facility it would require the same basic requirements as the central NCC. It could serve as a back-up, alternate, or replacement when the central facility is destroyed or damaged. Obviously, it would require the same type of network control components and therefore the same security requirements.
c. Interfaces
From a system standpoint, an interface could be a simple port on the back of a terminal, or some sort of trusted interface processor that performs buffering and security functions on the information passing to and from the system. Vulnerabilities are further magnified in terms of a gateway or bridge to another network. Vulnerable areas include penetration of interface software and possible signal emanations. Requirements for encryption, disconnects, and a PDS apply to the generic LAN configuration in one way or another. Army communications security policy requires security by either PDS or encryption for automated sensitive information. In reality, a combination of varying degrees of both is acceptable depending on the system sensitivity level, the application, and the actual configuration. In some situations a disconnect is acceptable. As a result of this range and variability, the accreditation process requires a description of significant interfaces.
Given the nature of the guidance reviewed, there are no direct references to network interfaces, but from all information they are, again, treated in the same way as in ADP and telecommunications networks. This point is a major concern because in a LAN environment a major interface, like a trusted interface unit or a gateway, has a major impact on the security of a LAN. These units control and restrict communication to and from various parts of the network. Thus, it is important that they are protected at the network system high. [Ref. 37] Assuming the generic LAN will process sensitive data, as mentioned above, requirements for a PDS, encryption, or a combination of both will be required for accreditation.
(1) Interfaces in a PDS. Interfaces between all network devices and components require shielding and physical protection just as the other network components. In addition to the physical device or cable, the device ports can emanate signals that can be compromised. Thus, every port, interface device, transmission medium, as well as every ADP device must be physically shielded and protected. Low voltage processors may be an alternative to TEMPEST shielding in some applications. These processors may not need TEMPEST shielding because emanations are so weak, but any attached CRT screens would. Thus, low voltage processors may replace TEMPEST shielding in "black box" or stand-alone processing devices like controllers or interface units. In essence it would require system high protection with the only access being surveillance and maintenance. [Ref. 35]
Note that the generic configuration (Figure 2.1) illustrates separate lines leaving the NCC. In reality, these lines would pass through a multiplexer and be routed by a single trunk line to other rooms and buildings (Figure 5.2). A trunk is a group of communications lines enclosed in a single casing that usually connects two switching centers or multiplexers. [Ref. 3: p. 381]
[Figure 5.2 The Generic Configuration with Multiplexers. Network control center on Ethernet with computers, terminal devices, personal computers, multiplexers, and a gateway.]
(2) Interfaces and Encryption. Encryption is one of the other major alternatives that has an impact on the system interfaces. Assuming the sensitivity level requires encryption for the entire system, an encryption device would be required for each line going into or out of the CBX, as well as each device on the network (Figure 5.3). Extra fine tuning of the network would be required for synchronization between the encryption devices and the CBX, and all device interfaces on the system.
Moreover, each encryption device requires a special key for encryption. An encryption key is a sequence of symbols that control the code scrambling mechanism within the encryption unit. The actual key could be a series or combination of symbols, letters, or numbers. A common procedure is to change the key at least on a daily basis. Without the correct key, a device cannot communicate because it would not be synchronized with the other devices. Synchronization is further complicated by the distance between devices. The farther any two devices are apart, the harder it is to synchronize. [Refs. 13,35]
(3) Impact of System Interface Protection on the LAN. In terms of the overall network configuration, interfaces are the glue that tie the system together. Thus their overall impact on network security must be addressed. In a pure LAN PDS, physical protection of interfaces should not affect performance in terms of through-put or efficiency. Extra procedures may be required to physically reach a device because it is physically protected or guarded. The major concern would be ensuring that metal protection devices do not emanate signals. For instance, power sources may require noise filters, and conduit may have to be composed of sections of nonconductive material. [Ref. 35]
In contrast to a PDS, a LAN that was entirely encrypted would experience an overall reduction in reliability and performance in terms of slower data rates and response times. Historically, networks with cryptographic devices are less reliable than they would otherwise be, because cryptographic synchronization requires more hardware/software and more maintenance and fine tuning. [Ref. 35] An entirely encrypted network would also require procedures and plans for "crypto-key" changes, distribution, and approved manual or electronic generation. As mentioned above this is critical: the key should be changed regularly because a site or device must have the right key to operate on the network. Crypto-key restart procedures would also be needed in case a key is lost by any network user. Still the most important procedures would be the distribution of keys. Electronic distribution would require a specially secured line. From a system view, a cryptographic device is one fail point in the network. Above all, any "crypto" procedure, device, or software for the network must be protected at the system high security level. [Ref. 35]
[Figure 5.3 The Generic Configuration with Cryptography. The Figure 5.2 configuration with cryptography hardware on each computer, terminal device, personal computer, multiplexer, and gateway link.]
Do not forget that a partial or total combination of cryptography and PDS techniques can be used. The major advantage of cryptography is that encrypted information can be transmitted over any transmission link as long as the receiver is at the same level of protection as the transmitter (and has the right key). The major disadvantages of encryption were addressed above. Conversely, the major advantage of a pure PDS is that in most cases system reliability and efficiency are not affected. However, every part of the network must be contained within a secured physical area and shielded. Thus physical access procedures and emanations may make access cumbersome.
d. Disconnects
Accreditation documentation must account for any disconnects planned in the system. Access and connection/disconnection procedures must be included for connecting to networks/systems of higher, lower, and equivalent security classifications. Moreover, the devices to be connected or disconnected and the type of disconnect(s) must be specified. Overall impact on operations should also be addressed.
e. Physical
Physical considerations for LAN accreditation are for the most part straightforward. It was mentioned in earlier chapters that descriptions and locations of all devices are required in the accreditation package. This includes floor plans as well as configuration diagrams like the generic configurations presented in this thesis. If the generic LAN was to be secured by meeting only PDS requirements, TEMPEST shielding for all hardware and/or rooms and even buildings would be required. Again, depending on sensitivity, a combination of shielded rooms and unshielded rooms with shielded hardware may exist within the same building. Cable media running outside of shielded rooms or buildings would also have to be shielded and protected. Moreover, special attention must be paid to certain types of conduit and other media protection devices because they can cause emanations. In addition, proper physical controls would have to be maintained in terms of area security. The physical area could range from a room within a building, to an area containing many buildings. One major consideration is the physical placement of the NCC on an installation. Obviously a central location within a sturdy building or within a protected perimeter, depending on the physical distance from other network sites, is ideal. [Ref. 35]
Realistically LANs are not always located in an ideal environment. Variations in physical controls and access barriers may have to be adjusted to meet a given security operation mode. For instance, if a network was located in a building that was not located in a central position on the post, maybe emphasis on physical perimeter safeguards (fences, guards, lighting, etc.) along with the normal building security requirements, would meet accreditation needs. Remote sites would be subject to the same basic requirements as the NCC. Remember placement is still critical because any node or terminal is a penetration target, but less actual physical security would be required for sites approved to operate at less than system high. Sites are equivalent to the NCC unless the network was operating in a controlled or multilevel mode with more than one security mode. On a lower physical level, placement of devices within a facility should be done in a way that will maximize protection. In addition to "where", placement should be noted in the accreditation documentation in terms of doors, windows, and protection considerations for the network's power source and/or transmission media routing.
Physical routing of transmission media should indicate what transmission links, or parts of links, are shielded, protected, and/or encrypted. Note that the protection of links may vary with the security operating mode of a particular link. The way in which the media links are protected and accessed should also be addressed in the accreditation. For example, if a LAN trunk is routed under or near a well traveled road to provide better surveillance, detailed procedures would be required as to how, when, and why the trunk should be accessed for inspection or maintenance.
3. Network Management Appointments
In relation to accreditation of the generic LAN only one network manager would be needed. That person may be part of an internet management hierarchy if the LAN maintained an active gateway to such a system. In terms of security, the generic LAN requires a NSO and TASO. ADPSSOs are warranted wherever one of the connected computers is large enough to operate and support a standalone mainframe environment outside the NCC. A situation could exist where there are a large number of terminals in addition to large numbers of PCs that are not accredited with the system, but are accredited on an individual basis to be used with the system. A separate TASO (or TASOs) for these PCs could promote better security for the system by ensuring all users understand and follow network procedures. In addition, such a person could better manage their unique and powerful capabilities. For instance, a site could have at least one TASO for each type of terminal approved for the network.
In
addition
documentation
should
implementation and
4.
management
to
include
the
of
network
of network
role
components,
security
accreditation
management
in
all
test plans.
Network Procedures
There are obvious procedures for the NCC and the network in general that must be described in the accreditation package. They include escorts for maintenance personnel and other outsiders who have a temporary need to access the NCC or any secure network site. Other procedures include password control and audit issue, and procedures for regular review of network traffic. However, a gap exists in the guidance concerning control procedures for transfer of control to alternate control centers (AAC) when/if the NCC is destroyed or damaged. In the generic LAN (Figure 5.2) an alternate control center is not identified. Yet, if there was, there are no guidelines or requirements for transfer of system control in a distributed computing environment. Thus, there is much flexibility in developing procedures for transferring control to another center. Plans and procedures developed for this kind of activity should be integrated into emergency plans and the COOP.
Basic accreditation considerations for procedures were brought out above in terms of crypto-key handling and disconnects. Besides standard key storage and handling procedures, key procedures could be used to simulate a disconnect on an encrypted network by simply not issuing the key to certain users for a designated period of time. Another accreditation consideration is that system auditing software may not be acceptable for monitoring software or hardware disconnects. In addition, the fact that disconnects can or cannot be made at one or both ends of a transmission link should be noted. Thus, extra management procedures may be required for disconnect procedures in addition to the associated sanitization procedures.
5. Significant Applications
In terms of accreditation of a LAN, significant applications consist of software that handles/manipulates information or communications. Two examples are data base and message/mail sending applications. In terms of the overall network, these types of applications need to be explained in terms of their compatibility and effect on overall network security and efficiency. These applications are addressed later in the chapter under software.
6. Configuration/System Documents Required
Two important documents are the implementation plan and the ST&E plan. These and other major documents required for accreditation are mentioned in the beginning of the chapter.
7. Future Upgrade/Expansion
Assuming the generic LAN is accredited, any type of network upgrade or expansion will require the entire LAN configuration to be reaccredited. Reaccreditation is required when there is a:
1) Significant change to the physical structure of any facility containing network components. However, it would not apply to devices that were not accredited with the system unless the reaccreditation process increased the sensitivity level of the entire network.
2) Major system hardware addition or replacement. Examples are addition/replacement of switches, encryption devices, interface devices, a major large mainframe, and switching from coax to fiber optic cable.
3) Change in sensitivity processing level or operation mode category. Examples are SECRET to TOP SECRET, and system high to controlled security operating mode.
In addition, even if an upgrade/expansion is not planned, a plan for implementation and review of additional security features is required for accreditation. Reference step 5 (requirement 5) in the analytical process outline presented in the beginning of the chapter.
8. Waivers and Exceptions
Waivers and exceptions must be included in the accreditation documentation. If any part of a network cannot meet security guidance requirements, accreditation documentation must describe the circumstances and reasons that full compliance would impair operation and mission effectiveness. Plans must be included that describe and assure continuous progress toward full compliance. All exceptions must be reviewed biennially to ensure that progress toward full compliance is made. The accreditation authority cannot delegate authority to grant a temporary exception, but may choose to submit it to the next higher accreditation level.
H. ADDITIONAL SYSTEM COMPONENT CONSIDERATIONS
1. ADP Hardware
Many of the basic device accreditation requirements are addressed above under system configuration considerations. In addition to the physical descriptions required by the FSP, hardware device descriptions should emphasize inherent security features and how they work with the network security features. Other areas to emphasize are the effect of network security features on device performance, internal hardware control features, TEMPEST features, and/or emanation level.
2. Terminals.
One point of interest is that terminals attached to the network more than 50% of the time must be accredited with the system. With the proliferation of many powerful PCs in the Army [Ref. 38: p. 4] this could mean great flexibility in a network context, provided accreditation and approval for network connection is obtained for each PC. A powerful PC could perform many functions in a stand-alone mode, then connect to the LAN just long enough to exchange necessary data and communicate with other devices connected to the generic LAN. Much processing activity could be accomplished by a PC operating in this manner even if it is connected to the LAN less than 50% of the time. Distributed processing is enhanced, along with an increase in overall network processing, and the network traffic resulting from these PCs is reduced. This could be an advantage if the expense of accrediting each terminal, or a group of terminals, separately is reduced. Other considerations include development of access, connect, and disconnect procedures. These considerations would be further complicated in a controlled or multilevel mode because a separate accreditation and procedures would be required for each security level. For example, the major disadvantage would be that if a PC was accredited for system high in the LAN, sanitization procedures would be required before switching to another security level. Conversely, a multilevel PC would not require sanitization and could be used anywhere in the multilevel LAN.
3. Software
Accreditation documentation must include major software (applications, executives, and utilities) with descriptions of the impact on network security features. General categories that should be included follow; however, there may be more depending on unique system requirements.
a. Protocols
The most significant gap in terms of network software security considerations is that no protocol guidance exists in the guidance referenced. Communication software is also ignored by the guidance. Communications software implements the actual functional requirements for the transmission and reception of "coded" data for a device according to the rules of a specific protocol [Refs. 3,39: pp. 104,449-450]. A description of the protocol and associated communications software should be included in the accreditation documentation. The relationship of protocols and system software was addressed in Chapter IV. Thus, protocol security analysis should be integrated with utility and operating system requirements in a way that will allow maximum overall network security. Effects of encryption, audit trail, and major applications on the protocol, and on the security features, should also be included in the accreditation documentation.
b. Data Manipulation Software
Data manipulation software generally falls under data management or data maintenance categories. Commonly, distributed systems distribute the storage of data among user locations. Thus, data is accessed locally and remotely. The data base is one of the major considerations in a network, where information is accessed anywhere in the system via the DBMS [Ref. 39: pp. 464-465]. The data base is another important consideration because it is a critical computer-run resource today. System developers and managers must be sure it provides, and supports, audit trail and security functions. Data maintenance is addressed under the system software executives/utilities. Obviously operation and control of data manipulation software must be addressed in the accreditation documentation.
c. General System Software
As mentioned earlier, operating systems must provide as much internal control as possible. A unique situation exists in a network environment because each computing device may have different operating systems. Ideally, system software should make it easy to add new applications and security features throughout the network [Ref. 39: p. 457]. Similarly, each operating system should complement network activities. Descriptions of all types of operating system, utility, and executive software should be in the accreditation documentation. Software used for testing of the network and network security should also be described in the accreditation documentation. [Ref. 39: p. 450]
I. TWO ALTERNATIVE EXAMPLES
Chapter IV presented considerations for the two operating mode extremes; system high and multilevel. Here, both operating mode examples will be taken one step further by looking at high level configuration alternatives for each.
1. System High or Dedicated Design - Generic Configuration
There is not much change in terms of the original configuration for the system high or dedicated operating modes. The security issues concerning the configuration at a "high level" design stage include determining if it will be a total PDS, whether some or all lines will be encrypted, and what buildings and/or equipment should be shielded. In addition, combinations of encryption, shielding, and physical protection can be considered. Figure 5.2 illustrates an unchanged generic configuration; in terms of a PDS, any part of this (Figure 5.2) could be encrypted, shielded, or protected. For example, cryptography equipment can be put at each end of major trunk lines to encrypt a particular link, without affecting the original configuration. Compare Figure 5.2 to Figure 5.3. Figure 5.3 illustrates the generic configuration totally encrypted. In contrast, if this encrypted configuration (Figure 5.3) was implemented between buildings, it could be configured as depicted in Figure 5.4. Only the trunk lines are encrypted in Figure 5.4. Given the major trunks are protected by encryption, each individual building, or room(s) containing network hardware, would have to be shielded. Another alternative would be to shield all the hardware components.
2. Multilevel Example - High-level Design
The multilevel configuration takes on a whole new shape in contrast to the generic configuration. The reason is that the multilevel configuration example does not base system control on trusted sophisticated operating system mechanisms like security kernels [Ref. 37: p. 283]. The "kernel" is the nucleus of the operating system kept in main memory while the computer is operating, and consists of routines that handle input/output (I/O), scheduling, and other basic system functions [Ref. 3: pp. 209,263]. A security kernel consists of all the software, firmware, and hardware in a computing device that can be protected from modification, mediate accesses, and be verifiable [Ref. 21: pp. 112,113]. However, the major element in this example is the trusted interface unit (TIU).
a. The Trusted Interface Unit
In short, a TIU enables a user to be at just a single security operating mode level, or a range of security levels (multilevel) [Ref. 3: pp. 276-277]. The TIU is a device that checks labels/fields on each information packet transmitted and enforces control. A packet is a group of bits that make up all or part of the message to be transmitted. Messages longer than the network's packet size are broken into smaller sections, and consequently are distributed over more than one packet. Control labels and fields identify information required for routing the packet through the network to its ultimate destination. Packets not meeting requirements cannot pass through the TIU.
Figure 5.4 The Generic Configuration Between Buildings. (Network control center in Building A with computers, a gateway and multiplexers; cryptography hardware at each end of the trunks to Buildings B and C, which contain multiplexers, personal computers and terminal devices.)
All computers transmitting to the TIU send packets at the security level they are approved for. Each single level TIU can be set to monitor a single level of security. Each individual level of traffic is isolated from the other. Consequently, single level TIUs are restricted to one and only one security level. However, variable level TIUs are adjusted by electrically linked terminal switches or keyboard keys. The range of adjustments corresponds to the approved security levels for that particular terminal. Multilevel TIUs must contain trusted software and are trusted to receive and operate in a multilevel mode, but a network can operate fully using only single and variable level TIUs. See Figure 5.5 [Ref. 37: pp. 281-285].
Figure 5.5 Simple Multilevel LAN. (TOP SECRET, SECRET, UNCLASSIFIED and multilevel hosts, each attached to the multilevel local area network through a TIU.)
b. The Configuration
The overall design strategy is intended to be easily implemented with "off-the-shelf" hardware and protocols. In reality the TIU design strategy creates one subnetwork for each security sensitivity level. Each subnetwork is protected at the system high level designated for that subnetwork. Bridges connect each subnetwork to form the multilevel network. See Figure 5.6 for a detailed example of the subnetwork configuration [Ref. 37: pp. 281-286].
Figure 5.6 The Multilevel Subnetwork Configuration. (Key: host or user terminal (subscriber); classified environment boundary; trusted/untrusted LAN interface unit; LAN cable; crypto units; bridge/half bridges.)
The role of a bridge in the TIU network varies slightly from the Chapter II definition. Like the Chapter II definition, the TIU-based LAN definition states that identical protocols are used to route packets between subnetworks. But in addition, the TIU-based definition requires that the bridge perform security checks to prevent sensitive information from flowing from a higher to a lower level subnetwork. The bridge functions are transparent to the TIUs and other devices. In doing this, the bridge only checks security levels between the two networks it is connected to. It does not verify the level of the packet in terms of the source it is from, or the subnetwork destination. Note in Figure 5.6 that split bridges are used to identify areas where encryption might be implemented; for instance between two buildings. [Ref. 37: pp. 282-287]
This design example is based on the Ethernet protocol. The concept could be applied to the same environment as the generic LAN, but the overall configuration would be drastically changed. A possible high level configuration is illustrated in Figure 5.7. Note the difference between Figure 5.7 and the generic configuration in Figure 5.2. [Ref. 37: p. 283]
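The label and level checks described above, as an added worked example that is not part of the thesis or of the Ref. 37 design: a single-level TIU admits only packets whose label equals its level, a variable-level TIU admits only the level it is currently set to, a multilevel TIU admits its whole approved range, and a bridge compares only the levels of the two subnetworks it joins. The level names, class names, the "dropped at ..." outcomes and the sample traffic are assumptions of the example, as is the use of a packet label field for the check. It also shows the consequence of the bridge not reading labels: a packet relabelled UNCLASSIFIED on the SECRET subnetwork is still refused a path down, and a lower-level packet that the bridge forwards up is still stopped by a strict single-level TIU at the receiving host.

```python
"""TIU and bridge checks in a subnetwork-per-level LAN (added example).

All names, levels and outcomes are assumptions of this illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed sensitivity lattice: a higher number dominates a lower one.
LEVELS: Dict[str, int] = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1,
                          "SECRET": 2, "TOP SECRET": 3}


def dominates(high: str, low: str) -> bool:
    """True when information may flow from `low` to `high` (never downward)."""
    return LEVELS[high] >= LEVELS[low]


@dataclass(frozen=True)
class Packet:
    src: str        # sending subscriber
    dst: str        # destination subscriber
    label: str      # control label/field checked by the TIU
    seq: int        # fragment number within the message
    payload: bytes


def fragment(src: str, dst: str, label: str, message: bytes,
             packet_size: int) -> List[Packet]:
    """Break a message longer than the packet size into labelled packets."""
    chunks = [message[i:i + packet_size]
              for i in range(0, len(message), packet_size)] or [b""]
    return [Packet(src, dst, label, n, c) for n, c in enumerate(chunks)]


class SingleLevelTIU:
    """Monitors one and only one security level."""
    def __init__(self, level: str) -> None:
        self.level = level

    def admits(self, pkt: Packet) -> bool:
        return pkt.label == self.level


class VariableLevelTIU:
    """Set by a terminal switch or key to one level within its approved range."""
    def __init__(self, approved: List[str]) -> None:
        self.approved = set(approved)
        self.current: Optional[str] = None

    def set_level(self, level: str) -> None:
        if level not in self.approved:
            raise ValueError(f"{level} is not approved for this terminal")
        self.current = level

    def admits(self, pkt: Packet) -> bool:
        return self.current is not None and pkt.label == self.current


class MultilevelTIU:
    """Trusted to receive a whole range of levels at once."""
    def __init__(self, approved: List[str]) -> None:
        self.approved = set(approved)

    def admits(self, pkt: Packet) -> bool:
        return pkt.label in self.approved


class Bridge:
    """Joins two system-high subnetworks.  Compares only the two subnetwork
    levels; never reads the packet's own label, source or destination."""
    def __init__(self, net_a: str, net_b: str) -> None:
        self.nets = {net_a, net_b}

    def forwards(self, from_net: str, to_net: str) -> bool:
        if not {from_net, to_net} <= self.nets:
            raise ValueError("bridge does not join these subnetworks")
        return dominates(to_net, from_net)


def deliver(pkt: Packet, from_net: str, to_net: str, bridge: Bridge,
            dst_tiu) -> str:
    """Trace one packet across the bridge and through the receiving TIU."""
    if from_net != to_net and not bridge.forwards(from_net, to_net):
        return "dropped at bridge"
    if not dst_tiu.admits(pkt):
        return "dropped at TIU"
    return "delivered"


def run_example() -> Dict[str, object]:
    """Constructed traffic on an UNCLASSIFIED/SECRET pair of subnetworks."""
    bridge = Bridge("UNCLASSIFIED", "SECRET")
    secret_single = SingleLevelTIU("SECRET")
    secret_multi = MultilevelTIU(["UNCLASSIFIED", "CONFIDENTIAL", "SECRET"])
    unclas_single = SingleLevelTIU("UNCLASSIFIED")
    out: Dict[str, object] = {}
    # 14-byte message, 8-byte packets: two fragments, each carrying the label.
    up = fragment("u1", "s1", "UNCLASSIFIED", b"weather report", 8)
    out["fragments"] = len(up)
    # Low to high passes the bridge; a single-level SECRET TIU still refuses
    # the UNCLASSIFIED label, while a multilevel TIU on the host admits it.
    out["up_to_single_level"] = [deliver(p, "UNCLASSIFIED", "SECRET", bridge, secret_single) for p in up]
    out["up_to_multilevel"] = [deliver(p, "UNCLASSIFIED", "SECRET", bridge, secret_multi) for p in up]
    # High to low is refused at the bridge even though the sender relabelled
    # the packet UNCLASSIFIED, because the bridge never consults the label.
    down = fragment("s1", "u1", "UNCLASSIFIED", b"relabelled", 8)
    out["down_relabelled"] = deliver(down[0], "SECRET", "UNCLASSIFIED", bridge, unclas_single)
    # Same-level traffic never touches the bridge.
    same = fragment("s1", "s2", "SECRET", b"op order", 8)
    out["same_net"] = deliver(same[0], "SECRET", "SECRET", bridge, secret_single)
    return out


def variable_terminal_example() -> Tuple[Tuple[bool, bool], Tuple[bool, bool], bool]:
    """A variable-level terminal admits only the level it is currently set to."""
    tiu = VariableLevelTIU(["UNCLASSIFIED", "SECRET"])
    u = Packet("x", "t", "UNCLASSIFIED", 0, b"")
    s = Packet("x", "t", "SECRET", 0, b"")
    tiu.set_level("UNCLASSIFIED")
    at_unclas = (tiu.admits(u), tiu.admits(s))
    tiu.set_level("SECRET")
    at_secret = (tiu.admits(u), tiu.admits(s))
    try:                         # TOP SECRET lies outside the approved range
        tiu.set_level("TOP SECRET")
        refused = False
    except ValueError:
        refused = True
    return at_unclas, at_secret, refused
```

The functions return their outcomes rather than printing them, so `run_example()` and `variable_terminal_example()` can be checked directly; the "dropped at TIU" result for the upward flow is the point to note when deciding whether a high-side host needs a multilevel TIU rather than a single-level one.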
Figure 5.7 Multilevel LAN - High Level Configuration. (TOP SECRET, SECRET, CLASSIFIED, UNCLASSIFIED and multilevel computers attached to the Ethernet through TIUs; variable TIUs and multiplexers serve the terminal devices.)
VI. CONCLUSIONS AND RECOMMENDATIONS
A LAN is a general-purpose local network that is normally used for minicomputers, microcomputers, and terminals, but can support many other devices. LAN applications and numbers are growing. One reason is that they provide flexibility and resource sharing of limited hardware resources. Unfortunately their distributed nature increases their vulnerability in terms of securing the information they contain. Thus technical computer security guidance must be applied effectively to LAN configurations. [Refs. 13,1,4,40]
In general, application of technical security guidance requires that the vulnerable LAN areas must be identified and categorized as risk factors early in the system development. Next, these factors must be quantified so the overall system sensitivity can be determined, which in turn allows identification of security requirements for the system. [Refs. 13,40]
A summary of the thesis, with conclusions, follows. Then, some general recommendations are presented.
A. SUMMARY AND CONCLUSIONS
1. Sensitivity
Requirements identified in Chapter III indicate that sensitivity is determined by the importance of the information processed to the overall Army mission, a need-to-know, and unique system features or applications that warrant protection. The sensitivity determination controls the type of information, and thus the databases, which could be tied into the network, or LAN. Sensitive information can range from mission oriented data to non-mission oriented data like large dollar volume inventories and personnel data covered by the Privacy Act of 1974. The need-to-know requires a "need-to-protect" information contained in the system. Protection determines who will access the network and how they will do it, as well as the physical protection of hardware components. The protection features must be cost effective and production effective (i.e. maximum security). The first step to implementing efficient security features is to correctly select the sensitivity level required for the network based on information presented in Chapters IV and V, and then select an adaptable security operating mode.
All guidance referenced stressed that sensitivity of data be based on a "need-to-know", which is a valid approved need, based on damage to national security, and required for performance of duties [Ref. 20: p. 10]. Army sensitivity designations are CRITICALLY SENSITIVE, HIGHLY SENSITIVE, SENSITIVE, and NONSENSITIVE. These designation categories have the same requirements as the "Orange Book" but different labels. [Refs. 13,21] Sensitivity determinations are also affected by compilation. Compilation of data occurs when certain types of data/information and large dollar volume assets are combined to yield a higher security classification than they would normally be assigned individually [Ref. 20: p. 11]. There is great potential for compilation in a network because information can be extracted from distributed locations and combined or "compiled".
As mentioned above, the operating mode is dependent on the designated network sensitivity classification level. Security operation modes that apply to all types of systems are dedicated, system high, controlled, and multilevel. The more sensitivity levels and access requirements applied to the network configuration, the more flexibility, but the more complicated the system, given today's guidance and technology. For instance, the dedicated mode is the least complicated to administer, but only provides one level of security. Also, dedicated operating mode could be applied to any network configuration. Conversely, the multilevel mode is the most complicated to administer (with current technology), but provides simultaneous operation/processing of more than one security classification on the same network. In addition, the multilevel mode may not be applied to all configurations; an example was presented at the end of Chapter V. [Ref. 13] It should be noted that DOD contractors are limited to dedicated, system high, and concurrent processing modes. The controlled mode is not addressed for contractors, but concurrent storage and processing of multiple levels of information is approved for contractor-approved systems [Ref. 36: pp. 173-175,181-182]. Generally, system high protection is required for all components.
2. Configuration
LANs have emerged as a practical way to turn mainframe environments into distributed networks [Ref. 9: p. 69]. The generic configuration in the thesis uses a combination of a bus and star topology to illustrate a LAN. The Ethernet bus is used to handle host traffic, while the CBX forms the star configuration used to run user device control traffic. The administrative network configuration is a practical design. Expansion possibilities for the generic LAN include multiple gateways to other LANs and wide area networks, and installation of multiple switching locations. User applications could be expanded into expert systems, graphics, and relational data base systems.
It is beyond the scope of the thesis to go into specific cost effectiveness analysis of configurations and components. The purpose is to give the reader a better feel for security boundaries in an Army LAN. To do this, system vulnerabilities and the impact of system security features on network performance must be identified so a sensitivity level is established early, in the design stages of development.
3. The Security Goal
The goal is to design and implement a secure system that has little impact on the efficiency and responsiveness of the network components, as well as the overall network. Vulnerabilities must be limited in terms of penetration of network security. In addition, the access threat is growing, especially in terms of communication taps and microwave signal interception from equipment emanations. Considerations like individual accountability, accounting and audit trails, and data integrity must be included along with physical security. Once a security operation mode is chosen, security requirements for each network component can be identified. [Ref. 1,5]
Impact of security features must be a major concern of system developers, because network components usually do not have inherent security features. For instance, in Ethernet, encryption and general security is the responsibility of the "end-user processes." [Ref. 18: p. 54] When a LAN processing mode is combined with security features, a configuration can take on a very different appearance. Again, an example of the impact of security on a network configuration was illustrated in Chapter V. It showed that a multilevel system configuration versus a system high or dedicated mode configuration can be very different in terms of the resulting structure and associated hardware components, like the trusted interface unit (TIU).
The multilevel operating mode was identified as the most complicated and therefore the hardest to secure and maintain. Moreover, the "system effect" may reduce over-all multilevel sensitivity performance. A particular multilevel operating system may not be approved for all applications at a given classification level. This is because the operating system is the main component in a true multilevel system, although a multilevel environment can be achieved with conventional hardware and software. In contrast to true multilevel operating system requirements, system high and dedicated modes do not require memory partitioning or other memory control functions in the multilevel sense. System high and dedicated modes do require special procedures (sanitization, disconnects, approval, etc.) unique to a move to a higher or lower security operating mode.
In the final analysis a system must meet user requirements and be robust and responsive as well as be secure. Again, security features and the designated network operating mode can have a major impact on the design and operation of a network. The ultimate goal is to have all security features and procedures totally transparent to the users. Lack of network security guidance allows flexibility in pursuit of this goal, but at the same time interpretation and accreditation may cause frustration for the developer. Additionally, this goal may never be fully realized in the real world of ADP and network system application. The reader should recognize that possible problems with development, resource/money constraints, time constraints, system acquisition, and general implementation, to mention a few, can have a significant impact on the resulting system and security features. At least, the accreditation process forces the system sponsor and developers to address security in some way. It is beyond the scope of this thesis to address or speculate how these factors may affect network security implementation and accreditation.
4. Accreditation
In the rush to modernize ADP systems and continually update software, ideas for regulations and system protection have been sidetracked [Ref. 2: p. 3]. Nevertheless, AR 380-380 is currently the number one guidance for ADP security in the Army. It is used as the focus for this thesis because it is the general guidance that all other guidance relates to. But there is almost nothing in the guidance reviewed for this thesis that pertains to "LANs" specifically, and very little in terms of direct references to "networks" in general. The guidance does not address the security topics of LAN/network components in great detail. Various telecommunications, ADP, and ATS components are all used to establish LANs. In addition, any LAN is subject to complying with ADP, ATS, and general telecommunications regulations [Ref. 13: p. 9]. However, there are many regulations that apply to network components. Consequently, network security guidance for LANs is obtained as a result of a synergistic effect from ADP, ATS, and other types of guidance.
All sensitivity designations and operating modes apply to networks, including compilation. Any computer (micro, mainframe, etc.) system, terminal/device, etc., collocated with or connected to the network more than 50% of the time must be accredited with the system [Ref. 13: p. 9]. A noteworthy example is that privately owned computers cannot be used in a network environment or in any type of remote connection to a mainframe computer. Before an ADP system, device, or component, and the agency operating the network, can access or interface a DOD network, the ADP component and site must meet the approval of the ADP security requirements, even if it is purely an administrative system, because the final security requirements must equal the requirements for the highest level of information processed at a site. For instance, all network components must be protected with appropriate physical security. Conversely, nonsensitive systems don't require accreditation. [Ref. 13: pp. 9,31] Site specific requirements, and eventual accreditation, in terms of shielding, encryption, and sensitive components, always include the network [Ref. 22: p. 20]. Many network topic areas are not covered or are inadequately covered. In a sensitive LAN the developer himself/herself must derive most of the accreditation of sensitive systems from interpretation, because only a few checklists reference networks directly [Ref. 24,25]. [Ref. 13: p. 10]
In contrast to regulations that apply, regulations that do not apply take on two forms - waivers and exceptions. An exception is a case to which a rule does not apply [Ref. 31: p. 432]. Exceptions will depend on characteristics unique to the system, which may include the sensitivity of the information, the characteristics of approved equipment, the characteristics of substituted equipment, the results of risk analysis, and the organizations involved. A waiver is a privilege to intentionally abandon a known requirement [Ref. 31: p. 1325]. A waiver may result because a full fix, or full security solutions, are not feasible. The intent is to provide an opportunity to simultaneously provide and operate the network; not an excuse to ignore security discrepancies. In short, exceptions and waivers are used when complying with guidance would impair operation and mission effectiveness. Note that continuous progress toward guidance compliance must be made and that just one critical component could require a waiver for the entire system. [Refs. 13,32,20]
In addition to guidance that does and does not apply to networks, there are outdated regulations and network topics that are not covered. Guidance has a mainframe flavor; for instance, there are references to punched cards. In contrast, there are few direct literal references to networks. Mainframes still exist, but networks and their applications are increasing, especially in administrative applications [Ref. 41]. Thus, specific network and LAN guidance would be valuable. The thesis also looked at network security topic areas not covered by the guidance. Much interpretation from ADP and ATS guidance is noted throughout the thesis. Notable topics not covered include protocols and the impact of PCs on LAN security. The only specific fact is that PCs must be accredited with the system if connected for more than 50% of the time [Ref. 13: p. 9]. Even though the guidance reviewed does not literally address, and in some cases does not apply to, LANs, there is still enough guidance to prepare a LAN for accreditation. The accreditation process consists of designing a system, documenting its operation and security features as required by the guidance, and preparing the documentation for review by a designated approval authority. It includes a series of reviews and meetings and ends with the designated approval authority's written approval. More risk requires higher awareness, levels of responsibility and authority, because the approval is raised to the next higher level of command/management if accreditation requirements can't be met at a given level.
5. Physical Protection
There are no gaps
in
environmental and physical security requirements;
physical requirements apply to
protected distribution
One method of
LANs.
A PDS
system (PDS).
is
physical protection
is
all
the
an approved telecommunications
system that has the required physical and electronic safeguards for safe transmission of
unencrypted sensitive information. [Ref.
Physical
certain degree.
a
protection
It is
varies
13: p. 76]
emanation protection
with
(TEMPEST)
Consequently, a
encrypted, or be a combination of both.
PDS
could have either shielding or be
Price/flexibility trade ofls
must be determined
by the organization developing the network to determine which alternative
and
The
accreditation.
will
is
most
allow expansion, for the desired level of protection.
Facility Security Profile
It is
a
not unreasonable to require encryption or shielding, or even have
combination of both.
affordable,
to
(FSP)
is
one of
the physical security description of
109
many documents
all facilities
required for
containing network
hardware and includes a
of hardware, hardware locations and relationships, and
list
general functional operation of the network environment.
In
physical
general,
processed at the network
corresponds to
security
Power supply
site.
ADP
Obviously a network and
without a power supply.
sensitivity
system or network
information
it's
level
network must be
the
for
facilities
physically protected at the system high too, because any
requires electricity to operate.
highest
the
useless
is
Moreover, any security features supported by the same power
source would be useless.
Also,
ADP
requirements parallel standard
interface
or
telecommunications requirements depending on the device characteristics.
6. Network Access

Security procedures are required for internet and intranet gateways and other interface devices. The procedures should be the result of an agreement by all networks involved. Audit procedures and flexible password controls, in the form of network audit and monitoring features, should provide operators and managers easy tracking of data as it is routed through the network, and users on the system. Audit file information should be limited to network management.

In terms of physical controls, personnel access to network sites can be limited by physical barriers, security identification badges, TV monitors, and visitor escorts. Moreover, access can be limited during emergencies. Emergency procedures for start-up, shut-down, and system failure must be planned because the network is especially vulnerable during unscheduled termination of operations. In addition, physical access procedures must consider that documentation and media must be controlled at the system high. This protection includes disks, tape, data, etc. Nonetheless, everything (disks, tape, etc.) used in a system that is not multilevel approved goes into the system, comes out, and is protected at the system high for the location of the system (this includes any input that has a lower classification level). [Ref. 13: pp. 24-25] For example, consider an unclassified floppy disk brought into a network control center that operates at the SECRET level in a system high mode. From that point on the floppy must be labeled and handled as SECRET.
Encryption and/or shielding is required to secure network devices against access via emanations. Isolation transformers and powerline signal filters are used to prevent emanations via the power source and its ADP/ATS components. In addition to normal encryption devices and software, there is a lot of encryption software available for PCs [Ref. 38: p. 4]. Major encryption considerations include extra procedures for maintaining signal synchronization throughout the network, and crypto-key distribution. Given the sensitivity level of the network site, ADP hardware security features require isolation of users in regard to the designated security level for internal controls. Various external device access controls like locking mechanisms, keys, electronic cards etc., may be external device requirements.
7. Software

The software guidance is ADP oriented; there was no mention of network protocols. Thus, general statements about executive, utility, and application software were presented in terms of how they must work with a protocol to maintain a secure network operating environment. In short, a protocol is a set of rules that transform requirements into specifications for the operating system and executive, utility, and applications software that control network interaction. Use of software security packages should be based on cost versus security protection provided. In other words, the particular commercial software should be analyzed to verify that it does work as the vendor claims, at the level of security it may require (for instance, the issue of passwords). Moreover, classified data cannot be protected by commercial software alone, so proper management procedures should accompany its use.

8. Miscellaneous Network Management Considerations

Management can best control network security by taking advantage of all the system security features. Continuous controls, like audit and monitoring hardware and software, can be of great value because networks are inherently insecure due to their distributed nature. But before network management relies on security features, the actual features should be verified and tested. When determining the security mode and network components, security system verification should be a major consideration. For example, verification of "true" multilevel network security may or may not impact a given implementation effort, however it is in its infancy. This should at least be a consideration. Given the extra procedures often required for managing security features and the distributed nature of LANs, it may be wise to give more security responsibility to the users. In any application, pure distributed data involves the increased sharing of responsibilities (with users) for the management functions of processing, movement, and storage of information. [Ref. 7: pp. 6-8]
B. RECOMMENDATIONS

1. General Protection of the Generic Configuration

Security considerations and requirements should be identified as early as possible in the design phase of the network. Chapter V showed how different configurations can result from different security needs. Guidance also stresses early application of security features to the overall network design. System security impact should be analyzed in terms of procedures, physical requirements (fences, surveillance, etc.), cryptography, software, configuration and management personnel. Moreover, security and management considerations must include training and monitoring of network responsibilities. At a minimum a network should have a network manager, a network security officer (NSO), and at least one terminal area security officer (TASO) during the design phase as well as for implementation and operation.

Given that network guidance in the LAN control documents is practically non-existent, general guidance pertaining to individual components should be followed. For instance, ADP guidance for network computers and ATS guidance for network transmission media. Internet access should be tightly controlled and limited as much as possible, preferably using only one tightly controlled gateway. Dial-up capability should be eliminated in networks processing sensitive information, because multiple entry alternatives provide many opportunities for unauthorized access. In addition, security procedures should provide tight control of ADP storage media, especially removable floppy disks; possibly using classified document control procedures. Floppy disks are easy to load, copy, conceal, and steal. If encryption software is used throughout most of the LAN, encryption keys could be used to simulate a disconnect where certain components could not be approved for a temporary higher classification operating mode, and special procedures are developed.
2. Important Guidance to Reference

In general, this thesis should be read for an overview, followed by a review of AR 380-380, by anyone about to be involved in LAN development. AR 380-380 is the focus because it is the current, major document dealing with Army automation security guidance. In addition, the Orange Book will provide more background on sensitivity designations - the key to ultimate network security requirements. Remember that a need-to-know and need-to-protect determine the sensitivity which in turn drives the security requirements. Note that some guidance encourages common standardized connections of Army hardware to promote interoperability goals. In addition, security features should be part of any network interoperability plans and goals. [Refs. 13,28,29] A unique point in one regulation states that COMSEC testing be done on request. This should be mandatory for all networks so emanation control can be verified. [Ref. 30: pp. 4-5]. In terms of organizational position and assignments of personnel, AR 380-380 provides comments on separate assignment of positions for physical security and security functions (software security, audits, etc.). Sensitive and non-sensitive personnel responsibility is currently determined by a need-to-know and the security operating mode. [Ref. 13: pp. 6-7]
3.
Future Research
One major
Desk top power
security of PCs.
now do many
is
the network impact and specific
form of PCs and other microprocessors can
in the
of the tasks that previously were only performed on mainframes and
minicomputers.
is
area not covered by guidance
This
is
moved and connected
should be done in
to a
network or another device
[Ref. 38: p.
same
Much
4].
regulation: Obviously, protocols are another
security guidance existed in
major
LAN
component
needs be analyzed in terms of Army security guidance and requirements. [Ref.
Many
research
this area.
Even though ATSs were addressed, no protocol
the
PC
an obvious threat when you consider the ease with which a
that
13]
areas were not covered due to the limited scope of the thesis.
First,
personnel security was not addressed, yet personnel security considerations should be
one of the most important.
Furthermore the
Personnel
guidance
thesis did not cover all aspects
aspects and details of contractor security.
components are suggested
can be found in
and
details
3SO-3SO.
of accreditation or
In addition, the following
for further security analysis
AR
LAN
topics
all
and
and research.
Operating systems.
Risk management.
Research into current regulations being drafted as opposed to what currently
applies.
System
sanitization.
Trusted and/ or smart interface units.
Distributed data storage procedures.
Suggestions for possible future guidance research areas are
113
listed
below.
•
More
detailed
operating
network security analysis into one or more of the securitv
designations, possiblv using this thesis and expanding it in
mode
detail.
Multilevel trends in security technology and their application to networks.
Distributed processing security.
Encryption of data over a network.
Apply
this thesis to a
specific
network and point out
specific deficiencies in
guidance.
Explore more aspects of the accreditation process in more
detail.
Development of an accreditation plan or regulation document
detailed requirements for
systems, ATSs, and networks.
that
Develop detailed guidance for LANs. Use
background for developing such guidance.
primer
ADP
Develop security guidance
C.
FINAL
New
for distributed
this
thesis
a
as
covers
and
network control.
COMMENTS
technology developments should be used when possible to enhance the
robustness, responsiveness and efficiency of any computer network.
limitations require that the
network yields cost
effective operation
User resource
and
installation.
Nonetheless, military requirements for protection of sensitive information processing
may
prove to
Performance
[Ref. 22: p.
2].
be
a
factors
challenge
should
in
not
terms
degrade
of network
the
level
operation
and performance.
of protection
of the
system
Conversely, the security requirements should not degrade the network
to the point of uselessness.
difficult, especially
Consequently, military guidance interpretation can be
when/if it does not keep up with technology.
114
APPENDIX
SECURITY GUIDANCE SUMMARIES

1. INTRODUCTION

Army Regulation 380-380 (AR 380-380) is covered in more detail than the other regulations because it is the one regulation specifically dedicated to automation security.
2. REGULATION/GUIDANCE SUMMARIES

a. ARMY REGULATION 380-380: Automation Security, 8 MAR 85

1. Purpose. AR 380-380 was developed to provide a minimum standard for all Army ADP systems. Thus, it is not intended to duplicate higher guidance. However, the more stringent requirement will take precedence when there is a conflict. Conflicts between agencies are possible because many other agencies govern certain non-conflicting areas and areas where higher guidance does not exist. Some examples are the Defense Intelligence Agency (DIA), National Security Agency (NSA), and Defense Communications Agency (DCA). In general this regulation is designed to address automation security and allow accreditation authorities and individual commanders to apply stricter controls and procedures, if necessary. [Ref. 13: p. 3]

Another major function is to describe the Army Automation Security Program (AASP) which consists of the security subject areas. Automation security includes: ADP system security and automation resource management. Automated data processing (ADP) system security includes: hardware security, software security, procedural security, physical security, communications security, personnel security, document security, environmental security, and remote terminals. Automation resources include: all computer equipment, programs, data, associated facilities, intelligent terminals, minicomputers, peripherals, documentation, contractual services, personnel, supplies, microprocessors, and automated office systems.
2. General summary. The following AR 380-380 chapter summaries identify important items related to LAN security, ADP security, and network or security related ADP guidance covered in AR 380-380.

(1) Chapter 1. Overview. This chapter is an overview of basic security responsibilities from the highest to the lowest levels. After the general purpose (explained above), basic security responsibilities are explained. Positions identified that apply to LAN security are the terminal area security officer (TASO), network manager, and network security officer (NSO). The TASO is "appointed for the remote terminal(s) and interface devices(s) connected with a host computer." A network manager is "assigned when two or more automated systems join to participate in networked operations. He or she will prescribe security mode and requirements, protocols, and standards for the network." A NSO is "appointed for each network processing sensitive defense information." Note that NSO responsibilities include network access and connectivity control; security impact evaluations of network changes and interfaces with other networks; and maintaining a network security profile. [Ref. 13: pp. 3-5]

Major policies include that all computer facilities and operations be designated either as critically sensitive, highly sensitive, sensitive, or nonsensitive, and that system security applied at the beginning of the design is more cost effective in the long run. Additionally, network security measures must be established before internetting operations begin (between both/all networks). Any ADP system, sensitive or higher, must pass accreditation processes. AR 105-22, AR 18-1, AR 1000-1, and DAR MISC Pub 28-24 are cited as references. [Ref. 13: pp. 5-6]. Minimum Department of Defense (DoD) requirements for ADP, communications links, and classified and unclassified national security information are identified and include individual accountability, physical and environmental control, system stability, data integrity, system reliability, and information sensitivity determination. [Ref. 13: p. 6] General sensitivity levels can be changed to more restricted limits if an accreditation authority determines that the sensitivity designations are too broad. Conversely, an accreditation authority can move to one sensitivity level lower than prescribed, if the following conditions are met: the volume of sensitive information processed is low, the sensitive information is always confined to a specific area, adequate and continuous protection is exercised at each sensitivity level, and personnel are properly cleared. In addition, all sensitive personnel positions must be formally defined. The four basic levels of security are Critically Sensitive (CS), Highly Sensitive (HS), Sensitive, and Nonsensitive. The CS level is broken down into sublevels: Level 1 (CS1) for sensitive compartmented information (SCI) or Single Integrated Operational Plan-Extremely Sensitive Information (SIOP-ESI); Level 2 (CS2) for TOP SECRET; Level 3 for SECRET/CONFIDENTIAL. [Ref. 13: p. 6] Operational service modes for the purpose of this regulation are identified as local, remote batch, remote interactive, and networked. Local is the least complicated service mode, remote batch and remote interactive are progressively more complicated, with networked considered the most complicated. The more complex the operational service mode, the more vulnerable it becomes; this is one key factor in determining the vulnerability and risk of the system.

In short, access control topics are concerned with a need to know using only the resources needed and is dependent on security processing modes and restrictions. Also, requirements, characteristics, and basic features for the multilevel, controlled, system high, and dedicated security processing modes are addressed along with periods processing. [Ref. 13: pp. 7-8] If intelligent terminals, minicomputers, and microprocessors are collocated or connected to another automated system more than 50% of the time, they must be accredited with that system. This assumes a LAN risk designation is used, which the accreditation authority must know. In terms of automated administrative systems, any system attached to a sensitive system requires accreditation. Word processing work stations are considered remote terminals and should be part of the accreditation and management documentation. Additionally, privately owned computers are discouraged. They must comply with AR 380-380 and accreditation requirements, and be used in a stand alone configuration. All information processed becomes property of the Army organization in which the computer is used. [Ref. 13: pp. 9-10] The first chapter of AR 380-380 also addresses waivers and exceptions of security requirements, and accreditation requirements. [Ref. 13: p. 10]
(2) Chapter 2. U.S. Army Automation Security Program (AASP). The AASP was developed to achieve the most economical and effective security for U.S. Army ADP systems, communications security facilities or systems. Some management responsibilities include "ensuring that new automation systems include security in their design"; and "that construction of new automation facilities and major revisions of existing systems conforms with the security requirements of this regulation." [Ref. 13: p. 10] Other topics covered relating to AASP are implementation at the Headquarters, Department of the Army (HQDA) and major Army command, post/installation-level, and data processing activity (DPA). In addition, the U.S. Army Automated Data Processing Systems Security Enhancement Program (ADPSSEP) and the DoD Security Evaluation Center are addressed. [Ref. 13: pp. 10-11] Network processing and security implementation includes [Ref. 13: p. 11]:
• Ensuring "the establishment of minimum standards for the security and operation of the network, and ensure adherence";
• Ensuring implementation of a system wide network risk management program and network security procedures;
• "Periodic review of network security";
• Providing configuration management (software and hardware), and making sure software and hardware is tested and approved before use.
(3) Chapter 3. Physical and Environmental Security. "This chapter provides standards and criteria for physical security measures required to safeguard fixed and mobile data processing activities." Physical security must be included in a balanced automation security program. The objectives include: safeguard personnel; prevent unauthorized access; safeguard against espionage, sabotage, damage, & theft; reduce exposure to threats that disrupt service. Note - only limited aspects of Chapter 3 are addressed in the thesis. Physical security principles covered include barriers, procedures, construction standards, and physical access controls. Areas addressed in Chapter 3 apply to remote terminals, nodes, peripherals as well as the central computer complex. [Ref. 13: pp. 12-16]
(4) Chapter 4. Personnel Security. Personnel security and surety was not included in the scope of the thesis. Nonetheless, Chapter 4 covers general personnel policy, implementation of the Personnel Security and Surety Program (PSSP), screening, selection and evaluation and retention criteria, initial personnel security investigations, local national employees, security briefing and debriefing, and PSSP maintenance. [Ref. 13: pp. 16-18]

(5) Chapter 5. Communications Security. In terms of LAN security, COMSEC and terminal access are two important topics covered in this chapter. Army communications security (COMSEC) "policy requires that all record telecommunications be secured by either encryption in approved cryptographic systems or protected distribution systems (PDSs)". By consequence, "all circuits used to interconnect remotely located components of Army automation systems or networks will be provided COMSEC protection under the provision of AR 530-2." In addition, methods for achieving COMSEC are addressed also. Topics relating to terminal access include locking and unlocking, and physical and logical disconnects. Other topics covered in this chapter are system password generation and control, and communications security planning. [Ref. 13: pp. 18-19]

(6) Chapter 6.
The importance of hardware security in relation to LANs is stressed in Chapter 6. In general, areas covered include guidance on hardware security policy, desirable hardware security features, and considerations outside the CONUS. In LANs, desirable HW security features are hardware/firmware that isolate users from each other and constantly monitor the system to identify terminals and users logged into the system. [Ref. 13: pp. 19-20]

(7) Chapter 7. Software Security. For the purpose of AR 380-380 software security is broken down into general purpose, executive, and utility software categories. Areas addressed are general software security guidance, operating system security features, data base management system (DBMS) features, and software security packages. It should be noted that "classified data will not be protected solely by commercial software. In addition, classified data processing requirements will not be used as the sole justification for acquisition of such software." Areas of Chapter 7 that apply to LAN security include items that address remote terminals via software: software design, identification and control of remote terminals, and control of remote access. Also, shared data bases are addressed. [Ref. 13: pp. 20-22]

(8) Chapter 8. Procedural Security. "The purpose of this chapter is to prescribe procedures and techniques which can be applied to improve control, reduce risks, and counter inherent vulnerabilities of a data processing activity (DPA) or an automated teleprocessing system (ATS)." Areas covered in this chapter include:
• Management considerations.
• Start-up, shutdown, and system failure procedures.
• Control of over-the-counter batch jobs.
• Control of teleprocessing systems jobs.
• Continuity of Operations Plan (COOP).
• Accountability procedures.
• Security of ADP media.

Topics that relate to LAN security include facilities configuration management; system start-up, shutdown, and failure effects on remote devices; and control of ATS jobs. Note that requirements pertaining to ATS jobs are mandatory for all new Army computer systems. [Ref. 13: pp. 22-29]

(9) Chapter 9. Risk Management. Risk management must be a command responsibility, "because each computer site and each operating environment is unique, there are no standard remedies or checklists which can be applied. Management must identify the resources to be protected and analyze the risk of espionage, sabotage, damage, and theft to determine the minimum level of protection needed." Generally the objective of risk management is to obtain safeguards against unauthorized access and manipulation of information. Note that Appendix O addresses procedures for identifying vulnerability and penetration areas. Areas covered in Chapter 9 include [Ref. 13: pp. 29-30]:
• Risk Management Methodology.
• Risk Assessment.
• Management decision.
• Control implementation.
• Effectiveness review.
• Implementation.
(10) Chapter 10. Accreditation. Accreditation is addressed in Chapter V of the thesis.
(11) Chapter 11. Automated telecommunication systems (ATS). Chapter 11 applies to contractor operations as well as Army ATSs. Two key areas of security for ATSs concern configuration control and the peripheral/system approach. Configuration control requires that rigid configuration management procedures be established. "Prior to a modification, addition, or deletion of any hardware, software, or firmware, a detailed comparison must be made with the approved system baseline. In addition, an analysis will be conducted of possible effects on system security." Moreover, "interoperation of Army ATSs with those of other DoD or Federal agencies requires an awareness of all applicable regulations/guidance and all security requirements." Before development or implementation of any ATS hardware/software, it must meet all security requirements in the assigned level, except when waivers or exceptions apply. [Ref. 13: pp. 32] In the peripherals/systems approach "all system components share security considerations. Security must be addressed during development, procurement and operation of modems, multiplexers, remote terminals, processors, front end devices, video; graphic devices, and input/output devices." [Ref. 13: p. 32] Other areas covered in Chapter 11 include [Ref. 13: pp. 31-32]:
• ATS responsibilities.
• Processing modes and restrictions.
• Protection of documentation.
• Media security.
• Personnel security requirements.
• Risk assessment and accreditation.
• File access controls.
• Interoperational requirements.
• Maintenance agreements and contracts.
(12) Appendixes. The following appendixes apply to LAN security considerations [Ref. 13: pp. 40-69].
Appendix D - Facility Security Profile (FSP)
Appendix F - Compilation of Security Protection Guidance for Processing in the Controlled Security Mode.
Appendix G - Periods Processing Procedures.
Appendix H - Automation Security Checklist.
Appendix I - Accreditation Document Format [Ref. 13: p. 58]
Appendix J - Privacy Safeguards For Automated Systems.
Appendix M - Operating System Security Features
Appendix O - System Vulnerabilities and Penetration Techniques
b. ARMY REGULATION 380-5: Department of the Army (DA) Information Security Program, 15 FEB 85

In sum, "this regulation gives instructions and assigns responsibilities for the effective implementation and application of DoD Information Security Program policies at all levels of DA." For ADP systems in general, this regulation applies to LANs and ADP in general. [Ref. 20: p. 6] Classification of information in terms of compilation is one area of security that relates to LAN security. Compilation of information is "certain information that would otherwise be unclassified when combined or associated with other unclassified information." This is important in a LAN development, where classified information processed may be a major concern. Compilation areas covered include classification determination, research, development, test, and evaluation where each program has a major requirement for classification. Marking of ADP security levels, labels, messages and data formats is addressed. Transmission of data is a topic directly related to LAN security: all electronically transmitted TOP SECRET, SECRET, and CONFIDENTIAL INFORMATION is transmitted under communications security (COMSEC). Understandably, encryption may be required when it offers some degree of protection. [Ref. 20: pp. 10-12, 19] All exceptions that do not meet the minimum standards in chapter 8 must be approved by the Deputy Under Secretary of Defense (Policy) (DUSD(P)). "The ACSI approves exceptions within the Army." Exceptions to AR 380-5 may be authorized by the head of the Component (Army, Navy, Air Force, or Marine). [Ref. 20: pp. 36-37]

c. ARMY REGULATION 18-1: Army Automation Management, 15 SEP 80

AR 18-1 sets the framework for policy and delegates authority, responsibility, and management for Army automation, but does not apply to embedded ADP systems or configurations. AR 18-1 goals include [Ref. 28: p. 1-1]:
• Permit MACOM management flexibility.
• Shorten/streamline acquisition process.
• "Encourage decision making at the lowest practical level."
• "Stress decentralization as a management concept for automation."
• "Insure total systems requirements are integrated to the overall force structure."

Moreover, a valid mission need is required to initiate a project and may be the result of a change in threat, a projected deficiency or outdated system, a technological opportunity, or a chance to reduce operating costs. [Ref. 28: pp. 1-1 - 1-2]
Once a project is under development, "achievement of program goals, rather than time-phased milestones, will be the controlling factor." Other life cycle policies covered include standardization and interoperability, communications support (defined at the beginning of system planning), and classes of ADP systems (administrative and stand-alone computer systems). [Ref. 28: pp. 2-1 - 2-2] Remaining network related topics, addressed in terms of ADP systems, are decision authorities, life cycle management, and costs. Cost estimates must include telecommunications cost and system development cost. [Ref. 28: pp. 4-0 - 4-1]

d. TECHNICAL BULLETIN TB 18-100: Automation Life Cycle Management, 15 Aug 81

TB 18-100 provides a systematic approach to life cycle management procedures for ADP systems that are subject to AR 18-1. It also applies to ADP resources and telecommunications acquired under the authority of AR 1000-1. The major objective of TB 18-100 is to insure that automated systems are properly acquired and that program/project objectives and requirements are described in mission terms and not in ADP terms, tying requirement documentation and acquisition to the mission. [Ref. 34: p. 2-1] TB 18-100 does not apply to LAN acquisition, and its security topics do not directly address LANs; they are mostly related to ADP in general. However, standardization and electronic spectrum allocation are two design considerations that relate to LAN security. In terms of security, TB 18-100 specifically states that "it is much more expensive and difficult to add or introduce security into an already functioning system than to acquire systems that are secure." For example, management strategy, planning and documentation topics covered in TB 18-100 address management development of security during the early stages of the life cycle. [Ref. 34: pp. 2-1 - 2-4] The last point of interest is that telecommunication requirements must be identified, and approved according to AR 105-22 before acquisition can be processed. No other security topics were mentioned. [Ref. 34: p. 3-1]

e. ARMY PAMPHLET 18-4: Data Processing Installation Review/Evaluation Checklist, 1 SEP 85

This pamphlet is a series of checklists designed to be used by DPIs for annual self evaluation audits, and by heads of Army staff and major Army command automation management offices/officers (AMO). The checklists in Pamphlet 18-4 will be used when an equipment upgrade takes place, when a new AMO or DPI manager is assigned, a major reorganization occurs, and in those years a Department of the Army automatic data processing management review is not conducted. [Ref. 24: p. i] Fifteen major categories (chapters) are identified by Pamphlet 18-4, within each category sub-checklists exist for specific areas. Categories (chapters) and sub-checklists that relate to LAN security are listed below.

CHAPTER 1 - GENERAL INFORMATION (addresses Privacy Act of 1974).
CHAPTER 2 - ORGANIZATIONAL MANAGEMENT
• Security management.
• Security planning.
• Security coordination.
• Accreditation.
CHAPTER 5 - AUTOMATED DATA PROCESSING EQUIPMENT (ADPE) OPERATIONS MANAGEMENT (includes Operations Security).
CHAPTER 11 - DPI FACILITY MANAGEMENT
• Physical security.
• Access control.
• Remote terminal protection.
CHAPTER 15 - COMMUNICATIONS
• Network configuration/optimizations.
• Communications security/emanations.
• Remote access security.
f. ARMY PAMPHLET 18-7: Automatic Data Processing Management Review (MR) Guide, 3 DEC 85

The purpose of this pamphlet is to assist management review teams in reviewing and reporting on Army ADP management organizations, and managers who are having the efficiency and effectiveness of their Army ADP management and security areas reviewed. The objectives of management review are to identify difficulties, determine the causes of difficulties, and develop recommendations for solutions to these difficulties. [Ref. 25: p. 3] In addition, Pamphlet 18-7 also points out that Pamphlet 18-4 is a checklist to be used as a point of reference and that it is just a checklist, nothing more. [Ref. 25: p. 9]
g. ARMY REGULATION 530-2: Communications Security (COMSEC), 1 SEP 82

AR 530-2 prescribes COMSEC policy and responsibility for the Army and implements DoD Communications Security Directive 5200.5. "The Army's COMSEC goal is to provide total security for all electrically transmitted information from the originator to the recipient." AR 530-2 applies throughout the Army, including all units responsible for conducting research, development, test, and evaluation (RDTE) of COMSEC and telecommunications hardware, and Army publications that identify COMSEC responsibilities must conform to this regulation. [Ref. 29: pp. 2-3] Many areas of AR 530-2 pertain to LAN security; some general points follow.

In general, AR 530-2 stressed that, in terms of secure communications, encryption in an approved cryptographic system is the best defense against COMINT exploitation of telecommunications. Yet the regulation points out that COMSEC measures that are effective today may not be adequate in the future because of advances in technology. Therefore, "COMSEC measures in use must be continuously evaluated." Furthermore, all unsecured record telecommunications (telecommunications or teleprocessing of record information) will be secured either by the use of NSA approved cryptosystems or by a protected distribution system (PDS) as defined by AR 530-2. Clear text transmission of national security information ... foreign ... is also addressed, and AR 530-2 prescribes criteria under which DA approved commercial encryption communication equipment that meets Federal Standard 1027 may be used. [Ref. 29: pp. 2-3]

AR 530-2 also prescribes procedures to be used for the electrical transmission of classified information during emergency situations. Another area that pertains to LAN security is the PDS (formerly known as Approved Circuits). AR 530-2 "prescribes the criteria under which PDS may be established and used for transmission of classified information under a variety of situations." PDSs use physical and electromagnetic safeguards to obtain a secure communications system; a PDS is defined by AR 530-2 as a wire line or fiber optic system that permits transmission of unencrypted information. [Ref. 29: pp. 10,15]

h. ARMY REGULATION 18-7: Automatic Data Processing Management Review Program, 30 NOV 84

Besides establishing policies, responsibilities, and procedures for implementing the Automatic Data Processing (ADP) Management Review (MR) Program, it includes review of automation management offices (AMO), data processing installations (DPIs), and the contractors under their purview. [Ref. 23: p. 2] AR 18-7 does not contain any specific guidance for LAN security; it contains an overview of topics and a reference to general policies, regulations, and pamphlets that affect management of ADP resources. Topics listed that relate to LAN security are the telecommunication plan, the configuration management plan, physical security, communications, and ADP operations.
i. ARMY TECHNICAL BULLETIN TB 18-107: Army Automation Automatic Data Processing Equipment Operations Management, 3 FEB 86

The purpose of TB 18-107 is to implement certain provisions of AR 18-1, provide guidance for general purpose ADPE, and establish standards and prescribe procedures to manage DPIs. The major objectives are to provide DP managers with basic guidance and to provide functional staff with a basic understanding of ADP operations. [Ref. 27: pp. 1-1, 11-2] Two specific topics relating to LAN security are data control and equipment sharing. The data control function involves production of "an auditable record of data as it is routed through the various stages of processing. This concept is important in a service center operation, but it also applies in network environments and distributed systems." Equipment sharing may be done only if the quality of mission-related support will not be degraded, and it does not cost too much. [Ref. 27: pp. 2-1,7-1]
j. ARMY REGULATION 380-53: Communications Security Monitoring, 15 NOV 84

This regulation sets forth policy, procedures and responsibilities for COMSEC monitoring within the Army. Most of the regulation deals with voice traffic over US Army telecommunications systems. Basic objectives which apply to LAN security include providing information for improving the security of telecommunications, and determining the amount of security achieved by codes, COMSEC techniques, cryptographic equipment and devices, and other related measures [Ref. 30: pp. 3-4]. Procedures for determining transmission susceptibility, such as vulnerability and emanation surveys, are addressed. [Ref. 30: p. 5]

k. DEPARTMENT OF DEFENSE (DoD) MANUAL DoD 5220.22-M: Industrial Security Manual for Safeguarding Classified Information, 1 MAR 84

DoD 5220.22-M establishes the requirements for safeguarding all classified information to which contractors have access or possession. It addresses common situations where a contractor needs access to classified information to perform requirements of the contract, and applies to pre/post-contract activity and government sponsored R&D activities. [Ref. 36: p. 1]

One section provides security requirements for ADP systems. In general, "it specifies conditions and prescribes security requirements under which ADP systems will be operated when handling classified information." ADP topics addressed that relate to LAN security are ADP system security procedures, word processing systems, security of remote terminals (including physical disconnects), physical security, and transmission security. Topics for ADP system security procedures include approval, upgrading, downgrading, and media/equipment clearance procedures. [Ref. 36: pp. 171,177-178,184,186-190]
l. DoD DIRECTIVE 5215.1 (DoD Dir 5215.1), SUBJECT: Computer Security Evaluation Center, 25 OCT 82

"This Directive establishes the DoD Computer Security Evaluation Center (CSEC), provides policy, and assigns responsibilities for the technical evaluation of computer system and network security, and related technical research." The policy provided by this directive states that the DoD Consolidated Computer Security Program (CCSP) will include resources for the operation of the CSEC and for generic computer security research, development, test and evaluation (RDT&E), and application-dependent research and development activities of DoD components. In addition, DoD components (Army, Navy, Air Force, and Marines) must perform specific security activities for DoD component systems. Moreover, CSEC products must complement established responsibilities of DoD components in relation to security, policy, and evaluation of computer systems. Thus, this directive contains only policy guidance for ADP and network security. [Ref. 26: pp. 1-2]

m. DoD MANUAL 5200.28-M: ADP Security Manual Techniques and Procedures for Implementing, Deactivation, Testing, and Evaluating Secure Resource-Sharing ADP Systems, JAN 73

The major objective of DoD 5200.28-M is to provide guidelines, techniques, and procedures to be used to:
• Prevent unauthorized access of classified information.
• Develop, acquire, and establish methodologies, techniques, standards, and procedures for design, analysis, test, evaluation, and approval of ADP systems and components.
• Establish methodologies for physical protection of ADP systems and for sanitization.
• Prescribe standards, criteria, and specifications for deactivation of secure ADP systems and components.

The manual states that requirements within any ADP "system under today's rapidly changing ADP technology is dynamic and the methods chosen to secure a particular system could adversely affect the use of it. This technology must accommodate new developments without degrading the level of protection." The Manual recognizes that techniques described within it may not be economically justified after a cost versus risk evaluation. So, appropriate subsets of the techniques included in this manual may be used to gain the level of security required to secure a system. By consequence, techniques not included can be used if they provide the degree of security specified in DoD Directive 5200.28. [Ref. 22: pp. 1-6] Topics covered in this manual relating to LAN security include ADP security, dedicated and multi-level security modes, remotely accessed resource-sharing computer systems, physical security, communications security, emanations security, hardware and software security features, and audit logs and files. [Ref. 22]

n. DoD COMPUTER SECURITY CENTER CSC-STD-001-83: DoD Trusted Computer System Evaluation Criteria (Also Known as the "Orange Book"), 15 AUG 83

DoD CSC-STD-001-83 provides a basis for effectiveness evaluation of security controls built into ADP systems. The security criteria are divided into four broad hierarchical divisions: A, verified protection (most secure); B, mandatory protection; C, discretionary protection; and D, minimal protection (least secure). The criteria objectives:
• "To provide users with a yardstick with which to assess the degree of trust that can be placed in computer systems for the secure processing of classified or other sensitive information."
• "To provide guidance to manufacturers as to what security features to build into their new and planned commercial products, in order to provide widely available systems that satisfy trust requirements for sensitive applications."
• "To provide a basis for specifying security requirements in acquisition specifications." [Ref. 21: p. v]

Orange Book evaluation criteria labels correspond to AR 380-380 sensitivity labels:
• Verified protection (A) applies to the critically sensitive level (CS).
• Mandatory protection (B) applies to the highly sensitive level (HS).
• Discretionary protection applies to the sensitive level.
• Minimal protection applies to the nonsensitive level.

Two sets of requirements are identified in the criteria: "specific security feature" and "assurance" requirements. Specific security feature requirements are application independent and involve the security capabilities usually found in ADP systems that use general-purpose operating systems (separate from applications programs on the system). However, specific applications or environments may have special security requirements to be interpreted when applying the criteria to specific processing environments. [Ref. 21: pp. v,2] Assurance requirements apply to all ADP systems, from dedicated controllers to full range multilevel secure resource sharing systems. Therefore, no special interpretation is needed for application across any ADP system or application processing environment. [Ref. 21: pp. v,2]

o. DoD DIRECTIVE 5200.28: Security Requirements for Automatic Data Processing (ADP) Systems, 18 AUG 72

• Purpose:
1) Set uniform policy to protect classified data stored, processed, used in, communicated, displayed, or disseminated by ADP Systems.
2) In addition to the controls required by the security classification of the material, permit the application of access and distribution limitations imposed on classified data and information.
3) Prescribe security requirements and specify conditions under which "ADP Systems will be operated when handling classified material and assigns responsibility for the testing, evaluation, and approval of such systems."
4) Provide "for the application of administrative, physical, and personnel security measures."
5) Authorized publication of "a DoD Manual of Techniques and Procedures for Implementing, Deactivation, Testing, and Evaluating Secure Resource Sharing ADP Systems, DoD 5200.28-M." [Ref. 32: pp. 1-2]

• Objectives - to establish that:
1) ADP system security controls are interrelated with normal system controls.
2) System security requirements/controls enhance the reliability, integrity, and operation of an ADP System.
3) "The basic ADP system reliability and integrity features prevent unauthorized access and manipulation with reasonable dependability." [Ref. 32: p. 2]

Topics covered in this manual relating to LAN security include ADP system security, dedicated and multi-level security modes, remotely accessed resource-sharing computer systems, physical security, communications security, and emanations security. [Ref. 32]

p. NATIONAL COMPUTER SECURITY CENTER PUBLICATION NCSC-WA-002-85: Personal Computer Security Considerations, 1985

This publication addresses issues that are pertinent to microcomputer security in the home and business environment. It is NOT a formal government policy document, but rather an information memorandum. [Ref. 33: p. i] NCSC-WA-002-85 notes that personal computers offer an unlimited opportunity for intrusion into mainframe computers and networks (assuming the PC has communication hardware/software). It indicates that transmission of sensitive information from a PC to another device is the responsibility of the user. In terms of PC communication security, dial-back procedures are considered questionable, with encryption identified as a "sure method" of protection. Dial-back procedures cause the PC to disconnect the caller, check a list of authorized IDs, and call back. [Ref. 33: pp. 8,11]
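The three dial-back steps just summarized (disconnect, check the ID list, call back) are easy to get subtly wrong, so the following simulation shows them as a defender would implement them: the number dialled back always comes from the list on file, never from the caller. This is example code added here; it is not code from the thesis or from NCSC-WA-002-85, and the IDs, telephone numbers and the DialBackSession class are constructed for illustration.

```python
"""Simulation of the dial-back procedure described in NCSC-WA-002-85: the
answering PC disconnects the caller, checks the claimed ID against a list of
authorized IDs, and calls back. Added example code, not code from the thesis
or from NCSC; the IDs, telephone numbers and class names are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed authorization list: authorized ID -> telephone number on file.
# The number on file is the only number the answering PC will ever dial.
AUTHORIZED_IDS: Dict[str, str] = {
    "ayres": "555-0101",
    "brown": "555-0102",
}


@dataclass
class DialBackSession:
    """One inbound call: what the caller claims, and what the PC did about it."""
    claimed_id: str
    caller_number: str                      # number presented by the caller
    events: List[str] = field(default_factory=list)
    connected_to: Optional[str] = None      # number actually called back


def dial_back(session: DialBackSession,
              authorized: Dict[str, str] = AUTHORIZED_IDS) -> bool:
    """Run the three dial-back steps. Returns True when a callback connection
    to the number on file was established, False when the ID is rejected."""
    session.events.append(
        f"incoming call from {session.caller_number}, claimed id {session.claimed_id!r}")
    # Step 1: disconnect the caller unconditionally. The inbound line is never
    # promoted into a working session, so a caller gains nothing by staying on.
    session.events.append("disconnect caller")
    # Step 2: check the claimed ID against the authorized list.
    number_on_file = authorized.get(session.claimed_id)
    if number_on_file is None:
        session.events.append("id not on authorized list; no callback")
        return False
    # Step 3: call back. The number dialled comes from the list on file, never
    # from the caller; a presented number that differs is logged and ignored.
    if session.caller_number != number_on_file:
        session.events.append(
            f"presented number {session.caller_number} differs from number on file; ignored")
    session.events.append(f"call back {number_on_file}")
    session.connected_to = number_on_file
    return True


def run_constructed_calls() -> List[DialBackSession]:
    """Three constructed calls: an authorized ID from its number on file, an
    unknown ID, and an authorized ID presented from some other number."""
    calls = [
        DialBackSession("ayres", "555-0101"),
        DialBackSession("nobody", "555-0199"),
        DialBackSession("brown", "555-0199"),
    ]
    for call in calls:
        dial_back(call)
    return calls


if __name__ == "__main__":
    for call in run_constructed_calls():
        print(f"{call.claimed_id:>7}: connected_to={call.connected_to}")
        for event in call.events:
            print("    ", event)
```

The third constructed call is the one to study: the ID is valid but the presenting number is not the one on file, and the procedure still calls the number on file. Note also what the procedure does not do: it vouches for a telephone line, not for the person at it or for the data exchanged afterwards, which travels exactly as the PC sends it. That is the gap the publication's preference for encryption as the "sure method" is aimed at.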
Again, PC data transmission and communication attacks are addressed in the publication. However, the publication is most concerned with security of a stand-alone PC. [Ref. 33: p. 1]
LIST OF REFERENCES

1. Schell, Roger R., Lt Col, USAF, "Computer Security: the Achilles' Heel of the Electronic Air Force?" Air University Review, Vol. XXX, No. 2, pp. 16-33, January-February 1979.
2. Defense Investigative Service, Department of Defense, Computer Security Awareness Circular, DoD 5220.22-M, Defense Security Institute, Richmond, VA, January 1986.
3. Websters New World Compact Dictionary of Computer Terms, Simon and Schuster, Inc., New York, 1983.
4. Stallings, William, Tutorial Local Network Technology, IEEE Computer Society Press, 1983.
5. Dupuy, T. N., Col USA, Ret., In Search of an American Philosophy of Command and Control, preliminary draft, OS3636, Architecture of C3 Information Systems, course handout, Naval Postgraduate School, Summer Quarter, 1986.
6. Wohl, Joseph G., "Force Management Decision Requirements for Air Force Tactical Command and Control," in IEEE Transactions on Systems, Man, and Cybernetics, Vol. SMC-11, No. 9, pp. 618-638, September 1981.
7. Rullo, Thomas A. (ed), Advances in Distributed Processing Management Volume 1, Heyden, 1980.
8. Cheong, V. E. and Hirschheim, R. A., Local Area Networks Issues, Products, and Developments, John Wiley and Sons, 1983.
9. Ulmen, Patrick A., "The Impact of Commercial Computer Technology on C3I," Signal, pp. 67-72, March 1985.
10. Foss, Ronald W., "Processing Environments for Dispersed Command and Control," Signal, pp. 87-93, April 1986.
11. Lackey, R. D., "Penetration of Computer Systems - An Overview," Honeywell Computer Journal, Vol. 8, No. 2, pp. 81-85, September 1974.
12. Prevention Committee, President's Council on Integrity and Efficiency, Computers: Crimes, Clues and Controls, U.S. Government Printing Office, Washington, D.C., March 1986.
13. Department of the Army, Headquarters, Automation Security, Army Regulation 380-380, U.S. Government Printing Office, Washington, D.C., 8 March 1985.
14. Stallings, William, "Local Network Overview," reprinted from Signal, January 1983, in Tutorial Local Network Technology, pp. 7-11, IEEE Computer Society Press, 1983.
15. Wood, David C., "A Cable-Bus Protocol Architecture," reprinted from Proceedings of the Sixth Data Communications Symposium, November 1979, in Tutorial Local Network Technology, pp. 186-194, IEEE Computer Society Press, 1983.
16. Stallings, William, Data and Computer Communications, Macmillan Publishing Company, 1985.
17. Rosenthal, R., "Transmission Media," The Selection of Local Area Computer Networks, reprinted from NBS Special Publication 500-96, November 1982, in Tutorial Local Network Technology, pp. 19-34, IEEE Computer Society Press, 1983.
18. Shoch, John F., and others, "Evolution of the Ethernet Local Computer Network," reprinted from Computer, August 1982, Institute of Electrical and Electronics Engineers, Inc., in Tutorial Local Network Technology, pp. 39-54, IEEE Computer Society Press, 1983.
19. Department of Defense Computer Institute, course material from "Managing Automated Information Systems Resource Protection (RP-2-86)," National Defense University, Washington Navy Yard, November 1985.
20. U.S. Department of the Army, Information Security Program, Army Regulation 380-5, U.S. Government Printing Office, Washington, D.C., 15 February 1985.
21. Department of Defense Computer Security Center, Department of Defense Trusted Computer System Evaluation Criteria, CSC-STD-001-83, U.S. Government Printing Office, Washington, D.C., 15 August 1983.
22. Assistant Secretary of Defense (Comptroller), ADP Security Manual Techniques and Procedures for Implementing, Deactivation, Testing, and Evaluating Secure Resource-Sharing ADP Systems, DoD Manual 5200.28-M, U.S. Government Printing Office, Washington, D.C., January 1973.
23. U.S. Department of the Army, Automatic Data Processing Management, Army Regulation 18-7, U.S. Government Printing Office, Washington, D.C., 30 November 1984.
24. U.S. Department of the Army, Data Processing Installation Review/Evaluation Checklist, Pamphlet 18-4, U.S. Government Printing Office, Washington, D.C., 1 September 198o.
25. U.S. Department of the Army, Automatic Data Processing Review Guide, Pamphlet 18-7, U.S. Government Printing Office, Washington, D.C., 3 December 1985.
26. Deputy Secretary of Defense, Computer Security Evaluation Center, DoD Directive 5215.1, U.S. Government Printing Office, Washington, D.C., 25 October 1982.
27. U.S. Department of the Army, Automatic Data Processing Equipment Operations Management, Technical Bulletin 18-107, U.S. Government Printing Office, Washington, D.C., 3 February 1986.
28. U.S. Department of the Army, Army Automation Management, Army Regulation 18-1, U.S. Government Printing Office, Washington, D.C., 15 September 1980.
29. U.S. Department of the Army, Communications Security, Army Regulation 530-2, U.S. Government Printing Office, Washington, D.C., 1 September 1982.
30. U.S. Department of the Army, Communications Security Monitoring, Army Regulation 380-53, U.S. Government Printing Office, Washington, D.C., 15 November 1984.
31. Websters Ninth New Collegiate Dictionary, Merriam-Webster Inc., 1984.
32. Deputy Secretary of Defense, Security Requirements for Automatic Data Processing (ADP) Systems, DoD Directive 5200.28, U.S. Government Printing Office, Washington, D.C., 18 December 1972.
33. National Computer Security Center, Personal Computer Security Considerations, NCSC-WA-002-85, U.S. Government Printing Office, Washington, D.C., December 1985.
34. U.S. Department of the Army, Army Automation Life Cycle Management, Technical Bulletin 18-100, U.S. Government Printing Office, Washington, D.C., 15 August 1981.
35. Brown, Thomas J., Maj, USAF, instructor, course lecture material from Telecommunication Networks, CM4502, Naval Postgraduate School, Winter Quarter, 1987.
36. Defense Investigative Service, Department of Defense, Industrial Security Manual for Safeguarding Classified Information, DoD 5220.22-M, U.S. Government Printing Office, Washington, D.C., 1 March 1984.
37. Sidhu, Deepinder P., Gasser, Morrie, "A Multilevel Secure Local Area Network," reprinted from Proceedings of the Symposium on Security and Privacy, April 1982, in Tutorial Local Network Technology, pp. 281-287, IEEE Computer Society Press, 1983.
38. Dietz, Lawrence, Capt, USA, "Microcomputer Security," C2 Mug Bulletin, Publication of the Command Control Microcomputer Users Group, Communications-Electronics Command, Vol. VI, No. 9, pp. 4-6, December 198:>.
39. Chorafas, Dimitris N., The Handbook of Data Communications and Computer Networks, Petrocelli Books, 1985.
40. Naval Electronics System Command, Naval Research Laboratory, An Approach to Determining Computer Security Requirements for Navy Systems, by Carl E. Landwehr and H. O. Lubbes, 13 May 1985.
41. Broestl, Howard E., Maj, USAF, Security Implications of Local Area Networks (LAN), paper required for graduation from Air Command and Staff College, Air University, Maxwell AFB, 24 October 1984.
INITIAL DISTRIBUTION LIST

No. Copies

1. Defense Technical Information Center
Cameron Station
Alexandria, Virginia 22304-6145

2. Library, Code 0142
Naval Postgraduate School
Monterey, California 93943-5002

3. Department of the Army
Director, USA Combat Developments Experimentation Center
Attn: ATEC-IM (Mr. R. Davis)
Fort Ord, California 93941-7000

4. Department of the Army
Director, USA Combat Developments Experimentation Center
Attn: ATEC-IM (CPT Peter J. Blakney Jr.)
Fort Ord, California 93941-7000

5. Department of the Army
Director, USA Combat Developments Experimentation Center
Attn: ATEC-IM (Technical Information Center)
Fort Ord, California 93941-7000

6. Thomas J. Brown, Maj, USAF, Code 62Bb
Department of Electrical Engineering
Naval Postgraduate School
Monterey, California 93943

7. Joint Command, Control and Communications Academic Group
Code 39
Naval Postgraduate School
Monterey, California 93943

8. Jeffrey D. Ayres, Capt, USAF
Box 1893
APO, New York 09021

9. Michael G. Sovereign, Code 74
Joint Command, Control and Communications Academic Group
Naval Postgraduate School
Monterey, California 93943