
The computer network security problem is not merely a communications problem, but rather a complex set of problems that are due to the multi-system nature of nets. In effect, the network environment adds this new dimension to the multiuser, multi-resource problems of a single system, and therefore requires additional security controls beyond those of single systems. The most viable mechanisms proposed to date are the Security Controller and Intelligent Cryptographic Device, which were originally described by Branstad (BRA-72) in a paper which formed the starting point for our investigation. Initially, this approach looked very promising, and as our investigation proceeded, it appeared even more appropriate as a basic solution to the problems of network security. The deeper we probed, the more convinced we became that this approach does represent the correct solution, that the necessary technology is available, and that such mechanisms are needed now, and will be needed even more in future years as networks become increasingly prevalent.

The problems of network security are many-faceted, and therefore presented us both with technical problems and with the problem of how to organize this material for presentation. We chose to consider the network as consisting of several levels, and proceeded in a top-down analysis involving: (1) the policy and requirements issues, (2) the HOST/SC systems, (3) the ICD's, and (4) the communications network. Within each level, we considered the issues related to authentication, authorization, connection establishment, connection usage, security monitoring and security assurance. While this systematic scan of the network security considerations resulted in a large number of design issues and tradeoffs, the more salient portions of the analysis are felt to be those related to:

• Determining the security vulnerabilities of a computer network and defining requirements to ensure network security.

• The controlled establishment of connections via the SC.

• The rigid adherence to maintaining the appropriate separation of protocol layers (at physical and abstract levels) in the design.

• The preliminary design of the SC including its control program and duplexed hardware considerations.

• Error control considerations at each level.

• The network interface considerations for the user, HOST computers, and ICD's.

• Establishing the basic requirements for the ICD (e.g., control primitives, relay capability, buffering, multiplexing, and error control).

• An analysis of the various communication net architectures, and their security strengths and vulnerabilities.

• Defining auxiliary mechanisms for a secure net (Net Security Center) and for networks of networks (Gateways).

In addition to technical considerations, we treated procedural and economic aspects whenever possible. The cost of the SC and ICD's is difficult to estimate due to the large number of unknowns related to quantities, packaging considerations, testing, etc., but no unforeseen expenses were uncovered in the investigation. The performance impact due to security is also very dependent upon operational considerations, but is estimated to be very small. Some improvements may occur where the high level of system integrity is reflected in improved reliability and availability, and some degradation may occur due to the security overhead.

In conclusion, the SC/ICD approach will provide the necessary control mechanisms to handle the complications of the network environment, and to provide a viable and evolutionary approach to achieving this goal in both existing and future networks.

BIBLIOGRAPHY

AND-72 Anderson, J. P., "Computer Security Technology Planning Study," ESD-TR-73-51, Vol I & II, Oct. 1972.

AUE-74 Auerbach, K., "An Analysis of WWMCCS ADP Security; Vol 2 Data Communication Networks," SDC Tech Memo TM-WD-5733/004/00, March 1974.

AUP-73 Aupperle, E. M., "MERIT Network Re-examined," COMPCON 73, Feb. 1973, pp. 25-29.

BAR-64 Baran, P., "On Distributed Communications: Vol IX, Security, Secrecy, and Tamper-Free Considerations," RAND Memorandum, RM-3765-PR, August 1964.

BBN-74A Bolt Beranek and Newman, "Interface Message Processors for the ARPA Computer Network," Rept. 2717, Jan. 1974.

BBN-74B Bolt Beranek and Newman, "Interface Message Processors for the ARPA Computer Network," Rept. 2816, April 1974.

BLA-73 Blanc, R. P., et al, "Annotated Bibliography of the Literature on Resource Sharing Computer Networks," Nat Bur of Stds, NBS Spec. Pub. 384, Sept. 1973. (See WOO-76)

BLA-74 Blanc, R. P., "Review of Computer Networking Technology," NBS Tech Note #804, Jan. 1974.

BOU-73 Bouknight, W. J., et al, "The ARPA Network Terminal System - A New Approach to Network Access," Third Data Communications Symposium (IEEE and ACM), Nov. 1973, pp. 73-79.

BRA-73 Branstad, D. K., "Security Aspects of Computer Networks," AIAA Computer Network Conference, April 1973.

BUS-74 Bushkin, A. A., "A Framework for Computer Security," SDC Tech Memo TM-WD-5733, March 1974.

CER-74 Cerf, V. G., "An Assessment of ARPANET Protocols," ARPA Net Working Group Note #635, April 1974.

CRA-73 Craig, D., "Computer Networks; A Bibliography with Abstracts," Tech Info. Center, NTIS-WIN-73-087, COM-73-11977/8WC, Nov. 1973.

CRO-72 Crocker, S. D., et al, "Function-Oriented Protocols for the ARPA Computer Network," SJCC Proceedings, 1972, pp. 271-279.

CRO-73 Crowther, W., et al, "Reliability Issues in the ARPA Network," Third Data Communications Symposium (IEEE and ACM), Nov. 1973, pp. 159-160.

DAV-73 Davies, D. W., and Barber, D., "Communication Networks for Computers," Wiley, 1973.

FAR-72 Farber, D. J., "Networks: An Introduction," Datamation, April 1972, pp. 36-39.

FAR-72A Farr, M.A.L., et al, "Security for Computer Systems," Pub. by National Comp. Centre, Ltd., London.

FAR-73 Farber, D. J., et al, "The Distributed Computer System," Seventh
Annual IEEE Comp. Soc. Int. Conf., March 1973.

FAR-74 Farber, D. J. and Vittal, J., "Extendability Considerations in the Design of the Distr. Comp. Sys.," UC Irvine Technical Paper, 1974.

GAR-73 Garwick, J., "Security Controller Design" and "The Security Profiles of Users and Files and their use for Access Control," SDC Tech Memo TM-5211 Vols 4 and 7 respectively, August 1973.

GAR-74 Garwick, J., "Programming the Security Controller," SDC Tech Memo TM-5346/000, June 1974.

GRY-74 Grycner, H., "Fault Detection in the Security Controller," SDC Tech Memo TM 5346/001, August 1974.

HAR-73 Harrison, A., "Computer Information Security and Protection: A Bibliography with Abstracts," NTIS-WIN-73-052, Oct. 1973.

HAS-73 Hassing, T. E., et al, "A Loop Network for General Purpose Data Communications in a Heterogeneous World," Third Data Communications Symposium (IEEE and ACM), Nov. 1973, pp. 88-96.

HIC-70 Hicken, G. M., "Information Network of Computers," in Fourth Gen. Computer User Req'mts and Transition, F. Gruenberger (Ed), Prentice-Hall, 1970, pp. 31-58.

HIC-71 Hicken, G. M., "Experience with an Information Network," Fifth Annual IEEE Computer Society Conf., Sept. 1971, pp. 169-170.

JAC-69 Jackson, P. E. and Stubbs, C. D., "A Study of Multi-Access Computer Communications," 1969 SJCC, pp 491-504.

JON-73 Jones, A. K., "Protection Structures," PhD Thesis, Carnegie-Mellon Univ., 1973.

KAT-73 Katzan, H. Jr., "Computer Data Security," Van Nostrand Reinhold Co., 1973.

KAU-74 Kaufman, D. J., "Access Control Information in a Computer Network," SDC Tech Memo TM-5346/002, August 1974.

LAM-69 Lampson, B. W., "Dynamic Protection Structures," 1969 FJCC, pp 27-38.
