The purpose of our investigation is to define the security issues related to this complex network environment, and to determine the tradeoffs related to possible approaches and mechanisms which could resolve these issues. The end result of the study, as reflected in this report, is to be a pre-development specification with the scope as defined in the statement of work: "Analyze several computer network configurations with respect

An excellent starting point for the investigation was available in the paper by D. K. Branstad, "Security Aspects of Computer Networks" (BRA-73)*, which discussed many of the relevant issues. However, our study extends his efforts both in depth and in the breadth of issues considered.

Figure 1-1 shows the general configuration of a secure network assumed for the purpose of this study. A set of computer systems (HOST computers) and terminals are to be interconnected via an arbitrary communications network, but under the control of a local "Security Controller" and cryptographic devices. Assuming that each of the individual HOST systems is secure when operated in its own separate environment, we investigate the set of problems that occur when they are integrated into a loose federation, with certain global constraints and controls placed over these otherwise autonomous local centers.

* All bibliographic references are made in this abbreviated form of author and year of publication.

The need for cryptographic devices is apparent, since the communications net is "open" to any would-be penetrator, but the cryptographic devices can provide much more than communications line security. Unfortunately, many people feel that the use of cryptographic equipment "solves the security problem," while in reality this equipment should be viewed as only one element of a larger total system design for security.
An Air Force Security Study panel summarized this matter as follows (AND-72):

"Though considerable financial resources and management attention

"Currently, most secure computer systems achieve their security

"Conceptually, the network can be viewed as a "supracomputer system." The network security requirements then are different from those of most of its members, because the "supracomputer" operates essentially as a multi-level, multi-compartment, multi-user computer system. The network's security vulnerability is that each network node (i.e., the computer system operated by a participating agency) is unprepared for multi-level, multi-compartment use by users over which it exerts limited, if any, control. Furthermore, the problem often goes unrecognized, since management erroneously assumes security integrity because the supracomputer interconnections are via secured (often crypto) communications lines."

As the preceding quote indicates, the real problem area in network security is the lack of global control over users, where "users" must be interpreted as any combination of persons and the systems operating on their behalf. This loss of control can be reflected in any of several security problems, including:

1. Problems due to the large number of possible combinations of persons operating from different terminal stations at different sites, with different authorizations for different resources at different sites, each of which has different classifications and compartments, etc.
2. N-th party problems, in which processes operate on the
3. The autonomous nature of each network participant creates
4. The problem that one compromised HOST may be used to
5. The problems in which one operating system (or data base) work HOST's (the network cancer problem; either accidental
6. The potential problems related to a distributed attack on

These examples are by no means all of the network security problems, but they represent the larger scope of problems above and beyond those of individual resource-sharing systems. The examples also indicate that mechanisms are needed to prevent, or at least constrain, the spread of security compromises within the net. If this is not done, the network may be no stronger than its weakest node, an unacceptable condition in any federation of entities. Network security must, therefore, be as independent as possible of the security of the separate autonomous nodes.

At this point it is appropriate to define what we mean by "computer network security." First, a computer network can be defined as an interconnected set of independent (or dependent) computer systems which communicate to share information and service resources in order to provide needed user services.* Dependence among computer systems may come about in any of several degrees, e.g., directly dependent processes, as in a distributed computer system (FAR-73), or, more subtly, computer centers that become increasingly dependent upon each other for services that would normally have been provided locally. Another point of emphasis in the definition is the meeting of user needs: a mechanism is of questionable value unless it meets the needs of its ultimate users, and this is one of the fundamental concerns in the investigation and specification of a secure network.

The definition of security, in the sense of a secure computer network, involves three basic aspects of protection: (1) providing controlled access to resources, (2) providing controlled use of those resources, and (3) providing assurance that the desired level of protection is maintained. This definition was extended from that of Peterson and Viet (PET-71) and