The purpose of our investigation is to define the security issues related to this complex network environment, and to determine the tradeoffs related to possible approaches and mechanisms which could resolve these issues. The end result of the study, as reflected in this report, is to be a pre-development specification with the scope as defined in the statement of work:

"Analyze several computer network configurations with respect
to their ability to support end-to-end security (protection of
information from originator to final destination) on all possible
communication paths in the network. The effort shall yield
specifications which include communication protocol, switching
techniques, and protection techniques at such a level that a
secure network development may be specified and initiated."

An excellent starting point for the investigation was available in the paper by D. K. Branstad, "Security Aspects of Computer Networks" (BRA-73)*, which discussed many of the relevant issues. However, our study extended his efforts both in depth and by including a broader scope of issues.

Figure 1-1 is the general configuration of a secure network assumed for the purpose of this study. A set of computer systems (HOST computers) and terminals are to be interconnected via an arbitrary communications network, but under the control of a local "Security Controller" and cryptographic devices.

Assuming that each of the individual HOST systems is secure when operated in its own separate environment, we investigate the set of problems that occur when they are integrated into a loose federation, with certain global constraints and controls being placed over these otherwise autonomous local centers.

* All bibliographic references will be made by this abbreviated form of author and year of publication.


The need for cryptographic devices is apparent since the communications net is "open" to any would-be penetrators, but the cryptographic devices can provide much more than communications line security.

Unfortunately, many people feel that the use of cryptographic equipment "solves the security problem," while in reality this equipment should be viewed as only one element of a larger total system design for security. An Air Force Security Study panel summarized this matter as (AND-72):

"Though considerable financial resources and management attention are drawn to the communications security aspects of networking (an important but well understood technology) the security problem of computer networking is not a communications problem but another more sophisticated instance of multi-level computer operating system security.

"Currently, most secure computer systems achieve their security integrity by prohibition of multi-level and multi-compartment security operation. The computer is operated at a single, appropriately high security level for its needs, with all personnel and operating procedures controlled within the USAF/DOD established security framework. Networking ties two or more of these computer systems together; more often than not, systems dissimilar in equipment, configuration, purpose, management, and security control procedures. An example of the networking problem is the connection of the SAC SATIN network with AUTODIN network for both the receipt and transmission of information.

"Conceptually, the network can be viewed as a "supracomputer system." The network security requirements then are different than most of its members because the "supra computer" operates essentially as a multi-level, multi-compartment, multi-user computer system. The network's security vulnerability is that each network node (i.e., the computer system operated by a participating agency) is unprepared for multi-level, multi-compartment use by users over which it exerts limited, if any, control. Furthermore, the problem often goes unrecognized since management erroneously assumes security integrity because the supracomputer interconnections are via secured (often crypto) communications lines."

As mentioned in the preceding quote, the real problem area in network security is lack of global control over users, where "users" must be interpreted as any combination of persons and systems operating on their behalf. This loss of control can be reflected in any of several security problems, including:

1. Problems due to the large number of possible combinations of persons operating from different terminal stations at different sites with different authorizations for different resources at different sites, each of which has different classifications and compartments, etc.

2. N-th party problems in which processes operate on the behalf of a requestor, perhaps many levels removed, and may spawn other sub-processes, etc. (perhaps on several different HOSTs).

3. The autonomous nature of each network participant creates problems in that each domain of control may have differing methods, interpretations, etc. for providing security.

4. The problem that one compromised HOST may be used to penetrate yet another (the "domino effect").

5. The problems in which one operating system (or data base) may become faulty in a manner that spreads to other network HOSTs (the network cancer problem; either accidental or malicious).

6. The potential problems related to a distributed attack on one system by two or more other systems (analogous to the asynchronous attacks on conventional multi-user systems).

These examples are by no means all of the network security problems, but represent the larger scope of the problems above and beyond that of individual resource-sharing systems. The examples also indicate that mechanisms are needed to prevent, or at least constrain, the spread of security compromises within the net. If this is not done, the network may not be any stronger than its weakest node, an unacceptable condition in any federation of entities. Network security must, therefore, be as independent as possible of the security of the separate autonomous nodes.
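The N-th party problem (item 2) and the domino effect (item 4) both come down to what a local Security Controller checks when a request arrives from another HOST. The model below is an added illustration, not code from the report: three constructed HOSTs (A, B, C), a simplified linear clearance scale, and two controller policies. Under "trust_caller" the controller believes the system-high level of the HOST that forwards a request; under "check_originator" it ignores the caller and checks the clearance of the person the chain of processes ultimately acts for, which the first-hop controller bound into the request. Host names, resource names and the `Request`/`Host`/`SecurityController` types are all assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed clearance/classification scale (assumption: a simple linear order,
# no compartments) used only for this illustration.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Request:
    originator: str          # person the chain of processes ultimately acts for
    origin_level: str        # originator's clearance, bound by the first-hop controller
    path: Tuple[str, ...]    # HOSTs traversed so far; path[-1] is the immediate caller


@dataclass
class Host:
    name: str
    level: str                   # level the HOST itself operates at (system-high)
    resources: Dict[str, str]    # resource name -> classification


def forward(req: Request, via: str) -> Request:
    """A process on HOST `via` re-issues the request on the originator's behalf."""
    return Request(req.originator, req.origin_level, req.path + (via,))


class SecurityController:
    """Local controller in front of each HOST. Two policies are contrasted:
    'trust_caller'     - believe the calling HOST's system-high level;
    'check_originator' - ignore the caller, check the bound originator."""

    def __init__(self, hosts: Dict[str, Host], policy: str):
        self.hosts = hosts
        self.policy = policy

    def authorize(self, target: str, resource: str, req: Request) -> bool:
        classification = self.hosts[target].resources[resource]
        if self.policy == "trust_caller":
            caller = self.hosts[req.path[-1]]
            return LEVELS[caller.level] >= LEVELS[classification]
        return LEVELS[req.origin_level] >= LEVELS[classification]


def compromised_reach(ctl: SecurityController, compromised: str,
                      served: List[Request]) -> Set[Tuple[str, str]]:
    """Resources on the other HOSTs that a penetrator holding `compromised`
    could read. Under trust_caller the penetrator can mint requests freely,
    since only the caller's level is examined; under check_originator it can
    only forward requests the HOST legitimately received, whose originator
    was bound upstream, so the reach is limited to those users' clearances."""
    if ctl.policy == "trust_caller":
        candidates = [Request("anyone", "UNCLASSIFIED", (compromised,))]
    else:
        candidates = [forward(r, compromised) for r in served]
    reach: Set[Tuple[str, str]] = set()
    for target, host in ctl.hosts.items():
        if target == compromised:
            continue
        for res in host.resources:
            if any(ctl.authorize(target, res, r) for r in candidates):
                reach.add((target, res))
    return reach


# Constructed federation: an UNCLASSIFIED HOST, a SECRET HOST, a TOP SECRET HOST.
HOSTS = {
    "A": Host("A", "UNCLASSIFIED", {"bulletin": "UNCLASSIFIED"}),
    "B": Host("B", "SECRET", {"ops-plan": "SECRET"}),
    "C": Host("C", "TOP SECRET", {"ops-plan": "SECRET", "sigint": "TOP SECRET"}),
}

# N-th party case: an UNCLASSIFIED user at A asks SECRET HOST B to fetch from C.
CLERK = Request("clerk", "UNCLASSIFIED", ("A",))


def nth_party(policy: str) -> bool:
    """Is the clerk's request, relayed through B, granted at C?"""
    ctl = SecurityController(HOSTS, policy)
    return ctl.authorize("C", "ops-plan", forward(CLERK, "B"))


def domino(policy: str) -> Set[Tuple[str, str]]:
    """B is penetrated while serving one legitimately bound CONFIDENTIAL user."""
    ctl = SecurityController(HOSTS, policy)
    served = [Request("auditor", "CONFIDENTIAL", ("A",))]
    return compromised_reach(ctl, "B", served)


if __name__ == "__main__":
    for policy in ("trust_caller", "check_originator"):
        print(policy, "nth_party granted:", nth_party(policy),
              "domino reach:", sorted(domino(policy)))
```

Under "trust_caller" the clerk's UNCLASSIFIED request is granted at C simply because B, the relay, runs system-high SECRET, and a penetrated B reaches every SECRET-or-lower resource on A and C; under "check_originator" the clerk is refused and the penetrated B reaches only what its current CONFIDENTIAL user could read anyway. The second policy only helps if the originator binding cannot be altered by an intermediate HOST, which is where the report's remark that the cryptographic devices can provide "much more than communications line security" applies: a forged originator field collapses the check back into the first policy.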

At this time, it seems appropriate to define what we mean by "computer network security." First, a computer network can be defined as an interconnected set of independent (or dependent) computer systems which communicate to share information and service resources in order to provide needed user services.* Dependence among computer systems may come about in any of several degrees, e.g., either directly dependent processes such as in a distributed computer system (FAR-73) or, more subtly, when computer centers become increasingly dependent upon each other for services that would normally have been provided locally. Another point of emphasis in the definition is the meeting of user needs; a mechanism is of questionable value unless it meets the needs of its ultimate users, and this is one of the fundamental concerns in the investigation and specification of a secure network.

The definition of security in the sense of a secure computer network involves three basic aspects of protection: (1) providing controlled access to resources, (2) providing controlled use of those resources, and (3) providing assurance that the desired level of protection is maintained.

At

* This definition was extended from that of Peterson and Viet (PET-71) and Farber (FAR-72).
