
this point we first encounter a question in defining the boundaries for "network security," which also reflects on our definition of a network--are the HOST computers considered part of the "network"? In theory, one should answer this question with an unequivocal "yes" (e.g., the supracomputer notion of the quoted ESD report); but in practice, one must often segment the problem into data processing and data communication aspects due to the autonomous nature of the local computer centers, and/or the administrative separation of data processing and communication areas. This investigation of computer network security is based on the following:

1. Both the data processing and communications functions will be considered as generally as possible.

2. The investigation will focus on the interface between the data processing and communications functions; i.e., the intermediate layer of equipment required when separately secure HOST systems are to be interconnected via an "open" communications network.

3. The investigation will also consider the resulting impact on both the data processing and communications functions in order to provide this secure interconnection.

4. Globally-defined network security mechanisms should augment rather than replace local (individual HOST) mechanisms.

Aside from the "political" reasons for the fourth point (the HOSTs are autonomous), augmentation rather than replacement also provides an evolutionary approach to network integration and to the development of centralized security mechanisms which can gradually assume more of the total security functions.

We are then faced with two questions: (1) what global security-related policies must be developed to ensure network security; and (2) by what global and/or local mechanisms can those policies be implemented? The basic policy issues can be derived directly from our three-part definition of security:

1. Provide controlled access to resources.

   All requesters of network services must be identified and authenticated, and their access request must be checked to ensure that it is authorized prior to establishing a connection (logical or physical) between the requester and the resource.

2. Provide controlled usage of these resources.

   Although this is primarily the responsibility of the HOST providing the resource, the network interface must provide whatever functions it can to augment the HOST protective measures.

3. Provide assurance that the desired level of protection is maintained.

   Two related areas of networking policy relate to maintaining a desired level of security: (1) monitoring or surveillance of network usage, and (2) ensuring the adequacy and integrity of the security mechanisms.

These three basic policy issues will be discussed in detail in later sections of the report, as will various issues and tradeoffs related to mechanisms which can be used to implement policies. These considerations can be viewed in a top-down manner by first exploring the policy, administrative, and requirements issues, which then reflect downward into HOST-level mechanism issues. These, in turn, help to define the cryptographic device level issues, which then further define the issues related to the communications network. Each of the major levels forms a separate chapter of the report to clearly separate the functions and tradeoffs within the separate mechanisms.

For each of these levels, one must consider all of the categories from the definition of security; these general topics become the sub-chapter headings within each of the top-down layers.

This report will (1) define the critical issues and problems that relate to network security, (2) describe the various mechanisms which might implement the policy/solutions, and (3) discuss the tradeoffs which relate to these mechanisms at each of the various levels.

The organization of the report is such that it can be separated into reasonably independent discussions of the policy and requirements, the global security control mechanisms, the distributed cryptographic mechanisms, and the communications network. Alternatively, the issues related to the individual topics of authentication, authorization, etc. can be separated by selecting the appropriate sub-chapters, e.g., sections 2.1, 3.1, 4.1, and 5.1 for authentication issues. However, it is recommended that the document be considered in its entirety, since even the individual, separable aspects should be viewed within the scope of the overall networking problems.

2. NETWORK SECURITY POLICY AND REQUIREMENTS ISSUES

The network security problem, like all security problems, exists because hostile elements would "misuse" certain valuable resources if given an opportunity. The nature of these hostile elements and of the resources to be protected leads to the development of appropriate policy issues and system requirements which, when implemented by security mechanisms, lead to some prescribed level of protection. This protection can never be absolute, and does not necessarily apply beyond some predefined set of threats.

We assume for this investigation that the nature of the hostile elements and the resources to be protected in a DOD environment is well known, and do not address these matters any further. However, the policy and requirements issues related to how these threats are to be countered are very much of concern, since these matters establish the top-level constraints and requirements for our investigation, and thereby define what functions our security mechanisms must provide. Subsequent sections of this report will address the tradeoffs related to how these mechanisms might operate, but for the present, we will discuss what general forms of protection must be provided.

Many network security issues are straightforward extensions to those of any multi-user, resource-sharing computer, while others are unique to the multi-system environment of a network. These unique problems are the primary concern of this investigation, but in the interest of completeness, we shall also briefly describe the general problems. Similarly, other issues must be addressed if a secure network (or any network) is to be viable; for example, the concern for the user-to-network interface. These non-security issues will be discussed for areas which have been problems for other networks.

Certain matters under discussion must remain as generally open issues*, since adequate solutions have not yet been defined (particularly in the areas related to heterogeneous systems). Where possible, we will recommend some action to close these issues, at least within a particular network environment.

If a network is to provide controlled access of requestors to resources, the control mechanisms associated with these resources must have some way of determining and verifying the identity of the requestors. We use the term identification to mean the process of determining who or what an entity claims to be, and refer to the process of verifying this claim as authentication (e.g., by using a password). The security aspects of concern are primarily those of authentication, since identification problems tend to be based on operational issues (e.g., whether Social Security numbers should be used as identifiers). Therefore, we will concentrate on authentication, addressing the following topics:

• Authentication of persons and devices

• Process and HOST level authentication

• Distributed versus centralized authentication checking

• N-th party authentication
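The following Python sketch is an added illustration, not part of the report, of the controlled-access policy stated in item 1 above and of the identification/authentication distinction just drawn. It models the decision the network interface must make for each connection request: resolve the claimed identity, verify the claim, check authorization, and only then establish the connection. It also covers the "composite entity" case of a person at a terminal fitted with an authentication device, by requiring every component of the entity to pass. All names, secrets and the access table are constructed sample data, and the salted PBKDF2 verifier stands in for whatever authenticator a given system would actually use.

```python
"""Added example (not from the report): a gatekeeper for the intermediate layer
between a HOST and an "open" network, enforcing identify -> authenticate ->
authorize -> connect. Every identity, secret and access entry is constructed."""

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed work factor for the PBKDF2 password/device-secret verifier.
ITERATIONS = 50_000


def derive_verifier(secret: str, salt: bytes) -> bytes:
    """Derive a stored verifier so the gateway never holds the secret itself."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)


@dataclass(frozen=True)
class Principal:
    """A registered entity, person or device; both use the same mechanism."""
    name: str
    salt: bytes
    verifier: bytes


def enroll(name: str, secret: str) -> Principal:
    salt = secrets.token_bytes(16)
    return Principal(name, salt, derive_verifier(secret, salt))


# Constructed registry: one person and one terminal-attached authentication device.
REGISTRY = {
    p.name: p
    for p in (enroll("alice", "correct horse battery"),
              enroll("term-07", "device-secret-0x2a"))
}

# Decoy principal with an unguessable secret: unknown names are checked against
# it so a bad name costs the same time as a bad secret.
DECOY = enroll("<nobody>", secrets.token_hex(32))

# Constructed authorization table: (requester, resource) pairs allowed to connect.
ACCESS = {
    ("alice", "host-b:payroll"),
    ("term-07", "host-b:payroll"),
    ("alice", "host-c:mail"),
}


def identify(claimed_name: str) -> Optional[Principal]:
    """Identification: resolve who the requester claims to be. Nothing is trusted yet."""
    return REGISTRY.get(claimed_name)


def authenticate(principal: Principal, secret: str) -> bool:
    """Authentication: verify the claim against the stored verifier, in constant time."""
    candidate = derive_verifier(secret, principal.salt)
    return hmac.compare_digest(candidate, principal.verifier)


def authorize(principal: Principal, resource: str) -> bool:
    """Authorization: may this now-verified requester reach this resource?"""
    return (principal.name, resource) in ACCESS


def request_connection(credentials: List[Tuple[str, str]],
                       resource: str) -> Tuple[bool, str]:
    """Decide a connection request for a simple or composite entity.

    `credentials` holds (claimed name, authenticator) pairs; a person at a
    terminal with an attached authentication device presents two. Each
    component is identified, authenticated and authorized in that order, and
    the first failure refuses the connection before anything is established.
    """
    if not credentials:
        return False, "no identity presented"
    for claimed, secret in credentials:
        principal = identify(claimed)
        # Run the verifier even for an unknown name (against DECOY), and give
        # one outward answer for "unknown name" and "wrong secret", so the
        # interface does not confirm which identifiers are registered.
        verified = authenticate(principal or DECOY, secret) and principal is not None
        if not verified:
            return False, f"authentication failed for {claimed!r}"
        if not authorize(principal, resource):
            return False, f"{claimed!r} not authorized for {resource!r}"
    names = "+".join(claimed for claimed, _ in credentials)
    return True, f"connected {names} -> {resource}"


if __name__ == "__main__":
    print(request_connection([("alice", "correct horse battery"),
                              ("term-07", "device-secret-0x2a")], "host-b:payroll"))
    print(request_connection([("alice", "wrong")], "host-b:payroll"))
    print(request_connection([("term-07", "device-secret-0x2a")], "host-c:mail"))
```

Two points of the sketch carry over to any real interface of this kind: authorization is evaluated only on a principal that has already been authenticated, never on the bare claim, and a refusal at any step returns before a logical or physical connection exists, so a failed requester never reaches the HOST's own (augmented, not replaced) controls.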

2.1.1 Authentication Of Persons And Devices

All entities which can affect security must be uniquely identified and authenticated. In the most straightforward case, an entity would have a globally unique name and an appropriate authenticator. More complex situations arise for "composite entities" and environment-dependent entities. An example of the former is the attachment of an authentication device to a terminal. If such a device is non-forgeable, non-removable, and is otherwise adequately protected with physical and procedural controls,

* As a prime example of the open-endedness of many critical issues, consider the attributes of "security" itself, e.g., how can one quantitatively express the adequacy of a given approach to security.
