Advanced
C4I systems include networks of computers that
provide real-time situation data for military decision makers and a
means of directing response to a situation. These networks collect
data from sensors and subordinate commands. That data is fused with
the existing situation status data and presented by the C4I system to
decision makers through display devices. C4I networks today may
incorporate two general types of networks: networks of Multi-level
Secure (MLS) Systems, and Intranets of single level systems. Figure 5
shows the relevant major security components of a C4I computer system
network.

Figure 5: Computer System Security in C4I Systems
This technology description is tutorial in nature. It provides a
general overview of key concepts and introduces key technologies.
Detailed discussions of the individual technologies can be found in
the referenced technology descriptions.
Some computers in the network are hosts that collect and process
data. A host can be a mainframe, a server, a workstation, or a PC. It
may perform the function of an application processor, a communication
processor, a database processor, a display processor, or a
combination. The security mode for the host may be single-level or
multi-level. A single-level host processes all data as though it were
at one security level. A multi-level host can process data at different
security levels, identify and isolate data in the appropriate levels
or categories, and distribute data only to the appropriately cleared
users.
C4I systems benefit from multi-level security implementations
because C4I systems fuse data from sources with a wide range of
security levels and provide status, warning data, or direction to war
fighting systems that may be at lesser security levels. An MLS
operating system (see Multi-Level Secure One Way Guard with Random
Acknowledgment) provides the software that makes a host MLS. A
particular kind of MLS host is the Compartmented Mode Workstation
(CMW). A CMW is an MLS host that has been evaluated to satisfy the
Defense Intelligence Agency CMW requirements [Woodward 87] in addition
to the Trusted Computer System Evaluation Criteria [DoD 85]. An MLS
host may use an MLS DBMS (see Multi-Level Secure Database Management
Schemes) to store and retrieve data at multiple security levels. An
MLS guard provides a secure interface across a security boundary
between systems operating at different security levels or modes.
MLS guards may allow data across the interface
automatically or may require manual review of data and approval of
transfer on an attached terminal. They also may control data transfer
across the interface in both directions or be limited to allowing
data to be transferred one way, usually from the low security level
side of a security boundary to the high security level side. One-way
guards are usually the easiest to implement and accredit for use.
Data integrity is an issue with one-way guards because an
acknowledgment message cannot be used. Recent research in one-way
guards has addressed allowing an acknowledgment message (see
Multi-Level Secure One Way Guard with Random Acknowledgment).
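The guard behaviour described above, as an added example that is not part of the original technology description: a toy guard model in Python showing why a one-way guard blocks the acknowledgment along with all other high-to-low traffic, and how manual review holds a transfer until it is approved. The class, function and message names are assumptions made for illustration.

```python
from collections import deque

LOW, HIGH = 0, 1   # the two sides of the security boundary


class Guard:
    """Toy model of an MLS guard between a low side and a high side."""

    def __init__(self, one_way=True, manual_review=False):
        self.one_way = one_way              # allow low-to-high transfers only
        self.manual_review = manual_review  # hold transfers for a human reviewer
        self.pending = deque()              # transfers awaiting a decision
        self.delivered = []                 # (destination side, message) pairs

    def submit(self, src, dst, message):
        """Return 'blocked', 'pending' or 'delivered' for one transfer request."""
        if src == dst:
            raise ValueError("guard only handles cross-boundary transfers")
        if self.one_way and src > dst:
            return "blocked"                # high-to-low, acknowledgments included
        if self.manual_review:
            self.pending.append((dst, message))
            return "pending"
        self.delivered.append((dst, message))
        return "delivered"

    def review(self, approve):
        """Reviewer at the attached terminal decides the oldest pending transfer."""
        dst, message = self.pending.popleft()
        if approve:
            self.delivered.append((dst, message))
        return "delivered" if approve else "rejected"


def send_with_ack(guard, message):
    """Low side sends, high side tries to acknowledge; returns both outcomes."""
    sent = guard.submit(LOW, HIGH, message)
    ack = guard.submit(HIGH, LOW, "ACK:" + message)
    return sent, ack


if __name__ == "__main__":
    # Constructed message name; the sender never learns whether it arrived.
    print(send_with_ack(Guard(one_way=True), "track-001"))
    print(send_with_ack(Guard(one_way=False), "track-001"))
```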
Intranets use the same kind of networking software (e.g., TCP/IP,
Telnet, Netnews, DNS, browsers, home pages) that
is used on the Internet, but Intranets use them on a private
dedicated network. They are in essence a private Internet. They are
used in a growing number of ways in many military and corporate
networks including mission performance, off-line processing of raw
data, administrative support, and mail networks. They may be
incorporated into C4I systems using firewalls or proxies (see
Firewalls and Proxies) and MLS guards. Firewalls or proxies may be
used to provide a security interface to the Internet. If the Intranets
are to be connected to MLS systems, they must be connected through MLS
guards. In an environment with Intranet hosts, a major concern is
Virus Detection and Intrusion Detection. PCs on a network are
particularly susceptible to virus attacks from other hosts on the
network or the Internet. PCs are also vulnerable to viruses carried on
floppy disks. Since PCs are now in most homes, transfer of files from
home to work via floppy disk creates a risk of introducing a virus
into the Intranet. PCs are
more vulnerable to viruses than UNIX-based workstations or mainframes
because the PC has no memory protection hardware and the operating
system (DOS and Windows) allows a program to access any part of
memory or disk.
Security across the networks in a C4I system is crucial.
Traditionally this security is provided by physically protecting the
equipment and cables in the network for localized networks. When that
is not possible, the network connections are encrypted using
encryption hardware in the communications paths.
End-to-end encryption is an alternative that
encrypts the data using software before it is put on the network and
decrypts it after it has been taken off of the network. Then
non-encrypted circuits can be used for communications.
Any encryption system involves the distribution of keys used by
the encryption algorithm for the encryption/decryption of messages
and data. Encryption keys must be replaced periodically to enhance
security or when the key has been compromised or lost. Traditionally
these keys have been distributed through couriers or encrypted
circuits. Public key cryptography provides a means of electronic
encryption key distribution that can lower the security risk and
administrative workload associated with encryption.
Data integrity is another issue associated with the networks used
in C4I systems. Public Key Digital Signatures and providing for
Nonrepudiation in Network Communications are two means to enhance
data integrity. Public key digital signatures, which make use of public
key encryption and message authentication codes, are a means to
authenticate that data came from the person identified as the sender
and that the data has not been modified. The nonrepudiation process
uses a digital signature and a trusted arbitrator process to assure
that a particular message has been sent and received and to establish
the time when this occurred.
MLS systems require specialized knowledge to build, accredit, and
maintain. The cost of MLS systems can be high. The system development
overhead and operational performance overhead associated with MLS
systems are substantial. They are difficult to implement in an "open"
configuration because open requirements sometimes conflict with MLS
requirements. On the other hand, using MLS techniques may be the only
allowable way to construct some C4I systems. Operational security
vulnerabilities may be unacceptable without MLS implementations.
Procedural security approaches, as a non-MLS alternative, may be too
slow for an operational C4I system. A single-level system approach may be
too restrictive. For example, a secret single-level system that
contains unclassified, confidential, and secret data will not release
confidential data to a user who is cleared for confidential and needs
the data. That is because the system cannot determine what data is
confidential rather than secret. Further usage discussions are
addressed in individual technology descriptions.
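The difference between the multi-level host described earlier and the secret single-level system in the example above, as an added Python sketch that is not part of the original technology description. It uses a simple label dominance check; the record names and the ALPHA category are constructed for illustration.

```python
from dataclasses import dataclass

# Sensitivity levels named in the page's example, lowest to highest.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2}


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()   # compartments (names are constructed)

    def dominates(self, other):
        """True if this label is at least as high and holds every category."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


@dataclass(frozen=True)
class Record:
    name: str
    label: Label


def mls_release(records, clearance):
    """MLS host: every record keeps its own label; release what the user dominates."""
    return [r.name for r in records if clearance.dominates(r.label)]


def single_level_release(records, clearance, system_level="secret"):
    """Single-level host: it cannot tell records apart, so each one is treated
    as being at the system level with every category present on the host."""
    all_categories = frozenset().union(*(r.label.categories for r in records))
    system_high = Label(system_level, all_categories)
    return [r.name for r in records if clearance.dominates(system_high)]


# Constructed sample data and users.
RECORDS = [
    Record("weather_report", Label("unclassified")),
    Record("unit_status", Label("confidential")),
    Record("ops_plan", Label("secret")),
    Record("sensor_feed", Label("secret", frozenset({"ALPHA"}))),
]
CONFIDENTIAL_USER = Label("confidential")
SECRET_USER = Label("secret")
SECRET_ALPHA_USER = Label("secret", frozenset({"ALPHA"}))

if __name__ == "__main__":
    for user in (CONFIDENTIAL_USER, SECRET_USER, SECRET_ALPHA_USER):
        print(user, mls_release(RECORDS, user), single_level_release(RECORDS, user))
```

The confidential user receives the unclassified and confidential records from the MLS host and nothing from the single-level host, which is the restriction the paragraph describes.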
The National Security Agency (NSA) Multilevel
Information Systems Security Initiative (MISSI) is an evolutionary
effort intended to provide better MLS capability in a cost-effective
manner [MISSI 96]. This effort was initiated after the Gulf War when it was
recognized that war fighting commanders needed MLS systems in order
to incorporate intelligence and other highly classified data into
their planning and operations in a timely manner. The MISSI effort is
developing a set of building block products that can be obtained
commercially to construct an MLS system. The initial products include
the FORTEZZA crypto cards and associated
FORTEZZA ready workstation applications to control access to and
protect data on a workstation in a network environment. Other
products include high-assurance guards and firewalls to provide
access control and encryption services between the local security
boundary and external networks. MISSI will also include secure
computing products that provide high-trust operating systems and
application programs for MLS hosts, and network encryption and
security management products. These products can be incorporated into
developing MLS systems as the products become available.
See individual technologies.
This technology is classified under the following categories.
| Name of technology | Computer System Security - an Overview |
| Application category | Information Security (AP.2.4) |
| Quality measures category | Security (QM.2.1.5) |
| Computing reviews category | Operating Systems Security & Protection (D.4.6), Security & Protection (K.6.5), Computer-Communications Networks Security and Protection (C.2.0) |
| [Abrams 95] | Abrams, Marshall D.; Jajodia, Sushil; & Podell, Harold J. Information Security: An Integrated Collection of Essays. Los Alamitos, CA: IEEE Computer Society Press, 1995. |
| [Woodward 87] | Woodward, John. Security Requirements for High and Compartmented Mode Workstations (MTR 9992, DDS 2600-5502-87). Washington, DC: Defense Intelligence Agency, 1987. |
| [DoD 85] | Department of Defense (DoD) Trusted Computer System Evaluation Criteria (TCSEC) (DoD 5200.28-STD 1985). Fort Meade, MD: Department of Defense, 1985. Also available WWW <URL: http://www.radium.ncsc.mil/tpep/library/rainbow/5200.28-STD.html> (1985). |
| [MISSI 96] | MISSI Web site [online]. Available WWW <URL: http://beta.missilab.com> (1996). |
| [Russel 91] | Russel, Deborah & Gangemi, G.T. Sr. Computer Security Basics. Sebastopol, CA: O'Reilly & Associates, Inc., 1991. |
| [White 96] | White, Gregory B.; Fisch, Eric A.; & Pooch, Udo W. Computer System and Network Security. Boca Raton, FL: CRC Press, 1996. |
Tom Mills, Lockheed Martin
Brian Gallagher, SEI
8 July 97: added reference to MLS One-Way Guard with Random Ack.
20 June 97: updated URL for [MISSI 96]
10 Jan 97 (original)