Military Communications and Information Technology: A Trusted ...
Military Communications and Information Technology: A Trusted ... Military Communications and Information Technology: A Trusted ...
112 Military Communications and Information Technology... The basic IT Security Architecture is based upon the RuDi Outline Concept Chapter 6.5.2 and Chapter 6.9.1 [18]. In the BI-SC AIS/NNEC SOA Implementation Guidance [19] NATO document, the layers depicted in Figure 3 are classified as IT security technology that RuDi is also based upon. Figure 3. Example of a layer-based security architecture The IT security architecture of the Reference Environment for Services is based on two components: • Elementary / basic protection (basic security of the classified Bundeswehr LAN on network level) Elementary protection: the Virtual Private Network (VPN) technology protects the transmitted information from undesired access by setting up a “tunnel” protected by powerful cryptographic mechanisms that is going through insecure networks. Basic protection: The encryption by means of HAIPE, NINE or SINA with its IPSec internet protocol is based on the network level. • Object protection (security on information level) Object protection is used to secure objects – information objects – by way of authentication, encryption, integrity securing and labeling (signature). Generally, the SOA framework is an addition to the existing elementary / basic protection, which it uses. The elementary / basic protection is not described and analyzed in any more detail in this document. RuDi implements object protection on the information level (application and web services) in the IT security architecture. Certificate / Key structure in RuDi Put in technical terms, an X.509 certificate is a data construct that includes a user’s public key, their personal data and a digital signature of the relevant certificate authority (CA). RuDi security is based upon certificates in accordance with the X.509 v3 standard. Using a root certificate, every user is able to verify whether the information signed by means of these certificates and the following certificate chain is authentic.
Chapter 2: Communications and Information Technology for Trusted... 113 An OpenDS is used as directory for certificates. It is based on the ACP 133 [20] format (ed. C or D) in order to be smoothly interoperable in the NATO context. Figure 4 shows an example of the CA structure (grayed out boxes) and an extract of the respective (Sub) CA certificate store. In the example Mission RootCA Straussberg forms the highest-level Root CA (layer 1). The SubCAs for operations (missions, layer 2) that may be located on a stationary IT system in the home country are derived from this Root CA. Figure 4. CA structure and extract of certificate store
- Page 61 and 62: CFBLNet: A Coalition Capability Ena
- Page 63 and 64: Chapter 1: Concepts and Solutions f
- Page 65 and 66: Chapter 1: Concepts and Solutions f
- Page 67 and 68: Chapter 1: Concepts and Solutions f
- Page 69 and 70: Chapter 1: Concepts and Solutions f
- Page 71 and 72: Selected Aspects of Effective RCIED
- Page 73 and 74: Chapter 1: Concepts and Solutions f
- Page 75 and 76: Chapter 1: Concepts and Solutions f
- Page 77 and 78: Chapter 1: Concepts and Solutions f
- Page 79 and 80: Chapter 1: Concepts and Solutions f
- Page 81: Chapter 1: Concepts and Solutions f
- Page 84 and 85: 84 Military Communications and Info
- Page 86 and 87: 86 Military Communications and Info
- Page 88 and 89: 88 Military Communications and Info
- Page 90 and 91: 90 Military Communications and Info
- Page 92 and 93: 92 Military Communications and Info
- Page 94 and 95: 94 Military Communications and Info
- Page 96 and 97: 96 Military Communications and Info
- Page 98 and 99: 98 Military Communications and Info
- Page 100 and 101: 100 Military Communications and Inf
- Page 103: Chapter 2 Communications and Inform
- Page 106 and 107: 106 Military Communications and Inf
- Page 108 and 109: 108 Military Communications and Inf
- Page 110 and 111: 110 Military Communications and Inf
- Page 114 and 115: 114 Military Communications and Inf
- Page 116 and 117: 116 Military Communications and Inf
- Page 118 and 119: 118 Military Communications and Inf
- Page 120 and 121: 120 Military Communications and Inf
- Page 122 and 123: 122 Military Communications and Inf
- Page 124 and 125: 124 Military Communications and Inf
- Page 126 and 127: 126 Military Communications and Inf
- Page 128 and 129: 128 Military Communications and Inf
- Page 130 and 131: 130 Military Communications and Inf
- Page 132 and 133: 132 Military Communications and Inf
- Page 134 and 135: 134 Military Communications and Inf
- Page 136 and 137: 136 Military Communications and Inf
- Page 138 and 139: 138 Military Communications and Inf
- Page 140 and 141: 140 Military Communications and Inf
- Page 142 and 143: 142 Military Communications and Inf
- Page 144 and 145: 144 Military Communications and Inf
- Page 146 and 147: 146 Military Communications and Inf
- Page 149 and 150: Use of Cross Domain Guards for CoNS
- Page 151 and 152: Chapter 2: Communications and Infor
- Page 153 and 154: Chapter 2: Communications and Infor
- Page 155 and 156: Chapter 2: Communications and Infor
- Page 157 and 158: Chapter 2: Communications and Infor
- Page 159: Chapter 2: Communications and Infor
112 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
The basic IT Security Architecture is based upon the RuDi Outline Concept<br />
Chapter 6.5.2 <strong>and</strong> Chapter 6.9.1 [18].<br />
In the BI-SC AIS/NNEC SOA Implementation Guidance [19] NATO document,<br />
the layers depicted in Figure 3 are classified as IT security technology that<br />
RuDi is also based upon.<br />
Figure 3. Example of a layer-based security architecture<br />
The IT security architecture of the Reference Environment for Services is based<br />
on two components:<br />
• Elementary / basic protection (basic security of the classified Bundeswehr<br />
LAN on network level)<br />
Elementary protection: the Virtual Private Network (VPN) technology<br />
protects the transmitted information from undesired access by setting up<br />
a “tunnel” protected by powerful cryptographic mechanisms that is going<br />
through insecure networks.<br />
Basic protection: The encryption by means of HAIPE, NINE or SINA with<br />
its IPSec internet protocol is based on the network level.<br />
• Object protection (security on information level)<br />
Object protection is used to secure objects – information objects – by way<br />
of authentication, encryption, integrity securing <strong>and</strong> labeling (signature).<br />
Generally, the SOA framework is an addition to the existing elementary /<br />
basic protection, which it uses. The elementary / basic protection is not described<br />
<strong>and</strong> analyzed in any more detail in this document.<br />
RuDi implements object protection on the information level (application <strong>and</strong><br />
web services) in the IT security architecture.<br />
Certificate / Key structure in RuDi<br />
Put in technical terms, an X.509 certificate is a data construct that includes a user’s<br />
public key, their personal data <strong>and</strong> a digital signature of the relevant certificate authority<br />
(CA). RuDi security is based upon certificates in accordance with the X.509 v3<br />
st<strong>and</strong>ard. Using a root certificate, every user is able to verify whether the information<br />
signed by means of these certificates <strong>and</strong> the following certificate chain is authentic.