Military Communications and Information Technology: A Trusted ...
Military Communications and Information Technology: A Trusted ... Military Communications and Information Technology: A Trusted ...
132 Military Communications and Information Technology... IPSec and the XMPP protocol complements the Identity Management and offers a more “hardened” system. Besides, the discussion of requirements set on behalf of impartial and civilian NGOs has not been observed previously in the context of computing security research. The remainder of the paper is organized as follows: The next section articulates the technical non-functional requirements of the interconnection, followed by Section III where the proposed system configuration is described. Section IV gives a general introduction of Identity Management services, which are central to the proposed solution framework. Sections V-VII present the IdM prototype used for the evaluation experiment. Section VIII gives a brief presentation of the mechanisms bridging the IdM service invocation environment with the classified SOA environment. Section IX presents a set of problems related to the unconventional use of COTS products. Section X presents the experimental environment in which the framework was evaluated, and the paper finishes with a section containing some concluding remarks. II. Technical requirements The functional requirements for a Civilian-Military (CiMi) communication arrangement may be expressed in the following manner: A. COTS equipment and protocols The NGO should avoid the use of military communication equipment from reasons of impartiality and cost. A laptop computer or a smartphone is able to communicate over aWiFi link or a cellphone connection. Where possible, public communication service should be used, even though the military end of the connection would also need to link to a similar service. For longer ranges in environments without a communication service, civilian radio equipment with computer interface may be used. B. Protection of communication channel The CiMi connection must be a black network, i.e. it can run through any unprotected link. This supports the utilization of public network services or private radio links without any link crypto requirements. The end-to-end connection (possibly spanning several different links) must be protected with cryptographic equipment/software which is available for nonmilitary use, i.e.an IPSec tunnel protected with AES.
Chapter 2: Communications and Information Technology for Trusted... 133 C. Robustness of separation (fail-close) The separation of the NGO and the military equipment should have the failclose property (also called fail-safe). Fail-close means that in the event of a failure, system security should be preferred before connectivity. Any filtering or control mechanism should operate in a deny-allow order where the default action is to deny service. D. Authentication of participants Participants in the communication should be fully identified before or during the service. Authentication is the basis for resource control and auditing, and normally requires a registry of users and services where their identity is associated with the necessary credentials. Authentication across the CiMi interface should not require that the identities are registered on both sides: A Cross Domain mechanism should be in place where a trust relation between the registration authorities should allow mutual authentication across the interface without the need for multiple registration of identities. E. Role-based access control Since authentication does not require local registration of an identity, (cf. previous section) the decision to allow or deny participation in the service transaction cannot rely on the identity, but rather on roles or attributes associated with the identity. Role Based Access Control [3] should be the basis for the access control decisions, which enables the owner of a service to reserve its use for clients which possess certain roles. RBAC preserves the autonomy of domains and let them define and enforce their own independent security policies. F. Confidentiality labeling In the classification hierarchy found in military information management there is a need to decide if information kept in classified systems can be released for use on lower classification levels and even released to an NGO. One approach to achieve this is by means of confidentiality labels. They are cryptographically bound to the information object and can be automatically inspected by a guard. The guard is situated between networks of different classification levels and transfers object from high to low classification based on the confidentiality label and a transfer policy. The guard provides an isolation between two military networks and adds to the separation between the unclassified military network and the NGO.
- Page 81: Chapter 1: Concepts and Solutions f
- Page 84 and 85: 84 Military Communications and Info
- Page 86 and 87: 86 Military Communications and Info
- Page 88 and 89: 88 Military Communications and Info
- Page 90 and 91: 90 Military Communications and Info
- Page 92 and 93: 92 Military Communications and Info
- Page 94 and 95: 94 Military Communications and Info
- Page 96 and 97: 96 Military Communications and Info
- Page 98 and 99: 98 Military Communications and Info
- Page 100 and 101: 100 Military Communications and Inf
- Page 103: Chapter 2 Communications and Inform
- Page 106 and 107: 106 Military Communications and Inf
- Page 108 and 109: 108 Military Communications and Inf
- Page 110 and 111: 110 Military Communications and Inf
- Page 112 and 113: 112 Military Communications and Inf
- Page 114 and 115: 114 Military Communications and Inf
- Page 116 and 117: 116 Military Communications and Inf
- Page 118 and 119: 118 Military Communications and Inf
- Page 120 and 121: 120 Military Communications and Inf
- Page 122 and 123: 122 Military Communications and Inf
- Page 124 and 125: 124 Military Communications and Inf
- Page 126 and 127: 126 Military Communications and Inf
- Page 128 and 129: 128 Military Communications and Inf
- Page 130 and 131: 130 Military Communications and Inf
- Page 134 and 135: 134 Military Communications and Inf
- Page 136 and 137: 136 Military Communications and Inf
- Page 138 and 139: 138 Military Communications and Inf
- Page 140 and 141: 140 Military Communications and Inf
- Page 142 and 143: 142 Military Communications and Inf
- Page 144 and 145: 144 Military Communications and Inf
- Page 146 and 147: 146 Military Communications and Inf
- Page 149 and 150: Use of Cross Domain Guards for CoNS
- Page 151 and 152: Chapter 2: Communications and Infor
- Page 153 and 154: Chapter 2: Communications and Infor
- Page 155 and 156: Chapter 2: Communications and Infor
- Page 157 and 158: Chapter 2: Communications and Infor
- Page 159: Chapter 2: Communications and Infor
- Page 162 and 163: 162 Military Communications and Inf
- Page 164 and 165: 164 Military Communications and Inf
- Page 166 and 167: 166 Military Communications and Inf
- Page 168 and 169: 168 Military Communications and Inf
- Page 170 and 171: 170 Military Communications and Inf
- Page 172 and 173: 172 Military Communications and Inf
- Page 174 and 175: 174 Military Communications and Inf
- Page 176 and 177: 176 Military Communications and Inf
- Page 178 and 179: 178 Military Communications and Inf
- Page 180 and 181: 180 Military Communications and Inf
Chapter 2: <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong> for <strong>Trusted</strong>...<br />
133<br />
C. Robustness of separation (fail-close)<br />
The separation of the NGO <strong>and</strong> the military equipment should have the failclose<br />
property (also called fail-safe). Fail-close means that in the event of a failure,<br />
system security should be preferred before connectivity. Any filtering or control<br />
mechanism should operate in a deny-allow order where the default action is to<br />
deny service.<br />
D. Authentication of participants<br />
Participants in the communication should be fully identified before or during<br />
the service. Authentication is the basis for resource control <strong>and</strong> auditing, <strong>and</strong><br />
normally requires a registry of users <strong>and</strong> services where their identity is associated<br />
with the necessary credentials. Authentication across the CiMi interface should not<br />
require that the identities are registered on both sides: A Cross Domain mechanism<br />
should be in place where a trust relation between the registration authorities should<br />
allow mutual authentication across the interface without the need for multiple<br />
registration of identities.<br />
E. Role-based access control<br />
Since authentication does not require local registration of an identity, (cf.<br />
previous section) the decision to allow or deny participation in the service transaction<br />
cannot rely on the identity, but rather on roles or attributes associated with<br />
the identity. Role Based Access Control [3] should be the basis for the access control<br />
decisions, which enables the owner of a service to reserve its use for clients which<br />
possess certain roles. RBAC preserves the autonomy of domains <strong>and</strong> let them define<br />
<strong>and</strong> enforce their own independent security policies.<br />
F. Confidentiality labeling<br />
In the classification hierarchy found in military information management<br />
there is a need to decide if information kept in classified systems can be released<br />
for use on lower classification levels <strong>and</strong> even released to an NGO. One approach to<br />
achieve this is by means of confidentiality labels. They are cryptographically bound<br />
to the information object <strong>and</strong> can be automatically inspected by a guard. The guard<br />
is situated between networks of different classification levels <strong>and</strong> transfers object<br />
from high to low classification based on the confidentiality label <strong>and</strong> a transfer<br />
policy. The guard provides an isolation between two military networks <strong>and</strong> adds<br />
to the separation between the unclassified military network <strong>and</strong> the NGO.