Military Communications and Information Technology: A Trusted ...
• NS Federation Proxy, to control the policy-compliant flow of the identity and access attributes. Identity and access data processing is not explicitly addressed in the current NATO policy, which should be noted as a potential problem when defining policy rules at the Proxy.

Figure 2. Federation Topology at the NS Level

From the point of view of NATO as an Alliance, the federation component in the Gateway Zone would operate as the Alliance Federation Broker, enabling federation services in the NATO Alliance.

2) Federation Topology for NU/NR networks: taking into account the significant fragmentation of the NU/NR environment, the “Point-to-Point” option seems to be more appropriate. A consequence of this approach will be an overall mesh topology (Figure 3). Although more flexible, this topology is more difficult to manage and control. Accountability for the establishment and maintenance of trust relationships with external parties is pushed down to the level of a single domain.

The mesh topology should be adopted as an interim solution. It is anticipated that with implementation of the EBN concept at the NU/NR level, NATO will follow the same evolution path as the one laid out by the NS environment. When that happens, the “trust broker topology”, as proposed for the Bi-SC AIS NS area (Figure 2), would be more appropriate at the NU/NR level.
Chapter 4: Information Assurance & Cyber Defence

Figure 3. Federation Topology at the NU/NR Level

C. Public key operations and infrastructure

In Web-based federation solutions, asymmetric cryptography techniques are used to underpin trusted identity and access data flows. This implies the use of public-key operations. In sensitive, classified, policy-driven environments, like the NATO organization, the requirement to utilize public-key operations has to be translated into the requirement to deploy a Public Key Infrastructure (PKI). In NATO, this means using the NATO Public Key Infrastructure (NPKI), providing an assured foundation on top of which the NATO federation trust topology can be built. Without integration with the existing NPKI, the federation services in the NATO environment may not be considered a valid solution.

Currently, NATO is planning to deploy NPKI on two separate PKI branches, one on the NS domain and the other in support of NU/NR services. This structure directly reflects the sensitivity levels of information assets identified by the NATO Security Policy as well as, in a sense, the current NATO network topology logic.

From the federation services point of view, there are a number of challenges the NPKI needs to meet:

• the management and distribution of certificates and private keys, which will be solved by the NPKI itself;
• the validation of certificates. There are a number of approaches to this problem, e.g.: