NIST SP 800-119, Guidelines for the Secure Deployment of Ipv6

Total Page:16

File Type:pdf, Size:1020Kb

NIST SP 800-119, Guidelines for the Secure Deployment of Ipv6 Special Publication 800-119 Guidelines for the Secure Deployment of IPv6 Recommendations of the National Institute of Standards and Technology Sheila Frankel Richard Graveman John Pearce Mark Rooks NIST Special Publication 800-119 Guidelines for the Secure Deployment of IPv6 Recommendations of the National Institute of Standards and Technology Sheila Frankel Richard Graveman John Pearce Mark Rooks C O M P U T E R S E C U R I T Y Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899-8930 December 2010 U.S. Department of Commerce Gary Locke, Secretary National Institute of Standards and Technology Dr. Patrick D. Gallagher, Director GUIDELINES FOR THE SECURE DEPLOYMENT OF IPV6 Reports on Computer Systems Technology The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analysis to advance the development and productive use of information technology. ITL’s responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. This Special Publication 800-series reports on ITL’s research, guidance, and outreach efforts in computer security and its collaborative activities with industry, government, and academic organizations. National Institute of Standards and Technology Special Publication 800-119 Natl. Inst. Stand. Technol. Spec. Publ. 800-119, 188 pages (Dec. 2010) Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose. iii GUIDELINES FOR THE SECURE DEPLOYMENT OF IPV6 Acknowledgments The authors, Sheila Frankel of the National Institute of Standards and Technology (NIST), Richard Graveman of RFG Security, John Pearce of Booz Allen Hamilton and Mark Rooks of L-1 Identity Solutions (formerly of Booz Allen Hamilton) wish to thank their colleagues who reviewed drafts of this document and contributed to its technical content. The authors would like to acknowledge Tim Grance of NIST for his keen and insightful assistance and encouragement throughout the development of the document. The authors particularly want to thank Mark Carson, Doug Montgomery and Stephen Nightingale of NIST and Scott Hogg for their careful review and valuable contributions to improving the quality of this publication. The authors also appreciate the efforts of those individuals, agencies, and other organizations that contributed input during the public comment period, including John Baird, DREN; Alistair de B Clarkson, nCipher; Vint Cerf, Google; John Curran, ARIN; Terry Davis, Boeing; Francois Donze and Michael Scott Pontillo, HP; Jeffrey Dunn, Chern Liou, and Jeffrey Finke, Mitre; Fernando Gont, the UK Centre for the Protection of National Infrastructure (UK CPNI); Bob Grillo, US Army; Cecilia Hall, Don Radeke and Joseph Bertrand, USMC; J. Holland, David Leach, Sam Nguyen, M. Roed, Beth Scruggs, D. Wellington and Joe Williams, Aerospace Corp.; Ed Jankiewicz, SRI International; Ralph Kenyon, Caida; Lovell King II, Dept. of State; Joe Klein, IPv6 Security Researcher; Dan Luu, VA; Trung Nguyen, FAA; Carroll Perkins, Serco-NA; and Martin Radford, University of Bristol. iv GUIDELINES FOR THE SECURE DEPLOYMENT OF IPV6 Table of Contents Executive Summary ................................................................................................................. 1 1. Introduction ................................................................................................................... 1-1 1.1 Authority .................................................................................................................1-1 1.2 Purpose and Scope ................................................................................................1-1 1.3 Audience ................................................................................................................1-1 1.4 Document Structure ...............................................................................................1-1 2. Introduction to IPv6 ....................................................................................................... 2-1 2.1 Early History of IPv6 ...............................................................................................2-1 2.2 Limitations of IPv4 ..................................................................................................2-1 2.3 Major Features of the IPv6 Specification ................................................................2-2 2.3.1 Extended Address Space ........................................................................... 2-3 2.3.2 Autoconfiguration ....................................................................................... 2-3 2.3.3 Header Structure ........................................................................................ 2-3 2.3.4 Extension Headers ..................................................................................... 2-4 2.3.5 Mandatory Internet Protocol Security (IPsec) Support ................................ 2-4 2.3.6 Mobility ....................................................................................................... 2-4 2.3.7 Quality of Service (QoS) ............................................................................. 2-5 2.3.8 Route Aggregation ..................................................................................... 2-5 2.3.9 Efficient Transmission ................................................................................ 2-5 2.4 IPv4 and IPv6 Threat Comparison ..........................................................................2-5 2.5 Motivations for Deploying IPv6 ...............................................................................2-7 3. IPv6 Overview ................................................................................................................ 3-1 3.1 IPv6 Addressing .....................................................................................................3-2 3.1.1 Shorthand for Writing IPv6 Addresses ........................................................ 3-5 3.1.2 IPv6 Address Space Usage ....................................................................... 3-6 3.1.3 IPv6 Address Types ................................................................................... 3-7 3.1.4 IPv6 Address Scope ................................................................................... 3-7 3.1.5 IPv4 Addressing ......................................................................................... 3-9 3.1.6 IPv4 Classless Inter-Domain Routing (CIDR) Addressing ........................ 3-10 3.1.7 Comparing IPv6 and IPv4 Addressing ...................................................... 3-11 3.2 IPv6 Address Allocations ...................................................................................... 3-12 3.2.1 IPv6 Address Assignments ...................................................................... 3-12 3.2.2 Obtaining Globally Routable IPv6 Address Space .................................... 3-14 3.3 IPv6 Header Types, Formats, and Fields.............................................................. 3-16 3.4 IPv6 Extension Headers ....................................................................................... 3-18 3.5 Internet Control Message Protocol for IPv6 (ICMPv6) .......................................... 3-22 3.5.1 ICMPv6 Specification Overview ............................................................... 3-22 3.5.2 Differences between IPv6 and IPv4 ICMP ................................................ 3-25 3.5.3 Neighbor Discovery .................................................................................. 3-26 3.5.4 Autoconfiguration ..................................................................................... 3-28 3.5.5 Path Maximum Transmission Unit (PMTU) Discovery .............................. 3-29 3.5.6 Security Ramifications .............................................................................. 3-30 3.6 IPv6 and Routing .................................................................................................. 3-34 3.6.1 Specification Overview ............................................................................. 3-34 3.6.2 Security for Routing Protocols .................................................................. 3-35 v GUIDELINES FOR THE SECURE DEPLOYMENT OF IPV6 3.6.3 Unknown Aspects .................................................................................... 3-36 3.7 IPv6 and the Domain Name System (DNS) .......................................................... 3-36 3.7.1 DNS Transport Protocol ........................................................................... 3-37 3.7.2 DNS Specification Overview .................................................................... 3-37 3.7.3 Security Impact and Recommendations
Recommended publications
  • SIP Software for Avaya 1200 Series IP Deskphones-Administration
    SIP Software for Avaya 1200 Series IP Deskphones-Administration Release 4.4 NN43170-601 Issue 06.05 Standard July 2015 © 2015 Avaya Inc. list of Heritage Nortel Products located at http://support.avaya.com/ All Rights Reserved. LicenseInfo under the link “Heritage Nortel Products” or such successor site as designated by Avaya. For Heritage Nortel Notice Software, Avaya grants You a license to use Heritage Nortel While reasonable efforts have been made to ensure that the Software provided hereunder solely to the extent of the authorized information in this document is complete and accurate at the time of activation or authorized usage level, solely for the purpose specified printing, Avaya assumes no liability for any errors. Avaya reserves in the Documentation, and solely as embedded in, for execution on, the right to make changes and corrections to the information in this or for communication with Avaya equipment. Charges for Heritage document without the obligation to notify any person or organization Nortel Software may be based on extent of activation or use of such changes. authorized as specified in an order or invoice. Documentation disclaimer Copyright “Documentation” means information published by Avaya in varying Except where expressly stated otherwise, no use should be made of mediums which may include product information, operating materials on this site, the Documentation, Software, Hosted Service, instructions and performance specifications that Avaya may generally or hardware provided by Avaya. All content on this site, the make available to users of its products and Hosted Services. documentation, Hosted Service, and the product provided by Avaya Documentation does not include marketing materials.
    [Show full text]
  • Configuring DNS
    Configuring DNS The Domain Name System (DNS) is a distributed database in which you can map hostnames to IP addresses through the DNS protocol from a DNS server. Each unique IP address can have an associated hostname. The Cisco IOS software maintains a cache of hostname-to-address mappings for use by the connect, telnet, and ping EXEC commands, and related Telnet support operations. This cache speeds the process of converting names to addresses. Note You can specify IPv4 and IPv6 addresses while performing various tasks in this feature. The resource record type AAAA is used to map a domain name to an IPv6 address. The IP6.ARPA domain is defined to look up a record given an IPv6 address. • Finding Feature Information, page 1 • Prerequisites for Configuring DNS, page 2 • Information About DNS, page 2 • How to Configure DNS, page 4 • Configuration Examples for DNS, page 13 • Additional References, page 14 • Feature Information for DNS, page 15 Finding Feature Information Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
    [Show full text]
  • User Datagram Protocol - Wikipedia, the Free Encyclopedia Página 1 De 6
    User Datagram Protocol - Wikipedia, the free encyclopedia Página 1 de 6 User Datagram Protocol From Wikipedia, the free encyclopedia The five-layer TCP/IP model User Datagram Protocol (UDP) is one of the core 5. Application layer protocols of the Internet protocol suite. Using UDP, programs on networked computers can send short DHCP · DNS · FTP · Gopher · HTTP · messages sometimes known as datagrams (using IMAP4 · IRC · NNTP · XMPP · POP3 · Datagram Sockets) to one another. UDP is sometimes SIP · SMTP · SNMP · SSH · TELNET · called the Universal Datagram Protocol. RPC · RTCP · RTSP · TLS · SDP · UDP does not guarantee reliability or ordering in the SOAP · GTP · STUN · NTP · (more) way that TCP does. Datagrams may arrive out of order, 4. Transport layer appear duplicated, or go missing without notice. TCP · UDP · DCCP · SCTP · RTP · Avoiding the overhead of checking whether every RSVP · IGMP · (more) packet actually arrived makes UDP faster and more 3. Network/Internet layer efficient, at least for applications that do not need IP (IPv4 · IPv6) · OSPF · IS-IS · BGP · guaranteed delivery. Time-sensitive applications often IPsec · ARP · RARP · RIP · ICMP · use UDP because dropped packets are preferable to ICMPv6 · (more) delayed packets. UDP's stateless nature is also useful 2. Data link layer for servers that answer small queries from huge 802.11 · 802.16 · Wi-Fi · WiMAX · numbers of clients. Unlike TCP, UDP supports packet ATM · DTM · Token ring · Ethernet · broadcast (sending to all on local network) and FDDI · Frame Relay · GPRS · EVDO · multicasting (send to all subscribers). HSPA · HDLC · PPP · PPTP · L2TP · ISDN · (more) Common network applications that use UDP include 1.
    [Show full text]
  • Secure Shell Encrypt and Authenticate Remote Connections to Secure Applications and Data Across Open Networks
    Product overview OpenText Secure Shell Encrypt and authenticate remote connections to secure applications and data across open networks Comprehensive Data security is an ongoing concern for organizations. Sensitive, security across proprietary information must always be protected—at rest and networks in motion. The challenge for organizations that provide access to applications and data on host systems is keeping the data Support for Secure Shell (SSH) secure while enabling access from remote computers and devices, whether in a local or wide-area network. ™ Strong SSL/TLS OpenText Secure Shell is a comprehensive security solution that safeguards network ® encryption traffic, including internet communication, between host systems (mainframes, UNIX ™ servers and X Window System applications) and remote PCs and web browsers. When ™ ™ ™ ™ Powerful Kerberos included with OpenText Exceed or OpenText HostExplorer , it provides Secure Shell 2 (SSH-2), Secure Sockets Layer (SSL), LIPKEY and Kerberos security mechanisms to ensure authentication security for communication types, such as X11, NFS, terminal emulation (Telnet), FTP support and any TCP/IP protocol. Secure Shell encrypts data to meet the toughest standards and requirements, such as FIPS 140-2. ™ Secure Shell is an add-on product in the OpenText Connectivity suite, which encrypts application traffic across networks. It helps organizations achieve security compliance by providing Secure Shell (SSH) capabilities. Moreover, seamless integration with other products in the Connectivity suite means zero disruption to the users who remotely access data and applications from web browsers and desktop computers. Secure Shell provides support for the following standards-based security protocols: Secure Shell (SSH)—A transport protocol that allows users to log on to other computers over a network, execute commands on remote machines and securely move files from one machine to another.
    [Show full text]
  • Reverse DNS What Is 'Reverse DNS'?
    Reverse DNS Overview • Principles • Creating reverse zones • Setting up nameservers • Reverse delegation procedures What is ‘Reverse DNS’? • ‘Forward DNS’ maps names to numbers – svc00.apnic.net -> 202.12.28.131 • ‘Reverse DNS’ maps numbers to names – 202.12.28.131 -> svc00.apnic.net 1 Reverse DNS - why bother? • Service denial • That only allow access when fully reverse delegated eg. anonymous ftp • Diagnostics • Assisting in trace routes etc • SPAM identifications • Registration • Responsibility as a member and Local IR In-addr.arpa • Hierarchy of IP addresses – Uses ‘in-addr.arpa’ domain • INverse ADDRess • IP addresses: – Less specific to More specific • 210.56.14.1 • Domain names: – More specific to Less specific • delhi.vsnl.net.in – Reversed in in-addr.arpa hierarchy • 14.56.210.in-addr.arpa Principles • Delegate maintenance of the reverse DNS to the custodian of the address block • Address allocation is hierarchical – LIRs/ISPs -> Customers -> End users 2 Principles – DNS tree - Mapping numbers to names - ‘reverse DNS’ Root DNS net edu com arpa au apnic in-addr whoiswhois RIR 202202 203 210 211.. ISP 6464 22 .64.202 .in-addr.arpa Customer 2222 Creating reverse zones • Same as creating a forward zone file – SOA and initial NS records are the same as normal zone – Main difference • need to create additional PTR records • Can use BIND or other DNS software to create and manage reverse zones – Details can be different Creating reverse zones - contd • Files involved – Zone files • Forward zone file – e.g. db.domain.net • Reverse zone file – e.g. db.192.168.254 – Config files • <named.conf> – Other • Hints files etc.
    [Show full text]
  • Telnet Client 5.11 Ssh Support
    TELNET CLIENT 5.11 SSH SUPPORT This document provides This document describes how to install and configure SSH support in Wavelink Telnet Client 5.11. information on the SSH support available in Telnet Client 5.11 OVERVIEW OF SSH SUPPORT Secure Shell (SSH) is a protocol developed for transmitting private information over the Internet. SSH OVERVIEW encrypts data that is transferred over the Telnet session. • Overview of SSH The Telnet Client supports SSH version 1 and 2 and will automatically select the most secure protocol Support that the SSH server supports. • Installing Windows SSH Support This document describes the following: • Configuring the host • Installing Windows SSH support utility profile for SSH • Configuring the host profile for SSH support support • Deploying Windows • Deploying Windows SSH support to the device through Avalanche or ActiveSync SSH Support • Revision History INSTALLING WINDOWS SSH SUPPORT Installing SSH support is a two-step process. First, install SSH support on the PC from which you will deploy Telnet. Once you install SSH support on the PC, use Avalanche or ActiveSync to deploy the utility to the device. To install SSH support on your PC: 1. Obtain the installation executable for SSH support. NOTE: To obtain the Wavelink SSH support utility install, go to http://www.wavelink.com/downloads/ files/sshagreement.aspx. 2. Install SSH support on the PC from which you will deploy the Telnet Client. CONFIGURING THE HOST PROFILE FOR SSH SUPPORT SSH support is configured from the Host Profiles window of the configuration utility. NOTE: SSH is only an active option if SSH support has been installed on the PC running the Telnet Client configuration utility.
    [Show full text]
  • Routing Loop Attacks Using Ipv6 Tunnels
    Routing Loop Attacks using IPv6 Tunnels Gabi Nakibly Michael Arov National EW Research & Simulation Center Rafael – Advanced Defense Systems Haifa, Israel {gabin,marov}@rafael.co.il Abstract—IPv6 is the future network layer protocol for A tunnel in which the end points’ routing tables need the Internet. Since it is not compatible with its prede- to be explicitly configured is called a configured tunnel. cessor, some interoperability mechanisms were designed. Tunnels of this type do not scale well, since every end An important category of these mechanisms is automatic tunnels, which enable IPv6 communication over an IPv4 point must be reconfigured as peers join or leave the tun- network without prior configuration. This category includes nel. To alleviate this scalability problem, another type of ISATAP, 6to4 and Teredo. We present a novel class of tunnels was introduced – automatic tunnels. In automatic attacks that exploit vulnerabilities in these tunnels. These tunnels the egress entity’s IPv4 address is computationally attacks take advantage of inconsistencies between a tunnel’s derived from the destination IPv6 address. This feature overlay IPv6 routing state and the native IPv6 routing state. The attacks form routing loops which can be abused as a eliminates the need to keep an explicit routing table at vehicle for traffic amplification to facilitate DoS attacks. the tunnel’s end points. In particular, the end points do We exhibit five attacks of this class. One of the presented not have to be updated as peers join and leave the tunnel. attacks can DoS a Teredo server using a single packet. The In fact, the end points of an automatic tunnel do not exploited vulnerabilities are embedded in the design of the know which other end points are currently part of the tunnels; hence any implementation of these tunnels may be vulnerable.
    [Show full text]
  • IPV6 MIGRATION and ADOPTION in INDIA by Shweta Satao
    Episteme: an online interdisciplinary, multidisciplinary & multi-cultural journal Bharat College of Arts and Commerce, Badlapur, MMR, India Volume 8, Issue 3 December 2019 IPV6 MIGRATION AND ADOPTION IN INDIA By Shweta Satao Abstract One of the major reasons for the IPv6 transition is because the allocation of IPv4 address space is running out of control and is gradually being exhausted. Though the Regional Internet Registries of all the continents are still allocating IPv4 addresses. Annually hundreds of millions of new smart phones that require internet connectivity are being sold. These demands for mobile phone have made the demand for internet connectivity to be increasing exponentially. We are in the age of smart mobile devices, social networking, and cloud computing and other new internet developments that are linked to the internet. There is need for Service Providers to ensure there is good, smooth and reliable internet connectivity via IP addresses. These makes IP addresses critical resources that sustain the business growth of service providers and also sustains an exponential economic growth generated through the internet. As hundreds of millions of mobile users are connected to the internet, there is need for a network that is ready for an internet that have both IPv4 and IPv6 addresses “IPv4 and IPv6 networks are not directly interoperable but the technologies used in the transition mechanisms allow hosts on either network to be involved in networking with opposing networks”. The transition mechanisms include: - Dual Stack Techniques - IPv6 over IPv4 tunneling techniques: 6to4 tunnel, Tunnel broker, Manually Configured Tunnel, ISATAP tunnels, IPv6 over IPv4 GRE tunnel.
    [Show full text]
  • VRF-Aware Ipv6 Rapid Deployment Tunnel
    VRF-Aware IPv6 Rapid Deployment Tunnel Virtual Routing and Forwarding - aware tunnels are used to connect customer networks separated by untrusted core networks or core networks with different infrastructures (IPv4 or IPv6). The VRF-Aware IPv6 Rapid Deployment Tunnel feature extends Virtual Routing and Forwarding (VRF) awareness to IPv6 rapid deployment tunnels. • Finding Feature Information, on page 1 • Restrictions for the VRF-Aware IPv6 Rapid Deployment Tunnel, on page 1 • Information About the VRF-Aware IPv6 Rapid Deployment Tunnel, on page 2 • How to Configure the VRF-Aware IPv6 Rapid Deployment Tunnel, on page 2 • Feature Information for the VRF-Aware IPv6 Rapid Deployment Tunnel , on page 10 Finding Feature Information Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module. Use Cisco Feature Navigator to find information about platform support and software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required. Restrictions for the VRF-Aware IPv6 Rapid Deployment Tunnel The VRF- Aware IPv6 Rapid Deployment Tunnel feature has the following restrictions: • The incoming physical interface, and the tunnel interface should have the same VRF instance defined. • The tunnel transport VRF and the egress physical interface, through which the traffic leaves should have the same VRF instance defined.
    [Show full text]
  • Medium Access Control Layer
    Telematics Chapter 5: Medium Access Control Sublayer User Server watching with video Beispielbildvideo clip clips Application Layer Application Layer Presentation Layer Presentation Layer Session Layer Session Layer Transport Layer Transport Layer Network Layer Network Layer Network Layer Univ.-Prof. Dr.-Ing. Jochen H. Schiller Data Link Layer Data Link Layer Data Link Layer Computer Systems and Telematics (CST) Physical Layer Physical Layer Physical Layer Institute of Computer Science Freie Universität Berlin http://cst.mi.fu-berlin.de Contents ● Design Issues ● Metropolitan Area Networks ● Network Topologies (MAN) ● The Channel Allocation Problem ● Wide Area Networks (WAN) ● Multiple Access Protocols ● Frame Relay (historical) ● Ethernet ● ATM ● IEEE 802.2 – Logical Link Control ● SDH ● Token Bus (historical) ● Network Infrastructure ● Token Ring (historical) ● Virtual LANs ● Fiber Distributed Data Interface ● Structured Cabling Univ.-Prof. Dr.-Ing. Jochen H. Schiller ▪ cst.mi.fu-berlin.de ▪ Telematics ▪ Chapter 5: Medium Access Control Sublayer 5.2 Design Issues Univ.-Prof. Dr.-Ing. Jochen H. Schiller ▪ cst.mi.fu-berlin.de ▪ Telematics ▪ Chapter 5: Medium Access Control Sublayer 5.3 Design Issues ● Two kinds of connections in networks ● Point-to-point connections OSI Reference Model ● Broadcast (Multi-access channel, Application Layer Random access channel) Presentation Layer ● In a network with broadcast Session Layer connections ● Who gets the channel? Transport Layer Network Layer ● Protocols used to determine who gets next access to the channel Data Link Layer ● Medium Access Control (MAC) sublayer Physical Layer Univ.-Prof. Dr.-Ing. Jochen H. Schiller ▪ cst.mi.fu-berlin.de ▪ Telematics ▪ Chapter 5: Medium Access Control Sublayer 5.4 Network Types for the Local Range ● LLC layer: uniform interface and same frame format to upper layers ● MAC layer: defines medium access ..
    [Show full text]
  • Best Practices for Deploying Ipv6 Over Broadband Access
    WHITE PAPER Best Practices for Deploying IPv6 over Broadband Access www.ixiacom.com 915-0123-01 Rev. D, January 2016 2 Table of Contents Introduction ................................................................................................. 4 IPv6 Solutions for Broadband Access......................................................... 4 Translation ................................................................................................... 5 Tunneling ..................................................................................................... 5 Dual-Stack Lite (DS-Lite) ............................................................................ 5 IPv6 Rapid Deployment (6rd) ...................................................................... 6 Dual-Stack ................................................................................................... 8 How Dual-Stack PPP works ....................................................................... 8 Test Requirements ....................................................................................... 9 Testing Tunneling ......................................................................................... 9 Testing Dual-Stack PPP ............................................................................. 11 Conclusion ..................................................................................................12 3 Introduction Service Providers: The IPv6 Bell Tolls for Thee! After more than a decade of forewarning, the IPv4 to IPv6 transition has
    [Show full text]
  • PDF Version of DM3530-005
    CHAPTER 6 – PART 5 Encryption Security Standards 1 BACKGROUND All USDA agencies and staff offices need to transmit Sensitive But Unclassified (SBU) over open networks. In using IT to continuously improve mission performance, the USDA is becoming more interconnected to open networks and other emergent global networks. The openness of these networks enables malicious cyber attacks against sensitive USDA assets and increases the potential risk to sensitive information. This risk is compounded through the use of the Internet and other non-secure mediums such as Wireless Local Area Network technology, Microwave, and Radio technologies. This technology includes utilizing Laptops and Personal Electronic Devices (such as cellular telephones, pagers and hand held computers) to communicate and process USDA information from any location. Encryption methods can protect sensitive information during storage and transmission. They provide important functionality to reduce the risk of intentional and accidental compromise and alteration of data. Encryption algorithms use a mechanism called a key, which is used to render the information unreadable during transmission. While the information is encrypted it is mathematically protected against disclosure because it is cannot be read by some one who does not have a corresponding key to decrypt the information. Encryption methods serve as part of the USDA defense-in-depth strategy and provide reasonable protection of sensitive information at a comparatively low cost. The primary factor that must be considered when determining if encryption is required is data sensitivity. Data sensitivity is a measure of the importance and nature of the information processed, stored, and transmitted by an IT system to the organization’s mission and day-to-day operations.
    [Show full text]