Trusted Internet Connections (TIC) Reference Architecture Document Version 2.2
Total Page:16
File Type:pdf, Size:1020Kb
Trusted Internet Connections (TIC) Reference Architecture Document Version 2.2 Federal Interagency Technical Reference Architectures June 19, 2017 Federal Network Resilience Revision History Date Version Description Approved By 4/20/09 1.0 Agency feedback M.A. Brown, RADM, USN incorporated and released DAS Cybersecurity & Communications, DHS 3/24/2011 2.0 Capabilities and M. Coose architecture updated by the Director, Federal Network TIC 2.0 Working Group. Security, DHS Final version prepared by DHS. 9/1/2011 2.0 Final approval by OMB M. Coose and reference to M-11-11. Director, Federal Network Security, DHS 9/16/2013 2.0 Added Appendix H – John Streufert Cloud Considerations. Director, Federal Network Resilience, DHS 6/9/2017 2.2 Modified Secure Mark Kneidinger communications from Director, Federal Network Critical to Recommended Resilience, DHS TIC Reference Architecture V2.2 i Table of Contents ACKNOWLEDGEMENTS ........................................................................................................................................ 1 ORIGINAL TIC TECHNICAL ARCHITECTURE STRATEGY TEAM MEMBERS ................................................................. 1 KEY STAKEHOLDERS ................................................................................................................................................. 1 ADVISORS .................................................................................................................................................................. 2 TIC 2.0 UPDATE PARTICIPANTS................................................................................................................................. 2 TIC TECHNICAL ARCHITECTURE DOCUMENT TEAM MEMBERS ................................................................................ 2 INTRODUCTION ....................................................................................................................................................... 3 UPDATES AND CHANGES IN THE TIC 2.0 ARCHITECTURE .......................................................................................... 3 SCOPE OF THE DOCUMENT ......................................................................................................................................... 3 TIC POLICY REFERENCES .......................................................................................................................................... 4 TIC CLARIFICATION .............................................................................................................................................. 5 TIC TRUST RELATIONSHIPS ................................................................................................................................ 5 CONCEPTUAL TIC ARCHITECTURE .................................................................................................................. 7 SECURITY PATTERN FOR EACH CONNECTION CLASS ............................................................................... 8 SECURITY PATTERN #1: EXTERNAL CONNECTIONS ................................................................................................... 9 SECURITY PATTERN #2: INTER-AGENCY (INTERNAL PARTNERS) CONNECTIONS..................................................... 10 SECURITY PATTERN #3: INTRA-AGENCY (INTERNAL PARTNERS) CONNECTIONS .................................................... 12 SECURITY PATTERN #4: TIC SYSTEMS .................................................................................................................... 13 SECURITY FUNCTIONS, DESCRIPTIONS AND CHARACTERISTICS ....................................................... 16 SECURITY FUNCTION: PACKET FILTERING ............................................................................................................... 17 SECURITY FUNCTION: CONTENT FILTERING ............................................................................................................ 19 SECURITY FUNCTION: PROXY .................................................................................................................................. 20 SECURITY FUNCTION: IDPS .................................................................................................................................... 20 SECURITY FUNCTION: AUTHENTICATION ................................................................................................................ 22 SECURITY FUNCTION: REMOTE ACCESS .................................................................................................................. 24 SECURITY FUNCTION: MANAGEMENT ..................................................................................................................... 25 SECURITY FUNCTION: LOGGING .............................................................................................................................. 26 SECURITY FUNCTION: DATA STORAGE .................................................................................................................... 28 SECURITY FUNCTION: MONITORING ........................................................................................................................ 30 SECURITY FUNCTION: AUDIT ................................................................................................................................... 31 SECURITY FUNCTION: REPORTING ........................................................................................................................... 32 SECURITY FUNCTION: SECURE COMMUNICATIONS .................................................................................................. 33 SECURITY FUNCTION: RESPONSE ............................................................................................................................. 34 APPENDICES ............................................................................................................................................................ 36 APPENDIX A – DEFINITION OF EXTERNAL CONNECTION ......................................................................................... 36 APPENDIX B – TIC CAPABILITIES LIST .................................................................................................................... 41 APPENDIX C – GLOSSARY: COMMON TERMS AND DEFINITIONS .............................................................................. 50 APPENDIX D – ACRONYMS: COMMON ABBREVIATIONS .......................................................................................... 53 APPENDIX E – GUIDANCE FOR OCONUS TELEWORK/REMOTE ACCESS CONNECTIONS ......................................... 55 APPENDIX F – RECOMMENDATIONS FOR NETWORK TIME PROTOCOLS (NTP) ......................................................... 57 APPENDIX G – AGENCY DOMAIN NAME SYSTEM (DNS) DEPLOYMENT .................................................................. 58 APPENDIX H – CLOUD CONSIDERATIONS ................................................................................................................ 61 APPENDIX I – REFERENCES ...................................................................................................................................... 68 TIC Reference Architecture V2.2 ii Table of Figures FIGURE 1: CONCEPTUAL MODEL FOR TIC TRUST RELATIONSHIPS ................................................................................ 5 FIGURE 2: CONCEPTUAL TIC ARCHITECTURE ............................................................................................................... 7 FIGURE 3: TAXONOMY OF A SECURITY PATTERN .......................................................................................................... 8 FIGURE 4: EXTERNAL CONNECTION SECURITY PATTERN ............................................................................................ 10 FIGURE 5: INTER-AGENCY CONNECTION SECURITY PATTERN ..................................................................................... 11 FIGURE 6: INTRA-AGENCY CONNECTION SECURITY PATTERN .................................................................................... 13 FIGURE 7: TIC ACCESS POINT FUNCTIONAL BLOCK DIAGRAM ................................................................................... 14 FIGURE 8: TIC SYSTEMS SECURITY PATTERN ............................................................................................................. 15 FIGURE 9: RELATIONSHIP BETWEEN SECURITY FUNCTIONS AND CONNECTIONS CLASSES .......................................... 16 FIGURE 10: CURRENT TIC OCONUS SOLUTION ......................................................................................................... 56 FIGURE 11: PROPOSED REMOTE ACCESS FOR OCONUS CONNECTIONS SOLUTION .................................................... 56 FIGURE 12: GUIDANCE FOR IMPLEMENTING PRIMARY TIME SERVERS ......................................................................... 57 FIGURE 13: DNS ARCHITECTURE ................................................................................................................................. 58 FIGURE 14: D/A UNRESTRICTED-ACCESS DATA .......................................................................................................... 63 FIGURE 15: D/A RESTRICTED-ACCESS DATA ............................................................................................................... 64 FIGURE 16: D/A-TO-CSP CONNECTIVITY REQUIREMENTS ........................................................................................... 65 FIGURE