Tech Trend Notes Preview of Tomorrow’s Information Technologies

Volume: 9 Edition: 4 Fall 2000

Page 3

High-ReflectHigh-Reflectance,ance, RealReal TTimeime DielectricDielectric MirrorsMirrors IntrusionIntrusion DetectionDetection Page 12 Page 16

Focus - Page 22 Pointers - Page 32

Technology Forecasts - Page 28 Calendar of Events - Page 41 NetTop Commercial Technology in High Assurance Applications By Robert Meushaw and Donald Simard

Introduction of familiar COTS technology to our identify several investigated applica- users, but they believed that we tions, and suggest future capabilities. The decade of the nineties has would not be able to influence the been particularly challenging for the security of COTS technology for User Requirements National Security Agency's high assurance applications. The Information Assurance mission. The board challenged the Information The ISSO’s customers have long gradual but accelerating changeover Assurance Research Office to initi- identified shortcomings with the from government produced tech- ate a project to develop architectures security technology that was avail- nologies to commercial products and that would allow COTS technology able to them. One significant con- services has seriously eroded our to be used safely in high assurance cern is that their workspaces are ability to protect information applications. cluttered with equipment processed by the national security to support access to multiple net- community. Numerous government A Tiger Team was assembled for works of differing sensitivity. programs intended to produce high a one-year effort to develop an archi- Dealing with this duplication of assurance data systems and worksta- tectural approach to allow the safe equipment has long been a problem, tion platforms have been largely use of COTS in sensitive since there is no single system that unsuccessful, and the buying power Government applications. The user can support all of their access needs. of the government has not com- should see a familiar interface, e.g., A second concern is that government manded the attention of the IT Windows Operating developed security solutions have industry. The historical flow of tech- System (OS) and off-the-shelf appli- often been incompatible with other nology from government to industri- cation software, but achieve the standards-based IT products, which al and home users has largely been assurance needed for DoD use. The has significantly complicated the reversed. We often find technologies NSAAB suggested that one or more interfacing and upgrading of system that are more sophisticated in our government-off-the-shelf (GOTS) components. The cost and complexi- homes earlier than in our govern- components be included, preferably ty of network management is also a ment workspaces. The shortcomings as plug-ins; and their removal should steadily growing issue, particularly of our information assurance tech- allow the system to be used as a nor- in times of declining resources and nologies are further evidenced by the mal COTS machine. The notion of a mounting security concerns over the shift of R&D resources away from "Vault" was introduced as an outsourcing of support. Our cus- protection and into detection and accessible, protected enclave tomers also need the ability to move response initiatives. that would provide high assurance data across isolated networks in services to connected user machines. order to perform their daily tasks, To address these issues, during and the techniques to make such the summer of 1999 the NSA The results of the Tiger Team transfers efficient and safe. Finally, Advisory Board (NSAAB) reviewed effort are a proof-of-concept archi- the increased importance placed on the Information Systems Security tecture and a set of components that coalition operations brings new chal- Organization's (ISSO) commercial- are referred to as NetTop. The lenges for technology to securely off-the-shelf (COTS) strategy. The remainder of this article will support these operations. The archi- board acknowledged the need to describe the concept and technical tecture of the NetTop prototype sug- provide the functionality and the feel approach used in the architecture, gests a near-term approach that can

Fall 2000 Research & Advanced Technology Publication 1 provide a useful and practical set of capabilities to satisfy these needs.

An Initial Capability

To begin the development of the NetTop architecture, a modest, initial capability was sought. Opportunely, Figure 1 - Typical Virtual Private Network Client Configuration the ISSO's System Solutions Group identified an Internet-based version Recycling Technology tion software could be executed in of the Remote Access Security VMs running more current OS ver- Program (RASP) system as an The requirement that NetTop sions. excellent prospect. The RASP pro- users see a familiar COTS computer vides secure remote access to a host desktop environment was taken as a Commodity VMMs computer over a dial-up connection, fundamental precept of the architec- and includes a computer and ture. One consequence of this During the NetTop design discus- a specially developed encrypting approach is that for high assurance sions, we identified a new commer- modem to protect the communica- applications, the end-user environ- cial product, VMware, that provided tions link. Many customers have ment must be presumed to be a practical VMM capability. The requested a similar capability for untrustworthy, and the NetTop archi- VMware product is a spin-off of remote network connectivity, but tecture must protect against poten- DARPA-sponsored research at using Internet connections through a tially hostile behavior. Stanford University, and is generally local Internet Service Provider (ISP), used for providing a safe test envi- i.e., use the public data network In order to place limitations upon ronment for OS and networking rather than the public voice network. a potentially malicious component, software. The ability to provide a secure, we explored the concept of encapsu- remote connection over the Internet lation to constrain the behavior of There were several novel capabil- to a secure enclave was selected as the end-user operating system and ities of VMware that made it attrac- the initial NetTop goal. . The method tive for use in NetTop. First, it was selected for encapsulating the OS designed for efficient operation on An architecture that can achieve was based upon a 30-year-old tech- Intel platforms rather than on this capability has been known for nology, Virtual Machine Monitors large mainframe , which some time. It typically includes an (VMM). VMM technology was made it suitable for use on common- end-user , an in-line designed and developed in the era of place personal computers, worksta- encryptor, and possibly a filtering large IBM mainframe computers, tions, and . Next, VMware router or firewall to connect to the and was intended to help extend the operates on top of an underlying Internet. Commercially, such solu- life of legacy software, when host OS rather than directly on the tions are knows as Virtual Private improved hardware or OS software system hardware. VMMs that run Networks (VPN). Figure 1 depicts a was released. In essence, a VMM directly on hardware have been stud- typical VPN client configuration. was a software system that ran ied previously under Project This system configuration would directly on the computer hardware, Neptune for their use in securing provide the required functionality, and allowed multiple operating sys- systems. A Neptune type of VMM but it would be cumbersome and tems to be installed on top of it. By would face the enormous challenge expensive for a mobile user. running older OS versions in some of keeping pace with changes in the virtual machines, legacy software underlying hardware platform. could be run, while newer applica- VMware takes advantage of the host

2 Research & Advanced Technology Publication Tech Trend Notes OS's need to track these changes. This is a much more practical approach, and would be particularly important to produce a GOTS VMM for NetTop. Lastly, VMware pro- vides an abstraction for "virtual hubs." This capability allows virtual machines to be inter- connected in a fashion that is well understood by network designers and administrators.

A Network on a Desktop

Using VMware, the initial Figure 2 - Simple NetTop System Configuration NetTop system was constructed Any of the individual virtual desired technology, including dial- using a powerful laptop computer. machines can be replaced or upgrad- up, Ethernet, ATM, wireless, etc. The operating system chosen for the ed with standards-based compo- host OS was Redhat Linux Version nents. The interconnection of the vir- The basic NetTop configuration 6.2. Three virtual machines net- tual machines is based upon familiar provides the same functionality as worked by two virtual hubs were TCP/IP networking. Finally, a single three separate hardware platforms. installed on top of the host OS, pro- platform replaces several traditional Each virtualized component should viding an in-line configuration of components, thereby reducing hard- operate identically to its real-world three machines comprising (1) an ware and maintenance costs. An counterpart with "bug for bug com- end-user Windows NT machine, (2) important side benefit is that the patibility." The simple NetTop con- an encrypting machine using IPSec, architecture makes no assumptions figuration was successfully connect- and (3) a Filtering Router (FR) about the communications technolo- ed across the Internet to a simulated, machine. Both the VPN and FR gy used to connect the external net- secure enclave on an unclassified were hosted on VMs running the work. The user is free to select the NSA network, using both dial-up Linux operating system. Figure 2 displays the initial NetTop prototype configuration.

The initial NetTop configuration demonstrates a number of important capabilities. It encapsulates the unmodified, end-user Windows operating system in a VM. An important characteristic of this approach is that the encryption can be provided as an in-line function that cannot be bypassed by mali- cious actions of the end-user OS or application software. Rudimentary protection from network attacks is provided through a filtering router. Figure 3 - NetTop Logical Configuration

Fall 2000 Research & Advanced Technology Publication 3 network connections are already physically isolated, encrypted com- munication tunnels are not needed. This type of NetTop configuration may be appropriate to replace multi- ple end user , when sep- arate communications infrastructures are already available.

Thin-Client VMs

While the VMs described so far have been fully configured Windows or Linux systems, there is nothing Figure 4 - NetTop Multiple Security Level Configuration preventing a VM from being a "thin and cable modem connections. Such ality. The second version of the client." In fact, there may be reasons a configuration could have all of the NetTop prototype included another why a thin-client would be prefer- capabilities of a locally connected Windows NT machine connected able. For example, if the Windows machine, including the ability to directly to the filtering router as NT in Figure 4 was installed as a connect to the Internet, if permitted shown in Figure 4. This machine "display only" thin-client, all classi- within the enclave. Figure 3 illus- allows a user to access the Internet fied files could be kept on a remote trates a NetTop logical configura- directly. This extended prototype in a protected enclave. This tion. suggests a powerful feature of the configuration increases assurance, NetTop architecture - the ability to since the NetTop device contains Multiple Security Levels replace multiple end-user worksta- minimal sensitive information. tions within a single, hardware plat- A natural extension to the first form. In theory, multiple user con- Assurance prototype was the addition of other nections to networks of differing VMs to provide increased function- sensitivity could be provided using Despite the functional and cost multiple VPNs. This envi- advantages that the NetTop architec- ronment provides ture described above may offer to Multiple (single) Security some users, its usefulness will Level (MSL) capability depend upon its ability to withstand rather than true Multi- determined attacks from the external Level Security, but still network and from malicious end- addresses an important user software. The most sensitive customer need. applications may require additional protection against compromising Another configuration system failures. While NetTop for a MSL system is attempts to deal with insecurities shown in Figure 5, where that may be caused by user errors, two isolated VM worksta- no attempt has been made to thwart tions are connected to two malicious insiders. As a practical different networks matter, it should only be necessary through two network to demonstrate that a NetTop config- Figure 5 - NetTop Dual Network MSL Configuration interface cards. Since the uration provides the same degree of

4 Research & Advanced Technology Publication Tech Trend Notes security as the separate network components that it replaces. If this can be achieved, then the basic architectural approach is validated.

A number of approaches have been identified to increase the assur- ance of the NetTop architecture. The critical aspect of the architecture that must be validated is the ability of the VMM/Host OS combination to suf- ficiently isolate the various NetTop components. Our approach to deal- ing with security in the underlying host is to use a Trusted Linux OS Figure 6 - NetTop Improved Assurance Configuration prototype that has been developed under the IARO's OS Security Another critical component of the developed to limit failure effects by research program. Trusted Linux underlying host platform is the severing external NetTop communi- incorporates flexible access control BIOS function that controls the ini- cations. mechanisms. In order to bolster the tial boot-up process, and its ability to inherent isolation provided by the arrive at a secure initial state. In order to make an effective VMM, a tailored security policy has Vulnerabilities in the BIOS have argument for the correct operation been developed for the Trusted long been identified as the "Achilles' of a failure checking mechanism, Linux host. The VMM/Trusted heel" of computer systems. Work hardware and software must be Linux combination will be evaluated presently underway to develop a completely independent of the sys- further during an internal "red team" robust, trusted BIOS should be tem being checked. A Dallas exercise to assess the degree of iso- incorporated into any high assurance Semiconductor Tiny InterNet lation it provides. NetTop system. Interface (TINI) embeddable com- puter was networked to the in-line The Trusted Linux prototype is Failure Checking Network Encryptor machine, and also envisioned for use as the guest was programmed to use a simple OS in the VPN and Filtering Router Even a minimal NetTop configu- network "ping" to the VPN VMs. It is likely that a substantially ration will be an extremely complex machine as a health check. If no reduced Trusted Linux OS could be hardware and software system. It response was received, the Internet configured to support each VM. In will not likely be amenable to the connection was interrupted. A more each case, specific security policies forms of failure analysis historically robust health check could include a need to be tailored to support the used for NSA high assurance sys- more complex set of tests to gain limited functionality of each tems. While it might seem that sig- increased assurance that the NetTop machine. The particular encryption nificant failures in a NetTop device device is working properly. The and filtering router products selected would result in complete system tests could include could be from National Information shutdown, sensitive applications challenge/response exchanges with Assurance Partnership approved lists will require more rigorous assur- a Failure Detection Server in the or specially developed GOTS com- ance arguments. Lacking failure protected enclave. A dead-man ponents. detection support in the workstation switch of this type may be suitable platform, an approach using a type for a GOTS plug-in component for of "dead man's switch" has been high assurance applications. The

Fall 2000 Research & Advanced Technology Publication 5 maintained and monitored for sus- picious activity. Figure 8 depicts the protocol exchange between the Regrade Server and two hosts of different security levels. A trusted user token is employed in a chal- lenge/response exchange with the trusted server in order to safeguard against untrusted OS behavior.

Coalition Support

The paradigm of virtual machines creates abstractions of Figure 7 - Dead-Man Switch Architecture physical computers. Each VM is composed of a set of files that failure detection approach is shown capability includes a protocol for embody a hardware/software sys- in Figure 7. performing the regrade operation, tem. This set of files can be copied as well as a "Regrade Server" that from one physical machine to Moving Data Safely provides a trusted network service. another. Given the portability of By making the regrade operation a VMs, there is no inherent reason Many organizations require the centralized service, a number of why a VM, or set of VMs, could ability to move information advantages are gained. First, consis- not be electronically transferred. It between networks of differing secu- tency in the regrade operation can is possible for a NetTop device to rity levels. A common operation be achieved. Second, it would be become a member of a coalition by involves downgrading information possible to develop and enforce a downloading an appropriately con- from highly classified to lower clas- regrade policy that specified the figured VM over a secured commu- sified systems, but increasingly, conditions under which each user nications channel. The set of VMs information is imported from the could perform regrade operations. in each coalition would constitute a Internet into classified systems. In The regrade operation could include VPN, and would not be able to the first case, it is essential that "sanitization" functions to deter the communicate directly with VMs in classified information not be com- transfer of covert or malicious con- other coalitions. Cross-coalition promised, while in the second, a tent. Finally, an audit log could be communication is performed using primary concern is the protection of the classified host from malicious content.

The VMware product includes a capability to copy and paste data between VMs via a clipboard. This feature does not include sufficient safeguards for use in a high assur- ance NetTop system. In order to provide a more trusted copy/paste function, a new capability, dubbed a "Regrader," was developed. This Figure 8 - Regrade Server Protocol

6 Research & Advanced Technology Publication Tech Trend Notes a variation of the Regrade Server previously described. For some coalitions, it might be useful to distribute applica- tion specific VMs, such as a secure Voice-over-IP machine. A centralized Coalition Management Server could be used to manage the configura- tion and distribution of VMs to coalition members. The essence of NetTop's coalition support is its ability to distrib- ute virtual systems electroni- cally. Figure 9 displays a hypothetical situation in Figure 9 - NetTop Coalition Concept which four organizations par- ticipate in four data coalitions and During normal operation, all disk puter used in the prototype includes two voice coalitions. A simple capa- files, including temporary files, are a 500 MHz Pentium III processor bility to demonstrate electronic dis- stored encrypted on the hard disk. and 384 MB of memory. The tribution of VMs is under develop- VMware VMM is surprisingly ment. The pro- modest in its affect upon the per- vided by the VMM also provides a formance of a VM, and only a Additional Capabilities capability to alter the operation of slight degradation is noticed. As the hard disks seen by each VM. In more VMs are introduced, more A number of useful capabilities one mode, all changes made to a serious performance degradation is are included in the prototypes that VM's hard disk are discarded when noticed, but can be minimized with were not described in the NetTop it is powered down. This may be additional memory. The 384-MB overview. The entire file system on useful in the operation of the IPSec configuration of the NetTop proto- the hard disk is encrypted in order and FR machines by preventing type shown in Figure 4 was suffi- to protect against compromise if the permanent changes to the system if cient to support the Linux host and machine is lost or stolen. The a successful attack did occur. Any four guest VMs - two Windows NT "International Patch" for Linux was changes would be lost when the machines for the end-user terminals installed, which provides software VM was restarted, which would and two Linux machines for the in- encryption capabilities and services force an adversary to repeat the line Network Encryptor and under the control of the Trusted attack. Filtering Router. Overall, the per- Linux host OS. The hard disk formance of the NetTop prototype encryption is transparent to all Performance is quite satisfactory, and easily VMs. Additionally, this disk keeps pace with a high-speed, cable encryption cannot be corrupted or Real-world performance deter- modem connection. Continuing bypassed by an VM. A process was mines any technology's acceptance. enhancements in hardware perform- developed that uses a floppy disk NetTop's architecture includes a lot ance will only improve its perform- and a user entered PIN to "boot- of functionality in a single hard- ance. strap" the decryption and loading of ware platform, yet the performance system files from the hard disk. is quite acceptable. The laptop com-

Fall 2000 Research & Advanced Technology Publication 7 Future Development · IPSec modifications for NetTop Conclusion protocols The NetTop proof-of-concept has · User friendly interfaces The Information Assurance demonstrated an architecture that Research Office has responded to appears to have significant promise The set of capabilities identified the NSA Advisory Board's challenge for information assurance applica- as NetTop extensions - Failure with the NetTop proof-of-concept. tions. In its current form, however, it Detection Server, Regrade Server, The novel architecture builds upon is unsuitable for widespread use and and Coalition Management Server - COTS technology, fortifies it with requires considerable refinement. suggests an expansion of the security GOTS components, and provides a Our research has uncovered a num- services typically considered as part combination with the potential to be ber of shortcomings in current tech- of a Security Management securely used for sensitive applica- nology that need to be addressed. Infrastructure. The integration of tions. It also addresses other impor- Additionally, important topics still these services with traditional key tant concerns, and provides a frame- must be investigated. Areas requir- and certificate management services work for useful extensions. NetTop ing further development are: may deserve a separate investigation depends heavily upon the isolation to develop a concept for a more capabilities provided by the Trusted · Identification & Authentication comprehensive security infrastruc- Linux/VMM combination. The Architecture ture. robustness of the approach still · Biometric activation technique requires a comprehensive security · Key & certificate management Development of the NetTop pro- evaluation. TTN · Filtering Router management totype is continuing. Some of the · Un-spoofable labels for MSL concepts previously described Donald Simard is the Technical windows including a Regrade Server, thin- Director for the System and Network · Trusted VM switching mechanism clients, and coalition support will be Attack Center and has been with the · Installation & configuration wizards integrated as each is developed. Agency since 1979. The majority of his work has been in the Information Systems Security Organization. He is a Master in the INFOSEC Technical Track and has a Masters Degree in Computer Science.

Robert Meushaw is Technical Director for the Information Assurance Research Office. He joined the Agency in 1973 with BS and MS degrees in Electrical A very simple NetTop configuration with only one user Virtual Machine can provide Engineering. Mr. Meushaw had a very useful feature - media encryption - which could not otherwise be done with a long career in the Information a high-level of confidence. Since the host operating system does not run Systems Security Organization applications software, it is protected from virus attacks and other malicious software prior to his current position. He that might corrupt the user VM. With the media encryption function embedded in the host OS, all of the files on the hard disk can be encrypted transparently to the is a Master in the Computer user OS. The user OS cannot bypass the cryptography that is protecting the media. Systems Technical Track.

8 Research & Advanced Technology Publication Tech Trend Notes