Calhoun: The NPS Institutional Archive Theses and Dissertations Thesis Collection 2004-09 Simultaneous connection management and protection in a distributed multilevel security environment Sears, Joseph D. Monterey, California. Naval Postgraduate School http://hdl.handle.net/10945/1348 NAVAL POSTGRADUATE SCHOOL MONTEREY, CALIFORNIA THESIS SIMULTANEOUS CONNECTION MANAGEMENT AND PROTECTION IN A DISTRIBUTED MULTILEVEL SECURITY ENVIRONMENT by Joseph D. Sears September 2004 Thesis Advisor: Cynthia E. Irvine Co-Advisor: Thuy D. Nguyen Approved for public release; distribution is unlimited THIS PAGE INTENTIONALLY LEFT BLANK REPORT DOCUMENTATION PAGE Form Approved OMB No. 0704-0188 Public reporting burden for this collection of information is estimated to average 1 hour per response, including the time for reviewing instruction, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to Washington headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, Arlington, VA 22202-4302, and to the Office of Management and Budget, Paperwork Reduction Project (0704-0188) Washington DC 20503. 1. AGENCY USE ONLY (Leave blank) 2. REPORT DATE 3. REPORT TYPE AND DATES September 2004 COVERED Master’s Thesis 4. TITLE AND SUBTITLE: 5. FUNDING NUMBERS Simultaneous Connection Management and Protection in a Multilevel Security Environment 6. AUTHOR(S) Joseph D. Sears 7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES) 8. PERFORMING ORGANIZATION Naval Postgraduate School REPORT NUMBER Monterey, CA 93943-5000 9. SPONSORING /MONITORING AGENCY NAME(S) AND ADDRESS(ES) 10. SPONSORING/MONITORING N/A AGENCY REPORT NUMBER 11. SUPPLEMENTARY NOTES: The views expressed in this thesis are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government. 12a. DISTRIBUTION / AVAILABILITY STATEMENT 12b. DISTRIBUTION CODE Approved for public release; distribution is unlimited 13. ABSTRACT (maximum 200 words) The Naval Postgraduate School Center for Information Systems Security Studies and Research (CISR) is designing and developing a distributed multilevel secure (MLS) network known as the Monterey Security Architecture (MYSEA). MYSEA will permit the delivery of unmodified commercial off the shelf productivity software applications and data from a large number of single-level network domains (e.g., NIPRNET, SIPRNET, JWICS) to a trusted distributed operating environment that enforces MLS policies. The analysis and development of a communications framework necessary to support connections between multiple MLS servers and a set of high assurance network appliances supporting simultaneous access to multiple single level networks and their concurrent connection management is required to fulfill the goal of MYSEA. To enable this functionality, modifications to the existing MYSEA server, the development of a new high assurance communications security device - the Trusted Channel Module (TCM), and the implementation of a trusted channel between the MYSEA server and the TCM is required. This document specifies a framework for incorporating the high level design of the TCM, several trusted daemons and databases, plus the incorporation of a trusted channel protocol into MYSEA to enable a distributed MLS environment. 14. SUBJECT TERMS Multilevel Security, Trusted Channel, High Assurance, Distributed MLS 15. NUMBER OF Network PAGES 146 16. PRICE CODE 17. SECURITY 18. SECURITY 19. SECURITY 20. LIMITATION OF CLASSIFICATION OF CLASSIFICATION OF THIS CLASSIFICATION OF ABSTRACT REPORT PAGE ABSTRACT Unclassified Unclassified Unclassified UL NSN 7540-01-280-5500 Standard Form 298 (Rev. 2-89) Prescribed by ANSI Std. 239-18 i THIS PAGE INTENTIONALLY LEFT BLANK ii Approved for public release; distribution is unlimited. SIMULTANEOUS CONNECTION MANAGEMENT AND PROTECTION IN A DISTRIBUTED MULTILEVEL SECURITY ENVIRONMENT Joseph D. Sears Lieutenant, United States Navy B.A., University of Kentucky, 1989 Submitted in partial fulfillment of the requirements for the degree of MASTER OF SCIENCE IN COMPUTER SCIENCE from the NAVAL POSTGRADUATE SCHOOL September 2004 Author: Joseph D. Sears Approved by: Cynthia E. Irvine, Ph.D. Thesis Advisor Thuy D. Nguyen Co-Advisor Peter J. Denning, Ph.D. Chairman, Department of Computer Science iii THIS PAGE INTENTIONALLY LEFT BLANK iv ABSTRACT The Naval Postgraduate School Center for Information Systems Security Studies and Research (CISR) is designing and developing a distributed multilevel secure (MLS) network known as the Monterey Security Architecture (MYSEA). MYSEA will permit the delivery of unmodified commercial off the shelf productivity software applications and data from a large number of single-level network domains (e.g., NIPRNET, SIPRNET, JWICS) to a trusted distributed operating environment that enforces MLS policies. The analysis and development of a communications framework necessary to support connections between multiple MLS servers and a set of high assurance network appliances supporting simultaneous access to multiple single level networks and their concurrent connection management is required to fulfill the goal of MYSEA. To enable this functionality, modifications to the existing MYSEA server, the development of a new high assurance communications security device - the Trusted Channel Module (TCM), and the implementation of a trusted channel between the MYSEA server and the TCM is required. This document specifies a framework for incorporating the high level design of the TCM, several trusted daemons and databases, plus the incorporation of a trusted channel protocol into MYSEA to enable a distributed MLS environment. v THIS PAGE INTENTIONALLY LEFT BLANK vi TABLE OF CONTENTS I. INTRODUCTION........................................................................................................1 A. BACKGROUND ..............................................................................................1 1. MYSEA Historical Overview..............................................................1 2. Requirement to Expand Single Level Network Capability..............4 3. Distributed MLS Network ..................................................................5 B. COMMON CRITERIA IMPACT ON HIGH ASSURANCE DEVELOPMENT ............................................................................................8 1. PalME Project ......................................................................................8 2. Trusted Channel Module Development.............................................9 3. Terminology..........................................................................................9 C. CHAPTER OVERVIEW ................................................................................9 1. Introduction..........................................................................................9 2. MYSEA Connected Single Level Network Management Framework ...........................................................................................9 3. Protected Communications Channel Protocol ..................................9 4. The MYSEA Trusted Channel Module ...........................................10 5. Conclusion and Future Work ...........................................................10 D. APPENDIX OVERVIEW .............................................................................10 1. Appendix A: Connected Single Level Network Systems Requirements Document...................................................................10 2. Appendix B: Protected Communications Channel Protocol Requirements Document...................................................................10 3. Appendix C: Trusted Channel Management Requirements Document............................................................................................10 II. MYSEA CONNECTED SINGLE LEVEL NETWORK MANAGEMENT FRAMEWORK..........................................................................................................11 A. CONNECTED SINGLE LEVEL NETWORK ARCHITECTURE COMPONENTS.............................................................................................12 1. MYSEA Server...................................................................................13 2. Trusted Channel Module ..................................................................15 3. Networking Device.............................................................................15 4. Type I Encryption Device..................................................................16 B. CONNECTED SINGLE LEVEL NETWORK SOFTWARE MODULES .....................................................................................................16 1. MYSEA Server...................................................................................17 a. Trusted Channel Server..........................................................18 b. Secure Connection Server ......................................................18 c. Trusted Channel Database .....................................................18 d. Secure Connection Inbound Database...................................19 e. Secure Connection Outbound Database ................................19 f. Protected Communications Channel Protocol handler.........19 2. Trusted Channel Module ..................................................................20
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages147 Page
-
File Size-