The document discusses securing classified networks and sensitive data through the use of a Secure Network Access Platform (SNAP). SNAP allows users to securely access multiple isolated security domains from a single thin client desktop while preserving network isolation. It implements role-based access control, mandatory access controls, and label-based security to control access between security domains. SNAP leverages the security capabilities of the Solaris 10 operating system with Trusted Extensions to provide a certified, multi-level secure computing environment for government users.
3. Delivering Defence Solutions Globally
Challenges for Secure Collaboration Networks
• Role-based Access to Multiple Security Domains
• Secure Data Transfer between Domains
• Scalability and Availability
• Ability to meet Regulations and Certify/Accredit Deployed Platforms
• Maximize Workflow Efficiency
• Minimize Cost of Acquisition and Life-Time Ownership
4. Target Communities
• Government Communities of Interest have special IT needs based on classified information handling
> Requirements for appropriate handling of classified information mandate a rigid approach to network configuration
> Conceptual “compartments” are manifested in physically isolated networks
• SNAP enables secure, multi-compartment access from a single, thin-client desktop system, while preserving network isolation
5. Government System Requirements
• Thin Client desktop – secure computing environment
• Single Virtual Switch to Multiple Networks
> Single desktop with connections to multiple security domains implemented as physically separated networks (without enabling intra-domain routing)
> End-users have controlled access to domains based on security level, compartmentalization
• Secure Inter-Domain Data Transfer
> Automated and manual auditing based on pre-defined policies and procedures
• Windows Interoperability
> Secure Global Network, Citrix, RDP, X Windows or Browser.
8. Mobility with Security: Ultra-Thin Client Front-End
[Before/After diagram] Before: to ensure a high level of security, physically isolated clients were deployed, often single-state. After: Full Session Mobility enabled by a [caption truncated] resulting in [caption truncated]
9. The Sun Solution: Secure Network Access Platform
[Architecture diagram] Separate communities (DOD Community, Intell Community, NATO Community, Other Community), each behind its own switch, connect to a multi-network application consolidation tier (V240 servers) and an ultra-secure authentication layer; a context-free access layer provides user identity/role-based access, auditability and session mobility (D1000 storage, 220R server).
ARCHITECTURAL INDEPENDENCE
10. Different Security Domains
• System Requirements and Security Policy dictate which networks/security domains will be a part of the implementation
• Each security domain is assigned a label
> All labels are defined in the Labels and Encoding File
> All security domains within the implementation must be defined in the Labels and Encoding File
• Solaris 10 TX, using Mandatory Access Control and Trusted Networking, enforces security policy by allowing/denying access to/from a specific security domain
• Security Domains can be dynamically added/deleted from the architecture as long as they are defined in policy
11. User Access, Rights and Roles
• User Access is dependent upon Roles and Security Clearance
• User Roles are defined by job function and permission to applications and data
• All users are assigned a Role and are granted privileges based on security clearance
• Audit Logs record user activity
12. Trusted Solaris(TM) Is Certified as one of Indus[title truncated]
[Chart, based on data from http://www.commoncriteriaportal.org/] Chart bands: EAL4+ (B1) (CAPP, RBACPP, LSPP) for Trusted Extensions layered on Solaris 10; EAL4+ (C2) (CAPP & RBACPP) for Solaris 10; EAL4 or EAL4+ (C2) (CAPP) for Linux; EAL3 or EAL3+. Systems shown: RedHat, SGI Irix, SuSE, IBM AIX, HP-UX, Windows 2000, Solaris 8, Solaris 9, Trusted Solaris.
OS CERTIFIED WITH EAL4 AND 3 PROTECTION PROFILES IN EAL4:
CAPP—Controlled Access Protection Profile (Ensures proper login)
RBPP—Role-based Protection Profile (Role-based access control allows the system administrator to define roles based on job functions within an organization. The administrator assigns privileges to those roles)
LSPP—Labeled Security Protection Profile (All data and application components are formally labeled, addressed, and tracked through role based access control)
13. Common Criteria Evaluation Levels
• CC Evaluation Assurance Levels (EAL)
> EAL1 – Functionally Tested
> EAL2 – Structurally Tested
> EAL3 – Methodically Tested and Verified
> EAL4 – Methodically Designed, Tested and Verified
> EAL5 – Semi-formally Designed and Tested
> EAL6 – Semi-formally Verified Design and Tested
> EAL7 – Formally Verified Design and Tested
• These are used to measure how well a protection profile has been tested...
14. Certification vs. Accreditation
• Hardware and Software Components are evaluated against Protection Profiles and receive Certifications at Evaluation Assurance Levels (EAL)
• Systems are Accredited based on the Security Policy established for the specific program
15. US Accreditation Examples
• Certification Test & Evaluation (CT&E)
> SR 1-8 Performed by DISA Slidell for NSA
> SR 9 (Penetration Testing) Performed by NSA
• SABI Accredited
> Completed Questionnaire
> Valid Requirement from Operational Unit
> DSAWG Process
> Cross Domain Technical Advisory Board - CDTAB
> Cross Domain Systems Approval Process - CDSAP
• Documents
> System Security Authorization Agreement - SSAA
> Interim Authority to Operate - IATO
> Cross Domain Appendix - CDA
> Enclave MOA’s
> Secret Network Connection Approval Process
• Awaiting US Department of Commerce export approval (expected this week)
17. What Is a Trusted Operating System?
Solaris(TM) 10 Trusted Extensions:
• A security-enhanced version of Solaris with additional access control policies
• Implements label-based security with hierarchical and compartmented modes
• Implements Role-Based Access Control and the Principle of Least Privilege
• Provides a trusted multilevel desktop for workstations and ultra-thin clients
• Has the most complete set of trusted functionality of any certified OS
18. Trusted Extensions
[Diagram] Trusted Solaris (Solaris 2.3, Solaris 8/9): BSM, Trusted Networking, Trusted Desktop and RBAC layered on Solaris. Solaris 10 w/ TX: Trusted Extensions layered on Solaris 10, which itself provides Process Attributes, Device Allocation, Virtualization and Privilege Policy.
19. Trusted Solaris History
• 1990, SunOS MLS 1.0
> Conformed to TCSEC (1985 Orange Book)
• 1992, SunOS CMW 1.0
> Compartmented-mode workstation requirements
> Release 1.2 ITSEC certified for FB1 E3, 1995
• 1996, Trusted Solaris 2.5
> ITSEC certified for FB1 E3, 1998
• 1999, Trusted Solaris 7
• 2000, Trusted Solaris 8
> Common Criteria: CAPP, RBACPP, LSPP at EAL4+
> Updates to Trusted Solaris 8 also re-certified
• 2006, Solaris 10 w/ Solaris Trusted Extensions
21. Trusted Computing Key Features and Benefits
• Trusted Extensions extends the security capabilities of Solaris by providing:
> Trusted Path
> Least Privilege
> Discretionary Access Control (DAC)
> Mandatory Access Control (MAC)
> Sensitivity Labels
> Role-based Access Control (RBAC)
> Trusted Networking
> Trusted Windowing
> Trusted Printing
22. Trusted Path
• What is Trusted Path?
> A mechanism that provides confidence that the user is communicating directly with the Trusted Computing Base (TCB)
> It ensures that attackers can't intercept or modify whatever information is being communicated
• How is Trusted Path achieved?
> Trusted Windowing (Trusted CDE)
> Solaris Management Console (SMC)
23. Least Privilege
• There is no concept of “superuser”
> Root is not exempt from policy enforcement
> Root is not required for administration
• In its place, fine-grained privileges that delegate specific capabilities as needed
> Example: How to start a web server?
> In Solaris, it must be started as root or using an RBAC role that sets UID to 0 before starting
> In Trusted Solaris, only the privilege “net_privaddr” need be assigned
24. Discretionary Access Control
• Discretionary Access Control (DAC)
> A software mechanism for controlling users' access to files and directories.
> Leaves setting protections for files or directories to the owner's discretion
• There are two forms of DAC in both Solaris and Trusted Solaris:
> Unix Permissions
> Access Control Lists (ACLs)
25. Mandatory Access Control
• Mandatory Access Control (MAC)
> A system-enforced access control mechanism that uses clearances and labels to enforce security policy
> MAC is enforced according to your site's security policy and cannot be overridden without special authorization or privileges
• MAC is key in SNAP for preserving network isolation
26. Role-Based Access Control
• A role is a special account that provides access to specific programs using predefined privileges and authorizations
• Can only be assumed if Trusted Path exists
• Can grant fine-grained privileges to programs
• Can execute programs with different labels
27. Sensitivity Labels
• Sensitivity Labels are defined by:
> A Classification indicating the (hierarchical) level or degree of security
> e.g., TOP SECRET, SECRET, CONFIDENTIAL, …
> e.g., PUBLIC, INTERNAL, NEED TO KNOW, …
> A Compartment representing some grouping
> e.g., ALPHA1, BRAVO1, BRAVO2
> e.g., PAYROLL, HR, FINANCE, ENGINEERING
• Relationships can be hierarchical or compartmentalized
28. Sensitivity Labels (2)
• Dominance Relationships
> In a hierarchical relationship, a label that dominates another is able to read data from the lower label (“read down”)
• Clearances
> Highest level of access assigned to the user
> A user cannot read or write above clearance
> Privileges can be given to exceed clearance
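The label model of slides 27 and 28 (classification plus compartments, dominance, read down, clearance, and a privilege that overrides the check), worked through as an added example; this is not code from the deck or from Solaris. The classification ordering, compartment names and sample clearance are constructed, and the write rule models Trusted Extensions' write-equal policy, which the slides do not spell out.

```python
# Added example, not code from the Sun deck: a small model of sensitivity labels,
# the dominance relation and clearance checks described above. The classification
# ordering, compartment names and sample clearance are constructed for illustration.
from dataclasses import dataclass, field

# Hierarchical classifications, ordered from lowest to highest (constructed).
CLASSIFICATIONS = {"PUBLIC": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

@dataclass(frozen=True)
class Label:
    classification: str
    compartments: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        # A dominates B when A's classification is at least B's and A carries
        # every compartment B carries (the non-hierarchical part of the label).
        return (CLASSIFICATIONS[self.classification] >= CLASSIFICATIONS[other.classification]
                and other.compartments <= self.compartments)

def can_read(subject: Label, obj: Label, privileges: frozenset = frozenset()) -> bool:
    # "Read down": the subject label must dominate the object label, unless the
    # process holds file_mac_read, the Trusted Extensions privilege that overrides it.
    return "file_mac_read" in privileges or subject.dominates(obj)

def can_write(subject: Label, obj: Label) -> bool:
    # Trusted Extensions allows ordinary writes only at an equal label, so data
    # never flows down and a lower label cannot alter higher-labeled data.
    return subject == obj

def within_clearance(clearance: Label, session: Label) -> bool:
    # A user may only open a session at a label that their clearance dominates.
    return clearance.dominates(session)

def demo() -> dict:
    secret_a = Label("SECRET", frozenset({"ALPHA1"}))
    secret_b = Label("SECRET", frozenset({"BRAVO1"}))
    ts_a = Label("TOP SECRET", frozenset({"ALPHA1"}))
    clearance = Label("TOP SECRET", frozenset({"ALPHA1", "BRAVO1"}))
    return {
        "ts_reads_secret": can_read(ts_a, secret_a),       # read down
        "secret_reads_ts": can_read(secret_a, ts_a),       # 'Secret' cannot see 'Top Secret'
        "disjoint_compartments": can_read(secret_a, secret_b),
        "secret_writes_ts": can_write(secret_a, ts_a),
        "privileged_read": can_read(secret_a, ts_a, frozenset({"file_mac_read"})),
        "session_cleared": within_clearance(clearance, ts_a),
        "over_clearance": within_clearance(secret_a, ts_a),
    }
```

Two SECRET labels with disjoint compartments (ALPHA1 vs BRAVO1) do not dominate each other, which is how compartments isolate data at the same classification.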
29. Label Aware Services
• Services which are trusted to protect multi-level information according to predefined policy
• Trusted Extensions label-aware services include:
> Labeled Desktops
> Labeled Printing
> Labeled Networking
> Labeled Filesystem
> Label Configuration and Translation
> System Management Tools
> Device Allocation
30. Device Allocation
• Devices must be allocated before they can be used
• Only authorized users/roles are allowed to allocate/deallocate devices at a label they are cleared for.
• USB devices can be allocated
• Sun Thin Client Devices
> Audio filtered based on desktop unit
> Hot pluggable device support
• Devices can be controlled by role or by user
32. Zones for Trusted Extensions
• Each zone has a label
> Labels are implied by process zone IDs
> Processes are isolated by label (and zone ID)
> Files in a zone assume that zone's label
• Global zone is unique
> Parent of all other zones
> Exempt from all labeling policies
> No user processes—just TCB
> Trusted path attribute is applied implicitly
> Provides services to other zones
• Common naming service to all zones
• Device allocation on a per-zone / per-label basis
33. Trusted Extensions - Option 1: Per-Zone
[Diagram] Labeled zones Need-to-know, Internal Use and Public alongside Multilevel Desktop Services (Global Zone), all on the Solaris Kernel; addresses 1.2.3.10, 1.2.4.10, 1.2.5.10 and 1.2.6.10, one per zone.
• Each zone has a unique IP address
• Network Interface may be virtualized to share a single hardware NIC or use multiple NICs
34. Trusted Extensions - Option 2: All-Zone
[Diagram] Labeled zones Need-to-know, Internal Use and Public alongside Multilevel Desktop Services (Global Zone), all on the Solaris Kernel; the shared address 1.2.3.4 appears on each of them, and 1.2.6.10 is also shown.
• All zones share a single address
• Shared network Interface may be physical or logical
• Both per-zone and all-zone assignment strategies can be used concurrently
38. Benefits of Trusted Extensions
• Leveraging Solaris functionality:
> Process & User Rights Management, auditing, zones
> Make use of existing Solaris kernel enhancements
• Elimination of patch redundancy:
> All Solaris patches apply, hence available sooner
> No lag in hardware platform availability
• Extend Solaris Application Guarantee
• Full hardware and software support
> File systems (UFS, VxFS, ZFS, SAM-FS, QFS, etc.)
> Processors (SPARC, x86, AMD64)
> Infrastructure (Cluster, Grid, Directory, etc.)
39. Trusted Extensions in a Nutshell
• Every object has a label associated with it
> Files, windows, printers, devices, network packets, network interfaces, processes, etc...
• Accessing or sharing data is controlled by the objects' label relationship to each other
> 'Secret' objects do not see 'Top Secret' objects
• Administrators utilize Roles for duty separation
> Security admin, user admin, installation, etc...
• Programs/processes are granted privileges rather than full superuser access
• Strong independent certification of security
42. Client Pain Points
[Diagram: a “FAT OS” client with big CPU, DRAM and local hard drive]
• Multiple Crash Sites
• Virus Entry Points
• Client Side Support
• Unapproved Apps
• Local Apps
• Large Power Consumption
• Resource Underutilization
44. Sun Ray Ultra-thin Clients
• Session Mobility / Hot-Desking
• Multiple OS & Application Choices: Solaris, Linux or Windows
• Small footprint
• Built-in Java Card Readers supporting multifactor authentication
• Broadband deployment capable
[Product images] Sun Ray 2G and Sun Ray 270 (1920 x 1200, supports 24” display; 17" LCD integrated); OEM options from OEM's
• No DATA at the desktop
• No APPS at the desktop
• No OS at the desktop
• No END-USER MANAGEMENT at the desktop
45. Mobility with Security today at Sun
• 30,000+ Sun Rays deployed at Sun
• 1 SA per 3000 clients
• $4.8M Power Savings
• Zero Move/Add/Changes
• Patching and OS upgrade speed
• Zero annual desktop refresh costs
• $71M Savings in Real Estate
• Software License Savings
• Secure: token authentication, no viruses
• Silent: no fans or moving parts
• No User time for boot up and OS management
46. Sun Ray Deployment Options
[Diagram] Sun Ray Server behind the Corporate WAN Router/Firewall, reached from the Office over the Intranet and from Home (Broadband Remote, via an ISP) over the Internet.
47. JavaBadge
One, Multi-App Badge With a Future vs. Multiple Cards With No Future
JavaBadge = Corporate Card / Physical Access Card + Sun Ray(TM) Server Session Mobility Card + PKI Authentication Token Card / x509 (replaces Safeword Challenge/Response Card)
50. Identity Synchronization for Windows (ISW) System Components
• ISW Connectors synchronize modification and user creation events over the Message Queue
> Sun Java System Directory Server
> W2000/2003 Active Directory & NT SAM
• Connector Subcomponents: DS Plugin, NT Password Filter DLL, NT Change Detector
55. Multi-Media Capable Sun Ray
• Delivered by 3rd party partner (GD C4 Systems)
> Prototype developed
> Anticipated availability, December 06
• Local Video and Audio Devices
> “Limited 3-D graphics rendering”
> codec and application dependent
> high-resolution display capabilities
> Low latency audio
> Streaming Audio and Video
• Desktop and Laptop / Portable footprint
• Sun Ray Engineering
> Sun Ray DDX into X Server
> Local Codec Execution on SR-2 Hardware
56. Why Should Your Customers Care About or Consider the Secure Network Access Platform?
Because it protects data, centralizes control of your data & helps avoid embarrassing and damaging media moments like these...
59. Secure Network Access Platform for Gov
[Stack diagram, top to bottom]
• 3rd Party Security Extensions: TNE, Maxim, AC Tech, Cryptek, Tenix, RSA, TCS, etc.
• Integration to Legacy Systems: Secure Global Desktop, Citrix, RDP, Thinsoft
• Java Ultra-Thin Client Environment: SunRay 2FS, 270; Sun Ray Session Server, Trusted CDE, Java Cards
• Government Accredited Trusted Operating Env: Solaris 10 TX Certified EAL4+ (B1): CAPP, LSPP, RBPP
• RAS Compute Platform: Sun Solaris, Enterprise StorEdge™ 9, Sun Servers
• Consulting, Training, and Support Services: Sun Open Work Practice, Workshop, POC, Architecture and Implementation + Training and Support