Next Generation Internet White Paper

Research Areas for the Next Generation Internet:
Next Generation Internet Security

Mike Fisk      505-667-5119   mfisk@lanl.gov
Ron Wilkins    505-665-1879   ronw@lanl.gov
Larry Parker   505-667-3943   lep@lanl.gov
FAX: 505-665-7793

Los Alamos National Laboratory
CIC-5, MS B255
Los Alamos, NM 87545

------------------------

NEXT GENERATION INTERNET SECURITY

Mike Fisk
Ron Wilkins
Larry Parker

Network Engineering Group, Los Alamos National Laboratory

Security is of critical importance to the Next Generation Internet. Development of the NGI must incorporate scalable, ubiquitous security mechanisms if it is to be a reliable foundation for the critical applications envisioned for the 21st century.

The goal of computer security is to ensure the integrity, privacy, authenticity, and availability of information while it is in storage on computer systems, or in transit between systems. It is difficult to provide a high level of system protection or trust in today's Internet due to vulnerabilities in operating systems, protocols, and hardware/software implementations of communication and computing systems.

Many of the protocols and operating systems in use today were designed for small networks in a trusted environment. Consequently, the designers of these systems did not include security as a fundamental feature:

   o Protocols are designed to provide reliable and robust communications, not security.

   o Operating systems are designed to provide a large array of functions and capability, not security.

   o Communications networks are fabricated from equipment that is designed to provide reliability and high performance, not security.

In the last few years the growth of the Internet has proven that neither small networks nor trusted environments are a reality in the real world of information networks.
Hackers have found numerous ingenious ways to exploit vulnerabilities and disrupt operation of the Internet and the multitude of interconnected Intranets that make up today's information infrastructure.

Today's method of dealing with the vulnerabilities inherent in our information systems is the electronic firefighter approach to security. In this scenario, vulnerabilities are patched after they are exploited. New vulnerabilities are found, and the cycle is repeated. Allowing attackers to discover and exploit weaknesses in our systems and patching them once they become widely known is an unacceptable approach for the NGI.

Attacks on the information infrastructure and interconnected systems have become commonplace and so severe that the ability of the Internet to provide reliable communications with any degree of integrity is in doubt. The increasing dependency of the national information infrastructure on computers and data communications networks makes the lack of a trusted, ubiquitous security system a critical national issue.

The approach to developing NGI security should not be one of trying to reinvent all operating systems and communications protocols. As is true with many R&D/engineering efforts, it is often best to build upon what you already know. We now have a good understanding of the types of weaknesses that plague our operating systems, protocols, and networks. In addition, over the last several years many new security tools have become available that, although not fully deployed to date, hold the promise of providing a useful level of security and performance at a reasonable cost. The NGI R&D effort is an opportunity to evaluate today's vulnerabilities and security mechanisms and determine the optimal set of mechanisms that would be required to protect a computer network.
The first step in developing security mechanisms and policy for the NGI is to investigate the applicability of new security tools to a network that uses IPv6 as the underlying communications protocol. Although the IPv6 specifications define several security mechanisms, it is not clear that these mechanisms by themselves will provide adequate security for the NGI. However, the IPv6 protocol coupled with any number of other security mechanisms such as public key encryption technology, electronic tokens, SSL, Kerberos, and DCE, to name a few, may provide the required level of security. Many of the new security tools are designed to accomplish the same level of protection through different means. Research into how to best integrate the various security tools and determine what level of protection can be provided through combinations of the tools should be accomplished early in the development of the NGI. In this way, the Next Generation Internet protocols will have security mechanisms built in from the start to provide the greatest chance of deploying a viable network.

If good network security is in place, there is little chance that the information can be stolen or modified in transit and there is a reasonable level of assurance that the source of the information is known through strong authentication. However, even if data transmissions are secure, there are no guarantees on the quality of the information being transmitted. The usefulness of an application or system is dependent on the validity of the information used in the system. A term for the perceived validity of the information from a remote system is trust. There is trust that the information was entered correctly, that the system is run securely, and that the information has not been tampered with. A whole area of investigation is how you develop and prove trust in a process, person, or organization. This type of endeavor is well beyond the scope of electronic security.
However, one aspect that is of interest in NGI security is the propagation of expressions of trust across the network. Standard measures of trust and ways of binding that trust to information need to be created.

The product of the NGI security research effort should be at least threefold. The effort should provide a definition of a minimum set of security mechanisms to provide acceptable levels of protection and trust. It should provide an NGI security policy and mechanisms that should be incorporated when the NGI is deployed. It should also identify potential system vulnerabilities for which there is no known or readily available mitigating mechanism and research new ways to secure these vulnerabilities.

--
-----------------------------------------------------------------------
Ron Wilkins                      ronw@lanl.gov
Network Engineering (CIC-5)      505-665-1879
MS B255                          pager 104-6785
Los Alamos National Laboratory   fax 505-665-7793
PGP Key fingerprint = 04 43 D2 1A B4 D7 52 5F ED 82 E2 91 42 91 41 31
-----------------------------------------------------------------------