NGI Security Architecture and Protocols

Dr. J. T. Haigh, Vice President of Advanced Technology
Secure Computing Corporation
2675 Long Lake Road
Roseville MN, 55113
e-mail: tom_haigh@securecomputing.com
Phone: (612) 628-2738
Fax: (612) 628-2701

The Problem

A brief look at the past, present and future of the internet highlights some obvious but critical trends. This paper looks at security and proposes research to make the next generation internet secure.

Yesterday the internet was characterized by a small community of researchers running a few relatively simple protocols such as FTP, Telnet and SMTP. Security was not a serious issue because most of the users were benign and little sensitive information was accessible via the network.

Today the internet user community is large and diverse. It includes businesses, children, researchers, and hackers. The number of protocols and network applications has mushroomed to include video conferencing, CORBA, HTTP, ActiveX, Java, electronic commerce, and the list goes on. Most of these were developed with little or no security architecture or formal security analysis, even though some are active or intrusive. In addition, there is no unifying security architecture for the internet and the hosts connected to it. Security today is provided by a hodgepodge of security protocols, authentication mechanisms, virus checkers and firewalls. It is no surprise that security breaches are a weekly event on the evening news!

What will the future bring? The internet user community will be international, mobile and impossible to control. The complexity of new software, combined with the rate of change, makes it impossible for the average user to configure and use it securely. In time more sensitive business will be conducted over the internet as competition pushes companies to be more efficient and offer customers instant service. More diverse protocols and distributed applications will emerge.
These include agents which perform tasks of all sorts, including downloading software without human intervention. There will also be protocols, applications and equipment which are unknown today. Security breaches are common today and the risk will increase.

The Solution

Today's networked computing environment is the result of ad hoc design and integration coupled with a wild west mentality. There is no security architecture for the resulting system. Developers and administrators do not have recognized standards for what security services are to be provided by the operating system, applications, network or the administrative infrastructure. Networking software (e.g., SSL and Microsoft Internet Explorer) has been developed without adequate security. Most protocol standards groups are run by volunteers who lack adequate resources to properly analyze protocol specifications, let alone perform rigorous testing of implementations. Providing a secure network requires research in the following areas.

- Define a networked computing security architecture: The objective of this work is to create a framework and migration plan for moving from chaos to order. The architecture includes specification of components, definition of the security services to be provided by each component, constraints, and interfaces. For example, which component is responsible for protecting local user data from malicious ActiveX code? Should the operating system provide a "sandbox" for untrusted applications, much as TCP is part of operating systems today? The architecture shall be policy neutral but provide the support necessary to enforce and manage a policy. The architecture shall set the expectations, so developers can provide innovative solutions within the framework. The migration plan lays out a path for users to move from their existing software and infrastructure to the secure NGI. This includes steps to increase the level of security in existing software.
- Develop role enforcement: One approach to securing existing software is to apply the concept of role (or type) enforcement to existing applications. This can be used to prevent a process (e.g., a video game) from accessing types of data (e.g., home banking) it should not have access to. One possible implementation approach is to have users log into roles (e.g., game player, home shopper, administrator). Processes running under these roles would be restricted to accessing data associated with the role. The type enforcement approach assigns types to data and domains to applications. For example, software executing in the "TCP/IP" domain would only have access to data of type "network."

- Develop a protocol specification language: Research must develop a protocol specification language and development tools modeled after other descriptive languages (e.g., VHDL). These proven design tools incorporate component models, rigorous specifications and architecture design rule checking, allowing the design of microprocessors with millions of transistors. The protocol design tools, used with the architecture specifications, provide design rule checking, simulation and finite state modeling to find and correct protocol design flaws before code is developed. The protocol design tools should leverage the NRL Protocol Analyzer [CM] work.

- Develop robust/secure protocols: Researchers must specify protocols which provide the security services defined in the architecture. In addition to traditional confidentiality and integrity functions, these protocols must address availability and reliability. These protocol specifications must include structures and state transitions written in a formal language so that they may be rigorously analyzed. The specifications must also address the response of the host/protocol to violations of the protocol.

- Comprehensive test suites: The protocol development tools generate automated test suites from the formal specifications.
Automated testing implies that implementations are QUICKLY certified as being robust against attack and compliant with the protocol standards. Users in the free market, who are not computer security engineers, use the certification to select secure software just as they select UL approved electrical equipment today.

The Result

The NGI must be as robust and easy to use as the phone system. This allows American business to remain competitive and thrive in the global economy. Vendors providing networking products adhering to the security architecture gain an advantage by labeling their products "NGI Security Enabled." Individual privacy and data integrity are protected while national security is enhanced because our national infrastructure is more robust.

References

[CM] Catherine Meadows, "Language Generation and Verification in the NRL Protocol Analyzer," Center for High Assurance Computing Systems, Naval Research Laboratory, Washington, DC 20375.
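To make the role/type enforcement bullet above concrete, here is an added example (my own code, not the paper's or Secure Computing's): a domain definition table that grants access modes per (domain, data type), with everything unlisted denied, and a role table that limits which domains a process may enter after the user logs into a role. All domain, type and role names are constructed for illustration.

```python
from dataclasses import dataclass

# Domain definition table (DDT): domain -> data type -> allowed access modes.
# Anything absent is denied. Constructed sample policy following the paper's
# examples: the TCP/IP domain sees only "network" data; a game gets its own
# save data and the network, but never home-banking data.
DDT = {
    "tcpip":   {"network": {"read", "write"}},
    "game":    {"game_data": {"read", "write"}, "network": {"read", "write"}},
    "banking": {"banking_data": {"read", "write"}, "network": {"read", "write"}},
    "admin":   {"config": {"read", "write"}, "banking_data": {"read"}},
}

# Roles a user logs into, and the domains a process under that role may enter.
ROLES = {
    "game_player": {"game"},
    "home_shopper": {"banking"},
    "administrator": {"admin", "tcpip"},
}

@dataclass(frozen=True)
class Process:
    role: str
    domain: str

def enter_domain(role, domain):
    """Start a process in `domain`; refuse unless `role` is permitted there."""
    if domain not in ROLES.get(role, set()):
        raise PermissionError(f"role {role!r} may not enter domain {domain!r}")
    return Process(role, domain)

def check_access(proc, data_type, mode):
    """True only if the DDT grants `mode` on `data_type` to the process's domain."""
    return mode in DDT.get(proc.domain, {}).get(data_type, set())

def domains_with_access(data_type, mode):
    """Policy review helper: which domains can perform `mode` on `data_type`?"""
    return sorted(d for d, types in DDT.items() if mode in types.get(data_type, set()))

def mediate(proc, data_type, mode):
    """Mediate one access and return an audit record for logging."""
    allowed = check_access(proc, data_type, mode)
    return {"role": proc.role, "domain": proc.domain,
            "type": data_type, "mode": mode, "allowed": allowed}
```

The review helper answers the question a policy auditor asks first: who can write banking data at all, and is that list as short as intended.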