UNCLASSIFIED
Horizontal Fusion Security Architecture
Les Owens
HF Management Team
Outline
• Underlying Security Philosophy
• Driving Security Policies
• Key Security Technologies
• Technical and Security Standards
• Conceptual Security Architecture
• FY05 and Beyond
Security Philosophy
• Build upon Service-Oriented Architecture (SOA)
• Extend and adapt commercial best practices to the government Net-centric environment
• Apply decentralized security to all components of the architecture and move security closer to the edge
• Employ security Defense-in-Depth approach
• Move away from “the way it's always been done”
• Prudently apply security policy in a Net-centric environment
Risk Management not Risk Avoidance
Driving Security Policies
Major Security Policies Embraced by HF:
• DCID 6/3
• DoDD 8100.2
• DoDI 8540.aa
• DoDI 8500.2
• DoDD 8500.1
• FIPS 140-2
Security Roles & Responsibilities
These security policies identify the Information Assurance/security requirements that must be addressed by:
• Collateral Space
• Core Enterprise Services
• Horizontal Fusion Initiatives/Capabilities
• SIPRNET Backbone
• DoD/IC Facilities/Sites
Targeted Security Requirements
• Based on DCID 6/3 and DoDI 8500.2
• For DCID 6/3 the goal is to meet Protection Level 5 (PL5) requirements
• For DoDI 8500.2 the goal is to meet Mission Assurance Category II and Confidentiality Level High requirements
• For FY04 we will achieve PL3, with PL4 and PL5 compliance within some areas
Confidentiality, Availability, Integrity
Confidentiality Controls (1)
• Provide Access Control through:
  - A Metadata tag (with Classification Attribute) is applied to all objects
  - A Digital signature is applied to the object and the tag
  - Changes to the Metadata tag are audited
  - The NCES Policy Decision Server and GDS/Extended LDAP will contain a Trusted Source of Clearance Information
  - Objects will use the classification attribute as an access control through the Role Based Access Control (RBAC) Filter
• Audit significant events and use audit analysis tools
• Use DoD PKI for strong Identification and Authentication
• All data is labeled with classification and access attributes using DDMS/IC Meta Data tagging
• Firewalls and IDS systems will be used for boundary defense
Confidentiality Controls (2)
• Will use encryption (Type I certified and FIPS 140-2 validated) as needed to tunnel data through communications lines of lower or different classification levels or enclaves (e.g., will tunnel Secret through NIPRNet to SIPRNet)
• System Assurance:
  - Will use system vulnerability tools (e.g., ISS, AppScan) to assure the continued integrity of the security support structure
  - Will perform malicious code checking and mobile code verification
  - The System Security Authorization Agreement (SSAA) includes: Security Requirements Traceability Matrices, test plans, test result reports, and system documentation (e.g., User Manuals, CONOPS, System Administration Manuals)
  - Certification Testing will be conducted at SPAWAR Systems Center - Charleston
  - Test results will be reported to the DAA
• DoD CIO appointed DIA as the HF enterprise-level DAA
Integrity Controls (1)
• Will do Systems and Data Backups
• Will have a CM plan
• Malicious code checking at data source
• Uses digital signatures to ensure data integrity
• System design includes best security practices (e.g., PK enabling of initiatives)
• Used applicable Security guidance documents
• Have a functional architecture for HF that defines external interfaces, protection mechanisms, and user roles
• System will be accredited prior to implementation
Integrity Controls (2)
• DoD PKI is used for digital signatures
• Use of Mobile code will be controlled
• DoD PKI used for Identification and Authentication
• Host Based IDS systems are used
• Role Based Access Control is used to control privileged accounts
• Use transmission integrity controls such as parity checks, labels, and encryption to prevent data corruption in transit
• Audit data is protected
Availability Controls
• Backups will be positioned to allow rapid recovery of the system
• Functional and compliance testing performed prior to deployments
• Hardware baseline is documented in the SSAA
• Public Domain software use is controlled
• DAA and other IA roles assigned
• Virus checking implemented on hardware
• Wireless computing is implemented in accordance with applicable Wireless policy (DoDD 8100.2)
• Use vulnerability assessment tools to manage vulnerabilities
Key Security Technologies: A Diverse Set of Tools
• Core Enterprise Security Services
• DDMS / IC Meta Data Tags
• GDS / Extended LDAP Directory
• SAML / XACML
• Role Based Access Control (RBAC)
• DoD PKI and Public Key Certificates
• AES and FIPS140-2 Cryptography
[Figure: security technology areas - Wireless (AES-based IPSec VPN tunnel), PKE/PKI, Network Security, Perimeter Defense, Risk Management, Policy, Networking, Crypto]
Standard Specifications as Guidance in the Development
Middleware and Data Layers
• XML & XML Schema v1.0
• Semantic Web Markup Languages (DAML, OWL)
• Registry standards (RDF/UDDI v2, JAXR)
• Web Services (WSDL v1.1, SOAP v 1.1), and JSR170
• J2EE (EJB, JAX Pack, JNDI, JMS)
• ODBC/JDBC
• SAML, XACML
• SQL database engines
• Syndication (RSS v1.0)
• XMPP
• JDK 1.4.2
• DDMS and IC Metadata Framework
  - Domain Namespaces
  - Content tagging
  - Taxonomies (categories)
  - Ontologies (relationships)
User/Admin Interfaces
• Cross-platform/browser (HTML 3.2/4.0; DHTML; CSS 1.0)
• JSR 168 Portlet/JSR 170 Specification
• JDK 1.4.2
• Limited JavaScript
• Web Services for Remote Portal (WSRP)
• Accepts XML/XSLT
  - Automatic rendering in portlet
• SAML/XML Signature/Encryption
• PKI and Directory Services
• Syndication (RSS v1.0)
• DDMS and IC Metadata Framework
Conceptual Security Architecture
[Figure: Conceptual Security Architecture. Components: Admin Console; Security CES (Policy Decision Service, Policy Admin Service, Policy Retrieval Service); End User; Portal (WS Client Security Handler, CES SDK, Portlets); Service Provider A Web Service (inbound and outbound Security Handlers, CES SDK); GDS+ Extensions (Authorization Store (RDBMS), Principal Attribute Service, Certificate Validation Service) holding Roles, Credentials and Policy; CA issuing DoD SIPRNet Certs; Audit DBs.]
[Each message carries a Label and a Digital Signature: PKI Certificate, Web service Request, PDS Web service Request, Data returned by PDS, Chained Service Request, Data returned by Service, Posting Data.]
[Recoverable numbered steps: 2. Portal validates certificate; 3. Portal calls GDS to obtain User Role, Clearance, dn, etc. based on PKI cert; 5. Service A's Server Handler validates signature; 8. Service A validates PDS signature, allows or denies access to the web service. Steps 1, 4, 6, 7, 9, 10 and 11 are unlabelled in the extracted figure.]
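The decision described under Confidentiality Controls and in steps 5 and 8 of the architecture figure (verify the signature over object and label, then check clearance and role against the classification attribute, auditing every decision) as an added example that is not part of the original deck. It assumes constructed classification levels, principals and objects, and substitutes an HMAC for the DoD PKI digital signature so it runs without a PKI.

```python
import hashlib
import hmac
import json

# Classification levels in dominance order (constructed for this example).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

# Stand-in signing key: an HMAC replaces the DoD PKI signature the deck calls for.
SIGNING_KEY = b"constructed-demo-key"


def sign(obj: bytes, tag: dict) -> str:
    """Sign the object and its metadata tag together, so editing the tag
    (e.g. lowering the classification attribute) invalidates the signature."""
    tag_bytes = json.dumps(tag, sort_keys=True).encode()
    return hmac.new(SIGNING_KEY, obj + b"\n" + tag_bytes, hashlib.sha256).hexdigest()


def verify(obj: bytes, tag: dict, sig: str) -> bool:
    return hmac.compare_digest(sign(obj, tag), sig)


def rbac_filter(principal: dict, obj: bytes, tag: dict, sig: str, audit: list) -> bool:
    """Decision: the signature must verify, the principal's clearance must
    dominate the classification attribute, and one of the principal's roles
    must be permitted by the tag. Every decision is recorded for audit."""
    if not verify(obj, tag, sig):
        audit.append(("DENY", principal["dn"], "signature failure"))
        return False
    if LEVELS[principal["clearance"]] < LEVELS[tag["classification"]]:
        audit.append(("DENY", principal["dn"], "clearance below classification"))
        return False
    if not set(principal["roles"]) & set(tag["allowed_roles"]):
        audit.append(("DENY", principal["dn"], "role not permitted"))
        return False
    audit.append(("PERMIT", principal["dn"], tag["classification"]))
    return True


def demo():
    # Constructed object, tag and principals (attributes as GDS would supply them).
    obj = b"sample fused track report (constructed)"
    tag = {"classification": "SECRET", "allowed_roles": ["analyst"]}
    sig = sign(obj, tag)
    audit = []
    analyst = {"dn": "cn=analyst1", "clearance": "SECRET", "roles": ["analyst"]}
    viewer = {"dn": "cn=viewer1", "clearance": "CONFIDENTIAL", "roles": ["analyst"]}
    results = [rbac_filter(analyst, obj, tag, sig, audit),
               rbac_filter(viewer, obj, tag, sig, audit)]
    # Tag downgraded without re-signing: the signature check fails before any role check.
    downgraded = dict(tag, classification="CONFIDENTIAL")
    results.append(rbac_filter(viewer, obj, downgraded, sig, audit))
    return results, audit
```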
Secure Wireless
• Mobile and wireless technologies are burgeoning in the private sector; Wi-Fi, MANETs, 802.16, 3G, PDAs, and SDR are only a few.
• These technologies could bring enormous benefits to today’s warfighter
• These “constrained” technologies are often space, power, CPU and bandwidth limited
• Moreover, due to the broadcast nature of radio technology, the smaller device size, and mobility, challenging security issues exist
• Horizontal Fusion must leverage secure wireless nevertheless
Cross-Domain Information Exchange
• Crossing multiple security domains is vital to our efforts
• Getting valuable information between the Collateral Space and the warfighter at the “pointy edge of the spear” is critical
• Bidirectional communication with Coalition Forces is essential
• Historical methods using antiquated solutions are no longer acceptable in the emerging Net-centric DoD
• Service Oriented Architecture with built-in security features provides the foundation
[Figure: security domains JWICS, SIPRNET (Secret), Coalition and Unclassified, linked by CDIX (cross-domain information exchange) devices. Mechanisms shown: RBAC; DoD PKI / PK Enabling; Digital Signatures; Intelligent Boundary Devices (perimeter defense); Meta data tagging / Labeling.]
FY05 and Beyond
• Single Net (SIPRNET, Domain 1 and Domain 2): enhanced security and intelligent boundary devices
• Full complement of SOAP/XML services and security features
• DoD PKI: robust, interoperable PKI and ubiquitous certificates
• Tagged Data
Summary
• Horizontal Fusion is truly a Catalyst for Net-centricity for the DoD
• Uses current standards adapted to a Net-centric environment
• Security features are diversified and embedded throughout the architecture
• Architecture and IA will continuously evolve with constant improvement
• Information Assurance implementation lessons-learned will be shared widely