WP - IP Videoconferencing Security for the Department of Defense

Complying with Information Assurance Requirements and Managing Cross Security Domain Risks

IP Videoconferencing Security for the Department of Defense

IP Videoconferencing Security for the Department of Defense Complying with Information Assurance Requirements and Managing Cross Security Domain Risks

October 2006

http://www.criticom.com/

IP Videoconferencing Security for the Department of Defense Copyright © 2006 Wainhouse Research. All rights reserved.

Table of Contents Executive Summary.................................................................................................................... 1

Introduction ................................................................................................................................. 1

Elements of IP Videoconferencing Security............................................................................. 2

Security during Video Meetings ................................................................................................2

Security Risks Related to Switching IP Video between Security Domains ...............................2

IP Video System Security Basics .............................................................................................. 4

Preparing the Video System .....................................................................................................4

Real World Compromises .........................................................................................................7

Options for Securing the IP Videoconferencing Environment ............................................... 9

Option 1: Deploying Individual Systems per Security Level......................................................9

Option 2: Custom / Home Grown Solutions ..............................................................................9

Option 3: Turnkey “Off-the-Shelf” Solutions............................................................................11

Conclusion ................................................................................................................................ 14

Glossary of Terms .................................................................................................................... 15

About Wainhouse Research .................................................................................................... 16

About the Author .....................................................................................................................16

About Criticom .......................................................................................................................... 16

List of Figures

Figure 1: Information Stored within the Video Endpoint................................................................2 Figure 2: Preparing Video Systems to Host Secure and Non-Secure Sessions...........................4 Figure 3: Steps Required to Change Between Secure and Non-Secure Operating Mode ...........6 Figure 4: A Typical Two Video System Custom Solution............................................................10 Figure 5: Criticom's ISEC-323 Secure Videoconferencing Solution ...........................................12 Figure 6: The Benefits of Automation .........................................................................................13


1

Executive Summary The convergence of voice, video, and data communications over IP networks has increased the complexity and range of security risks for Department of Defense (DoD) videoconferencing users. In the IP environment, videoconferencing users must be concerned not only about the traditional RED/BLACK (TEMPEST) requirements, but also a new set of Information Assurance (IA) guidelines. This whitepaper explores the security challenges, risks, and resolution alternatives for agencies seeking to deploy and maintain a secure IP-based videoconferencing environment.

Introduction As the importance of videoconferencing in the Department of Defense (DoD) and all government agencies has grown, so has the desire and need to ensure that data, voice and video are protected and secure from compromise by unauthorized eyes, ears, and systems. While Type 2 and Type 3 encryption methods, such as DES, 3DES and AES, provide sufficient protection for many unclassified applications, the DoD and others engaged in National Security communications require Type 1 information security. Type 1 security is used to protect information classified at various levels such as secret, allied secret, top secret, SCI. The National Security Agency (NSA) provides guidance and oversight for Type 1 security, with compliance requirements further detailed by various DoD Directives and CJCS Instructions. In order to conduct Type 1 secure videoconferencing, each videoconferencing system must be evaluated for compliance by the agency’s Designated Approving Authority (DAA) or COMSEC Officer. Both traditional ISDN and IP videoconferencing share a similar set of risks, but hosting secure video traffic on IP networks introduces the need for Information Assurance (IA) policy compliance. Many agencies use the same videoconferencing equipment to host both secure and non-secure conferences. Early adopters initially believed that maintaining top-secret security in this type of “cross security domain” environment simply required the use of equipment and switches that adhere to TEMPEST requirements and provide proper Red / Black signal isolation. While this may resolve the physical connectivity-related security risks, it does not address the Information Assurance risks associated with the protection of the classified information stored by secure videoconferencing systems. To avoid violating NSA guidelines, classified information must be purged by approved methods before a system is switched to a lower classification level. This white paper discusses the security issues that arise from hosting both IP video sessions at different classification levels on the same videoconferencing equipment, and provides insight and guidance on how to best achieve and maintain a certified secure conferencing environment. This paper does not cover general meeting security elements such as the need to a) control the people and locations admitted to meetings, b) ensure that documents are not left in meeting rooms, and c) avoid unauthorized meeting recording. In addition, this document assumes that certain basic precautions are already in place, including basic network security, password protection on all video systems, deactivation of auto answer capabilities, etc.


2

Elements of IP Videoconferencing Security Those seeking to maintain security in IP videoconferencing environments must be concerned about security during video meetings and especially when switching conferencing systems between security domains, commonly referred to as cross security domain switching. Security during Video Meetings From a 10,000 foot view, the following areas must be taken into consideration to maintain security during video meetings:

• Physical items (room location, potential for eavesdropping / spying, sound isolation, radiation protection / TEMPEST certification)

• Data security and network access control • Connection security (dialing securely using optical isolation) • Content security (encryption, KIV encryptors, content archival / streaming, etc.)

For additional information about maintaining security during video meetings, please see a previously released Wainhouse Research white paper on Security for Videoconferencing – A guide to understanding, planning, and implementing secure compliant ISDN & IP videoconferencing solutions. Security Risks Related to Switching IP Video between Security Domains The increased threat of terrorist activities has prompted the increased use of both classified and unclassified video communications, which has escalated the need to maintain security in an IP video-enabled environment, and in particular when operating on different IP networks at different security classifications. Of specific concern is the protection of the classified information stored and maintained within the typical videoconferencing endpoint including: Network Information Directory Information Other Information IP address (static or DHCP) Subnet mask Gateway address Gatekeeper address / login DNS Server SIP Address / Proxy Call Manager

System name / aliases System locations Local directory address entries Global directory address entries Directory server address / login Global management server address SNMP Addressing

Call logs / usage details Last number / IP address dialed

Figure 1: Information Stored within the Video Endpoint This area of IP security is known as Information Assurance, or IA, and focuses on maintaining the security of the classified data rather than containing RF emanations which is covered by TEMPEST guidelines. Although not specifically called out above, the typical video endpoint also maintains and stores “hidden” system / call information used to assist with call troubleshooting, problem discovery, and issue resolution.

http://www.wrplatinum.com/BekijkSamenvatting.asp?Inhoudsnummer=104


3

The fact that these items are stored within the video system is not usually documented within the user manuals or administrator guides, but those with the proper knowledge and equipment would have little trouble gaining access to these stores of information. In addition, videoconferencing system manufacturers are constantly adding new features and functionality, often resulting in additional information storage and related security risk. Depending upon the agencies and networks involved, most, if not all, of the information above is classified as “Secret” if associated with a classified network. In order to maintain appropriate security, such information must be protected from access by unauthorized personnel, those lacking the proper clearance, and those without the need to know such information. This information must also be protected from exposure to unclassified networks, which occurs automatically when an IP videoconferencing system loaded with secure information is attached to a non-secure IP network. The above issue is further compounded by the ability of today’s video systems to operate on both ISDN and IP networks, either individually (allowing the user to place an IP or an ISDN call at any time without re-cabling) or simultaneously using the integrated video bridge capability. The examples below illustrate these concerns: Example 1 – A videoconferencing system configured for operation on a secure IP network is used to host an unclassified ISDN video call. In this case, the classified IP addressing and other stored information in the video system is exposed to remote access over the ISDN data lines used to host the video call. Example 2- A videoconferencing system with an integrated video bridging capability is hosting a secure IP video session. During the video call, the system receives a non-secure video call through the connected ISDN lines. The moment that the non-secure video call connects (either automatically via auto-answer or when the user accepts the video call), the secure data stored within the video system is immediately exposed on the non-secure ISDN network. Such security violations arise in many agencies operating seemingly secure environments.

IP Video System Security Basics In order to use a videoconferencing system to host secure video sessions, the system must be placed into “secure” operating mode, and the appropriate classified network settings and directory information must be loaded. Before a system in “secure” mode can switched and used to host a non-secure video session, all classified information must be purged and erased from the system. Proper conversion (or reprogramming) of the system from secure to non-secure mode involves multiple steps that must be followed precisely and in the proper order to avoid compromising security.

Author’s Note:

The security risks described above are primarily focused on switching a system from the secure IP domain to an unclassified LAN. However, these same security risks apply to switching between different levels of security classification (e.g. Top Secret to Secret, Secret to Allied Secret, Secret to SCI, etc.). There are also risks associated with having peripheral devices containing classified data attached to video systems that may be used to host non-classified video sessions. For example, having a laptop containing a classified presentation connected to a video system during an unclassified videoconference introduces the risk that classified information will be shown to or accessed by unauthorized individuals.

Preparing the Video System The flowchart below highlights the high level logic and decision process that should be followed by support staff, based on a video system’s current operating mode, to prepare that system to host a secure or non-secure video call. As shown below (see the red highlighted text), the area of greatest concern occurs when flipping a system from secure operating mode to non-secure mode to allow it to host a non-secure video call.


4

Figure 2: Preparing Video Systems to Host Secure and Non-Secure Sessions


5

In order to perform the above security mode changes without compromising security, many steps must be completed. The flowchart below highlights the steps needed to purge the system logs (call records, hidden call information, etc.) and switch modes. As shown, these seemingly simple tasks actually involve a multitude of complex steps. It is also worth noting that different data elements often must be purged in different ways. For example, some fields must be deleted using a clear field command. Others may require the entry of new valid data before the existing data will be removed. Furthermore, in some cases a soft or hard system reset may be required to force the changes to take effect. For example, on most video systems a reboot is necessary to change the system’s IP address. Once the new IP address is entered, the user menus will display the new IP address, but unbeknownst to the user the codec will still be transmitting the old IP address. For this reason, switching from a secure to a non-secure IP network without rebooting introduces a major IA breech. It goes without saying that the greater the number of steps, the greater the chance for human error and the risk of a security violation.

Figure 3: Steps Required to Change Between Secure and Non-Secure Operating Mode

In the flowchart above, items highlighted in red are actually multi-step processes that must be completed by a highly trained, COMSEC-certified1 technician. Furthermore, the “Load New Network Settings” and “Reconfigure Laptop for New Network” steps require training and expertise in network technologies.


6

1 COMSEC is an acronym for Communications Security

Such complex tasks (log purges and security mode changes) are far beyond that which the typical – or even highly experienced – end user could tackle themselves. It is important to understand that overlooking any of these steps, or even completing the steps in the wrong order, can expose secure information on a non-secure network. For example, let’s assume that a technician is working to convert an endpoint from secure to non-secure mode. Were the technician to connect the endpoint to the non-secure network before purging the logs and secure address book, he would have introduced a security breach. It is also worth noting that some, but not all, of the required steps can be completed using remote management systems, such as those available from endpoint manufacturers Polycom or Tandberg. When using remote management tools, one must carefully consider the timing of the network change to avoid exposing secure data on the non-secure network. In reality, this would require the system administrator to use two different remote management systems, one on the secure side and one on the non-secure side, to complete the network reconfiguration. Similarly, the video system IR remote could be used to change endpoint settings and flush some (but not all) of the system logs. However, these methods do not usually allow one to easily purge the “hidden” information stores, and are likely to increase the risk of exposing secure data on non-secure networks. Real World Compromises There are many reasons why some agencies are unable to (or choose not to) fully comply with the mandated security protocols including:

Time and Inconvenience – A proper system purge and mode change can take 30 minutes or more to manually complete, which all but eliminates the possibility of impromptu / ad hoc video communication. In case of an emergency, skipping steps to expedite mode changes modes will most certainly introduce security violations. Complexity and Expense – Maintaining a secure videoconferencing environment requires an in-depth knowledge of videoconferencing and network technologies, and the relevant security regulations. Certified technicians with this knowledge and the appropriate security clearance are not only expensive to hire and keep, but must be available at each site whenever a call needs to be placed. Limited Resources – Limited staffing budgets means that the demand for qualified support staff will always outpace the supply. In many cases, the necessary support personnel are not available to provide the required service.


7

Manually changing between non-secure and secure videoconferencing modes is a complex,

multi-step process beyond the expertise of most end users and support staff.


8

Lack of Awareness – Many end users and administrators are simply unaware of the risks and regulations associated with hosting secure videoconferencing sessions. For this reason, proper procedures are not followed and security is compromised.

In reality, even in environments with the appropriate and available support staff, the practice of manually purging video systems and changing modes without violating security is a very tedious and error-prone process. Quite simply, as long as this remains a manual process, security violations are likely to occur.

Options for Securing the IP Videoconferencing Environment The typical government agency has several options for securing its videoconferencing environment. Option 1: Deploying Individual Systems per Security Level One way to avoid exposing classified data stored in the video endpoint to non-classified networks is to install and maintain two separate video systems (one for secure and one for non-secure video sessions) for each videoconferencing requirement. Although rudimentary and not particularly cost-effective, this method can help an agency adhere to videoconferencing environment security mandates. The disadvantages of this option, however, are numerous and include:

• Cost – this method requires the purchase of two totally separate videoconferencing systems, including two separate display subsystems (necessary to avoid potential security lapses). Additional costs also include recurring maintenance and fixed network fees.

• Footprint – installing two video systems, and the associated displays and furniture, requires significant additional space. In most cases this involves dedicating one room for secure and another room for non-secure video sessions.

• Burden – agencies following this method must manage and maintain two times as many video systems.

• Resources – to avoid compromising security, the secure video system storing classified data must be physically protected from non-secure resources. This requires support from trained resources with the appropriate security expertise and clearances.

The significantly higher acquisition and lifecycle costs make this option less than ideal for most government agencies. Option 2: Custom / Home Grown Solutions Although ill advised, and given an extensive knowledge of TEMPEST and IA requirements, it is (in theory) possible for agencies with access to the proper resources to design a custom solution to maintain security both during and between video calls. Such systems could utilize custom software running on standard PCs or might leverage A/V proprietary control systems such as those available from AMX or Crestron. To avoid the complicated process of switching a single video system between secure and non-secure networks, these home-grown solutions typically use two video systems and a video / audio matrix switcher. The system drawn below illustrates the major cost elements involved in typical dual video system custom solution.


9

Although not recommended or efficient, installing two separate video systems in

each conference room can help an agency adhere to security mandates.

Figure 4: A Typical Two Video System Custom Solution

The primary advantage of using a custom / home grown security solution is that it gives the system designers total control over the steps taken to maintain security compliance. Unfortunately, this advantage is overshadowed by the many disadvantages including:

• Complexity – this solution involves the deployment of various A/V devices that must be properly selected, connected, and controlled in order to avoid security violations.

• Cost – the creation of a custom security automation system would involve significant costs in both equipment and time. In addition, this solution requires the purchase and deployment of two video systems (codecs), an AV switcher, and other peripherals.

• Risk – the use of a previously untested and custom solution within the production environment is likely to introduce additional security risk.

• Functionality – due to cost or development time constraints, home grown solutions typically suffer from functionality / flexibility limitations.


10

• Certification – once developed, the agency would need to submit the solution, with appropriate testing results, to the appropriate parties for certification and approval (an often difficult, expensive, and time consuming process). This adds to the time and cost associated with the


11

creation of the solution. In addition, any future changes to the solution would require that the system be recertified.

• Burden – the agency developing the home grown solution would also shoulder the burden of supporting and maintaining the solution. In addition, the agency would be responsible for training users and administrators in proper system operation. Furthermore, the agency would need to provide system updates and modifications in response to functionality or control code changes within video endpoints or other integrated equipment.

• Efficiency - By designing, deploying, and managing a custom solution, the agency takes the role of system manufacturer and must provide full lifecycle support without the benefit of economies of scale associated with COTS (commercial off the shelf) solutions.

It is also worth pointing out that the room control system (a RED processor), which contains classified dialing and configuration information, cannot be connected physically or electronically to a video system in non-secure mode without introducing both TEMPEST and IA security violations. This level of knowledge of security doctrine is usually beyond the area of expertise of the typical control system programmer or system designer. Finally, although administrators are responsible for maintaining a secure videoconferencing environment, their charge does not typically include the design and maintenance of custom automation systems. As such, one must question the appropriateness and efficiency of investing time and money in such development efforts for a one-off solution. Option 3: Turnkey “Off-the-Shelf” Solutions Agencies seeking to maintain proper security during and in-between video calls should consider the deployment of a turnkey and COTS security solution for IP videoconferencing. The ISEC-323 solution, available from Criticom, the sponsor of this white paper, is a good example of a fully integrated and certified solution and provides the following:

• Fully automated switching between secure and non-secure modes • NSA Certification for RED/BLACK isolation as per TEMPEST 2/95 for LAN access switching • Compliance with security directives for TEMPEST 2/95 and Information Assurance (IA) • Integration with external encryption for session security with HAIPE or other Type 1 IP

encryption • Support for switching between unclassified and bulk encrypted networks, such as SIPRNET. • Fiber Optic isolation for unclassified operation • Support for Static and DHCP IP addressing • Support for dual network (ISDN and IP) security switching • Onscreen messages to inform the system users of the status during security level switching • An illuminated wall sign displaying the current security mode (secure or non-secure) • Tight integration with current videoconferencing codecs and systems offered by leading

manufacturers • Full support and maintenance (including software updates as required)

The block diagram below shows the elements of Criticom’s solution. As shown, the IP optical switch provides the TEMPEST 2/95 mandated isolation between the codec and the secure and non-secure networks, while the IP domain controller ensures that the timing of the network switching meets IA requirements.

Figure 5: Criticom's ISEC-323 Secure Videoconferencing Solution

Designed to be operated by the end users themselves by means of a single toggle switch or button on a control panel, this solution automates the many complex steps required to switch between secure and non-secure operation. Key benefits of this type of solution include:

• Cost savings that result from a) eliminating the need for costly (and certified) in-room support staff before, during, and after each video call, and b) avoiding the need to purchase and install duplicate systems for each classification level supported.

• Time savings afforded by decreasing the time required to switch between operating modes. • Ease of use resulting from allowing system operators to continue using their existing control

system or video system IR remote to place / accept video calls. • Flexibility to conduct video calls at any time, without having to wait for support staff or for the

completion of a time-consuming, manual mode-changing process.


12

• A significantly decreased risk of exposing secure information to non-secure staff / networks thanks to the fully integrated and automated mode switching engine.

The chart below highlights the relationship between the level of automation and the cost, security risk, and support requirements for the typical video session.

Figure 6: The Benefits of Automation

Depending upon the level of security required, there are many ways to improve the security of the videoconferencing environment. For example, most currently available video solutions, including those available from, Polycom and Tandberg, support AES encryption, which provides at least some degree of information protection during the conference. Criticom’s solution differentiates itself by protecting the classified IP address information in the codec by providing an easy and automated method for changing between secure and non-secure operating modes. Agencies using a secure videoconferencing solution should carefully consider this often neglected area of potential exposure.


13


14

Conclusion The continuously changing global political environment has prompted increased interest in and demand for secure videoconferencing within governmental agencies. Although encrypting the actual videoconference session traffic (audio, video, and presentation / content data) is vital, system administrators must also concern themselves with Information Assurance requirements and the protection of the classified addressing and directory information stored within video systems themselves. Maintaining proper videoconferencing security requires that agencies switch their video systems between secure and non-secure operating modes without compromising secure information. Unfortunately, manually switching modes involves a complex, time-consuming process that requires trained personnel with the appropriate security clearance. For these reasons, many agencies are unable to maintain a secure video environment. Fortunately, there are certified secure videoconferencing solutions available that can automate the process of switching between secure and non-secure video modes. Although these solutions require an up-front capital investment, the costs are offset by the savings realized thanks to decreased staffing support requirements and reduced lifecycle maintenance expense. In addition, these solutions are able to switch modes more quickly and reliability than trained staff, which minimizes system downtime and allows users to host back-to-back secure and non-secure video calls. Turnkey secure videoconferencing solutions make it possible for any agency, even those without dedicated IT support staff, to create and maintain a totally secure videoconferencing environment.


15

Glossary of Terms

Codec – Device that compresses and decompresses audio and video data. Videoconferencing systems are often referred to as codecs.

COMSEC – Communications security COTS – Commercial “off-the-shelf” DAA – Designated Approving Authority DISA – Defense Information Systems Agency DoD – Department of Defense EMSEC – Emanations security Encryption Levels – Type 1: NSA encryption for Classified information Type 2: NSA encryption for unclassified information – export restrictions apply Type 3: NSA encryption for Sensitive, but unclassified information HAIPE - High Assurance Internet Protocol Encryptor IA - Information Assurance IMUX – Inverse multiplexer KIV - Type 1 Encryptor NIPRNET – Non-classified Internet Protocol Router Network NSA – National Security Agency RS-366 – The dialing interface on a videoconferencing device (codec) or IMUX RS-449 / 530 – The voice, video, and data interface on a videoconferencing device (codec) or

IMUX SIPRNET - Secret Internet Protocol Router Network TEMPEST – The widely recognized and classified set of standards for electric or

electromagnetic radiation emanations from electronic equipment and other communication devices.

Security Levels

Secret - Such material would cause "serious damage" to national security if publicly available

Allied Secret - Secret information that is shared with current and trusted US allies

Top Secret - The highest level of classification - such material would cause "exceptionally grave damage" to national security if publicly available

SCI - Sensitive Compartmental Information

http://en.wikipedia.org/wiki/National_security


16

About Wainhouse Research Wainhouse Research (www.wainhouse.com) is an independent market research firm that focuses on critical issues in rich media communications and conferencing. The company conducts multi-client and custom research studies, consults with end users on key implementation issues, publishes white papers and market statistics, and delivers public and private seminars as well as speaker presentations at industry group meetings. Wainhouse Research publishes Conferencing Markets & Strategies, a three-volume study that details the current market trends and major vendor strategies in the multimedia networking infrastructure, endpoints, and services markets, as well as a variety of segment reports, the free newsletter, The Wainhouse Research Bulletin, and the PLATINUM (www.wrplatinum.com) content website.

About the Author Ira M. Weinstein is a Senior Analyst and Partner at Wainhouse Research, and a 15-year veteran of the conferencing, collaboration and audio-visual industries. Prior to joining Wainhouse Research, Ira was the VP of Marketing and Business Development at IVCi, managed a technology consulting company, and ran the global conferencing department for a Fortune 50 investment bank. Ira’s current focus includes IP video conferencing, network service providers, global management systems, scheduling and automation platforms, ROI and technology justification programs, and audio-visual integration. Mr. Weinstein holds a B.S. in Engineering from Lehigh University and is currently pursuing an MBA in Management and Marketing. He can be reached at [email protected].

About Criticom Criticom, headquartered in Lanham, Md., is a leading integrator of video and video conferencing equipment for complete video solutions to both government and commercial customers. Founded in 1990 and privately held, the company has earned an outstanding reputation for its video systems and integration expertise. Criticom has partnerships with the leading manufacturers of video systems and telecommunications equipment, including Tandberg; Polycom; Radvision; Adtran; Cisco Systems, Inc. and Northrop Grummen. Some of Criticom’s many long-standing government customers include the U.S. Central Command, The Joint Chiefs of Staff, U.S Special Operations Command, Marine Corps, 82nd Airborne, Army National Guard, Air National Guard, Air Reserve Command, Metropolitan DC Police and the White House Communication Agency (WHCA).

In 2002, Criticom announced the availability of its own-patented product: the ISEC-320, a TEMPEST-tested and certified secure/non-secure switch solution specifically designed for videoconferencing. As of this writing, CritiCom’s ISEC product is the only secure/non-secure videoconferencing solution utilizing fiber-optic switching technology for conclusive, Type 1 security, enabling classified communications to Top Secret and above. Criticom’s ISEC products have been featured in numerous publications such as Signal and Military Information Technology magazines. To date, DoD customers have accepted and installed ISEC at hundreds of agencies and locations around the world.

Frequently honored with regional Washington Technology “Fast 50” and national Inc. 500 awards for its fast growth and success, additional information about Criticom can be found on the company’s Web site: http://www.criticom.com

http://www.wainhouse.com/

http://www.wrplatinum.com/

mailto:[email protected]

http://www.criticom.com/

Date post:	21-Oct-2014
Category:	Documents
View:	696 times
Download:	0 times

WP - IP Videoconferencing Security for the Department of Defense

Documents