Defense in Depth: Security for Network-Centric Warfare

By CAPT Dan Galik, USN

On Friday, February 13, 1998 a Defense Information and Electronics Report was released which stated that a "widespread and potentially harmful attack" on seven Air Force and four Navy information technology (IT) sites had been detected. As of this writing, the attacks are still under investigation to determine their source and the full extent of their effects. The article indicated that the focus of most of the attacks was domain name servers (DNSs) which provide name/address translation for internetworked systems. While it appears that the attacks targeted only unclassified systems, the report serves as yet another demonstration that networked IT systems are vulnerable to attacks and need to be protected.

The news media are replete with reports of attacks on and via the Internet and the increasingly widespread Web, and book upon book has been written describing the details of known vulnerabilities and how they can be countered. Traditionally, the military has ensured the security of its information systems by a risk avoidance strategy: keeping its network infrastructure separate from the public Internet, and strictly limiting access to it via locked spaces, security clearances and cryptographic devices. However, the drive to attain network-centric warfare capability has profound implications for security and requires a significant shift in the protection strategy.

Network-Centric Warfare is Technology Based

The value of network-centric warfare has been clearly identified and discussed: it enables the achievement of information superiority. The IT-21 initiative has been designed to achieve this information superiority in a time of limited resources and rapidly changing technology by requiring that the military capitalize on available commercial technology as much as possible. IT-21 is a transformation in the C4ISR warfighting process that focuses on:

The IT-21 initiative leads to the adoption of open standards (DII-COE) and commercial off-the-shelf (COTS) technology (Windows NT). Additionally, it leads to migration away from separately developed and connected stovepipe systems which cannot interoperate or communicate, to fully integrated and interoperable systems connected via a common infrastructure. While much of this common infrastructure is separate from the public Internet, it is important to note that the unclassified military network currently includes multiple connections to the Internet, and that the plan is to migrate toward a common infrastructure to be shared by both unclassified and classified networks.

The Naval Virtual Intranet (NVI) concept works as part of the IT-21 Initiative to further develop the goal of speed of command via information superiority. NVI seeks to capitalize on the common infrastructure and interoperability of systems to achieve efficiencies of information processing by centralizing information services as much as possible in a limited number of data processing centers, the Regional Information Technology Service Centers (RITSC).

The combination of open standards, COTS technology, full connectivity and information service regionalization compels us to develop a new protection strategy based not on risk avoidance, but rather on risk management. No longer can we rely on limiting access to one-of-a-kind custom-developed systems with limited connectivity. We are now embracing widely known common technologies, recognizing that some of these technologies come with well-documented vulnerabilities. Further, as more and more systems are interconnected, the user population increases significantly, thus increasing the threat of insider attacks. Finally, regardless of the level of insider threat, the sharing of a common infrastructure which connects with the public Internet brings with it a world-wide host of hackers, criminals and foreign agents who are practiced and capable of surfing their way through that infrastructure.

Network-Centric Warfare is Information Intensive

Traditionally, security has focused on ensuring confidentiality: the non-disclosure of classified information to those who are not authorized to see it. While this remains an important consideration, the shift to network-centric warfare, with its goal of speed of command, is heavily reliant on both the accuracy and timeliness of information, and on the continued availability of critical communications channels. No military maneuver can succeed if its participants cannot communicate, or if their decisions and actions are based on inaccurate, bogus or outdated information. Many of the best known and most common attacks that occur on the Internet are those which target information integrity (such as viruses) or seek to bring down a system (such as flooding attacks). Some attacks, such as IP address spoofing, focus on masquerading, which can result in planting bogus information. Other attacks, such as corrupting the translation tables of a Domain Name Server, can cut off or hijack communication channels. Thus, our protection strategy must address not only confidentiality, but also the integrity, authenticity and timeliness of information, and the continued availability of processing and communications capabilities.

Perfect Security Cannot Be Achieved

The combination of open standards, COTS technology, and full connectivity on which network-centric warfare depends, requires that we focus priority attention on defining a strategy to counter a myriad of potential flaws and vulnerabilities. The flaws and vulnerabilities in the family of UNIX operating systems are well known and easily exploited, and we must continue to strive to plug up those holes in our systems that may continue to rely on UNIX. However, even intentionally designing security into a system (such as has been done with the Windows NT operating system) is no guarantee of success; the complexity of today's systems, coupled with the sometimes unexpected behaviors which result when two independently developed systems are connected, results in a never-ending, constantly changing list of flaws and vulnerabilities. Even systems which have been hardened by years of identifying and patching flaws continue to contain flaws and vulnerabilities that can be exploited by enterprising and resourceful hackers. It is this fact which necessitates the shift from a risk avoidance strategy to a risk management strategy.

While perfect security is a myth that cannot be achieved, there is much that can be done within the limits of the current state-of-the-practice to minimize system vulnerabilities and counter potential threats. To this end, the Navy has defined, as an integral part of the IT-21 initiative and the NVI, a Defense in Depth strategy which utilizes currently available protection technology in a layered system of defenses designed to protect the confidentiality, integrity, authenticity and availability of the information and IT systems on which network centric warfare depends. Table 1 identifies currently available protection tools, and indicates which security requirements are typically targeted by each tool.

Firewalls: In the sense used here, a firewall is an application layer gateway (a proxy) that is used to selectively allow external users access to information located behind the firewall. Also known as a bastion host firewall, it is installed between an information system or enclave network and an outside, usually public, network. Users within the protected domain can access the outside network via the firewall. In addition to providing a mechanism for implementing network access control, a properly configured and managed firewall can provide network intrusion prevention. To minimize costs and management overhead, a firewall may be installed in a central location, such as a Regional Information Technology Service Center (RITSC), and shared by multiple DoN systems connected via a secure intranet. Note that a shared firewall protects only the traffic that actually traverses it, so such a deployment depends on eliminating unmonitored paths between the protected systems and the outside network. The most widely used firewall for the Navy is the TIS Gauntlet.

Encryption: Encryption can be used to provide not only information confidentiality but also integrity and mutual authentication of the communicating parties. Appropriate use of encryption technology can provide cryptographic separation of information at different levels of classification, permitting such information to be communicated via a common infrastructure, and even tunneled across a non-secure public internet. The National Security Agency (NSA) evaluates the strength of cryptographic devices for securing classified data. NSA-endorsed Type 1 devices are currently available to provide link layer, IP and ATM layer encryption. Currently, only one device is available for IP layer encryption, the Network Encryption System (NES), and one device for the ATM layer, the Fastlane.

In FY99, NSA expects to release and endorse the Taclane, which will provide both IP and ATM encryption capability. This device will not interoperate with the NES and will not support Fast Ethernet, but will interoperate with the Fastlane at DS-3 rates. For unclassified information, a variety of software and hardware products are available which provide encryption and digital signature capabilities. The most commonly used standards include the Data Encryption Standard (DES) and a variation called 3DES (triple DES) for providing confidentiality, and Secure Hash Algorithm 1 (SHA-1) for providing data integrity and authentication. Two caveats apply. A hash such as SHA-1 by itself only detects accidental corruption; to authenticate the source it must be combined with a secret key (as in a keyed hash or message authentication code) or with a digital signature, since an attacker who can alter a message can just as easily recompute an unkeyed hash over the altered version. And single DES, with its 56-bit key, has already been broken by distributed brute-force search, so 3DES should be preferred wherever products offer it.

Content Checking: Many forms of electronic information can contain harmful content such as viruses, worms and Trojan horses. These malicious programs can be transmitted across a network in a number of ways including SMTP e-mail attachments, FTP file downloads, and Java applets. Numerous COTS products exist that can check these routes to identify such potentially harmful content, and two of these products, Norton and McAfee, are available on the DoD-wide virus-detection tool site license. (see http://infosec.navy.mil). If properly configured and frequently updated, these tools can identify harmful content before it has the chance to do any damage, and in many cases can repair already damaged files. Content checking is often done as part of a firewall in addition to being done on the end-user workstations.
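The following is an added example, not part of the original article or of any of the products it names, showing the kind of check a mail gateway performs on SMTP attachments: each attachment is decoded from its transfer encoding, matched against a signature table, and refused if it carries an executable type. The signature table, the extension policy and the sample message are all constructed for the illustration (the EICAR string is the industry-standard harmless test pattern; a real scanner uses a vendor-maintained database of many thousands of signatures and updates it frequently, as the paragraph above stresses).

```python
import email
from email import policy
from email.message import EmailMessage

# Constructed signature table for the illustration. The EICAR string is the
# industry-standard harmless test pattern that real scanners detect; a real
# product uses a vendor-maintained database of thousands of signatures.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
SIGNATURES = {"EICAR-Test-File": EICAR}

# Attachment types that carry executable content and are refused at the
# gateway regardless of signature hits (a hypothetical policy, not Navy policy).
BLOCKED_EXTENSIONS = {".exe", ".com", ".bat", ".vbs", ".scr"}


def scan_bytes(data):
    """Return the names of every signature found in data (plain byte match)."""
    return [name for name, sig in SIGNATURES.items() if sig in data]


def scan_message(raw):
    """Scan one RFC 822 message; return (filename, verdict) for each attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        # decode=True undoes the base64 / quoted-printable transfer encoding,
        # so the scanner sees the bytes the recipient would actually run.
        data = part.get_payload(decode=True) or b""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        hits = scan_bytes(data)
        if hits:
            verdict = "quarantine: " + ",".join(hits)
        elif ext in BLOCKED_EXTENSIONS:
            verdict = "block: executable attachment type " + ext
        else:
            verdict = "pass"
        findings.append((name, verdict))
    return findings


def build_sample_message():
    """Constructed sample message with three attachments (not real traffic)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "test"
    msg.set_content("See attached.")
    msg.add_attachment(b"quarterly numbers", maintype="application",
                       subtype="octet-stream", filename="report.txt")
    msg.add_attachment(EICAR, maintype="application",
                       subtype="octet-stream", filename="invoice.doc")
    msg.add_attachment(b"MZ\x90\x00not-really-a-program", maintype="application",
                       subtype="octet-stream", filename="setup.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in scan_message(build_sample_message()):
        print("%-12s %s" % (name, verdict))
```

The point of decoding before matching is that malicious content normally travels base64-encoded inside the message, so a scanner that only inspects the raw SMTP stream never sees the signature. Running the same check again on the end-user workstation, with a different product, is the layering the article describes under Putting It All Together.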

Source Authentication: Certain network components, such as routers and Domain Name Servers, maintain tables (routing tables, name/address translation tables) which are critical to their correct functioning, and which are updated regularly by their peers within the network. Without authentication of the source of the updates, it is easy to spoof the information, resulting in denial of service or network intrusion. Many COTS IP routers feature cryptographic authentication of updates for selected routing protocols. These features can often be utilized by simply reconfiguring existing routers. Currently, the BGP and OSPF routing protocols (and RIP version 2) support cryptographic authentication. This authentication rests on a secret key shared among the participating routers, so the key must be distributed out of band and changed if any router holding it is compromised.
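The example below is added here and is not from the article or from any router vendor; it illustrates the point made under both Encryption (an unkeyed SHA-1 hash does not authenticate) and Source Authentication (updates must carry a keyed digest and a sequence number). It models the structure of OSPF's cryptographic authentication, a keyed digest over the update plus a non-decreasing sequence number, but uses HMAC-SHA1 in place of OSPF's keyed MD5 and a simplified update format; the shared key, peer names and route strings are constructed.

```python
import hashlib
import hmac

# Constructed shared key for the illustration; real deployments configure
# per-link keys on each router and distribute them out of band.
PEER_KEY = b"example-shared-secret"


def unkeyed_tag(update):
    """SHA-1 over the update alone: detects corruption, but any forger can
    recompute it over a forged update, so it authenticates nothing."""
    return hashlib.sha1(update).hexdigest()


def keyed_tag(key, seq, update):
    """HMAC-SHA1 over sequence number + update: forging it requires the key."""
    return hmac.new(key, seq.to_bytes(4, "big") + update, hashlib.sha1).hexdigest()


class UpdateVerifier:
    """Accepts an update only if its keyed tag verifies and its sequence number
    exceeds the last one accepted from that peer (replay protection, the same
    idea OSPF's cryptographic authentication uses)."""

    def __init__(self, key):
        self.key = key
        self.last_seq = {}

    def verify(self, peer, seq, update, tag):
        expected = keyed_tag(self.key, seq, update)
        # compare_digest avoids leaking the tag through timing differences
        if not hmac.compare_digest(expected, tag):
            return "reject: bad authentication"
        if seq <= self.last_seq.get(peer, -1):
            return "reject: replayed or stale sequence number"
        self.last_seq[peer] = seq
        return "accept"


def demo():
    """Genuine update, forged update, replayed update, and the unkeyed contrast."""
    v = UpdateVerifier(PEER_KEY)
    genuine = b"route 10.1.0.0/16 via 10.0.0.2"
    tag = keyed_tag(PEER_KEY, 1, genuine)
    results = [v.verify("rtrA", 1, genuine, tag)]

    # An attacker redirects traffic for 10.1.0.0/16 to a host it controls, but
    # has to guess the key, so its tag does not verify.
    forged = b"route 10.1.0.0/16 via 192.0.2.99"
    results.append(v.verify("rtrA", 2, forged, keyed_tag(b"guess", 2, forged)))

    # Replaying the captured genuine update (valid tag, old sequence number).
    results.append(v.verify("rtrA", 1, genuine, tag))

    # Contrast: with an unkeyed hash the forger simply recomputes the tag.
    results.append(unkeyed_tag(forged) == hashlib.sha1(forged).hexdigest())
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The sequence number matters as much as the key: without it, a captured update with a valid tag can be replayed later to reinstate a route (or a DNS mapping) that has since been withdrawn.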

Intrusion detection: Network intrusion filters (NIF) may be less restrictive than firewalls and thereby allow a wider range of network applications to be used while still being able to detect and block a wide variety of network attacks. Several vendors are currently producing NIF products, including stateful filtering routers and active, real-time intrusion detection systems. Stateful filtering routers are similar to normal filtering IP routers, and can be used to allow or disallow incoming packets based on source/destination IP addresses and TCP ports. In addition, stateful routers use knowledge of higher layer protocols to identify and allow legitimate protocols and to identify and disallow certain network attacks.

Active intrusion detection systems (IDS) also use knowledge of higher layer protocols to identify network attacks. When an attack is detected, it can be reported, often in real time, to a central monitoring facility and possibly blocked (e.g., using a TCP connection reset). Note that a reset can only be sent after the offending packet has been observed, so an IDS-generated reset limits an attack in progress rather than preventing its first packet from arriving; it complements, rather than replaces, the filtering done by firewalls and stateful routers. Depending on its configuration, an active IDS may be able to provide a high level of security in a non-intrusive manner. The Fleet Information Warfare Center (FIWC) is the key organization that serves as the Navy's central reporting point for all information system incidents.
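As an added illustration (not code from the article or from any NIF product) of what "stateful" adds over a plain filtering router, the following tracks TCP sessions opened from inside the enclave and admits external packets only if they belong to such a session or start a connection to an explicitly published service. It also shows two decisions a stateful device can make that a stateless address/port filter cannot: dropping an ACK-only probe that a stateless "allow established" rule would pass, and alerting on the IP spoofing case from earlier in the article, where a packet claiming an enclave source address arrives on the external interface. The enclave prefix, the published service, the packets and the "drop+reset" response are all constructed for the example.

```python
from collections import namedtuple

# iface: "ext" (arrived from outside) or "int" (from inside the enclave)
# flags: set of TCP flag names, e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}
Packet = namedtuple("Packet", "iface src dst sport dport flags")

INTERNAL_NET = "10.10."         # constructed enclave address prefix
ALLOWED_INBOUND_PORTS = {25}    # only SMTP to the mail gateway is published


class StatefulFilter:
    def __init__(self):
        # sessions opened from inside: (int_ip, int_port, ext_ip, ext_port)
        self.established = set()
        self.events = []

    def handle(self, p):
        # Anti-spoofing: an enclave address can never legitimately arrive
        # on the external interface, whatever the ports or flags say.
        if p.iface == "ext" and p.src.startswith(INTERNAL_NET):
            self.events.append(("alert", "spoofed internal source %s on external interface" % p.src))
            return "drop+reset"          # the active-IDS style response
        if p.iface == "int":
            # Outbound traffic is permitted; remember new sessions so that the
            # replies to them can be matched later.
            if "SYN" in p.flags and "ACK" not in p.flags:
                self.established.add((p.src, p.sport, p.dst, p.dport))
            return "allow"
        # External packet: part of an inside-initiated session?
        if (p.dst, p.dport, p.src, p.sport) in self.established:
            return "allow"
        # ...or a new connection to a published service? (A complete filter
        # would also record this session; omitted to keep the example short.)
        if "SYN" in p.flags and "ACK" not in p.flags and p.dport in ALLOWED_INBOUND_PORTS:
            return "allow"
        # Everything else, including ACK-only probes that a stateless
        # "established" rule would admit, has no matching state.
        self.events.append(("drop", "unsolicited packet from %s:%d to %s:%d flags=%s"
                            % (p.src, p.sport, p.dst, p.dport, sorted(p.flags))))
        return "drop"


# Constructed traffic, not a real capture.
SAMPLE_PACKETS = [
    Packet("int", "10.10.1.5", "198.51.100.7", 40000, 80, {"SYN"}),         # user opens a web session
    Packet("ext", "198.51.100.7", "10.10.1.5", 80, 40000, {"SYN", "ACK"}),  # server reply, matches state
    Packet("ext", "203.0.113.9", "10.10.1.5", 1234, 139, {"ACK"}),          # ACK probe, no matching state
    Packet("ext", "203.0.113.9", "10.10.2.25", 1234, 25, {"SYN"}),          # new SMTP connection, published
    Packet("ext", "10.10.1.1", "10.10.1.5", 5555, 23, {"SYN"}),             # enclave address from outside
]


def run(packets):
    """Return the per-packet decisions and the events a monitor would receive."""
    f = StatefulFilter()
    return [f.handle(p) for p in packets], f.events


if __name__ == "__main__":
    decisions, events = run(SAMPLE_PACKETS)
    for p, d in zip(SAMPLE_PACKETS, decisions):
        print("%-4s %s:%d -> %s:%d %-12s %s" % (p.iface, p.src, p.sport, p.dst, p.dport, sorted(p.flags), d))
    for e in events:
        print(e)
```

The events list is what would be forwarded to a central monitoring point such as the one the article describes; the spoofing alert in particular is worth reporting even when the packet is dropped, because it indicates deliberate rather than accidental traffic.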

Access control: In addition to the access controls that can be provided by firewalls, filtering routers and intrusion detection systems, individual end systems such as user workstations and data or application servers usually provide access control mechanisms. These include user IDs and passwords, and file access control lists which can be very effective in limiting access to the information that resides there. These same mechanisms, however, if not configured and administered properly, can be significant vulnerabilities. For example, many systems have well-known default guest accounts and/or default passwords.
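The following added example (not from the article) ties the access-control point above to the audit trail that the Auditing paragraph later describes as input for intrusion detection. It parses constructed login audit records in a syslog-like layout and reports two conditions a practitioner would want flagged: a burst of failed logins from one source, and any successful login to a well-known default account such as guest, which the paragraph above warns should not be left at its defaults. The record format, account list, thresholds and sample lines are all constructed for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed audit records in a syslog-like layout; not from a real system.
SAMPLE_AUDIT = """\
Feb 13 02:14:01 srv1 login: FAILED LOGIN for guest from 203.0.113.9
Feb 13 02:14:03 srv1 login: FAILED LOGIN for guest from 203.0.113.9
Feb 13 02:14:04 srv1 login: FAILED LOGIN for root from 203.0.113.9
Feb 13 02:14:06 srv1 login: FAILED LOGIN for admin from 203.0.113.9
Feb 13 02:14:08 srv1 login: FAILED LOGIN for oracle from 203.0.113.9
Feb 13 02:14:09 srv1 login: LOGIN for guest from 203.0.113.9
Feb 13 02:30:00 srv1 login: FAILED LOGIN for jsmith from 10.10.1.5
Feb 13 02:41:00 srv1 login: LOGIN for jsmith from 10.10.1.5
"""

LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ login: (FAILED LOGIN|LOGIN) for (\S+) from (\S+)$")

# Well-known default account names that should be disabled or renamed; any
# successful use of one is worth an alert on its own (hypothetical list).
DEFAULT_ACCOUNTS = {"guest", "admin", "administrator"}
FAIL_THRESHOLD = 4      # failures from one source ...
WINDOW_SECONDS = 60     # ... within this many seconds = password guessing


def parse(text, year=1998):
    """Return (timestamp, success, user, source) for each audit line."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue          # lines this parser does not understand are skipped
        ts = datetime.strptime("%d %s" % (year, m.group(1)), "%Y %b %d %H:%M:%S")
        records.append((ts, m.group(2) == "LOGIN", m.group(3), m.group(4)))
    return records


def analyze(records):
    """Sliding-window failure count per source plus default-account logins."""
    findings = []
    fails = defaultdict(list)
    for ts, success, user, src in records:
        if success and user in DEFAULT_ACCOUNTS:
            findings.append("successful login to default account %s from %s" % (user, src))
        if not success:
            # keep only failures from this source that fall inside the window
            window = [t for t in fails[src] if (ts - t).total_seconds() <= WINDOW_SECONDS]
            window.append(ts)
            fails[src] = window
            if len(window) == FAIL_THRESHOLD:   # report once per burst
                findings.append("%d failed logins within %ds from %s"
                                % (FAIL_THRESHOLD, WINDOW_SECONDS, src))
    return findings


if __name__ == "__main__":
    for f in analyze(parse(SAMPLE_AUDIT)):
        print(f)
```

Note that the burst is reported when the threshold is reached rather than on every subsequent failure, which keeps a sustained guessing attack from exhausting the monitor's own resources, the same tuning concern the article raises for audit trails themselves.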

Secure protocols: Protection of unclassified information in transit and assembly of protected communities of interest are becoming possible via the use of network protocols that encrypt information and provide information integrity. Currently the two most attractive protocols are the Secure Sockets Layer (SSL) and the Internet Protocol security suite (IPsec). SSL is typically used to protect communications between a web server and a web browser. The IPsec protocol is used to build encrypted virtual private networks (VPNs) between groups of users.

Auditing: While auditing itself cannot prevent any security violations, it can be very useful in establishing and documenting the source of a violation, and assessing the extent and nature of the damage sustained. Audit trails may be used as input for intrusion detection systems, and can usually be tuned to avoid resource exhaustion by specifying what events are to be audited.

Putting It All Together

The security tools described in this article are all part of the currently available COTS technology and are being employed to enhance the security of the Navy's information infrastructure. While no single tool provides complete security, a well-planned deployment of multiple tools that complement and reinforce each other can significantly strengthen and harden that infrastructure. This is the goal of the Navy's Defense in Depth strategy. The protection requirements of the NVI include:

The Defense in Depth strategy for IT-21/NVI addresses these protection requirements by employing security protection mechanisms in layers at multiple locations in the system architecture. The intent is to provide a combination of protection mechanisms that is broad enough to address all the security requirements and deep enough to provide redundancy across multiple layers. For example, within encryption, depth may mean combining link encryption under network (IP layer) encryption under email (application layer) encryption. Another example would be to use two different anti-viral packages (perhaps one on a firewall and another on the end-user workstations) so that if a virus is undetected by one package, it may be caught by the other. This approach ensures DON systems maximize resistance to attacks and minimize the probability of a security breach due to a weakness in any single security mechanism.

The Defense in Depth strategy is directly analogous to sea control concepts. Fleet air defense can serve as an example. An outer defense zone is defended by intercept fighters such as F-14s and controlled by E-2Cs. A second layer of defense is the missile zone defended by Aegis cruisers which intercept attackers that have not been stopped by the outer layer. Inside the missile zone lie the point defense zones where the defensive weapons are chaff, close-in weapon systems and tactical electronic warfare equipment. If the system is working properly, the number of attacks that penetrate to the inner zone is less than the capacity of the point defense weapons.

The generic framework for Defense in Depth is illustrated in Figure 1. Four zones of defense are defined in this framework. These zones may be logical and are not necessarily physically separate. The selection, placement and configuration of particular security mechanisms are implementation dependent and are driven by the information protection requirements for the particular DoN information system that is being protected.

Zone 4: The outermost zone represents the boundary between a DON information system (or multiple DON information systems connected by a private intranet) and a shared wide-area internetwork such as NIPRNET or SIPRNET. Defenses that are most appropriate here include firewalls, Virtual Private Network (VPN) encryption, content checking, and source authentication for routers and DNSs.

Zone 3: This zone delineates a Community of Interest (COI). The protections that are deployed here are designed to provide protection within and between such COIs. In general, Zone 3 information protection mechanisms are installed as part of an intranet used to connect end user networks that have similar security requirements and a common COI. Zone 3 information protection mechanisms may include network intrusion filters, firewalls, VPN encryption and content checking.

Zone 2: A single COI may include a number of individual sites or enclaves, each of which constitutes a Zone 2 boundary. Security mechanisms deployed here are used to provide protection at the boundary of the site or enclave and are generally integrated as part of the site/enclave LAN. Zone 2 information protection mechanisms may include network access controllers, network intrusion filters, firewalls, VPN encryption, and content checking.

Zone 1: The innermost zone is the individual end system and includes components such as workstations, servers (NT and/or UNIX) and mainframes. The operating systems must be deployed with all known holes and weaknesses fixed (as practical). The Navy and the National Security Agency (NSA) have both published secure configuration guides for Windows NT, and these guides are being used by our system developers. Zone 1 information protection mechanisms provide the innermost layer of defense for DoN systems, and may include the following: system access controls such as passwords, data access controls such as Access Control Lists (ACLs), encryption of data/files, email and web transactions, VPN encryption, content checking, auditing and careful design of user applications.

If properly designed, carefully deployed, and regularly maintained, the Defense in Depth strategy can significantly enhance the security posture of the Navy's information infrastructure, to ensure that the information it provides to the warfighter is properly protected, accurate, and timely, and that the data and communications channels essential to command are instantly and always accessible. Such protections play a critical role in establishing and maintaining the Navy's information superiority and effecting the speed of command that is vital to our warfighting capability.

More detailed information describing the Defense in Depth strategy, protection mechanisms and current policy and standards can be found at the Navy INFOSEC web page (http://infosec.navy.mil). The Navy INFOSEC Program Office (SPAWAR PMW 161) maintains this web page, with comprehensive links to INFOSEC information, including information on available security products, links to anti-viral tools, INFOSEC news and articles, security policies and procedures, and links to the Naval Computer Incident Response Team (NAVCIRT).

In addition, FIWC is the information warfare center of excellence for the Navy and the owner of NAVCIRT. FIWC publishes NAVCIRT advisories, alerting the Fleet to viruses and vulnerabilities in common computer networks or systems. Another significant support service available from FIWC includes the Vulnerability Analysis and Assessment Program (VAAP), which includes conducting On-Line Surveys (OLS), to test for vulnerabilities of fielded/legacy networked systems. FIWC also supports red team operations, which have a main goal of increasing security awareness, and to train system administrators in incident recognition. All of these services contribute to the Defense in Depth strategy. To contact FIWC, send an email to navcirt@fiwc.navy.mil.

References:
Network-Centric Warfare - Its Origin and Future, by Vice Admiral Arthur K. Cebrowski, USN, and John H. Garstka. Proceedings of the U.S. Naval Institute, Vol 124/1/1,139 January 1998.

IT-21 Intranet Provides Big "Reachbacks" by Rear Admiral Robert M. Nutwell, USN. Proceedings of the U.S. Naval Institute, Vol. 124/1/1,139 January 1998.

Approved for Public Release; distribution is unlimited.

About the Author