UNCLASSIFIED//FOR OFFICIAL USE ONLY

National Security Agency
Information Assurance Directorate

(U) Global Information Grid Information Assurance Capability/Technology Roadmap

Version 1.0 (Final Draft)

26 October 2004

Prepared by: IA Architecture Office (I11)

(U) TABLE OF CONTENTS

Section   Title   Page

(U) Revision History ..... xv
(U) Executive Summary ..... I
1  (U) Introduction ..... 1-1
1.1  (U) Purpose ..... 1-1
1.2  (U) Scope ..... 1-2
1.3  (U) Approach ..... 1-2
2  (U) IA System Enablers and their Technologies ..... 2-1
2.1  (U) Identification and Authentication ..... 2.1-1
2.1.1  (U) GIG Benefits due to I&A ..... 2.1-2
2.1.2  (U) I&A: Description ..... 2.1-2
2.1.3  (U) I&A: Technologies ..... 2.1-4
2.1.3.1  (U) Authentication Tokens ..... 2.1-5
2.1.3.2  (U) Biometrics ..... 2.1-15
2.1.3.3  (U) Device/Service Authentication ..... 2.1-25
2.1.3.4  (U) Authentication Protocols ..... 2.1-35
2.1.3.5  (U) Authentication Confidence ..... 2.1-43
2.1.3.6  (U) Single Sign-On ..... 2.1-46
2.1.4  (U) I&A Gap Analysis ..... 2.1-59
2.1.5  (U) Identification and Authentication: Recommendations and Timelines ..... 2.1-62
2.2  (U) Policy-Based Access Control ..... 2.2-1
2.2.1  (U) GIG Benefits due to Policy-Based Access Control ..... 2.2-2
2.2.2  (U) Policy-Based Access Control: Description ..... 2.2-2
2.2.2.1  (U) Core RAdAC Functions ..... 2.2-2
2.2.2.2  (U) Assured Metadata and Data Describing Enterprise Elements ..... 2.2-4
2.2.2.3  (U) Digital Access Control Policy ..... 2.2-5
2.2.2.4  (U) IA Enabler Dependencies ..... 2.2-6
2.2.3  (U) Policy-Based Access Control: Technologies ..... 2.2-6
2.2.3.1  (U) Core RAdAC ..... 2.2-7
2.2.3.2  (U) Assured Metadata ..... 2.2-15
2.2.3.3  (U) Digital Access Control Policy ..... 2.2-40
2.2.4  (U) Distributed Policy Based Access Control: Gap Analysis ..... 2.2-44
2.2.4.1  (U) Core RAdAC: Gap Analysis ..... 2.2-44
2.2.4.2  (U) Assured Metadata: Gap Analysis ..... 2.2-46
2.2.4.3  (U) Digital Access Control Policy: Gap Analysis ..... 2.2-49
2.2.5  (U) Policy Based Access Control: Recommendations and Timelines ..... 2.2-50
2.3  (U) Protection of User Information ..... 2.3-1
2.3.1  (U) GIG Benefits Due to Protection of User Information ..... 2.3-2
2.3.2  (U) Protection of User Information: Description ..... 2.3-3
2.3.3  (U) Protection of User Information: Technologies ..... 2.3-7
2.3.3.1  (U) Technologies for Protecting Data-at-Rest ..... 2.3-8
2.3.3.2  (U) Technologies for Protecting Data-in-Transit ..... 2.3-10
2.3.3.3  (U) Trusted Platforms ..... 2.3-87
2.3.3.4  (U) Trusted Applications ..... 2.3-98
2.3.3.5  (U) Cross Domain Solution Technologies ..... 2.3-106
2.3.3.6  (U) Non-Repudiation ..... 2.3-116
2.3.4  (U) Protection of User Information: Gap Analysis ..... 2.3-126
2.3.5  (U) Protection of User Information: Recommendations and Technology Timelines ..... 2.3-130
2.3.5.1  (U) Data-in-Transit ..... 2.3-130
2.3.5.2  (U) Cross Domain Solutions ..... 2.3-132
2.4  (U) Dynamic Policy Management ..... 2.4-1
2.4.1  (U) GIG Benefits due to Dynamic Policy Management ..... 2.4-2
2.4.2  (U) Dynamic Policy Management: Description ..... 2.4-2
2.4.3  (U) Dynamic Policy Management: Technologies ..... 2.4-6
2.4.3.1  (U//FOUO) Development of Policies ..... 2.4-6
2.4.3.2  (U) Distribution of Policies ..... 2.4-22
2.4.3.3  (U) Policy Management Architectures ..... 2.4-29
2.4.4  (U) Dynamic Policy Management: Gap Analysis ..... 2.4-31
2.4.5  (U) Dynamic Policy Management: Recommendations and Timelines ..... 2.4-33
2.4.5.1  (U) Standards ..... 2.4-33
2.4.5.2  (U) Technology ..... 2.4-34
2.4.5.3  (U) Infrastructure ..... 2.4-34
2.5  (U) Assured Resource Allocation ..... 2.5-1
2.5.1  (U) GIG Benefits of Assured Resource Allocation ..... 2.5-3
2.5.2  (U) Assured Resource Allocation: Description ..... 2.5-3
2.5.3  (U) Technologies ..... 2.5-5
2.5.3.1  (U//FOUO) IA Policy-Based Routing ..... 2.5-6
2.5.3.2  (U//FOUO) Operational-Based Resource Allocation ..... 2.5-17
2.5.3.3  (U//FOUO) Integrity of Network Fault Monitoring/Recovery and Integrity of Network Management & Control ..... 2.5-26
2.5.4  (U) Assured Resource Allocation: Gap Analysis ..... 2.5-38
2.5.5  (U) Assured Resource Allocation: Recommendations and Technology Timelines ..... 2.5-40
2.6  (U) Network Defense and Situational Awareness ..... 2.6-1
2.6.1  (U) GIG Benefits due to Network Defense and Situational Awareness ..... 2.6-2
2.6.2  (U) Network Defense and Situational Awareness: Description ..... 2.6-3
2.6.3  (U) Network Defense and Situational Awareness: Technologies ..... 2.6-8
2.6.3.1  (U) Protect Technologies ..... 2.6-9
2.6.3.2  (U) Deception Technologies ..... 2.6-14
2.6.3.3  (U) Situational Awareness ..... 2.6-21
2.6.3.4  (U) Network Mapping ..... 2.6-26
2.6.3.5  (U) Intrusion Detection Systems ..... 2.6-30
2.6.3.6  (U) Intrusion Prevention Systems (IPSs) ..... 2.6-37
2.6.3.7  (U) User Activity Profiling ..... 2.6-39
2.6.3.8  (U) Cyber Attack Attribution ..... 2.6-44
2.6.3.9  (U) Correlation Technologies ..... 2.6-49
2.6.3.10  (U) CND Response Actions ..... 2.6-54
2.6.3.11  (U) Automated IAVA Patch Management ..... 2.6-58
2.6.4  (U) Network Defense and Situational Awareness: Gap Analysis ..... 2.6-63
2.6.5  (U) Network Defense and Situational Awareness: Recommendations and Timelines ..... 2.6-66
2.6.5.1  (U) Standards ..... 2.6-66
2.6.5.2  (U) Technology ..... 2.6-66
2.6.5.3  (U) Infrastructure ..... 2.6-69
2.6.5.4  (U) Technology Timelines ..... 2.6-69
2.7  (U) Management of IA Mechanisms and Assets ..... 2.7-1
2.7.1  (U) GIG Benefits due to Management of IA Mechanisms and Assets ..... 2.7-1
2.7.2  (U) Management of IA Mechanisms and Assets: Description ..... 2.7-1
2.7.2.1  (U) Identity Management ..... 2.7-2
2.7.2.2  (U) Privilege Management ..... 2.7-5
2.7.2.3  (U) Key Management ..... 2.7-9
2.7.2.4  (U) Certificate Management ..... 2.7-11
2.7.2.5  (U) Configuration Management of IA Devices and Software ..... 2.7-14
2.7.2.6  (U) Inventory Management ..... 2.7-16
2.7.2.7  (U) Compromise Management of IA Devices ..... 2.7-16
2.7.2.8  (U) Audit Management ..... 2.7-17
2.7.3  (U) Management of IA Mechanisms & Assets: Technologies ..... 2.7-18
2.7.3.1  (U) Identity Management ..... 2.7-18
2.7.3.2  (U) Privilege Management ..... 2.7-26
2.7.3.3  (U) Key Management ..... 2.7-33
2.7.3.4  (U) Certificate Management ..... 2.7-49
2.7.3.5  (U) Configuration Management of IA Devices and Software ..... 2.7-59
2.7.3.6  (U) Inventory Management ..... 2.7-68
2.7.3.7  (U) Compromise Management of IA Devices ..... 2.7-76
2.7.3.8  (U) Audit Management ..... 2.7-82
2.7.4  (U) Management of IA Mechanisms & Assets: Gap Analysis ..... 2.7-93
2.7.4.1  (U) Identity Management ..... 2.7-96
2.7.4.2  (U) Privilege Management ..... 2.7-96
2.7.4.3  (U) Key Management ..... 2.7-97
2.7.4.4  (U) Certificate Management ..... 2.7-97
2.7.4.5  (U) Configuration Management of IA Devices and Software ..... 2.7-98
2.7.4.6  (U) Inventory Management ..... 2.7-99
2.7.4.7  (U) Compromise Management of IA Devices ..... 2.7-99
2.7.4.8  (U) Audit Management ..... 2.7-99
2.7.5  (U) Management of IA Mechanisms and Assets: Recommendations and Timelines ..... 2.7-100
2.7.5.1  (U) Standards ..... 2.7-100
2.7.5.2  (U) Technology ..... 2.7-101
2.7.5.3  (U) Infrastructure ..... 2.7-101
3  (U) Summary ..... 3-1
3.1  (U//FOUO) Assured Information Sharing Summary ..... 3.1-3
3.1.1  (U) Identification and Authentication Technologies ..... 3.1-3
3.1.2  (U) Access Control and Data Labeling Technologies ..... 3.1-5
3.1.3  (U) Cross-Domain Technologies ..... 3.1-7
3.1.4  (U) Trusted Platform Technologies ..... 3.1-9
3.2  (U) Highly Available Enterprise Summary ..... 3.2-11
3.2.1  (U//FOUO) IA Policy-based Routing for Mobile/Tactical Environments Technologies ..... 3.2-11
3.2.2  (U) End-to-End Resource Allocation Technologies ..... 3.2-12
3.2.3  (U//FOUO) Edge-to-Edge Boundary Protection Technologies ..... 3.2-13
3.2.4  (U) Secure Voice Technologies ..... 3.2-13
3.2.5  (U) Enforcement of QoP in Transit Technologies ..... 3.2-14
3.2.6  (U//FOUO) Protection of High Risk Link Technologies ..... 3.2-14
3.3  (U) Assured Enterprise Management and Control Summary ..... 3.3-15
3.3.1  (U) Identity Management Technologies ..... 3.3-16
3.3.2  (U) Inventory Management Technologies ..... 3.3-16
3.3.3  (U) Privilege Management Technologies ..... 3.3-17
3.3.4  (U) Key Management Technologies ..... 3.3-18
3.3.5  (U) Certificate Management Technologies ..... 3.3-19
3.3.6  (U) Configuration Management Technologies ..... 3.3-20
3.3.7  (U) Policy Management Technologies ..... 3.3-20
3.3.8  (U) Audit Management Technologies ..... 3.3-22
3.3.9  (U) Confidentiality & Integrity of Network Management & Control Technologies ..... 3.3-23
3.4  (U) Cyber Situational Awareness and Network Defense Summary ..... 3.4-24
3.4.1  (U) Protection Technologies ..... 3.4-25
3.4.2  (U) Monitoring Technologies ..... 3.4-25
3.4.3  (U) Detection Technologies ..... 3.4-26
3.4.4  (U) Analysis Technologies ..... 3.4-28
3.4.5  (U) Response Technologies ..... 3.4-29
4  (U) Acronyms and Abbreviations ..... 4-1

Appendices

(U//FOUO) Appendix A: Mapping of technologies to IA System Enablers ..... A-2
(U//FOUO) Appendix B: TV-1 for IA ..... A-6
(U//FOUO) Appendix C: TV-2 for IA ..... A-23

(U) LIST OF FIGURES

Figure   Title   Page

Figure 1.3-1: (U) GIG Mission Concepts, IA Cornerstones, and IA System Enablers ..... 1-3
Figure 1.3-2: (U) Iterative Development of the GIG IA Capability/Technology Roadmap ..... 1-5
Figure 2.1-1: (U) Examples of time-driven hardware tokens ..... 2.1-6
Figure 2.1-2: (U) DoD Common Access Card ..... 2.1-10
Figure 2.1-3: (U) Example of a Hybrid Device ..... 2.1-14
Figure 2.1-4: (U) Biometric System Block Diagram ..... 2.1-15
Figure 2.1-5: (U) Network Authentication Framework ..... 2.1-37
Figure 2.1-6: (U) Device Authentication Framework ..... 2.1-37
Figure 2.1-7: (U) Centralized Architecture for Single Sign-On ..... 2.1-48
Figure 2.1-8: (U) Federated Kerberos-Based Single Sign-On ..... 2.1-50
Figure 2.1-9: (U) Federated PKI-based Single Sign-On ..... 2.1-51
Figure 2.1-10: (U) Federated SAML-Based Single Sign-On ..... 2.1-52
Figure 2.2-1: (U) RAdAC Functional Model ..... 2.2-3
Figure 2.2-2: (U) Codifying the Net-Centric Data Strategy ..... 2.2-22
Figure 2.2-3: (U) Encapsulation Notional Diagram ..... 2.2-38
Figure 2.2-4: (U) Policy-Based Access Control Gap Closure Timelines ..... 2.2-51
Figure 2.3-1: (U) Context of Non Real-Time Application Security ..... 2.3-11
Figure 2.3-2: (U) Layered Protocol Wrapping Concept ..... 2.3-12
Figure 2.3-3: (U) CMS Supports S/MIME and Other Secure Applications ..... 2.3-16
Figure 2.3-4: (U) TLS Handshake Protocol ..... 2.3-23
Figure 2.3-5: (U) Model for Web Services Security ..... 2.3-30
Figure 2.3-6: (U) FNBDT Location in Network Protocol Stack ..... 2.3-33
Figure 2.3-7: (U) Packet Jitter Mitigation Process ..... 2.3-35
Figure 2.3-8: (U//FOUO) FNBDT Frame Structure for Signaling Reliability and Reliable
Description: