
National Security Agency Information Assurance - Krebs on Security PDF

605 Pages·2004·5.19 MB·English

Preview National Security Agency Information Assurance - Krebs on Security

UNCLASSIFIED//FOR OFFICIAL USE ONLY

National Security Agency
Information Assurance Directorate

(U) Global Information Grid Information Assurance Capability/Technology Roadmap
Version 1.0 (Final Draft)
26 October 2004
Prepared by: IA Architecture Office (I11)

(U) TABLE OF CONTENTS

Section  Title ... Page

(U) Revision History ... xv
(U) Executive Summary ... I
1 (U) Introduction ... 1-1
  1.1 (U) Purpose ... 1-1
  1.2 (U) Scope ... 1-2
  1.3 (U) Approach ... 1-2
2 (U) IA System Enablers and their Technologies ... 2-1
  2.1 (U) Identification and Authentication ... 2.1-1
    2.1.1 (U) GIG Benefits due to I&A ... 2.1-2
    2.1.2 (U) I&A: Description ... 2.1-2
    2.1.3 (U) I&A: Technologies ... 2.1-4
      2.1.3.1 (U) Authentication Tokens ... 2.1-5
      2.1.3.2 (U) Biometrics ... 2.1-15
      2.1.3.3 (U) Device/Service Authentication ... 2.1-25
      2.1.3.4 (U) Authentication Protocols ... 2.1-35
      2.1.3.5 (U) Authentication Confidence ... 2.1-43
      2.1.3.6 (U) Single Sign-On ... 2.1-46
    2.1.4 (U) I&A Gap Analysis ... 2.1-59
    2.1.5 (U) Identification and Authentication: Recommendations and Timelines ... 2.1-62
  2.2 (U) Policy-Based Access Control ... 2.2-1
    2.2.1 (U) GIG Benefits due to Policy-Based Access Control ... 2.2-2
    2.2.2 (U) Policy-Based Access Control: Description ... 2.2-2
      2.2.2.1 (U) Core RAdAC Functions ... 2.2-2
      2.2.2.2 (U) Assured Metadata and Data Describing Enterprise Elements ... 2.2-4
      2.2.2.3 (U) Digital Access Control Policy ... 2.2-5
      2.2.2.4 (U) IA Enabler Dependencies ... 2.2-6
    2.2.3 (U) Policy-Based Access Control: Technologies ... 2.2-6
      2.2.3.1 (U) Core RAdAC ... 2.2-7
      2.2.3.2 (U) Assured Metadata ... 2.2-15
      2.2.3.3 (U) Digital Access Control Policy ... 2.2-40
    2.2.4 (U) Distributed Policy-Based Access Control: Gap Analysis ... 2.2-44
      2.2.4.1 (U) Core RAdAC: Gap Analysis ... 2.2-44
      2.2.4.2 (U) Assured Metadata: Gap Analysis ... 2.2-46
      2.2.4.3 (U) Digital Access Control Policy: Gap Analysis ... 2.2-49
    2.2.5 (U) Policy-Based Access Control: Recommendations and Timelines ... 2.2-50
  2.3 (U) Protection of User Information ... 2.3-1
    2.3.1 (U) GIG Benefits Due to Protection of User Information ... 2.3-2
    2.3.2 (U) Protection of User Information: Description ... 2.3-3
    2.3.3 (U) Protection of User Information: Technologies ... 2.3-7
      2.3.3.1 (U) Technologies for Protecting Data-at-Rest ... 2.3-8
      2.3.3.2 (U) Technologies for Protecting Data-in-Transit ... 2.3-10
      2.3.3.3 (U) Trusted Platforms ... 2.3-87
      2.3.3.4 (U) Trusted Applications ... 2.3-98
      2.3.3.5 (U) Cross Domain Solution Technologies ... 2.3-106
      2.3.3.6 (U) Non-Repudiation ... 2.3-116
    2.3.4 (U) Protection of User Information: Gap Analysis ... 2.3-126
    2.3.5 (U) Protection of User Information: Recommendations and Technology Timelines ... 2.3-130
      2.3.5.1 (U) Data-in-Transit ... 2.3-130
      2.3.5.2 (U) Cross Domain Solutions ... 2.3-132
  2.4 (U) Dynamic Policy Management ... 2.4-1
    2.4.1 (U) GIG Benefits due to Dynamic Policy Management ... 2.4-2
    2.4.2 (U) Dynamic Policy Management: Description ... 2.4-2
    2.4.3 (U) Dynamic Policy Management: Technologies ... 2.4-6
      2.4.3.1 (U//FOUO) Development of Policies ... 2.4-6
      2.4.3.2 (U) Distribution of Policies ... 2.4-22
      2.4.3.3 (U) Policy Management Architectures ... 2.4-29
    2.4.4 (U) Dynamic Policy Management: Gap Analysis ... 2.4-31
    2.4.5 (U) Dynamic Policy Management: Recommendations and Timelines ... 2.4-33
      2.4.5.1 (U) Standards ... 2.4-33
      2.4.5.2 (U) Technology ... 2.4-34
      2.4.5.3 (U) Infrastructure ... 2.4-34
  2.5 (U) Assured Resource Allocation ... 2.5-1
    2.5.1 (U) GIG Benefits of Assured Resource Allocation ... 2.5-3
    2.5.2 (U) Assured Resource Allocation: Description ... 2.5-3
    2.5.3 (U) Technologies ... 2.5-5
      2.5.3.1 (U//FOUO) IA Policy-Based Routing ... 2.5-6
      2.5.3.2 (U//FOUO) Operational-Based Resource Allocation ... 2.5-17
      2.5.3.3 (U//FOUO) Integrity of Network Fault Monitoring/Recovery and Integrity of Network Management & Control ... 2.5-26
    2.5.4 (U) Assured Resource Allocation: Gap Analysis ... 2.5-38
    2.5.5 (U) Assured Resource Allocation: Recommendations and Technology Timelines ... 2.5-40
  2.6 (U) Network Defense and Situational Awareness ... 2.6-1
    2.6.1 (U) GIG Benefits due to Network Defense and Situational Awareness ... 2.6-2
    2.6.2 (U) Network Defense and Situational Awareness: Description ... 2.6-3
    2.6.3 (U) Network Defense and Situational Awareness: Technologies ... 2.6-8
      2.6.3.1 (U) Protect Technologies ... 2.6-9
      2.6.3.2 (U) Deception Technologies ... 2.6-14
      2.6.3.3 (U) Situational Awareness ... 2.6-21
      2.6.3.4 (U) Network Mapping ... 2.6-26
      2.6.3.5 (U) Intrusion Detection Systems ... 2.6-30
      2.6.3.6 (U) Intrusion Prevention Systems (IPSs) ... 2.6-37
      2.6.3.7 (U) User Activity Profiling ... 2.6-39
      2.6.3.8 (U) Cyber Attack Attribution ... 2.6-44
      2.6.3.9 (U) Correlation Technologies ... 2.6-49
      2.6.3.10 (U) CND Response Actions ... 2.6-54
      2.6.3.11 (U) Automated IAVA Patch Management ... 2.6-58
    2.6.4 (U) Network Defense and Situational Awareness: Gap Analysis ... 2.6-63
    2.6.5 (U) Network Defense and Situational Awareness: Recommendations and Timelines ... 2.6-66
      2.6.5.1 (U) Standards ... 2.6-66
      2.6.5.2 (U) Technology ... 2.6-66
      2.6.5.3 (U) Infrastructure ... 2.6-69
      2.6.5.4 (U) Technology Timelines ... 2.6-69
  2.7 (U) Management of IA Mechanisms and Assets ... 2.7-1
    2.7.1 (U) GIG Benefits due to Management of IA Mechanisms and Assets ... 2.7-1
    2.7.2 (U) Management of IA Mechanisms and Assets: Description ... 2.7-1
      2.7.2.1 (U) Identity Management ... 2.7-2
      2.7.2.2 (U) Privilege Management ... 2.7-5
      2.7.2.3 (U) Key Management ... 2.7-9
      2.7.2.4 (U) Certificate Management ... 2.7-11
      2.7.2.5 (U) Configuration Management of IA Devices and Software ... 2.7-14
      2.7.2.6 (U) Inventory Management ... 2.7-16
      2.7.2.7 (U) Compromise Management of IA Devices ... 2.7-16
      2.7.2.8 (U) Audit Management ... 2.7-17
    2.7.3 (U) Management of IA Mechanisms & Assets: Technologies ... 2.7-18
      2.7.3.1 (U) Identity Management ... 2.7-18
      2.7.3.2 (U) Privilege Management ... 2.7-26
      2.7.3.3 (U) Key Management ... 2.7-33
      2.7.3.4 (U) Certificate Management ... 2.7-49
      2.7.3.5 (U) Configuration Management of IA Devices and Software ... 2.7-59
      2.7.3.6 (U) Inventory Management ... 2.7-68
      2.7.3.7 (U) Compromise Management of IA Devices ... 2.7-76
      2.7.3.8 (U) Audit Management ... 2.7-82
    2.7.4 (U) Management of IA Mechanisms & Assets: Gap Analysis ... 2.7-93
      2.7.4.1 (U) Identity Management ... 2.7-96
      2.7.4.2 (U) Privilege Management ... 2.7-96
      2.7.4.3 (U) Key Management ... 2.7-97
      2.7.4.4 (U) Certificate Management ... 2.7-97
      2.7.4.5 (U) Configuration Management of IA Devices and Software ... 2.7-98
      2.7.4.6 (U) Inventory Management ... 2.7-99
      2.7.4.7 (U) Compromise Management of IA Devices ... 2.7-99
      2.7.4.8 (U) Audit Management ... 2.7-99
    2.7.5 (U) Management of IA Mechanisms and Assets: Recommendations and Timelines ... 2.7-100
      2.7.5.1 (U) Standards ... 2.7-100
      2.7.5.2 (U) Technology ... 2.7-101
      2.7.5.3 (U) Infrastructure ... 2.7-101
3 (U) Summary ... 3-1
  3.1 (U//FOUO) Assured Information Sharing Summary ... 3.1-3
    3.1.1 (U) Identification and Authentication Technologies ... 3.1-3
    3.1.2 (U) Access Control and Data Labeling Technologies ... 3.1-5
    3.1.3 (U) Cross-Domain Technologies ... 3.1-7
    3.1.4 (U) Trusted Platform Technologies ... 3.1-9
  3.2 (U) Highly Available Enterprise Summary ... 3.2-11
    3.2.1 (U//FOUO) IA Policy-Based Routing for Mobile/Tactical Environments Technologies ... 3.2-11
    3.2.2 (U) End-to-End Resource Allocation Technologies ... 3.2-12
    3.2.3 (U//FOUO) Edge-to-Edge Boundary Protection Technologies ... 3.2-13
    3.2.4 (U) Secure Voice Technologies ... 3.2-13
    3.2.5 (U) Enforcement of QoP in Transit Technologies ... 3.2-14
    3.2.6 (U//FOUO) Protection of High Risk Link Technologies ... 3.2-14
  3.3 (U) Assured Enterprise Management and Control Summary ... 3.3-15
    3.3.1 (U) Identity Management Technologies ... 3.3-16
    3.3.2 (U) Inventory Management Technologies ... 3.3-16
    3.3.3 (U) Privilege Management Technologies ... 3.3-17
    3.3.4 (U) Key Management Technologies ... 3.3-18
    3.3.5 (U) Certificate Management Technologies ... 3.3-19
    3.3.6 (U) Configuration Management Technologies ... 3.3-20
    3.3.7 (U) Policy Management Technologies ... 3.3-20
    3.3.8 (U) Audit Management Technologies ... 3.3-22
    3.3.9 (U) Confidentiality & Integrity of Network Management & Control Technologies ... 3.3-23
  3.4 (U) Cyber Situational Awareness and Network Defense Summary ... 3.4-24
    3.4.1 (U) Protection Technologies ... 3.4-25
    3.4.2 (U) Monitoring Technologies ... 3.4-25
    3.4.3 (U) Detection Technologies ... 3.4-26
    3.4.4 (U) Analysis Technologies ... 3.4-28
    3.4.5 (U) Response Technologies ... 3.4-29
4 (U) Acronyms and Abbreviations ... 4-1

Appendices
(U//FOUO) Appendix A: Mapping of Technologies to IA System Enablers ... A-2
(U//FOUO) Appendix B: TV-1 for IA ... A-6
(U//FOUO) Appendix C: TV-2 for IA ... A-23

(U) LIST OF FIGURES

Figure  Title ... Page

Figure 1.3-1: (U) GIG Mission Concepts, IA Cornerstones, and IA System Enablers ... 1-3
Figure 1.3-2: (U) Iterative Development of the GIG IA Capability/Technology Roadmap ... 1-5
Figure 2.1-1: (U) Examples of Time-Driven Hardware Tokens ... 2.1-6
Figure 2.1-2: (U) DoD Common Access Card ... 2.1-10
Figure 2.1-3: (U) Example of a Hybrid Device ... 2.1-14
Figure 2.1-4: (U) Biometric System Block Diagram ... 2.1-15
Figure 2.1-5: (U) Network Authentication Framework ... 2.1-37
Figure 2.1-6: (U) Device Authentication Framework ... 2.1-37
Figure 2.1-7: (U) Centralized Architecture for Single Sign-On ... 2.1-48
Figure 2.1-8: (U) Federated Kerberos-Based Single Sign-On ... 2.1-50
Figure 2.1-9: (U) Federated PKI-Based Single Sign-On ... 2.1-51
Figure 2.1-10: (U) Federated SAML-Based Single Sign-On ... 2.1-52
Figure 2.2-1: (U) RAdAC Functional Model ... 2.2-3
Figure 2.2-2: (U) Codifying the Net-Centric Data Strategy ... 2.2-22
Figure 2.2-3: (U) Encapsulation Notional Diagram ... 2.2-38
Figure 2.2-4: (U) Policy-Based Access Control Gap Closure Timelines ... 2.2-51
Figure 2.3-1: (U) Context of Non-Real-Time Application Security ... 2.3-11
Figure 2.3-2: (U) Layered Protocol Wrapping Concept ... 2.3-12
Figure 2.3-3: (U) CMS Supports S/MIME and Other Secure Applications ... 2.3-16
Figure 2.3-4: (U) TLS Handshake Protocol ... 2.3-23
Figure 2.3-5: (U) Model for Web Services Security ... 2.3-30
Figure 2.3-6: (U) FNBDT Location in Network Protocol Stack ... 2.3-33
Figure 2.3-7: (U) Packet Jitter Mitigation Process ... 2.3-35
Figure 2.3-8: (U//FOUO) FNBDT Frame Structure for Signaling Reliability and Reliable

