Tech Trend Notes
Preview of Tomorrow's Information Technologies
Volume 9, Edition 4, Fall 2000
NetTop
Commercial Technology in High Assurance Applications
By Robert Meushaw and Donald Simard
Introduction

The decade of the nineties has been particularly challenging for the National Security Agency's Information Assurance mission. The gradual but accelerating changeover from government produced technologies to commercial products and services has seriously eroded our ability to protect information processed by the national security community. Numerous government programs intended to produce high assurance data systems and workstation platforms have been largely unsuccessful, and the buying power of the government has not commanded the attention of the IT industry. The historical flow of technology from government to industrial and home users has largely been reversed. We often find technologies that are more sophisticated in our homes earlier than in our government workspaces. The shortcomings of our information assurance technologies are further evidenced by the shift of R&D resources away from protection and into detection and response initiatives.

To address these issues, during the summer of 1999 the NSA Advisory Board (NSAAB) reviewed the Information Systems Security Organization's (ISSO) commercial-off-the-shelf (COTS) strategy. The board acknowledged the need to provide the functionality and the feel of familiar COTS technology to our users, but they believed that we would not be able to influence the security of COTS technology for high assurance applications. The board challenged the Information Assurance Research Office to initiate a project to develop architectures that would allow COTS technology to be used safely in high assurance applications.

A Tiger Team was assembled for a one-year effort to develop an architectural approach to allow the safe use of COTS in sensitive Government applications. The user should see a familiar interface, e.g., Microsoft Windows Operating System (OS) and off-the-shelf application software, but achieve the assurance needed for DoD use. The NSAAB suggested that one or more government-off-the-shelf (GOTS) components be included, preferably as plug-ins; and their removal should allow the system to be used as a normal COTS machine. The notion of a "Vault" was introduced as an Internet accessible, protected enclave that would provide high assurance services to connected user machines.

The results of the Tiger Team effort are a proof-of-concept architecture and a set of components that are referred to as NetTop. The remainder of this article will describe the concept and technical approach used in the architecture, identify several investigated applications, and suggest future capabilities.

User Requirements

The ISSO's customers have long identified shortcomings with the security technology that was available to them. One significant concern is that their workspaces are cluttered with computer equipment to support access to multiple networks of differing sensitivity. Dealing with this duplication of equipment has long been a problem, since there is no single system that can support all of their access needs. A second concern is that government developed security solutions have often been incompatible with other standards-based IT products, which has significantly complicated the interfacing and upgrading of system components. The cost and complexity of network management is also a steadily growing issue, particularly in times of declining resources and mounting security concerns over the outsourcing of support. Our customers also need the ability to move data across isolated networks in order to perform their daily tasks, and the techniques to make such transfers efficient and safe. Finally, the increased importance placed on coalition operations brings new challenges for technology to securely support these operations. The architecture of the NetTop prototype suggests a near-term approach that can provide a useful and practical set of capabilities to satisfy these needs.

Fall 2000 Research & Advanced Technology Publication 1
An Initial Capability

To begin the development of the NetTop architecture, a modest, initial capability was sought. Opportunely, the ISSO's System Solutions Group identified an Internet-based version of the Remote Access Security Program (RASP) system as an excellent prospect. The RASP provides secure remote access to a host computer over a dial-up connection, and includes a laptop computer and a specially developed encrypting modem to protect the communications link. Many customers have requested a similar capability for remote network connectivity, but using Internet connections through a local Internet Service Provider (ISP), i.e., use the public data network rather than the public voice network. The ability to provide a secure, remote connection over the Internet to a secure enclave was selected as the initial NetTop goal.

An architecture that can achieve this capability has been known for some time. It typically includes an end-user workstation, an in-line encryptor, and possibly a filtering router or firewall to connect to the Internet. Commercially, such solutions are known as Virtual Private Networks (VPN). Figure 1 depicts a typical VPN client configuration. This system configuration would provide the required functionality, but it would be cumbersome and expensive for a mobile user.

Figure 1 - Typical Virtual Private Network Client Configuration

Recycling Technology

The requirement that NetTop users see a familiar COTS computer desktop environment was taken as a fundamental precept of the architecture. One consequence of this approach is that for high assurance applications, the end-user environment must be presumed to be untrustworthy, and the NetTop architecture must protect against potentially hostile behavior.

In order to place limitations upon a potentially malicious component, we explored the concept of encapsulation to constrain the behavior of the end-user operating system and application software. The method selected for encapsulating the OS was based upon a 30-year-old technology, Virtual Machine Monitors (VMM). VMM technology was designed and developed in the era of large IBM mainframe computers, and was intended to help extend the life of legacy software, when improved hardware or OS software was released. In essence, a VMM was a software system that ran directly on the computer hardware, and allowed multiple operating systems to be installed on top of it. By running older OS versions in some virtual machines, legacy software could be run, while newer application software could be executed in VMs running more current OS versions.

Commodity VMMs

During the NetTop design discussions, we identified a new commercial product, VMware, that provided a practical VMM capability. The VMware product is a spin-off of DARPA-sponsored research at Stanford University, and is generally used for providing a safe test environment for OS and networking software.

There were several novel capabilities of VMware that made it attractive for use in NetTop. First, it was designed for efficient operation on Intel x86 platforms rather than on large mainframe computers, which made it suitable for use on commonplace personal computers, workstations, and laptops. Next, VMware operates on top of an underlying host OS rather than directly on the system hardware. VMMs that run directly on hardware have been studied previously under Project Neptune for their use in securing systems. A Neptune type of VMM would face the enormous challenge of keeping pace with changes in the underlying hardware platform. VMware takes advantage of the host
OS's need to track these changes. This is a much more practical approach, and would be particularly important to produce a GOTS VMM for NetTop. Lastly, VMware provides an abstraction for "virtual Ethernet hubs." This capability allows virtual machines to be interconnected in a fashion that is well understood by network designers and administrators.

A Network on a Desktop

Using VMware, the initial NetTop system was constructed using a powerful laptop computer. The operating system chosen for the host OS was Redhat Linux Version 6.2. Three virtual machines networked by two virtual hubs were installed on top of the host OS, providing an in-line configuration of three machines comprising (1) an end-user Windows NT machine, (2) an encrypting machine using IPSec, and (3) a Filtering Router (FR) machine. Both the VPN and FR were hosted on VMs running the Linux operating system. Figure 2 displays the initial NetTop prototype configuration.

Figure 2 - Simple NetTop System Configuration

The initial NetTop configuration demonstrates a number of important capabilities. It encapsulates the unmodified, end-user Windows operating system in a VM. An important characteristic of this approach is that the encryption can be provided as an in-line function that cannot be bypassed by malicious actions of the end-user OS or application software. Rudimentary protection from network attacks is provided through a filtering router. Any of the individual virtual machines can be replaced or upgraded with standards-based components. The interconnection of the virtual machines is based upon familiar TCP/IP networking. Finally, a single platform replaces several traditional components, thereby reducing hardware and maintenance costs. An important side benefit is that the architecture makes no assumptions about the communications technology used to connect the external network. The user is free to select the desired technology, including dial-up, Ethernet, ATM, wireless, etc.

Figure 3 - NetTop Logical Configuration

The basic NetTop configuration provides the same functionality as three separate hardware platforms. Each virtualized component should operate identically to its real-world counterpart with "bug for bug compatibility." The simple NetTop configuration was successfully connected across the Internet to a simulated, secure enclave on an unclassified NSA network, using both dial-up
and cable modem connections. Such a configuration could have all of the capabilities of a locally connected machine, including the ability to connect to the Internet, if permitted within the enclave. Figure 3 illustrates a NetTop logical configuration.

Multiple Security Levels

A natural extension to the first prototype was the addition of other VMs to provide increased functionality. The second version of the NetTop prototype included another Windows NT machine connected directly to the filtering router as shown in Figure 4. This machine allows a user to access the Internet directly. This extended prototype suggests a powerful feature of the NetTop architecture - the ability to replace multiple end-user workstations within a single, hardware platform. In theory, multiple user connections to networks of differing sensitivity could be provided using multiple VPNs. This environment provides Multiple (single) Security Level (MSL) capability rather than true Multi-Level Security, but still addresses an important customer need.

Figure 4 - NetTop Multiple Security Level Configuration

Another configuration for an MSL system is shown in Figure 5, where two isolated VM workstations are connected to two different networks through two network interface cards. Since the network connections are already physically isolated, encrypted communication tunnels are not needed. This type of NetTop configuration may be appropriate to replace multiple end user workstations, when separate communications infrastructures are already available.

Figure 5 - NetTop Dual Network MSL Configuration

Thin-Client VMs

While the VMs described so far have been fully configured Windows or Linux systems, there is nothing preventing a VM from being a "thin client." In fact, there may be reasons why a thin-client would be preferable. For example, if the Windows NT in Figure 4 was installed as a "display only" thin-client, all classified files could be kept on a remote server in a protected enclave. This configuration increases assurance, since the NetTop device contains minimal sensitive information.

Assurance

Despite the functional and cost advantages that the NetTop architecture described above may offer to some users, its usefulness will depend upon its ability to withstand determined attacks from the external network and from malicious end-user software. The most sensitive applications may require additional protection against compromising system failures. While NetTop attempts to deal with insecurities that may be caused by user errors, no attempt has been made to thwart malicious insiders. As a practical matter, it should only be necessary to demonstrate that a NetTop configuration provides the same degree of
security as the separate network components that it replaces. If this can be achieved, then the basic architectural approach is validated.

A number of approaches have been identified to increase the assurance of the NetTop architecture. The critical aspect of the architecture that must be validated is the ability of the VMM/Host OS combination to sufficiently isolate the various NetTop components. Our approach to dealing with security in the underlying host is to use a Trusted Linux OS prototype that has been developed under the IARO's OS Security research program. Trusted Linux incorporates flexible access control mechanisms. In order to bolster the inherent isolation provided by the VMM, a tailored security policy has been developed for the Trusted Linux host. The VMM/Trusted Linux combination will be evaluated further during an internal "red team" exercise to assess the degree of isolation it provides.

The Trusted Linux prototype is also envisioned for use as the guest OS in the VPN and Filtering Router VMs. It is likely that a substantially reduced Trusted Linux OS could be configured to support each VM. In each case, specific security policies need to be tailored to support the limited functionality of each machine. The particular encryption and filtering router products selected could be from National Information Assurance Partnership approved lists or specially developed GOTS components.

Figure 6 - NetTop Improved Assurance Configuration

Another critical component of the underlying host platform is the BIOS function that controls the initial boot-up process, and its ability to arrive at a secure initial state. Vulnerabilities in the BIOS have long been identified as the "Achilles' heel" of computer systems. Work presently underway to develop a robust, trusted BIOS should be incorporated into any high assurance NetTop system.

Failure Checking

Even a minimal NetTop configuration will be an extremely complex hardware and software system. It will not likely be amenable to the forms of failure analysis historically used for NSA high assurance systems. While it might seem that significant failures in a NetTop device would result in complete system shutdown, sensitive applications will require more rigorous assurance arguments. Lacking failure detection support in the workstation platform, an approach using a type of "dead man's switch" has been developed to limit failure effects by severing external NetTop communications.

In order to make an effective argument for the correct operation of a failure checking mechanism, hardware and software must be completely independent of the system being checked. A Dallas Semiconductor Tiny InterNet Interface (TINI) embeddable computer was networked to the in-line Network Encryptor machine, and was programmed to use a simple network "ping" to the VPN machine as a health check. If no response was received, the Internet connection was interrupted. A more robust health check could include a more complex set of tests to gain increased assurance that the NetTop device is working properly. The tests could include challenge/response exchanges with a Failure Detection Server in the protected enclave. A dead-man switch of this type may be suitable for a GOTS plug-in component for high assurance applications. The
failure detection approach is shown in Figure 7.

Figure 7 - Dead-Man Switch Architecture

Moving Data Safely

Many organizations require the ability to move information between networks of differing security levels. A common operation involves downgrading information from highly classified to lower classified systems, but increasingly, information is imported from the Internet into classified systems. In the first case, it is essential that classified information not be compromised, while in the second, a primary concern is the protection of the classified host from malicious content.

The VMware product includes a capability to copy and paste data between VMs via a clipboard. This feature does not include sufficient safeguards for use in a high assurance NetTop system. In order to provide a more trusted copy/paste function, a new capability, dubbed a "Regrader," was developed. This capability includes a protocol for performing the regrade operation, as well as a "Regrade Server" that provides a trusted network service. By making the regrade operation a centralized service, a number of advantages are gained. First, consistency in the regrade operation can be achieved. Second, it would be possible to develop and enforce a regrade policy that specified the conditions under which each user could perform regrade operations. The regrade operation could include "sanitization" functions to deter the transfer of covert or malicious content. Finally, an audit log could be maintained and monitored for suspicious activity. Figure 8 depicts the protocol exchange between the Regrade Server and two hosts of different security levels. A trusted user token is employed in a challenge/response exchange with the trusted server in order to safeguard against untrusted OS behavior.

Figure 8 - Regrade Server Protocol

Coalition Support

The paradigm of virtual machines creates abstractions of physical computers. Each VM is composed of a set of files that embody a hardware/software system. This set of files can be copied from one physical machine to another. Given the portability of VMs, there is no inherent reason why a VM, or set of VMs, could not be electronically transferred. It is possible for a NetTop device to become a member of a coalition by downloading an appropriately configured VM over a secured communications channel. The set of VMs in each coalition would constitute a VPN, and would not be able to communicate directly with VMs in other coalitions. Cross-coalition communication is performed using
a variation of the Regrade Server previously described. For some coalitions, it might be useful to distribute application specific VMs, such as a secure Voice-over-IP machine. A centralized Coalition Management Server could be used to manage the configuration and distribution of VMs to coalition members. The essence of NetTop's coalition support is its ability to distribute virtual systems electronically. Figure 9 displays a hypothetical situation in which four organizations participate in four data coalitions and two voice coalitions. A simple capability to demonstrate electronic distribution of VMs is under development.

Figure 9 - NetTop Coalition Concept

Additional Capabilities

A number of useful capabilities are included in the prototypes that were not described in the NetTop overview. The entire file system on the hard disk is encrypted in order to protect against compromise if the machine is lost or stolen. The "International Patch" for Linux was installed, which provides software encryption capabilities and services under the control of the Trusted Linux host OS. The hard disk encryption is transparent to all VMs. Additionally, this disk encryption cannot be corrupted or bypassed by a VM. A process was developed that uses a floppy disk and a user entered PIN to "bootstrap" the decryption and loading of system files from the hard disk. During normal operation, all disk files, including temporary files, are stored encrypted on the hard disk.

The hardware virtualization provided by the VMM also provides a capability to alter the operation of the hard disks seen by each VM. In one mode, all changes made to a VM's hard disk are discarded when it is powered down. This may be useful in the operation of the IPSec and FR machines by preventing permanent changes to the system if a successful attack did occur. Any changes would be lost when the VM was restarted, which would force an adversary to repeat the attack.

Performance

Real-world performance determines any technology's acceptance. NetTop's architecture includes a lot of functionality in a single hardware platform, yet the performance is quite acceptable. The laptop computer used in the prototype includes a 500 MHz Pentium III processor and 384 MB of memory. The VMware VMM is surprisingly modest in its effect upon the performance of a VM, and only a slight degradation is noticed. As more VMs are introduced, more serious performance degradation is noticed, but can be minimized with additional memory. The 384-MB configuration of the NetTop prototype shown in Figure 4 was sufficient to support the Linux host and four guest VMs - two Windows NT machines for the end-user terminals and two Linux machines for the in-line Network Encryptor and Filtering Router. Overall, the performance of the NetTop prototype is quite satisfactory, and easily keeps pace with a high-speed, cable modem connection. Continuing enhancements in hardware performance will only improve its performance.
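The hub-and-VM wiring of Figures 2 and 5 (section "A Network on a Desktop" and "Multiple Security Levels") can be checked mechanically for the two isolation properties the text relies on: the user VM reaches the Internet only through the in-line IPSec VM, and the two MSL workstations of Figure 5 have no path to each other. The following is an added Python example, not NetTop's own code; the node, hub and interface names are constructed, and it also shows that a mis-wired extra interface on the user VM would be caught.

```python
import copy
from collections import deque

# Figure 2 wiring: user NT -> hubA -> IPSec VM -> hubB -> filtering router
# -> physical NIC -> Internet. Each node lists its interfaces; each hub lists
# the interfaces plugged into it. A node with two interfaces forwards between
# them, which is what the IPSec VM and the FR do. All names are constructed.
FIGURE2 = {
    "nodes": {
        "user_nt": ["nt0"],
        "ipsec_vm": ["ipsec0", "ipsec1"],
        "filtering_router": ["fr0", "fr1"],
        "internet": ["ext0"],           # far side of the physical NIC
    },
    "hubs": {
        "hubA": ["nt0", "ipsec0"],
        "hubB": ["ipsec1", "fr0"],
        "physical": ["fr1", "ext0"],
    },
}

# Figure 5 wiring: two isolated user VMs, each on its own NIC and network.
FIGURE5 = {
    "nodes": {"user_a": ["a0"], "user_b": ["b0"],
              "net_a": ["na0"], "net_b": ["nb0"]},
    "hubs": {"nic0": ["a0", "na0"], "nic1": ["b0", "nb0"]},
}


def _owner(topo, iface):
    """Node that owns interface `iface`."""
    for node, ifaces in topo["nodes"].items():
        if iface in ifaces:
            return node
    raise KeyError("unattached interface " + iface)


def neighbours(topo, node):
    """Nodes that share at least one hub with `node`."""
    out = set()
    for iface in topo["nodes"][node]:
        for members in topo["hubs"].values():
            if iface in members:
                out.update(_owner(topo, m) for m in members if m != iface)
    out.discard(node)
    return out


def reachable(topo, src, blocked=frozenset()):
    """Breadth-first search from `src`; nodes in `blocked` are never entered."""
    seen, queue = {src}, deque([src])
    while queue:
        cur = queue.popleft()
        for nxt in neighbours(topo, cur):
            if nxt not in seen and nxt not in blocked:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def must_traverse(topo, src, dst, via):
    """True if `dst` is reachable from `src`, but only by passing through `via`."""
    return dst in reachable(topo, src) and dst not in reachable(topo, src, {via})


def isolated(topo, a, b):
    """True if no path exists between nodes `a` and `b`."""
    return b not in reachable(topo, a)


def with_extra_interface(topo, node, iface, hub):
    """Copy of `topo` in which `node` gains `iface` plugged into `hub`.

    Models a mis-wiring: a second interface on the user VM that lands on hubB
    would give it a path around the encryptor, and must_traverse() reports it.
    """
    t = copy.deepcopy(topo)
    t["nodes"][node].append(iface)
    t["hubs"][hub].append(iface)
    return t
```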
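The dead-man switch of the Failure Checking section, as an added Python example rather than the prototype's TINI program: the monitor counts consecutive failed health checks, severs the external link, and stays down until an operator resets it. The probe is a callable so the logic runs offline; `SHARED_KEY`, `SERVER_ID` and the responder functions are constructed, and the HMAC challenge/response probe is one way to realise the "more robust" check against a Failure Detection Server that the text suggests.

```python
import hashlib
import hmac
import os

SHARED_KEY = b"constructed-demo-key"      # provisioned out of band in a real deployment
SERVER_ID = b"failure-detection-server"   # constructed identity of the enclave server


class DeadManSwitch:
    """Severs the external link after `max_misses` consecutive failed checks.

    Runs on hardware independent of the NetTop platform (a TINI board in the
    prototype). Once tripped it stays down until reset() is called by an
    operator: it must never recover by itself, otherwise an intermittent
    fault, or an adversary prepared to wait, would simply ride it out.
    """

    def __init__(self, probe, max_misses=3):
        self.probe = probe            # callable returning True when healthy
        self.max_misses = max_misses
        self.misses = 0
        self.link_up = True

    def tick(self):
        """Run one monitoring interval; return the link state afterwards."""
        if not self.link_up:
            return False
        try:
            ok = bool(self.probe())
        except Exception:             # a crashing probe is a miss, never a pass
            ok = False
        self.misses = 0 if ok else self.misses + 1
        if self.misses >= self.max_misses:
            self.link_up = False      # sever external communications
        return self.link_up

    def reset(self):
        self.misses, self.link_up = 0, True


def simulate(probe_results, max_misses=3):
    """Drive a switch with a list of probe outcomes; return the link state per tick."""
    results = iter(probe_results)
    switch = DeadManSwitch(lambda: next(results), max_misses)
    return [switch.tick() for _ in probe_results]


def expected_response(key, node_id, challenge):
    """MAC the server should return: binds the fresh nonce to the server identity."""
    return hmac.new(key, node_id + b"|" + challenge, hashlib.sha256).digest()


def challenge_probe(key, node_id, responder):
    """Build a probe that passes only when `responder` returns a valid MAC.

    `responder` stands in for the round trip through the VPN tunnel to the
    Failure Detection Server: it takes the challenge bytes and returns the
    server's answer. A fresh nonce per check defeats replay of old answers, so
    a VPN machine that still answers ping but has lost its keys is detected.
    """
    def probe():
        challenge = os.urandom(16)
        answer = responder(challenge)
        if not isinstance(answer, (bytes, bytearray)):
            return False
        return hmac.compare_digest(bytes(answer), expected_response(key, node_id, challenge))
    return probe
```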
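A centralised regrade service with the four properties the Moving Data Safely section attributes to the Regrade Server (token challenge/response, per-user regrade policy, sanitisation, audit log), as an added Python example that is not the NetTop Regrader or its Figure 8 protocol. User names, token keys, the level labels and the sanitisation rules are constructed; the two hosts never exchange data directly, each talks only to the server.

```python
import hashlib
import hmac
import os

# Constructed demo values: the secret held inside each user's trusted token
# (never exposed to the host OS) and which (source, destination) moves each
# user may request.
TOKEN_KEYS = {"analyst": b"analyst-token-secret"}
POLICY = {"analyst": {("HIGH", "LOW")}}


def sanitize(payload, max_len=4096):
    """Admit only plain ASCII text; reject anything that could hide content.

    Returns (clean_text, "ok") or (None, reason). Whitespace is collapsed so
    that spacing patterns cannot carry a covert channel through the regrade.
    """
    if len(payload) > max_len:
        return None, "too-long"
    if not payload.isascii():
        return None, "non-ascii"
    if any(not (c.isprintable() or c in "\n\t") for c in payload):
        return None, "control-chars"
    return " ".join(payload.split()), "ok"


def token_respond(key, nonce):
    """What the user's token computes for a challenge; runs on the token itself."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


class RegradeServer:
    """Trusted network service through which every regrade request passes."""

    def __init__(self, token_keys, policy):
        self.token_keys = token_keys
        self.policy = policy
        self.audit = []          # (user, src, dst, outcome) for every request
        self._pending = {}       # outstanding nonce -> user

    def challenge(self, user):
        """Step 1 of the exchange: issue a fresh nonce for `user`'s token."""
        nonce = os.urandom(16)
        self._pending[nonce] = user
        return nonce

    def _verify(self, user, nonce, response):
        # A nonce is consumed on first use, so a response captured by an
        # untrusted OS cannot be replayed for a second regrade.
        if self._pending.pop(nonce, None) != user:
            return False
        key = self.token_keys.get(user)
        if key is None or not isinstance(response, (bytes, bytearray)):
            return False
        return hmac.compare_digest(token_respond(key, nonce), bytes(response))

    def regrade(self, user, nonce, response, src, dst, payload):
        """Steps 2-4: authenticate, apply policy, sanitise, and audit.

        Returns (True, cleaned_payload) on success or (False, reason).
        """
        if not self._verify(user, nonce, response):
            return self._record(user, src, dst, "auth-failed")
        if (src, dst) not in self.policy.get(user, set()):
            return self._record(user, src, dst, "policy-denied")
        clean, why = sanitize(payload)
        if clean is None:
            return self._record(user, src, dst, "sanitize-" + why)
        self._record(user, src, dst, "accepted")
        return True, clean

    def _record(self, user, src, dst, outcome):
        self.audit.append((user, src, dst, outcome))
        return False, outcome
```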
Future Development

The NetTop proof-of-concept has demonstrated an architecture that appears to have significant promise for information assurance applications. In its current form, however, it is unsuitable for widespread use and requires considerable refinement. Our research has uncovered a number of shortcomings in current technology that need to be addressed. Additionally, important topics still must be investigated. Areas requiring further development are:

· Identification & Authentication Architecture
· Biometric activation technique
· Key & certificate management
· Filtering Router management
· Un-spoofable labels for MSL windows
· Trusted VM switching mechanism
· Installation & configuration wizards
· IPSec modifications for NetTop protocols
· User friendly interfaces

The set of capabilities identified as NetTop extensions - Failure Detection Server, Regrade Server, and Coalition Management Server - suggests an expansion of the security services typically considered as part of a Security Management Infrastructure. The integration of these services with traditional key and certificate management services may deserve a separate investigation to develop a concept for a more comprehensive security infrastructure.

Development of the NetTop prototype is continuing. Some of the concepts previously described including a Regrade Server, thin-clients, and coalition support will be integrated as each is developed.

Conclusion

The Information Assurance Research Office has responded to the NSA Advisory Board's challenge with the NetTop proof-of-concept. The novel architecture builds upon COTS technology, fortifies it with GOTS components, and provides a combination with the potential to be securely used for sensitive applications. It also addresses other important concerns, and provides a framework for useful extensions. NetTop depends heavily upon the isolation capabilities provided by the Trusted Linux/VMM combination. The robustness of the approach still requires a comprehensive security evaluation.

A very simple NetTop configuration with only one user Virtual Machine can provide a very useful feature - media encryption - which could not otherwise be done with a high-level of confidence. Since the host operating system does not run applications software, it is protected from virus attacks and other malicious software that might corrupt the user VM. With the media encryption function embedded in the host OS, all of the files on the hard disk can be encrypted transparently to the user OS. The user OS cannot bypass the cryptography that is protecting the media.

Donald Simard is the Technical Director for the System and Network Attack Center and has been with the Agency since 1979. The majority of his work has been in the Information Systems Security Organization. He is a Master in the INFOSEC Technical Track and has a Masters Degree in Computer Science.

Robert Meushaw is Technical Director for the Information Assurance Research Office. He joined the Agency in 1973 with BS and MS degrees in Electrical Engineering. Mr. Meushaw had a long career in the Information Systems Security Organization prior to his current position. He is a Master in the Computer Systems Technical Track.