
Re: Field Variance Analysis



    Craig Metz writes:
	 I recall that you were mentioning IPSO. I seem to vaguely remember
	 that CISCOs can be set to add IPSO tags to outgoing packets. This
	 would seem to be something that could screw things up. Anyone recall
	 if this is the case?

And in fact, not only CAN they be configured to mess with IPSO,
CISCOs are shipped with a DEFAULT behaviour that allows only
unclassified BSO traffic through. To allow other IPSO (of the RFC1108
flavor) through you have to jump through hoops to figure out how to
configure the routers. And to this day I am not sure how to do that.

Someone obviously decided that this was proper behaviour to keep
classified data from accidentally being routed to unclassified networks,
but it makes deployment of classified networks an administrative
nightmare.

Now, having gotten that off my chest, I can get off my soapbox and 
try to add my 2 cents to the issue being discussed. 

The filtering of packets that do not meet a set of configured criteria,
such as the above, is an extreme case of (perhaps inappropriate) behaviour
on the part of a router, that can lead to connectivity problems. It relates
only tangentially to the more general issues of:

  a) Whether IPSO options should/may be modified by any router
  b) Whether IPSO options should be part of the authentication stream
  c) Whether the IPSO options should be included at all

The answer to (a) is yes in the most common deployed MLS (multi-level
security) configurations that I am aware of. In this case, however, 
the "router" in question is really an MLS gateway between networks
with differing security policies. It could, potentially, be something like
a CISCO configured to filter and add IPSO appropriately, but will often
be a B1 or B1/CMW or B2 evaluated MLS system. A configuration might
look something like this:

   Unclassified                                             Classified
   Single Level ---+ MLS     +---+ WAN +---+ MLS      +---+ Single Level
   Network           Gateway 1      +        Gateway 2      Network
                                    |
                                    |                                    
                                    |                                    
                                    +
                                  MLS +-----+ Multi-level
                                  Gateway 3   Network


In this case, the single level systems are assumed to be non-MLS systems
which generate and expect traffic with no IPSO. The MLS gateways add
IPSO with the appropriate classification and compartments before
putting it on the WAN. They strip the IPSO before forwarding packets
to the single level networks. 

The MLS gateway 3 probably just passes the IPSO on unmodified but here
there are also cases where the IPSO could be changed to reflect differing
policies. A case in point might be where the WAN has routers that only
pass RFC1108 BSO IPSO. In that case the ESO (compartments) would be
dropped before going out on the WAN.

The WAN is assumed to be a reliably authenticated, possibly encrypted,
and physically secure data link. In IPv4 this is presumably done with
special hardware. In IPv6, hopefully, the authentication features would
come into play. The caveat here of course would be that it is unlikely
that highly classified data would be routed over the big bad Internet
but certainly some of it could be. For example, unclassified and
confidential compartmented data could perhaps be routed over the Internet
with secret and top secret data going over the protected links.

So now on to (b). I see the following cases:

  1) The endpoint systems are IPv6 security aware (but not necessarily
     MLS) and do end-to-end authentication. Here, the answer is obviously
     that the IPSO CANNOT be part of the authentication stream, since the
     MLS gateways will be adding, stripping or possibly modifying them.

     This presents a problem to the gateways in that IPSO coming from
     the WAN cannot be authenticated and cannot be used reliably for
     routing/filtering decisions.

  2) The endpoint systems use unauthenticated IPv6 (or IPv4) possibly
     with IPSO in the case of the multi-level network. In this case
     the MLS gateways would add the authentication.

       (NOTE: I am assuming that this is possible. Can someone please
              tell me if it is so?)

     In this case, if we assume the routers on the WAN do not muck
     with the IPSO, the IPSO could and probably should be part of the
     authentication stream. This gives us assurance that the IPSO is what
     it says it is, but it still has the well-known flaw of putting up the
     bright red flag that says this is secured data worthy of analysis.

  3) We attempt to use the Security Association features of the 
     authentication mechanism. If the S/A is strictly end-to-end
     (is this TRUE?), then the answer is simple. The endpoint
     systems (even the single level ones in my diagram) become MLS aware
     to the extent that the S/A has an implied sensitivity level. The MLS
     gateways become simple routers, since they are presumably not privy
     to the S/A and cannot make routing decisions based on the
     sensitivity level.

Number (3) provides the best security and it works for deployment of new
programs with endpoint systems that use the latest technology. Unfortunately, 
in my experience, that is rarely the case. Usually, there is a VERRRYYYY 
long lag time between program inception and actual deployment and once 
deployed it is extremely difficult to inject updates. 

I suspect that the answer will probably be encapsulation, as suggested by 
Hillarie. I am not completely sure how it works in gory detail, but it seems
to be the only real answer in this type of configuration.

	/andy
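The option handling the message above describes, as an added example that is not code from the message, from Cisco, or from any MLS product: Python that parses and builds the IPv4 options area, encodes and decodes the RFC 1108 Basic Security Option, and implements the three gateway behaviours in the diagram (add IPSO on the way to the WAN, strip it towards a single-level network, drop the ESO for a WAN whose routers pass only BSO) together with the "unclassified only" router default complained about at the top. The option type codes and classification level values are those of RFC 1108; the ESO format code, the compartment bytes, the reading that protection authority flag octets are optional in a BSO, and the exact shape of the router default are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPOPT_EOL, IPOPT_NOP = 0, 1
IPOPT_BSO, IPOPT_ESO = 130, 133        # RFC 1108 Basic / Extended Security Option
MAX_OPTIONS_LEN = 40                   # IPv4 header tops out at 60 bytes (IHL = 15)

# Classification level codes from RFC 1108 section 2.1.
TOP_SECRET, SECRET, CONFIDENTIAL, UNCLASSIFIED = 0x3D, 0x5A, 0x96, 0xAB
# Protection authority flag bits of the first flags octet (RFC 1108); bit 0 of
# every flags octet is the "another flags octet follows" indicator.
PA_GENSER, PA_SIOP_ESI, PA_SCI, PA_NSA, PA_DOE = 0x80, 0x40, 0x20, 0x10, 0x08
ESO_FORMAT_CODE = 0x40   # ASSUMPTION: illustrative format code, not an assigned one
Option = Tuple[int, bytes]   # (type, value without its type/length octets)

def parse_options(buf: bytes) -> List[Option]:
    """Walk an IPv4 options area as TLVs; raise on any length that lies."""
    out: List[Option] = []
    i = 0
    while i < len(buf):
        t = buf[i]
        if t == IPOPT_EOL:
            break
        if t == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(buf):
            raise ValueError("option type without a length octet")
        length = buf[i + 1]
        if length < 2 or i + length > len(buf):
            raise ValueError(f"bad length {length} for option type {t}")
        out.append((t, bytes(buf[i + 2:i + length])))
        i += length
    return out

def build_options(opts: List[Option]) -> bytes:
    """Serialise TLVs, padding with EOL to the 32-bit boundary the IHL needs."""
    b = bytearray()
    for t, v in opts:
        b += bytes([t, len(v) + 2]) + v
    while len(b) % 4:
        b.append(IPOPT_EOL)
    if len(b) > MAX_OPTIONS_LEN:
        raise ValueError("options area exceeds 40 bytes")
    return bytes(b)

@dataclass(frozen=True)
class BSO:
    level: int
    authorities: int = 0   # flag bits of the first protection-authority octet

def encode_bso(b: BSO) -> bytes:
    # One protection-authority octet; bit 0 clear marks it as the last one.
    return bytes([b.level, b.authorities & 0xFE])

def decode_bso(v: bytes) -> BSO:
    if not v or v[0] not in (TOP_SECRET, SECRET, CONFIDENTIAL, UNCLASSIFIED):
        raise ValueError("missing or unknown classification level")
    flags = v[1:]   # ASSUMPTION: flag octets may be absent entirely
    # Every flags octet but the last must carry the continuation bit.
    if flags and (any((o & 1) == 0 for o in flags[:-1]) or flags[-1] & 1):
        raise ValueError("malformed protection authority flags")
    return BSO(v[0], flags[0] & 0xFE if flags else 0)

def add_ipso(options: bytes, level: int, authorities: int = 0,
             compartments: Optional[bytes] = None) -> bytes:
    """MLS gateway 1/2, outbound: label a packet from a single-level network."""
    opts = parse_options(options)
    if any(t in (IPOPT_BSO, IPOPT_ESO) for t, _ in opts):
        raise ValueError("packet already carries IPSO; refusing to relabel")
    opts.append((IPOPT_BSO, encode_bso(BSO(level, authorities))))
    if compartments is not None:
        opts.append((IPOPT_ESO, bytes([ESO_FORMAT_CODE]) + compartments))
    return build_options(opts)

def strip_ipso(options: bytes) -> bytes:
    """MLS gateway 1/2, inbound to a single-level network: remove all IPSO."""
    return build_options([o for o in parse_options(options)
                          if o[0] not in (IPOPT_BSO, IPOPT_ESO)])

def bso_only(options: bytes) -> bytes:
    """MLS gateway 3 towards a WAN whose routers pass only BSO: drop the ESO."""
    return build_options([o for o in parse_options(options) if o[0] != IPOPT_ESO])

def unclassified_only_router(options: bytes) -> bool:
    """The default router policy complained about above, as read here: forward
    unlabelled packets and packets whose BSO says Unclassified, drop the rest
    (including anything whose options do not parse)."""
    try:
        for t, v in parse_options(options):
            if t == IPOPT_BSO and decode_bso(v).level != UNCLASSIFIED:
                return False
    except ValueError:
        return False
    return True
```

Every gateway function goes through parse_options and build_options, so an option whose length octet overruns the buffer is rejected rather than forwarded, and add_ipso refuses to relabel a packet that already carries IPSO instead of silently stacking a second label on it. A constructed walk through the diagram is add_ipso(b"", SECRET, PA_GENSER, b"\x01\x02") at gateway 1, bso_only(...) of that at gateway 3 towards a BSO-only WAN, and strip_ipso(...) at gateway 2, which yields an empty options area again.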

