NIST and NSA draft safe-IT profiles
Forthcoming guidelines will define configurations for three security levels
The National Institute of Standards and Technology has partnered with the National Security Agency to draw up Protection Profiles, basic security recommendations for 10 hardware and software areas.
'A lot of profiles will be coming out in the next few months,' NSA security architect Rex Myers said at the Federal Information Assurance Conference late last year at the University of Maryland.
NSA also is developing implementation guides for configuring operating systems securely. A 2,000-page guide for Microsoft Windows 2000 is finished, and a guide for Windows XP is in beta evaluation, said William Billings, chief of operational network evaluation for NSA's Systems and Network Attack Center.
'Our guides don't address the how-to,' Billings said.
In addition, the Defense Information Systems Agency's soon-to-be-released Gold Disk tool will apply security configurations to operating systems. The Gold Disk is part of DISA's Security Technical Implementation Guidelines (STIGs), which parallel the NSA guides.
Standards could go international
Agencies can adopt the NIST-NSA Protection Profiles as their standards. The profiles also could become part of the international Common Criteria evaluation program.
Profile development, which began about two years ago, already is complete for OSes, firewalls, intrusion detection systems, tokens and public-key infrastructures. Profiles should be ready by mid-2003 for wireless systems, browsers, databases, virtual private networks and biometric products.
Some vendors are awaiting completion of the profiles before submitting their products for Common Criteria evaluation, said Stu Katzke, senior NIST research scientist. But Common Criteria certifications completed before the profiles come out will continue to be valid, he said.
The profiles specify basic, medium and high levels of security.
'We don't see a big need right now for the high level,' Katzke said. 'We have been focusing most of our attention on the basic and medium levels.'
The medium level is defined as adequate for mission-critical systems handling unclassified information.
DISA has a library of STIGs for Windows and Unix OSes, Web servers, databases and network devices, said Terry Sherald, an IT specialist in DISA's Field Security Operations. Guides are scheduled in coming months for wireless networks and remote computing. DISA uses compliance with the STIGs to certify systems for its own networks.
But guidelines alone cannot configure systems, so DISA came up with the Gold Disk to apply settings and vendor patches, validate and maintain compliance, and report system status. The Gold Disk for Windows 2000 Professional will precede tools for Windows 2000 Server, Win XP, Sun Solaris, Hewlett-Packard HP-UX and other OSes.
NSA originally created the implementation guides for internal use. When it began tackling Win 2000, the agency quickly decided it couldn't handle the job alone and switched to a collaborative process, Billings said. It solicited help from the Center for Internet Security, DISA, the FBI, the General Services Administration, the Office of Management and Budget, the SANS Institute in Bethesda, Md., and other organizations.
'We lost a lot of autonomy when we put it out to the public,' Billings said, but the result is better. Twenty of the individual guides have been beta-tested at 60 sites and downloaded a total of 1.5 million times.
Billings cautioned that no implementation guide can solve all security problems and that the guides are not hard and fast rules.
'Operational needs will always drive us, so we will never get to full compliance,' he said.