NSA develops cross-domain for the masses

Architecture for classified data likely to be approved for wide use<@VM>Sidebar | NetTop technology keeps users in mind

Ready to go: Grant Wagner, technical director of the National Security Agency's National Information Assurance Laboratory, says NSA has cleared most of the hurdles to make NetTop available for wide use.

GCN Photo by Zaid Hamid

Government-developed technology for accessing and sharing data across classification levels could soon spread to many users as agencies adopt systems based on the National Security Agency's NetTop architecture, intelligence information technology sources said.
By the end of this year, federal technologists and information security policy leaders likely will approve NetTop systems for a broad array of uses in the law enforcement, military and homeland security worlds, sources said.

The pending approvals could expand the use of systems based on NetTop technology by many thousands of systems.

The NetTop architecture allows users to connect simultaneously to domains at different security levels and to carry out, under specified policies, the two forms of cross-domain data sharing: accessing data across domains and moving data from one domain to another, a function sometimes called guarding or transferring the data between domains.

Two companies have licensed the NetTop technology and built systems based on it ' Hewlett-Packard's federal division and Trusted Computer Solutions.

Both the HP and TCS NetTop products already have been approved for use to access data in top secret and below environments (TSABE) under certain conditions, IT security officials said.

For example, the products are cleared to access TSABE data in highly secure locations when they are used in locations staffed by people who have high-level security clearances, such as at an intelligence agency's headquarters, the officials said. In the jargon of the cryptological world, the technology 'has been approved for use in low-risk environments by highly trusted users,' according to one intelligence specialist.

The HP and TCS systems also have been approved to access, but not transfer, data in the secret and below (SABE) world under limited conditions, the sources also said.

In the zone

The next step is for the NetTop systems to be approved to transfer data in the SABE zone in more demanding and risky missions, the security specialists said. That SABE world includes a very broad arena of locations, including those much closer to battlefields, or possibly on them, as well as others in law enforcement and homeland security operations.

'Wars are fought by people with secret-level clearances,' according to one senior IT executive, who noted that the combatants are far more numerous than the high-level intelligence analysts who handle top-secret information.

Many intelligence and military IT officials see advantages in NetTop's use of Security Enhanced Linux. 'One reason you see Linux in NetTop is that the architecture takes advantage of the security controls in Security Enhanced Linux,' said Grant Wagner, technical director of NSA's National Information Assurance Laboratory.

'Linux has security features that are important,' Wagner said.

Also, the NetTop architecture facilitates the use of thin clients. Those systems limit users' ability to introduce security risks, such as additional software. They can also limit risks posed by the possible capture of systems by enemy forces because classified information does not reside on the thin clients.

The approval of NetTop systems to access and transfer SABE data and to transfer TSABE information down to secret domains will snap into place once the existing systems have completed the process of certification and accreditation, said IT executives inside and outside the government.

In the certification phase, NSA teams have exhaustively studied and documented the systems' security strengths and weaknesses. That process is almost complete, officials said.

The accreditation phase, which by contrast is fundamentally a policy and legal activity, will engage high-level security decision-makers in the task of weighing the systems' vulnerabilities against the costs and consequences of a security breach.

'There is always some level of risk in a system,' one source said, describing the problem in general terms. 'The question in an accreditation decision is whether, given what is known about the security provided by the certification of a given system, that system should be accredited for use for an additional specific, well-defined mission.'

Typically, an agency would apply to use a NetTop-based system for a new type of mission; for example, to handle certain classified data used in a shipboard command center.

At that stage, a series of committees would evaluate the legal and administrative consequences of that application. A 'flag level' committee with members holding ranks at the admiral and general level would issue the final accreditation approval.

NSA began developing the NetTop technology in the 1990s to meet special needs that were arising in the classified computing sphere, including the agency's desire to obtain a safe container in which insecure programs could be executed.

Those insecure programs included a menagerie of commercial applications.

One factor driving the decision to develop the NetTop architecture was the failure of NSA's efforts in the early 1990s to convince commercial software vendors to bolster the security of their applications.

But NSA and other intelligence agencies saw compelling benefits to be gained by developing a new architecture that would facilitate the use of insecure commercial applications by insulating them from trusted networks and databases.

Since then, the 'bad guy' battalions of malware developers have shifted many of their attacks away from operating systems, which have been hardened continually in the past decade, to exploit the countless vulnerabilities in applications, security experts said.

Another critical, and related, benefit NSA sought from the NetTop research was to design an architecture that would allow a single workstation to present information from networks that themselves were not directly connected and couldn't link up because they operate at different classification levels.

Rules and procedures that govern the use of classified data specify carefully defined methods for moving information from a 'high side' or more highly classified domain to a corresponding 'low side' system, sources said.

Review required

According to one security practitioner, 'the intelligence community's interdomain transfer policy is a very specific policy that calls for review [of each transfer] by two [people with security clearances].'

When the NetTop systems gain full approval to access and transfer TSABE and SABE data and to fully function as cross-domain interfaces, they will also bring intelligence analysts' offices into line with Real Simple interior design guidelines.

The single cross-domain entity's box will replace the rows of separate CPUs, tangles of wires and other hardware that clutter analysts' workstations because the systems are physically separated by 'air gaps' and can't be hosted on the same system with currently deployed technology.

Ed Hammersla, TCS' chief operating officer, said the HP and TCS systems are in the 'information assurance' or certification and accreditation process now and that those approvals likely will be finished by the end of the calendar year.

The C&A approvals 'will not apply to the NetTop [architecture] generically,' Hammersla said. 'They will apply to the NetTop versions developed by TCS and HP, when they are used for specific purposes in specific environments.'

'NetTop wasn't an endpoint,' Wagner said. 'As the solutions get better, the adversaries get better. It is where we are today.'
The National Security Agency's eight-year project to bring NetTop into wide use developed as a result of rapid commercial technology advances in the frenzied closing days of the dot-com boom and their progressive eclipse of federally developed systems.

The agency's goal was 'to solve the challenge of creating trusted products using commercial technologies,' said Grant Wagner, technical director of the National Security Agency's National Information Assurance Laboratory.

'The challenge was to come up with a commercially based solution,' Wagner said.
A key basis of the NetTop architecture is the use of virtual machines as hermetically sealed units inside the system that exchange information only according to strictly defined policies.

NSA relied on technology from VMWare to achieve the virtual machine function using an Intel processor. 'VMWare was at the time [the early 1990s] the only solution that was doing virtualization using Intel architecture,' Wagner said.

NetTop enthusiasts note that the system's ability to rely on Linux is not apparent to its users. But using Linux does allow NetTop owners to change hardware without adjusting the software ' for example, in the event of a newly discovered, hardware-based security flaw ' without changing the system's software.

NetTop's advocates also point to the fact that incorporating Linux into the NetTop architecture will make it easier for users to migrate applications to the systems until all the apps have been ported.

The Hewlett-Packard and Trusted Computer Solutions systems that use NetTop technology have been cleared for membership in the elite 'baseline' group of cross-domain interface entities chosen by the Cross Domain Solutions Office (CDMO) in Adelphi, Md.

That office is a joint project of the Office of the Director of National Intelligence's chief information officer organization and its Pentagon counterpart. The CDMO so far has added about 14 systems to its baseline collection of cross-domain entities. The baseline pantheon includes about five access solutions and nine data-transfer solutions or guards, sources said. In addition, there are a handful of exceptions to that baseline list.

NSA decided to market NetTop via integrators as part of a candid self-assessment of its own ability to keep pace with users' needs.

This approach allows NSA to benefit from those companies' various skills in commercializing research discoveries while promoting the spread of secure systems, officials said.

The codewriting and codebreaking agency's marketing skills don't rival those of the Madison Avenue companies that built multibillion-dollar campaigns around slogans such as 'Winston Tastes Good Like a Cigarette Should' and, more recently, created the global 'American Idol' marketing phenomenon. But NSA technologists have posted online a summary of NetTop's benefits that likely has a catchy ring to its target users, as follows:

'The benefit of the NetTop architecture is that it removes security functionality from the control of the end-user [operating system] and applications,' according to the federal marketing blurb.

'Important security functions such as communications encryption can be placed in a separate protected environment that cannot be influenced by user software,' the agency description says.

'Similarly, an isolated filtering router function is used to provide protection from rudimentary network attacks,' NSA said. 'The modularity of the NetTop architecture and the use of standard TCP/IP networking to connect virtual machines facilitate simple replacement or upgrade of individual components.'

The first rule of advertising: Know your audience.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above