Date: 20.10.2016
Table of Contents

  1. Executive Summary
  2. Four Phase ViSioN Development Strategy

Phase I – Secure Smartphone and Tablet System
  1. NSA Suite B Initiative
  2. ViSioN Secret Network
  3. Technology Trend
  4. Virtualization and Consolidation
  5. Commercial Off The Shelf (COTS) Equipment
  6. Value Proposition

Phase II – Advanced Server Development
  1. The GUI, WFM and Collaborative Workspace
  2. Multi-factored Authentication
  3. Intrusion Detection and Access Control System
  4. Multi-Abstractions System Reasoning Infrastructure toward Achieving Adaptive Computing Systems
  5. Cross Domain and Multi-Level Security
  6. Virtual Applications
  7. Advanced Cloud Server

Phase III – Special Operations Command
  1. Counterinsurgency System
  2. MESH Wireless System Integration
  3. COIN Distance Learning System

Phase IV – Virtual Systems Integration Management
  1. The Autonomous Virtual Object Model
  2. Need to Know
  3. Pilot Test and Certification

Appendices
Appendix A – Scalability
Appendix B – ViSioN System Description
Appendix C – Management Related Experience
Appendix D – Biographical Summaries
Appendix E – Graphical User Interface
Appendix F – Intrusion Detection System
Appendix G – ViSioN System Block Diagrams
Appendix H – Multi-Abstractions System Reasoning Infrastructure toward Achieving Adaptive Computing Systems
Appendix I – Autonomous Virtual Object Model
Appendix J – Major Milestones
Appendix K – Cost Quotation


References:

  1. A Roadmap for Cybersecurity Research, Homeland Security, November 2009
  2. Air Force Cyber Command Strategic Vision
  3. DOD Cloud Computing Strategy, July 6, 2012
  4. US Government Cloud Computing, NIST, November 2011
  5. The Secret and Below Interoperability (SABI) Process, Assessing Community Risk #1
  6. TCS thin client SABI-certified, by Joab Jackson, Jul 15, 2008
  7. Artificial Neural Networks, Kishan Mehrotra, Chilukuri K. Mohan, Sanjay Ranka, MIT Press
  8. A Virtual Machine Introspection Based Architecture for Intrusion Detection, Tal Garfinkel and Mendel Rosenblum, Computer Science Department, Stanford University

The ViSioN Deployment Plan

  1. Executive Summary

The ViSioN System is a secured cloud computing network serving “SECRET” and below classified communications. As stated by NSA, “The secure sharing of information among Department of Defense, coalition forces, and first responders motivates the need for widespread cryptographic interoperability and for NSA-approved information assurance products that meet appropriate security standards to protect classified information.” The cornerstone of the system is Suite B, a cryptographic suite that addresses the need for SABI (Secret and Below Interoperability). The NSA Mobility initiative will take Suite B as far as it will go. Type 1 cryptography supports Top Secret and above. It is expected that Suite B will evolve into a system that encompasses a large portion of the Type 1 segment.

The proposed Development and Deployment Plan is implemented in four (4) phases. The foundation of the development is COTS (Commercial Off The Shelf) products. Each phase adds functionality to the one before it.




Figure 1

SOCOM is the most challenging requirement for the Suite B initiative. Figure 1 illustrates a Secure Ad Hoc Cloud Network based upon the CyverONE ViSioN System. The network connects intelligence sources with a group of counterinsurgency warfighters. The system features “end-point to end-point” encryption for the Mobility devices, the smartphone and tablet, and provides a “trusted connection over an untrusted network”, the Internet. The four-phase pilot and deployment strategy is described herein.

As intelligence and an action plan are developed for the warfighters, the network adds and removes collaborators: intelligence agents, “local partners” and warfighters. The ad hoc network is configured automatically, linking a dynamically changing group of collaborating participants with varying levels of security clearance.

Initiation of the ad hoc network shown in Figure 1 could be a data mining program that identifies a group of insurgents manufacturing Improvised Explosive Devices (IEDs). As the intelligence is corroborated, intelligence agents collaborate to produce actionable intelligence. Rather than forwarding the information from the Middle East to NMEC in Fairfax, VA, the ViSioN cloud server can process the data in hours instead of months. The Field Commander formulates and communicates the action plan to a select group of warfighters authorized to receive classified information on their mobile devices.

An identity detection system that intercepts an insurgent hacker may initiate an “Attack the Attacker” action. Once the identity is established, a policy and analytics program initiates a process to take defensive action as well as to form an attack plan.

The Objective – Securing the Internet has been a complex network management task. It involves authentication, authorization, need to know, encryption, auditing, networking, storage and cost. The complexity of the network management program has often defeated the “secrecy” objective. A ViSioN Graphical User Interface (GUI) combined with an Adaptive Work Flow Management System offers a major simplification of the task at hand. NSA assumes that COTS (Commercial Off The Shelf) products are the foundation of the system; in ViSioN, the Mobility Devices, the smartphone and tablet, are that foundation. The Mobility Devices provide an emerging, commodity-type, universally accepted user interface, with the cost benefit that comes from manufacturing these devices for millions of people. The key to achieving this goal is providing a “trusted connection over an untrusted network.” Virtualization and consolidation of the equipment and the operating environment into a unified system is critical to overcoming a “mission impossible.”

CyverONE centralizes technical support. The GUI allows the Mobile Device user’s screen to be shared with remotely located end users for the purpose of network configuration, user training and network maintenance (Figure 2). The command line interface is replaced with “drag and drop” objects. The goal is to make the interface “idiot proof.”

The alternative is replacing a $15,000 secured phone with a superior $100 smartphone. It will allow each warfighter and “local partner” to have a highly secure phone at commodity prices.

Phase II – Advanced Secured Server Implementation applies a “massive parallel processor” with a small “footprint” for the counterinsurgency team. It represents a “disruptive technology” for advancing military command and control on a COTS budget. It provides the basis for “unlimited” scalability, strong cross domain support, multi-level security, interoperability, diverse cross-platform application processing capability and a hosted unified communication environment at commodity prices. In order to share Type 1 Secret and Above communication with a collaborating combat team, it will be necessary to deliver a unified communication bridge. The CyverONE Enterprise PBX is the basis for this bridge. MESH technology will consolidate the VMs on the PBX Bridge with the WAN routers. NSA certification of the ViSioN Secret Network described in Phase I is the initial objective.

The Major Milestone Schedule, shown in Figures 5a and 5b, schedules the implementation and certification of the “Virtual Secret Network” for mobile devices. Authentication and Identity Detection are relied upon to provide strong security protections in Phase II. Phase III, Special Operations Command, presents a system that focuses on “Attacking the Attackers.” Phase IV, Virtual System Integration Management, proposes a system that facilitates the implementation of “fine grain” Need to Know, enabled by the Autonomous Virtual Object Model (AVOM). The AVOM will interconnect geographically distributed databases with a net-centric view. It will eliminate cross domain breaching, facilitate multi-level security and real-time auditing, and eliminate standard communication protocols and storage mapping. The current Program Process Model will be replaced with a Method Object Model. A next generation “collaborative” storage system will empower a revolutionary information and service economy. The AVOM will be a disruptive technology and the foundation for the cloud computing revolution.

Figure 2

  2. Four Phase ViSioN Development Strategy

Phase I - Secure Smartphone and Tablet System

1. NSA Suite B Initiative – The National Security Agency has launched the Suite B Cryptography initiative. CyverONE is applying the highest priority to the implementation of this initiative.

On March 19, 2012 NSA issued a statement referring to the NSA Suite B Cryptography initiative. Excerpts from the statement are as follows:



“A process, known as GOTS (Government Off The Shelf) for Secret, is being developed. This process will allow vendors who have NSA-certified Type 1 cryptographic products to develop a version of this product that uses Suite B cryptography and meets a revised set of NSA's security standards which are appropriate for protecting information up to the SECRET level. Also, depending on our clients' needs, it will allow vendors to develop cryptographic products that only meet the set of NSA's security standards that are appropriate for protecting information up to the SECRET level. When these products do not contain any classified algorithms or technology, the handling and accountability requirements will be less stringent than for a Controlled COMSEC Item (CCI).

The Commercial Solutions Partnership Program (CSPP) is being developed to enable the use of a combination of COTS information assurance products composed to form a particular application solution to protect information up to the SECRET level. A streamlined National Information Assurance Partnership (NIAP) with new Standard Protection Profiles and relying on NIST's Cryptographic Module Validation Program for products with embedded cryptography will form the basis of the CSPP. Visit the National Information Assurance Partnership (NIAP)/ Common Criteria Evaluation and Validation Scheme (CCEVS) site for more information.”

CyverONE’s interpretation of paragraph 1 is as follows. “This process will allow vendors who have NSA-certified Type 1 cryptographic products to develop a version of this product that uses Suite B cryptography” identifies a Type 1 vendor, Sypris Electronics. The second paragraph refers to the CSPP partnership program that enables the use of COTS (Commercial Off The Shelf) IA products. CyverONE is qualified to be a CSPP partner.



2. ViSioN Secret Network – Today, the world’s computers and smartphones/tablets are connected to each other through the Internet. The Internet serves as our communication highway. Inherently, it is an “untrusted” path. With relative ease, hackers utilize the Internet to hack into Government and Enterprise Networks, all of which ride on the public Internet. Current industry solutions to this problem have failed.

In 2011, CyverONE began to share its developments with the NSA (National Security Agency). CyverONE’s ViSioN System Architecture for Secure Mobile Communications comprises the following hybrid (open source and proprietary) software components:



ViSioN System software for the Cloud Server:

  • CyverGIX Virtual Cloud Server.
  • CyverPBX Virtual PBX.
  • CyverGUI Graphical User Interface.
  • CyverSAFE Interactive Access Device IPsec VPN.
  • CyverSPACE Simplified Object-based Graphical User Interface.

One of the problems confronting the VoIP supplier has been quality of service (QoS). As mobile devices took the market by storm, high-performance broadband Internet service has been overwhelmed by demand. When voice competes with video and data for too little bandwidth, voice jitter results. The network service must support a QoS priority for the voice service. This capability is integrated into the CyverSPACE Interactive Access Device (IAD), which includes a PBX, router, IPsec VPN and QoS.

In order to deliver “end-point to end-point” encryption to two or more secured end-point devices it is essential to have a VoIP PBX. The PBXs are installed on virtual machines (VMs). When an encrypted transmission is received at the PBX for connection to multiple end-point devices, where each end point maintains a unique encryption key, the PBX must decrypt the originating transmission and re-encrypt it under the key of each end-user device.

In order to move the needle from Suite B Secret and Below Interoperability (SABI) to Type 1 and other forms of encryption, NSA must be assured that the data decrypted in the PBX router is not vulnerable to interception.
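The decrypt-then-re-encrypt step described in the two paragraphs above is worth seeing concretely, because it fixes where the trust boundary sits: the PBX is a trusted relay, not a passive forwarder. The following Go program is an added example written for this page; it is not CyverONE’s or the ViSioN system’s code, and every name in it (Hub, Relay, agree, newSession) is hypothetical. It assumes each endpoint agrees its own key with the PBX using the Suite B primitives the NSA material names (ECDH over P-384, SHA-384, AES-256-GCM), that the derived key is simply the truncated SHA-384 of the shared secret, and that the originator’s identity is bound to every copy as associated data; those are choices made for the illustration, not the ViSioN design.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha512"
	"errors"
	"fmt"
)

// agree runs one ECDH P-384 exchange between an endpoint and the hub and returns
// the AES-256-GCM cipher each side builds from the key it derived itself.
func agree() (endpoint, hub cipher.AEAD, err error) {
	curve := ecdh.P384()
	ePriv, err1 := curve.GenerateKey(rand.Reader)
	hPriv, err2 := curve.GenerateKey(rand.Reader)
	if err = errors.Join(err1, err2); err != nil {
		return nil, nil, err
	}
	eShared, err1 := ePriv.ECDH(hPriv.PublicKey()) // own private key with the peer's public key
	hShared, err2 := hPriv.ECDH(ePriv.PublicKey())
	if err = errors.Join(err1, err2); err != nil {
		return nil, nil, err
	}
	eSum, hSum := sha512.Sum384(eShared), sha512.Sum384(hShared)
	eBlock, err1 := aes.NewCipher(eSum[:32]) // SHA-384 truncated to a 32-byte key: assumed KDF
	hBlock, err2 := aes.NewCipher(hSum[:32])
	if err = errors.Join(err1, err2); err != nil {
		return nil, nil, err
	}
	endpoint, err1 = cipher.NewGCM(eBlock)
	hub, err2 = cipher.NewGCM(hBlock)
	return endpoint, hub, errors.Join(err1, err2)
}

// seal encrypts with a fresh random nonce, which is prepended to the output.
func seal(g cipher.AEAD, plaintext, aad []byte) ([]byte, error) {
	if g == nil {
		return nil, errors.New("no key for this endpoint")
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; a wrong key, wrong AAD or any tampering fails authentication.
func open(g cipher.AEAD, msg, aad []byte) ([]byte, error) {
	if g == nil || len(msg) < g.NonceSize() {
		return nil, errors.New("no key for this endpoint or message too short")
	}
	return g.Open(nil, msg[:g.NonceSize()], msg[g.NonceSize():], aad)
}

type Hub struct{ keys map[string]cipher.AEAD } // models the PBX: one key per endpoint (hypothetical)

// Relay decrypts the sender's copy and re-encrypts it once per recipient. The plaintext
// is returned too: it genuinely exists inside the PBX between the two steps, and that is
// the exposure the text says NSA must be assured against.
func (h *Hub) Relay(from string, msg []byte, to []string) (map[string][]byte, []byte, error) {
	aad := []byte("from:" + from) // binds every copy to its originator (assumed convention)
	plain, err := open(h.keys[from], msg, aad)
	if err != nil {
		return nil, nil, fmt.Errorf("inbound from %q rejected: %w", from, err)
	}
	out := make(map[string][]byte, len(to))
	for _, id := range to {
		if out[id], err = seal(h.keys[id], plain, aad); err != nil {
			return nil, nil, fmt.Errorf("outbound to %q failed: %w", id, err)
		}
	}
	return out, plain, nil
}

// newSession agrees a distinct key with every endpoint; each endpoint's own cipher is returned too.
func newSession(ids []string) (*Hub, map[string]cipher.AEAD, error) {
	hub, eps := &Hub{keys: map[string]cipher.AEAD{}}, map[string]cipher.AEAD{}
	for _, id := range ids {
		eg, hg, err := agree()
		if err != nil {
			return nil, nil, err
		}
		eps[id], hub.keys[id] = eg, hg
	}
	return hub, eps, nil
}

func main() {
	hub, eps, err := newSession([]string{"alice", "bob", "carol"})
	if err != nil {
		panic(err)
	}
	ct, _ := seal(eps["alice"], []byte("rendezvous at grid 1234, 0600"), []byte("from:alice")) // constructed sample
	out, held, err := hub.Relay("alice", ct, []string{"bob", "carol"})
	p, err2 := open(eps["bob"], out["bob"], []byte("from:alice"))
	fmt.Printf("hub held %q (err=%v); bob opens %q (err=%v)\n", held, err, p, err2)
}
```

Relay hands back the plaintext alongside the per-recipient ciphertexts on purpose: that value is what sits in PBX memory between decryption and re-encryption, so protecting the PBX host (and its key store, which holds one key per endpoint) is the whole of the assurance the text asks for. A copy sealed for one endpoint fails to open under another endpoint’s key, and a message whose claimed originator’s key does not verify it is rejected before any re-encryption happens. The program needs Go 1.20 or later for crypto/ecdh and errors.Join.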

Internet security has been too complex even when the traditional IPsec VPN with AES encryption involved a single encryption key. With the upgrade to Suite B, the complexity of secure network management is sharply increased. CyverONE adopts a “drag and drop” object oriented Graphical User Interface. Suite B adopts strongSwan, a key management system. The CyverONE GUI converts a complex, “command line” Mobile Device Manager (MDM) into an “object oriented” GUI.

To facilitate the downloading of programs to an MDM, it will be necessary to obtain the cooperation of the Mobile Device manufacturer. The downloading of encryption keys requires an ODE (Object Device Encryptor). The ODE requires NSA approval. Otherwise, the encryption key must be installed manually by a direct connection to the Mobile Device.



In those cases where the end user wants a cross domain capability, CyverONE proposes to install Android on the Server, a VNC from the Server to the Mobile Device, and CyverGIX and Suite B IPsec in the Mobile Device. The CyverGIX VNC configuration of the Mobile Device eliminates the “carrying four phones” problem described by Deborah Plunkett. It is a form of cross domain.

Reference: In computing, Virtual Network Computing (VNC) is a graphical desktop sharing system that uses the RFB protocol (remote frame buffer) to remotely control another computer. It transmits the keyboard and mouse events from one computer to another, relaying the graphical screen updates back in the other direction, over a network. VNC is platform-independent: a VNC viewer on one operating system may connect to a VNC server on the same or any other operating system. There are clients and servers for many GUI-based operating systems and for Java. Multiple clients may connect to a VNC server at the same time. Popular uses for this technology include remote technical support and accessing files on one's work computer from one's home computer, or vice versa. (Wikipedia)

Reference: Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide communication security over the Internet. TLS and SSL encrypt the segments of network connections at the Application Layer for the Transport Layer, using asymmetric cryptography for key exchange, symmetric encryption for confidentiality, and message authentication codes for message integrity. Several versions of the protocols are in widespread use in applications such as web browsing, electronic mail, Internet faxing, instant messaging and voice-over-IP (VoIP). TLS is an IETF standards track protocol, last updated in RFC 5246, and is based on the earlier SSL specifications developed by Netscape Communications. (Wikipedia)




  3. Technology Trends – Microsoft has been the leading supplier of operating system software and productivity tools. A number of de facto industry standards have been established in the area of operating system, database management, storage management, network management, virtualization and application support. Microsoft is experiencing a major challenge from Apple, Google, VMware and semiconductor manufacturers. Apple has demonstrated a unique level of quality and performance, integrating hardware and software into a highly efficient product. Apple adopted the UNIX operating system as the base software for its products. The Intel processor is optimized for Microsoft. Competitive systems are optimized for Linux where the opportunity for security and reliability is dramatically improved. Eight of the top ten hosted services are now basing their service on Linux.

  4. Virtualization and Consolidation – Virtualization and Consolidation (Figure 3) makes it practical to consolidate applications on a ViSioN Virtual Server and to assign applications to an underutilized VM. It is the foundation of the configuration, installation and management of a secure ad hoc cloud network.

    The ViSioN virtual server can support third party applications. These may include an electronic Medical Record for the VA Healthcare Management System written in .NET. A data mining program can help to identify a group of insurgents manufacturing Improvised Explosive Devices (IEDs). It can support the VistA Healthcare Management System written in Java.

    As the intelligence is corroborated, intelligence agents collaborate and communicate actionable intelligence to the warfighters. The Field Commander formulates and communicates the action plan to a select group of warfighters authorized to receive secure information on their smartphones. With an ad hoc network it becomes practical to deliver TACLAN intelligence in hours instead of days.


Reference: IntuView provides artificial intelligence systems. The IntuView vision is to revolutionize knowledge mining and cross-language extraction of information by replacing current technology of language-dependent, generic lexical searches with language-independent, domain-oriented "idea mining".

The CyverGIX operating environment features the integration of open source software, the Linux operating system, the SQL Database, the Asterisk PBX, the hypervisor virtual system with kernel storage management (KSM) and the MESHing of both the Server VMs and the external routers. A Graphical User Interface (GUI), Work Flow Management System (WFM) and Collaborative Workspace (CWS) are wrapped around the Open Source Software to simplify the management process.




Figure 3


  5. Commercial Off The Shelf (COTS) – A major objective of DOD and the NSA is to utilize COTS equipment to take advantage of advanced commercial technology and a dramatic reduction in system management and maintenance cost. The ViSioN System is based upon open source software and equipment that is manufactured and distributed to commodity type commercial markets.

    Another major factor is the consolidation of system components so that they run as a single system. The unified software includes the operating system, database management system, PBX, router hardware, data mining system, storage systems and user access interfaces. The Mobility Device features a universal user interface and access system for Information Technology.

    Currently, a mobility connection is not available with the Type 1 Crypto Devices. These devices could be attached to external server ports. However, the functionality of the system, the ability to share information with each user who has a unique encryption key, is awkward and restrictive. Assuming NSA approves the security of the system, the Type 1 encryption keys should be implemented as a software function internal to the server. The flexibility of server-based encryption, and the flexibility to share information with multiple users, is significantly increased.

    The security level of Suite B has yet to be determined. Installing the system in a cloud server permits the application of multi-level authentication, proactive analytics, identity detection routines, attack-the-attackers processes and high security virtual object storage to, potentially, extend the security of the system beyond Type 1 at substantially less cost.




  6. Value Proposition

Figure 4


NSA has launched Project Fishbowl and the Suite B Initiative to elevate network security and reduce the cost to create, operate and maintain the networks. Figure 4 shows the relative cost range of Legacy versus ViSioN System implementations. Legacy Top Secret and Above Type 1 installation including set up expense may be $15,000 per key. It does not have a Mobility connection. The Legacy SIPRNET is considered vulnerable with a set up cost per connection in the $5000 per key range.

The ViSioN Suite B installation is expected to replace Type 1. Suite B can be hosted and installed from a remote location. Assuming an Encryption Device Object (EDO) can be certified for the remote downloading of encryption keys to each mobile device, the cost to set up and maintain the system will be dramatically reduced.



Phase II – Advanced Server Development

The DOD Cloud Computing Strategy was published July 6, 2012. Teri Takai, DOD Chief Information Officer, cites the need for a small footprint, cross domain, multi-level security, interoperability, scalability and reduced cost. The DOD has spent an estimated $250 Million in R&D attempting to identify a solution to these requirements.

CyverONE observes that there are two major problems to be solved: first, the Insider Threat Problem, and second, simplification of the user management issue. Reference: Understanding the Insider Threat, Richard C. Brackney, Robert H. Anderson, RAND Corporation.

Second, system management of the security issue has been complex, requiring highly trained and costly experts who are in very limited supply. The Mobile Device system interface promises to be a disruptive technology as it gains recognition as the universal computer interface.

The relational database, such as Oracle or Microsoft SQL Server, is inherently vulnerable. Once an unauthorized agent is granted access to a database table, it is difficult to limit their access to other tables and data in the system, regardless of their authorized Need to Know. DOD and the NSA Enterprise Group identify the need for cross-domain security and multi-level security (MLS). These system goals are discussed in Phase IV.

The NSA Mobility Group is not demanding cross-domain and multi-level security (MLS) for the immediate Suite B IPsec VPN deployment. The NSA Mobility Group favors a timely implementation on COTS low cost equipment. Deferring cross-domain and MLS places a higher dependence on Authentication. The objective is to keep the hacker outside the system perimeter.

Keyboard-entered passwords are inherently insecure. Speech identification and retinal scan appear very promising.


