NSA develops cross-domain for the masses


Government-developed technology for accessing and sharing data across classification levels could soon spread to many users as agencies adopt systems based on the National Security Agency's NetTop architecture.

Government-developed technology for accessing and sharing data across classification levels could soon spread to many users as agencies adopt systems based on the National Security Agency's NetTop architecture, intelligence information technology sources said.

By the end of this year, federal technologists and information security policy leaders likely will approve NetTop systems for a broad array of uses in the law enforcement, military and homeland security worlds, sources said. The pending approvals could expand the use of NetTop-based technology by many thousands of systems.

The NetTop architecture allows users to connect simultaneously to domains at different security levels and to carry out, under specified policies, the two forms of cross-domain data sharing: accessing data across domains and moving data from one domain to another, a function sometimes called guarding or transferring the data between domains.

Two companies have licensed the NetTop technology and built systems based on it: Hewlett-Packard's federal division and Trusted Computer Solutions.

Both the HP and TCS NetTop products already have been approved for use to access data in top secret and below environments (TSABE) under certain conditions, IT security officials said. For example, the products are cleared to access TSABE data in highly secure locations staffed by people who have high-level security clearances, such as an intelligence agency's headquarters, the officials said.

In the jargon of the cryptological world, the technology 'has been approved for use in low-risk environments by highly trusted users,' according to one intelligence specialist.

The HP and TCS systems also have been approved to access, but not transfer, data in the secret and below (SABE) world under limited conditions, the sources also said. The next step is for the NetTop systems to be approved to transfer data in the SABE zone in more demanding and risky missions, the security specialists said. That SABE world includes a very broad arena of locations, including those much closer to battlefields, or possibly on them, as well as others in law enforcement and homeland security operations.

'Wars are fought by people with secret-level clearances,' according to one senior IT executive, who noted that the combatants are far more numerous than the high-level intelligence analysts who handle top-secret information.

Many intelligence and military IT officials see advantages in NetTop's use of Security Enhanced Linux. 'One reason you see Linux in NetTop is that the architecture takes advantage of the security controls in Security Enhanced Linux,' said Grant Wagner, technical director of NSA's National Information Assurance Laboratory. 'Linux has security features that are important,' Wagner said.

Also, the NetTop architecture facilitates the use of thin clients. Those systems limit users' ability to introduce security risks, such as additional software. They can also limit risks posed by the possible capture of systems by enemy forces because classified information does not reside on the thin clients.

The approval of NetTop systems to access and transfer SABE data and to transfer TSABE information down to secret domains will snap into place once the existing systems have completed the process of certification and accreditation, said IT executives inside and outside the government.

In the certification phase, NSA teams have exhaustively studied and documented the systems' security strengths and weaknesses. That process is almost complete, officials said. The accreditation phase, which by contrast is fundamentally a policy and legal activity, will engage high-level security decision-makers in the task of weighing the systems' vulnerabilities against the costs and consequences of a security breach.

'There is always some level of risk in a system,' one source said, describing the problem in general terms. 'The question in an accreditation decision is whether, given what is known about the security provided by the certification of a given system, that system should be accredited for use for an additional specific, well-defined mission.'

Typically, an agency would apply to use a NetTop-based system for a new type of mission; for example, to handle certain classified data used in a shipboard command center. At that stage, a series of committees would evaluate the legal and administrative consequences of that application. A 'flag level' committee with members holding ranks at the admiral and general level would issue the final accreditation approval.

NSA began developing the NetTop technology in the 1990s to meet special needs that were arising in the classified computing sphere, including the agency's desire to obtain a safe container in which insecure programs could be executed. Those insecure programs included a menagerie of commercial applications.

One factor driving the decision to develop the NetTop architecture was the failure of NSA's efforts in the early 1990s to convince commercial software vendors to bolster the security of their applications. But NSA and other intelligence agencies saw compelling benefits to be gained by developing a new architecture that would facilitate the use of insecure commercial applications by insulating them from trusted networks and databases.

Since then, the 'bad guy' battalions of malware developers have shifted many of their attacks away from operating systems, which have been hardened continually in the past decade, to exploit the countless vulnerabilities in applications, security experts said.

Another critical, and related, benefit NSA sought from the NetTop research was an architecture that would allow a single workstation to present information from networks that were not directly connected and couldn't link up because they operate at different classification levels.

Rules and procedures that govern the use of classified data specify carefully defined methods for moving information from a 'high side,' or more highly classified domain, to a corresponding 'low side' system, sources said. According to one security practitioner, 'the intelligence community's interdomain transfer policy is a very specific policy that calls for review [of each transfer] by two [people with security clearances].'

When the NetTop systems gain full approval to access and transfer TSABE and SABE data and to fully function as cross-domain interfaces, they will also bring intelligence analysts' offices into line with Real Simple interior design guidelines. The single cross-domain box will replace the rows of separate CPUs, tangles of wires and other hardware that clutter analysts' workstations because the systems are physically separated by 'air gaps' and can't be hosted on the same system with currently deployed technology.

Ed Hammersla, TCS' chief operating officer, said the HP and TCS systems are in the 'information assurance,' or certification and accreditation, process now and that those approvals likely will be finished by the end of the calendar year. The C&A approvals 'will not apply to the NetTop [architecture] generically,' Hammersla said. 'They will apply to the NetTop versions developed by TCS and HP, when they are used for specific purposes in specific environments.'

'NetTop wasn't an endpoint,' Wagner said. 'As the solutions get better, the adversaries get better. It is where we are today.'

Sidebar: NetTop's origins

The National Security Agency's eight-year project to bring NetTop into wide use developed as a result of rapid commercial technology advances in the frenzied closing days of the dot-com boom and their progressive eclipse of federally developed systems.

The agency's goal was 'to solve the challenge of creating trusted products using commercial technologies,' said Grant Wagner, technical director of the National Security Agency's National Information Assurance Laboratory. 'The challenge was to come up with a commercially based solution,' Wagner said.

A key basis of the NetTop architecture is the use of virtual machines as hermetically sealed units inside the system that exchange information only according to strictly defined policies. NSA relied on technology from VMWare to achieve the virtual machine function using an Intel processor. 'VMWare was at the time [the early 1990s] the only solution that was doing virtualization using Intel architecture,' Wagner said.

NetTop enthusiasts note that the system's reliance on Linux is not apparent to its users. But using Linux does allow NetTop owners to change hardware, for example in the event of a newly discovered hardware-based security flaw, without changing the system's software. NetTop's advocates also point out that incorporating Linux into the NetTop architecture will make it easier for users to migrate applications to the systems until all the apps have been ported.

The Hewlett-Packard and Trusted Computer Solutions systems that use NetTop technology have been cleared for membership in the elite 'baseline' group of cross-domain interface entities chosen by the Cross Domain Solutions Office (CDMO) in Adelphi, Md. That office is a joint project of the Office of the Director of National Intelligence's chief information officer organization and its Pentagon counterpart. The CDMO so far has added about 14 systems to its baseline collection of cross-domain entities. The baseline pantheon includes about five access solutions and nine data-transfer solutions or guards, sources said. In addition, there are a handful of exceptions to that baseline list.

NSA decided to market NetTop via integrators as part of a candid self-assessment of its own ability to keep pace with users' needs. This approach allows NSA to benefit from those companies' various skills in commercializing research discoveries while promoting the spread of secure systems, officials said.

The codewriting and codebreaking agency's marketing skills don't rival those of the Madison Avenue companies that built multibillion-dollar campaigns around slogans such as 'Winston Tastes Good Like a Cigarette Should' and, more recently, created the global 'American Idol' marketing phenomenon. But NSA technologists have posted online a summary of NetTop's benefits that likely has a catchy ring to its target users:

'The benefit of the NetTop architecture is that it removes security functionality from the control of the end-user [operating system] and applications,' according to the federal marketing blurb. 'Important security functions such as communications encryption can be placed in a separate protected environment that cannot be influenced by user software,' the agency description says. 'Similarly, an isolated filtering router function is used to provide protection from rudimentary network attacks,' NSA said. 'The modularity of the NetTop architecture and the use of standard TCP/IP networking to connect virtual machines facilitate simple replacement or upgrade of individual components.'

The first rule of advertising: Know your audience.
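A small model of the policy gate the article describes, written as an added example for this page (it is not NetTop, HP or TCS code): cross-domain access is checked against clearance, virtual domains exchange data only over explicitly listed channels, and a 'high side' to 'low side' transfer is released only after two distinct cleared reviewers approve it. The level names, the channel table and the review counts are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Classification lattice used by this model (constructed; ordering only).
LEVELS = {"UNCLASSIFIED": 0, "SECRET": 1, "TOP SECRET": 2}

# Explicit channel table: which domain-to-domain moves exist and how many
# distinct cleared reviewers each needs. Unlisted channels are denied.
# The counts are assumptions modelled on the two-person rule quoted above.
TRANSFER_POLICY = {
    ("TOP SECRET", "SECRET"): 2,
    ("SECRET", "UNCLASSIFIED"): 2,
    ("UNCLASSIFIED", "SECRET"): 0,
    ("SECRET", "TOP SECRET"): 0,
}

class PolicyError(Exception):
    """Raised when a request violates the defined policy."""

@dataclass(frozen=True)
class Principal:
    name: str
    clearance: str

@dataclass
class TransferRequest:
    src: str
    dst: str
    approvals: set = field(default_factory=set)  # names of distinct reviewers

def may_access(user: Principal, domain: str) -> bool:
    """Access: a session may read a domain only if clearance dominates its level."""
    return LEVELS[user.clearance] >= LEVELS[domain]

def add_review(req: TransferRequest, reviewer: Principal) -> int:
    """Record one reviewer's approval and return the count of distinct approvals.
    A reviewer must be cleared for the source (high) side of the transfer."""
    if not may_access(reviewer, req.src):
        raise PolicyError(f"{reviewer.name} is not cleared for {req.src}")
    req.approvals.add(reviewer.name)  # a set: the same person cannot count twice
    return len(req.approvals)

def may_transfer(req: TransferRequest) -> bool:
    """Transfer (guard): default-deny unless the channel is listed and enough
    distinct reviews have been recorded."""
    required = TRANSFER_POLICY.get((req.src, req.dst))
    return required is not None and len(req.approvals) >= required

def demo() -> tuple:
    """Walk a top secret to secret release: one review, a repeat, then a second reviewer."""
    r1, r2 = Principal("reviewer-1", "TOP SECRET"), Principal("reviewer-2", "TOP SECRET")
    down = TransferRequest("TOP SECRET", "SECRET")
    add_review(down, r1)
    one = may_transfer(down)        # False: only one reviewer so far
    add_review(down, r1)
    repeat = may_transfer(down)     # False: the same reviewer again does not count
    add_review(down, r2)
    two = may_transfer(down)        # True: two distinct cleared reviewers
    unlisted = may_transfer(TransferRequest("TOP SECRET", "UNCLASSIFIED"))  # False: no channel
    return one, repeat, two, unlisted
```

The default-deny channel table is the point to notice: a move the policy does not name is refused even when plenty of approvals are on file.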

Ready to go: Grant Wagner, technical director of the National Security Agency's National Information Assurance Laboratory, says NSA has cleared most of the hurdles to make NetTop available for wide use.

GCN Photo by Zaid Hamid