PROTECTION OF NATO INFORMATION AND NATO CIS Col

Presentation on theme: "PROTECTION OF NATO INFORMATION AND NATO CIS Col"— Presentation transcript:

1 PROTECTION OF NATO INFORMATION AND NATO CIS
Col. Augusto DEL PISTOIA, NHQC3S INFOSEC Branch Chief

Thank you Mr. . Good Ladies and Gentlemen, first of all, allow me to thank the Czech Republic Security Authorities for having invited NATO to this very important and comprehensive Conference. The aim of my presentation today is to give you a high-level overview of the ongoing activities in NATO for the protection of NATO information and supporting systems and resources.

2 CONTENT
NATO Policy
NATO CIS Overview
NATO CIS Implementation Pillars
Common Criteria
NATO Computer Incident Response Capability
NATO Public Key Infrastructure

During my presentation I will address the items shown in the slide.

3 NATO POLICY
NATO Information Management Policy
NATO Security Policy
NATO CIS Policy

The NATO Information Management Policy mandates that NATO information, classified and unclassified, shall be protected to ensure its confidentiality, integrity and availability throughout its lifecycle, regardless of the medium and format in which the information is held. In addition, the integrity and availability of supporting services and resources must be ensured.

The NATO Security Policy mandates that security measures shall be in place to guarantee, at least: Identification and Authentication; Confidence in protection mechanisms; Mechanisms to deter, prevent, detect and recover; Need-to-Know Separation.

The NATO CIS Policy mandates the use, as extensively as possible, of Commercial Off-the-Shelf products and technologies, with the exception of cryptographic products, which must be NATO Nations Government Approved.

4 NATO CIS OVERVIEW
[Diagram: Security Domain, Network Domain and User Domain. Labels: NCN Infrastructure, PSTN, Internet, NIDTS, NCIRC, NPKI, Security Management Center, Remote Site, Static Site, Deployed]
NCIRC – NATO Computer Incident Response Capability
NCN – NATO Core Network
NIDTS – NATO Initial Data Transfer Service
PSTN – Public Switched Telephone Network
NPKI – NATO Public Key Infrastructure

Before addressing how NATO is implementing those Policies, I would like to provide you an overview of NATO Communication and Information systems. If we consider a Communication and Information System as the aggregation of user domains, network domain and Security network Infrastructures it should be noted that in the network domain NATO will typically use several types of networks to carry its traffic and provide the required connectivity to NATO sites, national users, remote users, deployed and mobile users and partners. These networks will include the NGCS, National Defence Networks, PSTNs and the Internet. Not all of the aforementioned networks, except the NGCS, are under NATO control, and consequently cannot be afforded the same protection as NATO owned segments. In such a context, how will NATO information and systems be protected?

5 NATO CIS OVERVIEW
AR – Access Router
BME – Bandwidth Management Equipment
BPD – Boundary Protection Device
BRI – Basic Rate Interface
DSE – Digital Switching Equipment
NSIE – NATO Secure ISDN Equipment
NICE – NATO IP Crypto Equipment
PRI – Primary Rate Interface
TA – Terminal Adapter
[Diagram: Network Domain and User Domain. Labels: BRI, PRI, PSTN, NCS, ISDN Terminals, TA, Non ISDN Terminals, VTC, BPD, AR, NU LAN, NS LAN, IS-PABX, NSIE, NICE, BME, "PKI-based security services in the NSIE"]

The following slide gives you a very simplified view of a NATO typical user domain. The top of the diagram represents the circuit-switched domain, which provides ISDN services to the user for voice, fax, data, and video teleconferencing (VTC). The circuit-switched user domain is protected by ISDN crypto equipment labelled NSIE. The bottom of the diagram represents the packet-switched domain, which provides IP services to the user. Each segment in the IP domain is independently protected with both IP cryptography, labelled NICE, and BPS. The circuit-switched services and packet-switched services are combined by the bandwidth management equipment (BME) to form the NGCS network node. Each node is connected to the Digital Transmission Infrastructure (DTI) and collectively they form the NATO core network (NCN).

In conclusion, the confidentiality of NATO information will be achieved by encryption in the user domain before it is transmitted on the network. The same applies to the integrity and availability that will be provided at the application level. In the network domain, security services might be limited to counter Traffic Flow Analysis and provide communication privacy, if required by the threat risk assessment of the communication asset used to connect to other nodes. In the network domain, availability will be provided by redundancy of the connections among nodes.

6 NATO CIS IMPLEMENTATION PILLARS
Adoption of Common Criteria
NATO Computer Incident Response Capability (NCIRC)
NATO Public Key Infrastructure (NPKI)

The implementation of this security Architecture requires the support of some pillars.

The first is the adoption of Common Criteria. It is quite easy to say that the evaluation of IT products and systems is of extreme interest for NATO, because as an organisation of Information Technology users it represents exactly the kind of entities that normally initiate or require such evaluations.

The second pillar is the implementation of a NATO Computer Incident Response Capability. With the increasing implementation of communication and information systems (CIS) interconnectivity within NATO civil and military bodies, NATO is faced with an increasing challenge to protect its information and supporting systems and resources. The protection of critical CIS resources not only requires implementing and managing the necessary security measures, but also the capability to prevent, detect, react and recover from computer security related incidents.

The third pillar is the implementation of an NPKI. The NATO Information Management Policy mandates to ensure a secure, effective and efficient management of NATO information. This means, in particular, that any individual within NATO must have easy access to NATO information (on the basis of need to know) and have the capacity of exchanging information in a timely and secure manner, without the contents being altered or inadvertently disclosed. Modern evolution of cryptography offers a unique opportunity to fulfil the objectives of availability, integrity and confidentiality of NATO information.

7 COMMON CRITERIA

Let us see why NATO considers CC a pillar for securing its CIS.

8 NATO AND COMMON CRITERIA
[Diagram: NATO CIS life-cycle. Labels: Statement of Operational Requirements; Policy, Directives, Guidelines; NC3S Overarching Architecture; Reference Architecture; NC3S Security Annex; Capability Package; Target Architecture; NC3S Type B Cost Estimate (TBCE); Security Requirement Statement; Invitation For Bid (IFB); CC concept and terminology; ISO / National / NATO PP Repositories; Evaluated Products Lists]

To explain that, allow me to go quickly through the NATO CIS life-cycle description. The procurement of a capability to support NATO mission starts with the definition of a Statement of Operational Requirement (SOR). This SOR, considering policies, directives and guidelines, impacts the Overarching NATO C3 Systems Architecture that captures the complete set of NATO requirements at a high level. The Overarching Architecture is refined in Reference Architecture(s) to which a Capability Package derived from the SOR shall be conformant. A security annex captures the security requirements in the Capability Package. The Reference Architecture is finally refined in Target Architectures (TA) on a project basis from which a cost estimate is derived. A Security Requirement Statement uses the INFOSEC view of the Target Architecture as the basis for accreditation.

In this context, why can CC be considered a pillar? CC concept and terminology can be used to clearly capture and express the security requirements. Moreover, the use of a Protection Profile and/or a Functional/Assurance Package may help to define the Reference Architecture and be included in the Capability Package. Definitely, a Protection Profile, with appropriate extensions to cover non Information Technology aspects, can be the best way to express Security Requirement Statements. A Target Architecture, an Invitation for Bid as well as a Security Requirement Statement may mandate the use of a Security Target (i.e., a given evaluated product).

I have to apologise for the slide containing too much information, however I hope I have given a clear rationale as to why NATO considers CC a pillar to better secure its CIS.

9 NATO TRANSITION TO CC
Documentation
Process and Procedures for Protection Profiles and Packages
NATO Protection Profiles and Packages Repository
Registration of CC Evaluated Products

Previously, NATO criteria were based on the Trusted Computer Security Evaluation Criteria and consequently a transition plan has been developed for the adoption of CC. This transition plan identifies the documentation required for the adoption of CC, the process and procedures for the development, validation, evaluation, and certification of PPs and Packages within NATO as well as the requirement for the establishment of a "NATO Protection Profiles and Packages Repository". The transition plan also identifies the process and the procedures for the registration of CC evaluated products.

10 PROTECTION PROFILES AND PACKAGES
Selection and/or Development
Evaluation and Certification
Repository

As the documentation required for CC adoption by NATO is certainly not of interest, let's move to Protection Profiles and Packages. As I said earlier, a PP or Package can be in response to the need to specify security requirements for NATO procurement. NATO need not develop every PP or Package it might require, especially those specifying generally required security functionality. Such PPs or Packages are already available from NATO and non-NATO nations or in the commercial sector. However, NATO may need to express specific requirements (functions or assurances) as a Package that is in addition to available PPs or Packages (e.g. a PKI PP has an assurance level of EAL3, whereas NATO may require a higher level). Moreover, NATO may have the need to express classified requirements, as NATO specific PPs and Packages for cryptographic products, but also as a classified Package in addition to commercially available PPs and Packages.

Consequently, NATO needs to evaluate and certify those PPs and Packages. The evaluation and certification will be performed either by a NATO nation with accredited evaluation facilities and CC recognised national certification/validation scheme or by a NATO organisation (e.g. SECAN and EUSEC) adopting the technical criteria and supporting common methodology.

The need to develop classified PPs/Packages and the evaluation/certification process performed by NATO organisations require the establishment of a NATO PPs/Packages Repository that will be based on the ISO/IEC project "Protection Profile registration procedures". The repository will differ if a PP/Package is classified or not. So there will be two repositories, one for the classified PPs/Packages available on a "need-to-know" basis and a second one available for public consultation.

11 IT PRODUCTS
[Diagram: product registration process. Labels: Identify Product; NATO Product List; National CC Repository; Validation / Certification (NATO Nation, SECAN, EUSEC); SSA Endorsement; Product Endorsement; NATO List; National Sponsored Products; Development Process]

NATO registers the products with secure features in NATO products Lists. Accordingly, it has to revise the List to accommodate IT products evaluated and certified according to CC. The transition plan identifies a general procedure that will be used during the revision process. The process of course starts when in a project the need to identify a product arises and the first places to look at are the NATO Product List and the CC repository. If an evaluated and certified product exists, its use has to be endorsed by the Security Accreditation Authority for the specific project and will be registered in the NATO Product List if not already contained. If a product exists, but its evaluation and certification has not been done or is ongoing, NATO will require a validation/certification to be performed either by a NATO nation with accredited evaluation facilities and CC recognised national certification/validation scheme or by a NATO organisation (e.g. SECAN and EUSEC) adopting the technical criteria and supporting common methodology. Once evaluated and certified, the product has to be endorsed by the SAA and then will be registered. Of course a product may not exist, and in that case a development process should be included in the mentioned events chain. The transition plan also envisages that in the Product List all the CC evaluated and certified products that a NATO Nation would like to sponsor for their use in NATO should be recorded.

12 CURRENT SITUATION
Transition phase
Interim guidance
IT Products, PPs, Packages Database
Implementation Directive: Under approval
Objective: 2 Q 2003

Currently, NATO is in a transition phase. A CC Interim guidance has been agreed and is used. This document provides guidance on how to apply CC concepts and methods during the transition from NATO Trusted Computer Security Evaluation Criteria (NTCSEC) to CC for new projects and procurements. Meantime, a database is under development for the registration of Information Technology Products, Protection Profiles and Packages. The Directive on the use of CC has been finalised and is under approval. It will mandate the use within NATO of the Common Criteria - and thereby the Common Methodology - and establish the process and procedures for their use with respect to CIS life cycle, Security Requirement Statements, Procurement Documentation and Evaluation and Certification. The objective to adopt Common Criteria by 2 Q 2003 is going to be met.

13 NATO COMPUTER INCIDENT RESPONSE CAPABILITY

Another NATO fundamental objective is the implementation of a NATO Computer Incident Response Capability.

14 NCIRC
Central Capability
Incident Handling and Reporting
Implementation Approach

The implementation of a Computer Incident Response Capability (NCIRC) will allow NATO to respond to computer security related incidents such as computer viruses, unauthorised user activity, and serious INFOSEC vulnerabilities in an efficient and timely manner.

Conceptually, the NCIRC is a central capability for dealing with virtually any incident that occurs. It provides a means for handling and reporting incidents and disseminating important incident-related information to system security management and users. It concentrates incident handling into one centralised and co-ordinated effort.

The NCIRC will be implemented following a two-step approach:
establishment of an Initial Operational Capability (IOC) making use, as extensively as possible, of existing resources and organisational structure. The IOC would provide NATO with the ability to handle incident response during normal office hours;
transition to a Full Operational Capability (FOC) that will be established in accordance with lessons learned during the initial operation of the NCIRC. The Full Operational Capability of the NCIRC would provide NATO with the ability to handle incident response on a 24 hours/7 days basis.

15 NCIRC ORGANISATION
TIER 1: CO-ORDINATION CENTRE
TIER 2: TECHNICAL SUPPORT CENTRE
TIER 3: CIS OPERATING AUTHORITIES

From an organisational perspective, the NCIRC will take a 3-tier management structure.

At Tier 3, the existing CIS operating authorities in NATO civil and military bodies who are responsible for day-to-day system and security administration. Their primary responsibilities, in respect to the NATO CIRC, are to perform intrusion detection, to report detected events, incidents and vulnerabilities, and perform malicious code prevention and detection;

At Tier 2, the NATO CIRC Technical Support Centre, carrying out CERT™ typical functions. The primary purposes are to perform incident response, recovery and reporting activities; and to provide technical support and assistance to CIS operating authorities in respect to intrusion detection and malicious code prevention;

At Tier 1, the NATO Computer Incident Response Capability Co-ordination Centre. Its main responsibility is to co-ordinate response, recovery, and forensic activities and to liaise with appropriate national authorities and international CERT organisations.

16 CURRENT SITUATION
NCIRC documentation: NC3B Guidance and Direction; CONOPs; Handbook
NCIRC activated on a limited scale
Establishment of links with national CERTs

The implementation of the NCIRC is based on a set of documents already approved that includes:
the NC3B direction and guidance for the implementation of the NATO Computer Incident Response Capability (NCIRC);
the NCIRC Concept of Operations;
the NCIRC Handbook that contains the procedures that the CIRC will follow and refer to during its daily activities.

The implementation of the NCIRC being an urgent requirement, by prioritising assigned tasks and reassigning in-house personnel resources, the NCIRC Co-ordination Centre and the Technical Support Centre have been activated on a limited scale. Actions are ongoing to procure the assets and select the personnel for the establishment of the NCIRC IOC.

Furthermore, the NCIRC-CC, in co-ordination with the NCIRC Technical Centre, is planning the activities for the establishment of links with national and international CERTs for a timely exchange of information on threats, vulnerabilities, alert bulletins etc.

17 NATO PKI

The last NATO fundamental objective I'm going to address today is the implementation of a NATO Public Key Infrastructure.

18 NATO PKI
NPKI Goal
NPKI Implementation Approach:
Establish the governing Authority (NPMA)
Field the Root CA
Regulate the implementation of the other PKI components

The NPKI goal is to ensure and maintain the NC3S security objectives supporting, at least, the users (and electronic entities) security services related to Identification and Authentication, Integrity, Confidentiality and Non-Repudiation of origin.

The implementation approach envisages to deploy basic components and to guide NPKI implementation according to NATO civil and military bodies operational requirements and priorities. To follow this approach, it has been decided:
to establish a governing authority for the development of rules and guidance both for the use of PKI services (e.g. PKI usage Policy, Certificate Policy, Tokens policy, etc.) and for its implementation;
to establish and field the Root CA;
to carefully regulate the implementation of CAs, RAs, Certificate Repositories and PKI enabled applications by the NATO civil and military bodies to guarantee the desired level of trust, interoperability, cross-certification and avoid duplications and waste of resources (e.g. the number of CAs, repositories, etc.).

19 NPKI ORGANISATION
TIER 1: NPMA, NPAC, ROOT CA
TIER 2: CERTIFICATION AUTHORITIES
TIER 3: SUBORDINATE CAs OR RAs

Also the NPKI will take a 3-tier management Organisation.

At Tier 1, directly under the NC3B:
the NATO PKI Management Authority (NPMA) supported by the NATO PKI Advisory Cell (PAC) responsible for the development of rules and guidance both for the use of PKI services and for NPKI implementation;
the Military Committee Distribution and Accounting Agency (DACAN) that will perform the role of the NATO Root CA.

At Tier 2, the Certification Authorities. With the aim to save resources and duplication of efforts, NATO intends to field the minimum number of CAs compatible with NATO organisation.

At Tier 3, the responsibility to carry out the NPKI management and operational functions identified in the NATO PKI Concept of Operations will be assigned to appropriate bodies by the relevant NATO CIS planning and implementation authority.

20 CURRENT SITUATION
PKI documentation: NPKI Legal Aspects; PKI Policy for NATO CIS; NPKI High Level Concept Of Operations; NPKI Certificate Policy; NPKI Security Architecture; NPKI Interoperability Strategy
Fielding of NATO Messaging System
First Root Certificate by 2 Q 2003

Where is NATO with NPKI implementation? Lessons learned have demonstrated that the implementation of a Public Key Infrastructure relies more on a sound basis of policies than on technology. Policy and guidance formulation is more time consuming and difficult than procuring the components of the PKI. A PKI cannot hope for success unless these issues are addressed early and continuously. For this reason, the NPMA, supported by the PAC, has concentrated its efforts in the development of the set of documents shown on the slide with the objective to have them approved not later than 1 Q 2003.

The objective to have all the required documentation developed by 1 Q 2003 is fundamental because NATO is fielding the NATO messaging system in compliance with STANAG 4406 that requires PKI support for authentication and integrity purposes. The NMS will be deployed starting from the 3 Q 2003, therefore, it is required that DACAN, under the direction of the NPMA, achieves the establishment of the infrastructure required to perform the role of NATO Root CA in time to release the first NATO PKI Certificate by June 2003 to the NATO Certification Authority for the NATO Messaging System.

21 CONCLUSIONS
NATO Policy
NATO CIS Overview
NATO CIS Implementation Pillars
Common Criteria
NATO Computer Incident Response Capability
NATO Public Key Infrastructure

This, Ladies and Gentlemen, concludes my presentation. I hope I have been able to give you a high-level overview of the ongoing activities in NATO for the protection of NATO information and supporting systems and resources by addressing the items shown in the slide.

22 Questions?

Thanks again to the Czech Republic Security Authorities for having given NATO this opportunity and thank you very much to all of you for your attention. Should you have any questions, I would try to answer them.

