Partnerships for VoIP Security VoIP Protection Profiles David Smith Co-Chair, DoD VoIP Information Assurance Working Group NSA Information Assurance Directorate, Information Assurance Solutions Group (410) 854-7302 E-mail: drsmit5@missi.ncsc.mil October 3, 2003
Agenda DoD IA Policies Common Criteria Protection Profiles & Security Targets Information Assurance Technical Framework (IATF) and Forum VoIP IA Initiatives Protection Profile(s) IATF October 3, 2003
DoD IA Policies DoDI 8500.1 & 8500.2 NSTISSP 11 By 1 July 2002, the acquisition of all COTS IA and IA-enabled IT products shall be limited only to those which have been evaluated and validated in accordance with either: International Common Criteria NSA/NIST National Information Assurance Partnership (NIAP) Evaluation and Validation Program NIST FIPS Validation Program DoDI 8500.1: Information Assurance DoDI 8500.2: Information Assurance (IA) Implementation NSTISSP 11: National Security Telecommunications and Information System Security Policy 11 - National Information Assurance Acquisition Policy DoDI 8500.1 supercedes DoD 5200.28 From DoDI 8500.2 NSA Responsibilities 5.6.3. Generate Protection Profiles for IA and IA-enabled IT products used in DoD information systems based on Common Criteria (reference (j)), and coordinate the generation and review of these Profiles within the National Information Assurance Partnership (NIAP) framework. 5.6.4. Engage the IA Industry and DoD user community to foster development, evaluation, and deployment of IA solutions that satisfy the guidance contained in this Instruction. Definitions E2.1.29. IA Product. Product or technology whose primary purpose is to provide security services (e.g., confidentiality, authentication, integrity, access control or non-repudiation of data); correct known vulnerabilities; and/or provide layered defense against various categories of non-authorized or malicious penetrations of information systems or networks. Examples include such products as data/network encryptors, firewalls, and intrusion detection devices (reference (a)). E2.1.30. IA-Enabled Product. Product or technology whose primary role is not security, but which provides security services as an associated feature of its intended operating capabilities. Examples include such products as security-enabled web browsers, screening routers, trusted operating systems, and security-enabled messaging systems (reference (a)). October 3, 2003
Common Criteria (CC) Internationally Recognized Security Criteria Security requirements specification language Security functionality & assurance Provides basis for validating conformance to specification (e.g. PP or ST) by independent third party (e.g. NIAP lab) One evaluation, accepted everywhere (EAL - 4 and below) Current membership is 16 nations Australia, Canada, Finland, France, Germany, Greece, Israel, Italy, Netherlands, New Zealand, Norway, Spain, Sweden, United Kingdom, United States Labs certify that product complies with vendor’s specification Certificate Producing Nations: US, Canada, UK, Germany, France, Australia/NZ October 3, 2003
Protection Profiles vs. Security Target Protection Profile - Customer Statement in CC language of security and assurance requirements (“I need”) For DoD, NSA writes the protection profiles Security Target - Vendor Vendor claim in CC language of security and assurance requirements met (“I provide”) Target of Evaluation Protection Profile Product independent Contains Environment, Threats, Policies, Assumptions, Security Functional Requirements, Assurance Requirements Consumer perspective The protection profile development process has several steps including two phases of public comment. Security Target Product dependent Required for lab evaluation Can be written independent of a PP (but may claim compliance) Vendor perspective Target of Evaluation - The device/system that is evaluated by a certified laboratory for conformance to a security target or protection profile In accordance with DoDI 8500.2, NSA is responsible for creating protection profiles for DoD use. NSA Responsibilities 5.6.3. Generate Protection Profiles for IA and IA-enabled IT products used in DoD information systems based on Common Criteria (reference (j)), and coordinate the generation and review of these Profiles within the National Information Assurance Partnership (NIAP) framework. October 3, 2003
Robustness Basic = Best Commercial Practice Medium = Better than most current commercial High= Usually Government Developed Robustness is the combination of appropriate security requirements and assurance levels. Imperative that Evaluation Report be read to understand the IA quality. EAL doesn’t equate to Robustness level Basic – Good enough to protect non-mission critical unclassified systems Medium - Good enough to protect mission critical systems and sensitive unclassified information High - Required to protect classified information and systems EAL – Evaluated Assurance Level 1 – functionally tested 2 – structurally tested 3 – methodically tested and checked 4 – methodically designed, tested and reviewed 5 – semiformally designed and tested 6 - semiformally verified design and tested 7 – formally verified design and tested NSA evaluates EAL 5 and above. October 3, 2003
National Information Assurance Partnership (NIAP) NSA/NIST Partnership US Focal Point for Common Criteria Manage & Maintain Process Common Criteria Evaluation and Validation Scheme Protection Profile Registry Evaluated Products Registry List of Certified Commercial Evaluation Labs The National Information Assurance Partnership (NIAP) is a U.S. Government initiative designed to meet the security testing, evaluation, and assessment needs of both information technology (IT) producers and consumers. NIAP is a collaboration between the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) in fulfilling their respective responsibilities under the Computer Security Act of 1987. The partnership, originated in 1997, combines the extensive security experience of both agencies to promote the development of technically sound security requirements for IT products and systems and appropriate metrics for evaluating those products and systems. The long-term goal of NIAP is to help increase the level of trust consumers have in their information systems and networks through the use of cost-effective security testing, evaluation, and assessment programs. NIAP continues to build important relationships with government agencies and industry in a variety of areas to help meet current and future IT security challenges affecting the nation's critical information infrastructure. (Source: NIAP Web page – http://niap.nist.gov) http://niap.nist.gov/ October 3, 2003
Information Assurance Technical Framework (IATF) UNCLASSIFIED Information Assurance Technical Framework (IATF) A Technical Security Guidance Document Unclassified Evolving Publicly available on IATF Web Site http://www.iatf.net October 3, 2003
UNCLASSIFIED IATF Benefits Helps U.S. Government users become wiser consumers of implementing security solutions Assists U.S. industry in understanding the government’s needs and the nature of the desired solutions to these needs Focuses investment resources on the security technology gaps October 3, 2003
Information Assurance Technical Framework Forum (IATFF) UNCLASSIFIED Information Assurance Technical Framework Forum (IATFF) NSA-sponsored forum to foster dialog among U.S. Government agencies, U.S. Industry, and U.S. Academia Sessions approximately every 6 weeks Held at the Johns Hopkins Applied Physics Lab, Laurel, MD IATFF Purpose Promote understanding of IA Technology Influence product development Identify existing technology gaps Advance the IATF document October 3, 2003
IATFF Benefits Fosters IA Dialog UNCLASSIFIED IATFF Benefits Fosters IA Dialog U.S. Government-U.S. Industry-U.S. Academia Increases awareness of available security solutions Establishes contacts between individuals and organizations dealing with similar problems October 3, 2003
VoIP IA Initiatives Leverage Communicate VoIP Protection Profiles NIAP/CC IATF & IATFF Government/Industry Partnership Communicate Government Needs & Industry Capabilities VoIP Protection Profiles VoIP IATF Section VoIP IATFF Session October 3, 2003
VoIP Protection Profile(s) Beginning development Incorporate DoD Voice IA Requirements Partnership with vendors, users NSA is planning an effort to develop protection profile(s) for VoIP. We have done a study to decompose VoIP into Targets of Evaluation. Next a Common Criteria threat assessment will be performed followed by drafting of the profiles. In developing the protection profile, we would like to incorporate as many of DoD’s voice and data IA requirements as appropriate and input from vendors. The protection profile is successful only if products are built and evaluated to it. Prior work: There was an effort to develop protection profiles for PBXs and telephone switches by NIST and Telcordia in 1999-2000. There are draft profiles available at the following URL http://niap.nist.gov/telecomm-forum.html NIAP Evaluated VoIP Products Meeting DoD IA Requirements October 3, 2003
VoIP IATFF http://www.iatf.net Planning an IATFF session on VoIP Looking for session ideas Topics Presenters Users, Vendors, Network Managers To engage users and industry, we are planning an IATFF session on VoIP and IP Telephony for 2004. We are looking for ideas for this session. If you have interesting information you’re willing to share or ideas for topics, please let me know. If you join the IATF from the IATF web site (http://www.iatf.net), you will be notified when the VoIP IATFF session as well as other IATFF sessions are scheduled. http://www.iatf.net October 3, 2003
Wrap-Up Need partnerships with Industry & Users NIAP and IATF are good vehicles for communication of IA requirements Getting the process started for VoIP Need Your Help!! October 3, 2003