Presentation is loading. Please wait.

Presentation is loading. Please wait.

Partnerships for VoIP Security VoIP Protection Profiles

Published byBenedict Austin Modified over 5 years ago

Similar presentations

Presentation on theme: "Partnerships for VoIP Security VoIP Protection Profiles"— Presentation transcript:

1 Partnerships for VoIP Security VoIP Protection Profiles
David Smith Co-Chair, DoD VoIP Information Assurance Working Group NSA Information Assurance Directorate, Information Assurance Solutions Group (410) October 3, 2003

2 Agenda DoD IA Policies Common Criteria
Protection Profiles & Security Targets Information Assurance Technical Framework (IATF) and Forum VoIP IA Initiatives Protection Profile(s) IATF October 3, 2003

3 DoD IA Policies DoDI 8500.1 & 8500.2 NSTISSP 11
By 1 July 2002, the acquisition of all COTS IA and IA-enabled IT products shall be limited only to those which have been evaluated and validated in accordance with either: International Common Criteria NSA/NIST National Information Assurance Partnership (NIAP) Evaluation and Validation Program NIST FIPS Validation Program DoDI : Information Assurance DoDI : Information Assurance (IA) Implementation NSTISSP 11: National Security Telecommunications and Information System Security Policy 11 - National Information Assurance Acquisition Policy DoDI supercedes DoD From DoDI NSA Responsibilities Generate Protection Profiles for IA and IA-enabled IT products used in DoD information systems based on Common Criteria (reference (j)), and coordinate the generation and review of these Profiles within the National Information Assurance Partnership (NIAP) framework. Engage the IA Industry and DoD user community to foster development, evaluation, and deployment of IA solutions that satisfy the guidance contained in this Instruction. Definitions E IA Product. Product or technology whose primary purpose is to provide security services (e.g., confidentiality, authentication, integrity, access control or non-repudiation of data); correct known vulnerabilities; and/or provide layered defense against various categories of non-authorized or malicious penetrations of information systems or networks. Examples include such products as data/network encryptors, firewalls, and intrusion detection devices (reference (a)). E IA-Enabled Product. Product or technology whose primary role is not security, but which provides security services as an associated feature of its intended operating capabilities. Examples include such products as security-enabled web browsers, screening routers, trusted operating systems, and security-enabled messaging systems (reference (a)). October 3, 2003

4 Common Criteria (CC) Internationally Recognized Security Criteria
Security requirements specification language Security functionality & assurance Provides basis for validating conformance to specification (e.g. PP or ST) by independent third party (e.g. NIAP lab) One evaluation, accepted everywhere (EAL - 4 and below) Current membership is 16 nations Australia, Canada, Finland, France, Germany, Greece, Israel, Italy, Netherlands, New Zealand, Norway, Spain, Sweden, United Kingdom, United States Labs certify that product complies with vendor’s specification Certificate Producing Nations: US, Canada, UK, Germany, France, Australia/NZ October 3, 2003

5 Protection Profiles vs. Security Target
Protection Profile - Customer Statement in CC language of security and assurance requirements (“I need”) For DoD, NSA writes the protection profiles Security Target - Vendor Vendor claim in CC language of security and assurance requirements met (“I provide”) Target of Evaluation Protection Profile Product independent Contains Environment, Threats, Policies, Assumptions, Security Functional Requirements, Assurance Requirements Consumer perspective The protection profile development process has several steps including two phases of public comment. Security Target Product dependent Required for lab evaluation Can be written independent of a PP (but may claim compliance) Vendor perspective Target of Evaluation - The device/system that is evaluated by a certified laboratory for conformance to a security target or protection profile In accordance with DoDI , NSA is responsible for creating protection profiles for DoD use. NSA Responsibilities Generate Protection Profiles for IA and IA-enabled IT products used in DoD information systems based on Common Criteria (reference (j)), and coordinate the generation and review of these Profiles within the National Information Assurance Partnership (NIAP) framework. October 3, 2003

6 Robustness Basic = Best Commercial Practice
Medium = Better than most current commercial High= Usually Government Developed Robustness is the combination of appropriate security requirements and assurance levels. Imperative that Evaluation Report be read to understand the IA quality. EAL doesn’t equate to Robustness level Basic – Good enough to protect non-mission critical unclassified systems Medium - Good enough to protect mission critical systems and sensitive unclassified information High - Required to protect classified information and systems EAL – Evaluated Assurance Level 1 – functionally tested 2 – structurally tested 3 – methodically tested and checked 4 – methodically designed, tested and reviewed 5 – semiformally designed and tested 6 - semiformally verified design and tested 7 – formally verified design and tested NSA evaluates EAL 5 and above. October 3, 2003

7 National Information Assurance Partnership (NIAP)
NSA/NIST Partnership US Focal Point for Common Criteria Manage & Maintain Process Common Criteria Evaluation and Validation Scheme Protection Profile Registry Evaluated Products Registry List of Certified Commercial Evaluation Labs The National Information Assurance Partnership (NIAP) is a U.S. Government initiative designed to meet the security testing, evaluation, and assessment needs of both information technology (IT) producers and consumers. NIAP is a collaboration between the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) in fulfilling their respective responsibilities under the Computer Security Act of The partnership, originated in 1997, combines the extensive security experience of both agencies to promote the development of technically sound security requirements for IT products and systems and appropriate metrics for evaluating those products and systems. The long-term goal of NIAP is to help increase the level of trust consumers have in their information systems and networks through the use of cost-effective security testing, evaluation, and assessment programs. NIAP continues to build important relationships with government agencies and industry in a variety of areas to help meet current and future IT security challenges affecting the nation's critical information infrastructure. (Source: NIAP Web page – October 3, 2003

8 Information Assurance Technical Framework (IATF)
UNCLASSIFIED Information Assurance Technical Framework (IATF) A Technical Security Guidance Document Unclassified Evolving Publicly available on IATF Web Site October 3, 2003

9 UNCLASSIFIED IATF Benefits Helps U.S. Government users become wiser consumers of implementing security solutions Assists U.S. industry in understanding the government’s needs and the nature of the desired solutions to these needs Focuses investment resources on the security technology gaps October 3, 2003

10 Information Assurance Technical Framework Forum (IATFF)
UNCLASSIFIED Information Assurance Technical Framework Forum (IATFF) NSA-sponsored forum to foster dialog among U.S. Government agencies, U.S. Industry, and U.S. Academia Sessions approximately every 6 weeks Held at the Johns Hopkins Applied Physics Lab, Laurel, MD IATFF Purpose Promote understanding of IA Technology Influence product development Identify existing technology gaps Advance the IATF document October 3, 2003

11 IATFF Benefits Fosters IA Dialog
UNCLASSIFIED IATFF Benefits Fosters IA Dialog U.S. Government-U.S. Industry-U.S. Academia Increases awareness of available security solutions Establishes contacts between individuals and organizations dealing with similar problems October 3, 2003

12 VoIP IA Initiatives Leverage Communicate VoIP Protection Profiles
NIAP/CC IATF & IATFF Government/Industry Partnership Communicate Government Needs & Industry Capabilities VoIP Protection Profiles VoIP IATF Section VoIP IATFF Session October 3, 2003

13 VoIP Protection Profile(s)
Beginning development Incorporate DoD Voice IA Requirements Partnership with vendors, users NSA is planning an effort to develop protection profile(s) for VoIP. We have done a study to decompose VoIP into Targets of Evaluation. Next a Common Criteria threat assessment will be performed followed by drafting of the profiles. In developing the protection profile, we would like to incorporate as many of DoD’s voice and data IA requirements as appropriate and input from vendors. The protection profile is successful only if products are built and evaluated to it. Prior work: There was an effort to develop protection profiles for PBXs and telephone switches by NIST and Telcordia in There are draft profiles available at the following URL NIAP Evaluated VoIP Products Meeting DoD IA Requirements October 3, 2003

14 VoIP IATFF http://www.iatf.net Planning an IATFF session on VoIP
Looking for session ideas Topics Presenters Users, Vendors, Network Managers To engage users and industry, we are planning an IATFF session on VoIP and IP Telephony for We are looking for ideas for this session. If you have interesting information you’re willing to share or ideas for topics, please let me know. If you join the IATF from the IATF web site ( you will be notified when the VoIP IATFF session as well as other IATFF sessions are scheduled. October 3, 2003

15 Wrap-Up Need partnerships with
Industry & Users NIAP and IATF are good vehicles for communication of IA requirements Getting the process started for VoIP Need Your Help!! October 3, 2003

Download ppt "Partnerships for VoIP Security VoIP Protection Profiles"

Similar presentations

Trusted Computing in Government Networks May 16, 2007 Richard C. (Dick) Schaeffer, Jr. Information Assurance Director National Security Agency.

Trusted Computing in Government Networks May 16, 2007 Richard C. (Dick) Schaeffer, Jr. Information Assurance Director National Security Agency.
DRIVING DOD POLICY FOR COMMON CRITERIA TESTING OF IT PRODUCTS Wanda Nuckolls, Product Security Project Manager Canon U.S.A., Inc. Government Marketing.

DRIVING DOD POLICY FOR COMMON CRITERIA TESTING OF IT PRODUCTS Wanda Nuckolls, Product Security Project Manager Canon U.S.A., Inc. Government Marketing.
University of Tulsa - Center for Information Security Common Criteria Dawn Schulte Leigh Anne Winters.

University of Tulsa - Center for Information Security Common Criteria Dawn Schulte Leigh Anne Winters.
Copyright (C) The Open Group 2014 Securing Global IT Supply Chains and IT Products by Working with Open Trusted Technology Provider™ Accredited Companies.

Copyright (C) The Open Group 2014 Securing Global IT Supply Chains and IT Products by Working with Open Trusted Technology Provider™ Accredited Companies.
Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 5.2: Evaluation of Secure Information Systems.

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 5.2: Evaluation of Secure Information Systems.
PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.

PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.
FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.

FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.
Common Criteria Richard Newman. What is the Common Criteria Cooperative effort among Canada, France, Germany, the Netherlands, UK, USA (NSA, NIST) Defines.

Common Criteria Richard Newman. What is the Common Criteria Cooperative effort among Canada, France, Germany, the Netherlands, UK, USA (NSA, NIST) Defines.
IT Security Evaluation By Sandeep Joshi

IT Security Evaluation By Sandeep Joshi
The Common Criteria Cs5493(7493). CC: Background The need for independently evaluated IT security products and systems led to the TCSEC Rainbow series.

The Common Criteria Cs5493(7493). CC: Background The need for independently evaluated IT security products and systems led to the TCSEC Rainbow series.
An Overview of Common Criteria Protection Profiles María M. Larrondo Petrie, PhD March 26, 2004.

An Overview of Common Criteria Protection Profiles María M. Larrondo Petrie, PhD March 26, 2004.
October 3, 20031 Partnerships for VoIP Security VoIP Protection Profiles David Smith Co-Chair, DoD VoIP Information Assurance Working Group NSA Information.

October 3, Partnerships for VoIP Security VoIP Protection Profiles David Smith Co-Chair, DoD VoIP Information Assurance Working Group NSA Information.
Summer 200811 IAVA1 NATIONAL INFORMATION ASSURANCE TRAINING STANDARD FOR SYSTEM ADMINISTRATORS (SA) Minimum.

Summer IAVA1 NATIONAL INFORMATION ASSURANCE TRAINING STANDARD FOR SYSTEM ADMINISTRATORS (SA) Minimum.
Fiscal Year 2008 Urban Areas Security Initiative Nonprofit Security Grant Program Investment Justification Questions, Criteria, and Prioritization Methodology.

Fiscal Year 2008 Urban Areas Security Initiative Nonprofit Security Grant Program Investment Justification Questions, Criteria, and Prioritization Methodology.
Dr. Julian Lo Consulting Director ITIL v3 Expert

Dr. Julian Lo Consulting Director ITIL v3 Expert
National Institute of Standards and Technology 1 NIST Guidance and Standards on System Level Information Security Management Dr. Alicia Clay Deputy Chief.

National Institute of Standards and Technology 1 NIST Guidance and Standards on System Level Information Security Management Dr. Alicia Clay Deputy Chief.
1 Evaluating Systems CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 6, 2004.

1 Evaluating Systems CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 6, 2004.
8 November Common Criteria Protection Profiles and the NSA Strategy for Their Use Within the U.S. Department of Defense Louis.

8 November Common Criteria Protection Profiles and the NSA Strategy for Their Use Within the U.S. Department of Defense Louis.
Information Security Policies and Standards

Information Security Policies and Standards
COEN 351: E-Commerce Security Public Key Infrastructure Assessment and Accreditation.

COEN 351: E-Commerce Security Public Key Infrastructure Assessment and Accreditation.

Similar presentations

Ads by Google