The Trusted Workstation: Protecting the Achilles Heel of Network Security
Senior Research Engineer
Security Development Manager
01 Mar 1998
Last year, an international consortium of global corporations sent delegates to discuss and disclose some of their most demanding information technology needs. One of the results of this meeting was the Black Forest Group's 15-point security document (see "15 Top Level Security Needs Identified by the Black Forest Group" in the January 1998 NetNotes). Last month we talked about point one of that document, a framework for international authentication. This month we discuss point number two: trusted workstations.
A Real Weak Spot
Due to a variety of factors, the workstation is a weak spot in network security. Most commercial PC-based workstations lack adequate safeguards to protect end-users. Such insecure and compromisable devices are unacceptable for use in electronic transactions. Only an evaluated and trustable workstation with a known configuration can pass muster in a secure working environment.
In 1993, responding to widespread demand for network security from major customers, Novell launched its security effort by formulating the Novell Global Security Architecture (NGSA). The NGSA is based on the technical principles defined in the U.S. Government's Trusted Network Interpretation (TNI) of the Trusted Computer System Evaluation Criteria (TCSEC). The TNI describes how to construct a secure network out of trusted components, while using the Network Security Architecture and Design (NSAD) to design component security and interconnectivity. The NSAD documents the security architecture of the network, the types of components that make up the network, and the protocols used. It also defines which components constitute a secure network and gives the requirements for secure network behavior of each type of component.
Using the NGSA and our NSAD as a framework, Novell submitted NetWare 4.11 for Class C2 evaluation in the United States. Novell has also initiated two evaluations by Commercially Licensed Evaluation Facilities (CLEFs), one in the United Kingdom and the other in Germany, for an E2/F-C2 & E3 rating under the Information Technology Security Evaluation Criteria (ITSEC). With NetWare 4.11, Novell offers a Class C2-evaluated network system complete with server, workstation, and connection components.
Both the U.S. and European evaluations cover complete network systems including clients and servers. Novell is working with the evaluators to establish a process whereby additional components, such as clients, can be evaluated separately for Class C2 compliancy. Such components can be developed by partners and other third-party developers, and they can be added to the configuration without having to re-evaluate the entire network. The evaluation of the new component focuses on whether it meets the technical requirements of the TNI for Class C2 security criteria, and whether it properly implements the NetWare protocols in order to be included as part of the Network Trusted Computing Boundary (NTCB).
The U.S. government's TNI extends the notion of the Trusted Computing Boundary (TCB) from that of just a workstation or server, to security in the form of a Network TCB (NTCB). Because the network is made up of a number of components, each component must have an appropriately self-protecting and resource-isolating NTCB partition that implements the necessary security functions for that component. When taken together, all of the component NTCB partitions make up the NTCB for the network. This allows real networks that have only a few trusted components to continue to operate.
The Class C2-evaluated workstation called for in the Class C2-evaluated configuration of NetWare 4.11 is known as the Trusted Workstation. Novell presently supports the evaluation of products from four workstation partners under the same criteria, thereby nurturing NetWare-compatible security-engineered products from other vendors.
The Need for Security-Engineered Network Products
Security engineers have long known that simply adding security features to existing systems does not solve security problems. In fact, such cosmetic solutions can foster ill-founded complacency, which makes matters worse. The Internet, particularly the World Wide Web, has brought these issues to the forefront, as layer upon layer of add-on cryptographic solutions fail to solve any real security problems. These solutions fail because they reside on fundamentally insecure DOS/Windows or Windows 95 platforms.
One prominent provider of Internet funds transfer software has publicly expressed its horror at the discovery that it is a trivial matter to construct software that monitors user keystrokes and intercepts user passwords before they can be encrypted. For more than a decade, the need for a self-protecting TCB with a Trusted Path to the user has been among the fundamental security engineering principles embodied in the TCSEC and the TNI.
For client components, the NTCB must provide certain controls over the actions of untrusted elements, such as user application programs, within the component. Sound security engineering principles, as embodied in the TNI's assurance requirements, dictate that the security functions of the client component be implemented in a self-protecting NTCB partition. These controls include prohibiting untrusted elements from doing any of the following:
Send direct signals over the network cable
Modify the component's link layer address
Access unauthorized link layer packets
Modify the component's IPX address
Use protocols other than IPX
Act as a server or router
Communicate with untrusted elements in other components
Access or modify materials used in user authentication or inter-component authentication, such as passwords, keys, or certificates.
The NSAD defines multiple methods for fulfilling some of these requirements. Some of these methods require complementary mechanisms to exist in other network components.
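As an added illustration (not Novell's code and not taken from the NSAD), the following Python toy models a client's NTCB partition as a reference monitor that mediates requests from untrusted application code against the controls listed above and records every refusal for audit. The Request and ClientNTCB names, the operation names, and the sample addresses are assumptions.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Request:
    """A request from an untrusted element (an application) to the NTCB partition."""
    op: str                   # send | set_link_addr | set_ipx_addr | listen | read_secret
    protocol: str = "IPX"     # protocol the application asks the stack to use
    src_link: str = ""        # link-layer source address supplied by the application
    src_ipx: str = ""         # IPX source address supplied by the application
    dst_trusted: bool = True  # peer is inside the NTCB (e.g. an evaluated server)
    raw_frame: bool = False   # application tries to hand the driver a raw frame

@dataclass
class ClientNTCB:
    """Self-protecting partition: it owns the addresses and the credentials."""
    link_addr: str
    ipx_addr: str
    audit: list = field(default_factory=list)

    def _deny(self, what, why):
        self.audit.append(f"DENY {what}: {why}")   # every refusal is auditable
        return False

    def mediate(self, req):
        """Return True only if the untrusted element's request may proceed."""
        if req.op in ("set_link_addr", "set_ipx_addr"):
            return self._deny(req.op, "addresses are owned by the NTCB partition")
        if req.op == "listen":
            return self._deny(req.op, "a client may not act as a server or router")
        if req.op == "read_secret":
            return self._deny(req.op, "passwords, keys and certificates stay NTCB-internal")
        if req.op == "send":
            if req.raw_frame:
                return self._deny(req.op, "direct link-layer access is not permitted")
            if req.protocol != "IPX":
                return self._deny(req.op, f"protocol {req.protocol} is not permitted")
            if req.src_link not in ("", self.link_addr) or req.src_ipx not in ("", self.ipx_addr):
                return self._deny(req.op, "source address does not match this component")
            if not req.dst_trusted:
                return self._deny(req.op, "peer is an untrusted element of another component")
            return True
        return self._deny(req.op, "unknown operation")

    def deliver_inbound(self, dst_link, protocol):
        """Only IPX frames addressed to this station are passed up to applications."""
        if dst_link != self.link_addr or protocol != "IPX":
            return self._deny("recv", "frame not addressed to this component or not IPX")
        return True
```

The point of the model is placement, not the individual rules: the application never touches the driver, the addresses, or the credentials directly, so a subverted application cannot bypass the checks the partition applies.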
The Novell Security Development team is focused on offering customers, developers, and partners a safe alternative as they move toward public networking. Novell's initial offering has been engineered to meet the U.S. Class C2 and the European E2/F-C2 security criteria. NetWare 4.11, along with the workstation product of our initial partner, Cordant, Inc. (now Sistex), has successfully completed the formal C2 evaluation process in the U.S.
What Will Network Customers Buy?
The typical Fortune 500 company has on the order of 15,000 client seats. One-third of these are replaced every year, yielding approximately 2.5 million desktop units per year for this market segment. Modifications to the network configuration and/or functions are typically made as part of this refresh cycle, not by retrofitting existing units. Using this method, the cost per seat tends to remain constant, while the evolution of technology over the three-year life of a desktop unit accounts for a manifold increase in capability each time it is replaced.
This increase means that there is some room for the addition of new functions, such as security, in each refresh cycle. The fact that the expenditure per desktop unit is "flat" means that there will be aggressive competition among prospective new functions for the desktop dollar. The upshot of this competition is that the incremental cost to the customer for a security solution that is to be part of the desktop refresh cycle must be low, on the order of tens of dollars.
Solutions that involve significantly greater incremental cost must supply recognizably greater security, especially for sensitive applications. In any case, these solutions will capture only a small percentage of this market. Since the competitors for this niche will be few, products that address this high-security niche can represent a healthy business for a small company that can supply an "enabler" for a commodity security product line.
Novell's Yes Program
Novell has undertaken an intensive security engineering program to ensure that NetWare 4 meets the security requirements for today's environment, without sacrificing compatibility. Years of effort, including external review by acknowledged security engineering experts, have yielded a version of NetWare designed to meet the exacting requirements for Class C2 under the TNI, as well as the pragmatic security requirements presented by today's enterprise network environment. What's more, partners are now able to certify hardware platforms through Novell's "Yes Tested and Approved" program, giving customers the advantage of running "trusted" NetWare in heterogeneous environments.
* Originally published in Novell AppNotes
The origin of this information may be internal or external to Novell. While Novell makes all reasonable efforts to verify this information, Novell does not make explicit or implied claims to its validity.