PARTITIONED NETWORKS
1. PARTITIONING IN A NETWORK. Partitioning is a method of implementing an
Interconnected Network (see Page XI-3, paragraph 4) using Controlled
Interfaces such as guards and gateways to separate portions of the
network into different segments, each of which has different maximum
classification levels, categories, and/or compartments of information.
This is done by securely preventing data from one specific segment of
the network (e.g., one operating at the Secret Restricted Data level)
from crossing the boundary (gateway) to another segment of the network
(e.g., one operating at the unclassified level).
2. PARTITIONING WITHIN A SINGLE AIS. Partitioning is sometimes implemented
within a single AIS by treating the AIS as though it were two or more
different virtual machines. This implementation is not a partitioned
network. This method of partitioning shall not be permitted for use in
DOE classified AISs with a Protection Index of three or greater.
3. PARTITIONED NETWORKS.
a. Discussion. In a Partitioned Classified Network, the network
control nodes segregate the users and host AISs into logically-
separate, single-level AIS networks. In practice, the nodes that
implement this separation are the Controlled Interfaces. For a
secure Partitioned Classified Network, the
control nodes shall base their routing decisions on information not
supplied by the user. For example, the routing decisions can be
based on the physical line onto which the user is logged. This
last characteristic allows the Controlled Interfaces, for example,
to refuse to link between an illegal (e.g., open) terminal and a
secure host AIS under all conditions. The Controlled Interfaces
shall prevent the access violation that would occur if a user with
the proper user ID and password attempted to sign onto a secure
host AIS from a host or terminal of lesser security level.
b. Security Support Structure. Implicit in this description of a
Partitioned Classified Network is the fact that the Controlled
Interfaces, along with other components of the Security Support
Structure, are "trusted" to make multilevel access decisions. This
further requires that the classified AIS's CSSO understand what
the Security Support Structure is doing.
(1) Software Security. The security of the software can be
established by formal software validation and verification
techniques or by having all the software in the Controlled
Interface either written by, or meticulously examined by,
several cleared personnel.
(2) Hardware Security. The security of the hardware can be
established by using formally verified hardware or by using
multiple Controlled Interfaces in series. A security failure
involving Controlled Interfaces in series requires multiple,
concurrent and synergistic hardware failures; such failures
are unlikely.
(3) Certification Testing. For a Partitioned Classified Network
with a Protection Index of two or greater, the secure
operation of the Security Support Structure shall be validated
and verified by an Independent Verification and Validation
team appointed by the CSPM.
c. Host. In the context of a Partitioned Classified Network, a host
is a network component that runs user code.
NOTE: No matter what a network component is called by its
developer, if that component runs any user code, that component is
a host.
d. Server. In the context of a Partitioned Classified Network, a
server is a network component that (1) is not a host AIS, (2) is
not a Controlled Interface, and (3) provides some needed
functionality to the network's hosts and/or Controlled Interfaces.
Examples of servers include file systems, network printing systems,
and network graphic recording systems. If a network component
executes any user code, it is a HOST AIS, not a SERVER.
e. Multilevel Security. A Partitioned Classified Network can run at
multiple security levels securely and can use relatively
untrustworthy host hardware. All the separation trust is placed in
the Controlled Interfaces and other components of the Security
Support Structure. Because these Controlled Interfaces can be, and
usually are, smaller classified AISs that are running a dedicated
program (as opposed to a typical operating system), the Controlled
Interfaces are well-understood and reliable.
f. Host AIS. In contrast to a Classified AIS operating with a
Protection Index of zero, one, or two, the security of a
Partitioned Classified Network depends least on the security
capabilities of the host AISs. These machines are the only
components of the network that are directly accessible by the
users. As a rule, the other network components are, if not
transparent, at least "translucent" to the users. A Partitioned
Classified Network is designed assuming that, because the host AISs
run user programs, the actions of the host AISs cannot be given any
security credence. This does not mean that security features in
the host AISs are unnecessary or undesirable; it does mean that the
network itself can have no confidence in the actions of a host AIS.
4. REQUIREMENTS. A secure Partitioned Classified Network shall be in
compliance with the following design requirements because, without such
compliance, the Partitioned Classified Network degenerates into a simple
network running at multiple security levels. Thus, violation of any of
these assumptions results in what is, in effect, a complicated AIS
system running at multiple security levels. At the overview level, the
requirements for implementing a secure Partitioned Classified Network
are:
a. Location of Components. The network routing entities (e.g.,
Controlled Interfaces) know the partition that a host or terminal
is in based on information not supplied by the host or terminal.
For example, in most Partitioned Classified Networks, the partition
that a terminal is in is determined by the physical line a terminal
uses to communicate to the Partitioned Classified Network. In one
extant Partitioned Classified Network, approximately 32 dial-up
lines lead into the open partition. In the same Partitioned
Classified Network, lines from terminals in the secure partition
come into the network through a Protected Distribution System from
secure areas.
b. Location of User Code. The only machines in the Partitioned
Classified Network that can execute a user's programs are the host
AISs. No user code can be executed in the Controlled Interfaces or
servers. This assumption is the basis for the trust placed in the
network routing nodes and in the servers.
c. Servers. Servers that allow read/write access by hosts will
separate data by partition. Because servers do not execute user
programs, this assumption is usually validated by having the
server's software written and checked by cleared people.
Techniques for assuring this separation are straightforward.
d. Perimeter of the Classified AIS. The security perimeter of a
secure Partitioned Classified Network includes all Controlled
Interfaces, all lines from Controlled Interfaces, all secure
terminals, all secure hosts, and all lines to secure terminals.
e. Security Controls. Some trusted node in the Partitioned Classified
Network has a list of user IDs, passwords, and privileges. Many
Partitioned Classified Networks refer to this node as a Network
Security Controller. This is the node from which first-level
Controlled Interfaces request permission to make a terminal-to-host
connection.
f. Star (*) Property. Servers that allow read/write access, such as
common file systems, enforce the "star (*) property." Under the
star (*) property, a process in a partition can, with proper
authorization, read a file from a less sensitive partition, but not
vice versa. In other words, a secure host can read a "lower level"
file but cannot write to a file accessible from the lower level
partition.
g. Untrustworthy. The terminals (that is, the users at terminals) and
host AISs are assumed to be untrustworthy. For example, the
Partitioned Classified Network, itself, shall prevent a terminal
from accessing a secure host, even if both the terminal and the
secure host want to make the connection. The Partitioned
Classified Network, itself, shall prevent a secure terminal or host
from placing data in an unapproved partition.
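The following Python model is an added illustration, not part of the DOE text: it encodes the decision rules of paragraphs 3.a and 4.a, 4.e, 4.f and 4.g (partition taken from the physical line rather than from the terminal, the Network Security Controller check, and the star property on a shared server). Partition labels, line and host names, and user entries are constructed sample data; treating a secure terminal's connection to a lesser host as an unapproved data placement is an assumption stated in the code.

```python
# Constructed model of the access decisions this page assigns to the
# Controlled Interfaces, the Network Security Controller and a shared server.
from dataclasses import dataclass

# Constructed partition ordering: a higher number is a more sensitive partition.
LEVELS = {"OPEN": 0, "SECRET": 1, "SECRET_RD": 2}

# 4.a: a terminal's partition is fixed by the physical line it arrives on
# (dial-up lines feed the open partition, PDS lines come from secure areas).
LINE_PARTITION = {"dialup-07": "OPEN", "pds-line-3": "SECRET", "pds-line-9": "SECRET_RD"}
HOST_PARTITION = {"host-open": "OPEN", "host-secret": "SECRET", "host-srd": "SECRET_RD"}


@dataclass
class NetworkSecurityController:
    """4.e: the trusted node holding user IDs, passwords and privileges."""
    users: dict  # user_id -> (password, highest partition the user may access)

    def authorize(self, user_id, password, partition):
        entry = self.users.get(user_id)
        if entry is None or entry[0] != password:
            return False
        return LEVELS[entry[1]] >= LEVELS[partition]


def connect_terminal_to_host(nsc, line, host, user_id, password, claimed_partition=None):
    """Controlled Interface decision for a terminal-to-host request.

    `claimed_partition` stands for anything the terminal says about itself and
    is ignored on purpose (4.a, 4.g). Returns (allowed, reason).
    """
    term_part, host_part = LINE_PARTITION.get(line), HOST_PARTITION.get(host)
    if term_part is None or host_part is None:
        return False, "unknown line or host"
    # 3.a: a lesser terminal never reaches a secure host, even with a good password.
    if LEVELS[term_part] < LEVELS[host_part]:
        return False, "terminal partition below host partition"
    # Assumption: a more secure terminal is also kept off a lesser host, since
    # its keystrokes would place data in an unapproved partition (4.g).
    if LEVELS[term_part] > LEVELS[host_part]:
        return False, "terminal partition above host partition"
    if not nsc.authorize(user_id, password, host_part):
        return False, "Network Security Controller refused"
    return True, "same partition and authorized"


def server_access(host, file_partition, op):
    """4.f: star (*) property on a read/write server: read down allowed, write down refused."""
    h, f = LEVELS[HOST_PARTITION[host]], LEVELS[file_partition]
    if op == "read":
        return f <= h
    if op == "write":
        return f >= h  # assumption: writing to the same or a higher partition is permitted
    return False
```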
5. INDEPENDENT VALIDATION AND VERIFICATION REQUIREMENT. Partitioned
Classified Networks have demonstrated their usefulness in effective
implementation of security policies involving secure, multilevel
processing. However, this utility is lost if any of the above
assumptions are violated. CSSOs should be aware that unintentional
violations of these requirements can be subtle and difficult to detect.
An outside examination of a Partitioned Classified Network by an
Independent Validation and Verification team shall be required before
accreditation of the classified AIS.