beach@DDNUVAX.AF.MIL (darrel beach) (08/31/90)
A simple question... Has anyone heard of a system of products from a company called Verdix that will make a LAN a B1 system? B1 meaning security accreditation to have multi-level things connected. They make a Q-bus card and some others, or so I've heard. I'm just trying to pin down who these folks are and what they really have. The journals don't have a thing in the way of ads or articles.
Darrel Beach
hsw@SPARTA.COM (Howard Weiss) (09/04/90)
Unfortunately, there are no ultimate network security solutions for
LANs in existence - although there are several products available that
can help solve various LAN security problems. The Verdix Secure LAN
(SLAN) is one product (being evaluated for a B2 rating - see the
attached product evaluation bulletin), but it does not "make" an
unsecure LAN into a secure LAN if you think that you can reuse all
your existing hardware and software. You can re-use your existing
Ethernet cable plant, but all the network controllers need to be
replaced with Verdix Network Security Devices (NSDs). Boeing also has
built a secure LAN and its Network Security Controller (NSC) is being
evaluated as an A1 component. There are also a couple of LAN
encryption devices that could be used to provide data confidentiality
on a LAN - the Xerox Encryption Unit (XEU) and the Motorola Network
Encryption System (NES).
I've got addresses for Verdix and Boeing:
Verdix Corporation
14130-A Sullyfield Circle
Chantilly, VA 22021.
(703) 378-7600
Boeing Aerospace Company
Dan Schnackenberg
P.O. Box 3999, MS 94-64
Seattle, Washington 98124-2499
(206) 657-5595
email - Schnackenberg@dockmaster.ncsc.mil
Attached are the product evaluation bulletins from the National
Computer Security Center on both the Verdix and Boeing secure LANs.
Howard Weiss
Sparta, Inc.
Columbia, Md.
(301)381-9400 x201
hsw@sparta.com
____________________________________________________________________
Subject: VSLAN PB
PRODUCT EVALUATION BULLETIN
Report No. CSC-PB-004-88
AS OF: 4 October 1988
PRODUCT: VSLAN(1)
VENDOR: VERDIX Corporation
CANDIDATE CLASS: B2 MDIA Network Component
PRODUCT DESCRIPTION:
The VERDIX Secure Local Area Network (VSLAN) is a network
component designed to interconnect clients (e.g., mainframe
computers, workstations, servers) operating at different security
levels in accordance with Department of Defense (DOD) security
policies and procedures. The VSLAN operates at the physical and
data-link protocol layers of the Open System Interconnection
(OSI) reference model. It operates independently of higher layer
host-to-host protocols and can be used to integrate a variety of
host systems including internet gateways and application specific
systems.
The VSLAN consists of a single Network Security Center (NSC)
and multiple (up to 64) Network Security Devices (NSDs)
interconnected by a LAN transmission medium. The NSC is a
dedicated computer system that provides a centralized management
facility to control the operation of the VSLAN and to collect and
export audit data. Each individual NSD provides a trusted LAN
interface for its client that mediates incoming and outgoing
datagrams according to the VSLAN security policy. The NSD
implements the VSLAN communications protocol (IEEE 802.3) and
provides end-to-end encryption for all data transfers across the
network. The encryption protocol used is the Data Encryption
Standard of the National Institute of Standards & Technology
(NIST). The encryption protocol is not used to enforce the VSLAN
security policy, but is used as an integrity mechanism to provide
protection against modification, insertion, deletion, or replay
of data packets. As such, the encryption protocol itself is not
evaluated.
PRODUCT STATUS:
The VSLAN is marketed and supported by the VERDIX
Corporation and was released in October 1988.
_________________________________________________________________
(1) VSLAN is a registered trademark of the Verdix Corporation
EVALUATION STATUS:
A formal evaluation of the VSLAN began in October 1988 and
is scheduled for completion during the first quarter of the
calendar year, 1990. The VSLAN is being evaluated against
Appendix A of the Trusted Network Interpretation (TNI) of the
Trusted Computer System Evaluation Criteria, NCSC-TG-005
Version-1, July 1987, as a candidate B2 MDIA network component.
It can potentially be incorporated into a network system that can
meet the TNI Part 1 requirements for class B2. At the completion
of the evaluation, a final evaluation report will be produced by
the National Computer Security Center and the VSLAN will be
placed on the Evaluated Products List.
A Product Bulletin does not assign any rating to a product.
It merely establishes the candidate class which is the highest
class the system could attain should the formal evaluation be
completed. As with all evaluations, a system must complete the
formal evaluation phase before being assigned any rating.
ENVIRONMENTAL STRENGTHS:
The VSLAN is designed to act as a communications reference
monitor between attached clients. The VSLAN, by itself, is not
intended to be a complete network system as defined by the TNI,
but can be used as a trusted building block upon which trusted
network systems can be built. The VSLAN only controls access to
the LAN and does not mediate access attempts of host processes to
information on local or remote host systems.
The VSLAN was developed to provide the following services to its
clients:
- a system bus interface to external clients
- mediation of all data transfers between attached clients
in accordance with the VSLAN Mandatory Access Control
(MAC) and Discretionary Access Control (DAC) policies
- identification and authentication of the individual
responsible for operating a node of the network
- centralized management functions for security officers
to exercise control over the operation of the LAN
- a datagram oriented communications service
The ability of the VSLAN to correctly enforce the VSLAN
security policy depends entirely upon the trusted components of
the VSLAN and on the correct input of the security parameters by
the security officer.
______________________________________________________________________
Subject: Boeing MLS LAN PB
PRODUCT EVALUATION BULLETIN
Report No. CSC-PB-003-88
AS OF: 14 Sept. 1988
PRODUCT: Boeing MLS LAN
VENDOR: Boeing Aerospace
CANDIDATE CLASS: A1 MI Network Component
PRODUCT DESCRIPTION:
Boeing Aerospace's Multi-Level Secure Local Area
Network (MLS LAN) is a network component providing multilevel
secure communications between attached devices. These devices
include, for this evaluation, terminals, host computers, serial
devices, video devices, and stream devices. Within limits, a
site is free to choose how many of each type of device to attach.
The NCSC considers that the Boeing MLS LAN is a
candidate for A1 MI network component and is capable (when
properly supported by a special Network Management node and
attached devices) of supporting a network system with Mandatory
Access Control, Discretionary Access Control, Identification and
Authentication, and Auditing commensurate with the A1
requirements.
The MLS LAN consists of a set of one or more nodes
called Secure Network Servers (SNSs). Each SNS may support
physical interfaces for terminals, host computers, serial
devices, video devices, or stream devices. A group of SNSs may
be connected to one another by a transmission medium (either
fiber optic or coaxial cable), enabling devices on separate SNSs
to communicate. The SNS provides the following services:
1) host-to-host communication
2) terminal-to-host communication
3) terminal-to-terminal communication
4) terminal/host-to-serial-device communication
5) video and stream circuit-switched communication
Host-to-host communication is supported by TELNET,
Transmission Control Protocol (TCP), and User Datagram Protocol
(UDP) service. Terminals may communicate with hosts and serial
devices through TELNET and with other terminals through an
Inter-Terminal Message service. Serial devices are supported
with TELNET service. Video and stream circuit-switching is
controlled through the terminal interface. All of these
communications services are governed by a mandatory security
policy. The MLS LAN maintains sensitivity labels for devices and
data that include both secrecy and integrity components at the
granularity of 8 hierarchical levels and 256 non-hierarchical
categories. In addition, the MLS LAN requires all network
terminal users to identify and authenticate before allowing them
to use any network resources. End-to-end user identity and
network addresses are provided to hosts.
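To make the mediation model in the two bulletins concrete, here is an added Python example; it is not code from Verdix, Boeing or the NCSC. It models a label with the secrecy and integrity components the Boeing bulletin describes (8 hierarchical levels, 256 non-hierarchical categories) and a per-interface mediator in the role the VSLAN bulletin assigns to an NSD: check each datagram against the mandatory policy, then against a discretionary table, and record an audit entry that a management node could collect. The dominance rules (secrecy may only flow upward, integrity only downward), the pairwise DAC table, the device names and the audit record layout are assumptions of this example, not details stated by either bulletin.

```python
"""Label dominance and datagram mediation for a multilevel secure LAN.

Illustrative code only (not from Verdix, Boeing or the NCSC bulletins).
Label shape follows the Boeing MLS LAN bulletin: a secrecy component and
an integrity component, each a level in 0..7 plus a set of categories in
0..255. The flow rules below are the usual textbook ones (Bell-LaPadula
for secrecy, Biba for integrity) and are an assumption of this example.
"""
from dataclasses import dataclass, field
from typing import FrozenSet

NUM_LEVELS = 8          # hierarchical levels 0..7 (per the bulletin)
NUM_CATEGORIES = 256    # non-hierarchical categories 0..255 (per the bulletin)


@dataclass(frozen=True)
class Component:
    """One lattice element: a hierarchical level plus a category set."""
    level: int
    categories: FrozenSet[int] = frozenset()

    def __post_init__(self) -> None:
        # Reject labels outside the granularity the bulletin specifies.
        if not 0 <= self.level < NUM_LEVELS:
            raise ValueError(f"level out of range: {self.level}")
        bad = sorted(c for c in self.categories if not 0 <= c < NUM_CATEGORIES)
        if bad:
            raise ValueError(f"categories out of range: {bad}")

    def dominates(self, other: "Component") -> bool:
        """Lattice order: level at least as high and a superset of categories."""
        return self.level >= other.level and self.categories >= other.categories


@dataclass(frozen=True)
class Label:
    secrecy: Component
    integrity: Component


def mac_permits(src: Label, dst: Label) -> bool:
    """Mandatory policy for a datagram flowing from src to dst (assumed rules):
    secrecy may only flow upward, so dst.secrecy must dominate src.secrecy;
    integrity may only flow downward, so src.integrity must dominate dst.integrity."""
    return (dst.secrecy.dominates(src.secrecy)
            and src.integrity.dominates(dst.integrity))


@dataclass
class Mediator:
    """Per-interface mediator in the NSD role: labels are set by the security
    officer, the DAC table is an assumed set of permitted (src, dst) pairs,
    and every decision is appended to an audit list for later export."""
    labels: dict
    dac: set
    audit: list = field(default_factory=list)

    def mediate(self, src: str, dst: str) -> bool:
        if src not in self.labels or dst not in self.labels:
            permitted, reason = False, "unknown device"
        elif not mac_permits(self.labels[src], self.labels[dst]):
            permitted, reason = False, "MAC denies"
        elif (src, dst) not in self.dac:
            permitted, reason = False, "DAC denies"
        else:
            permitted, reason = True, "permitted"
        self.audit.append({"src": src, "dst": dst, "permitted": permitted, "reason": reason})
        return permitted


def demo() -> list:
    """Constructed scenario: three devices with officer-assigned labels."""
    unclass = Label(secrecy=Component(0), integrity=Component(2))
    secret = Label(secrecy=Component(3, frozenset({5})), integrity=Component(1))
    secret_nocat = Label(secrecy=Component(3), integrity=Component(1))
    m = Mediator(
        labels={"term-1": unclass, "host-A": secret, "host-B": secret_nocat},
        dac={("term-1", "host-A"), ("host-A", "term-1"), ("host-B", "host-A")},
    )
    m.mediate("term-1", "host-A")   # permitted: up in secrecy, down in integrity
    m.mediate("host-A", "term-1")   # MAC denies: secret data toward an unclassified device
    m.mediate("host-B", "host-A")   # permitted: same level, destination holds a superset of categories
    m.mediate("host-A", "host-B")   # MAC denies: category 5 absent at the destination
    m.mediate("term-1", "host-B")   # MAC allows, but no DAC entry for this pair
    m.mediate("term-1", "printer")  # unknown device: never labelled by the officer
    return m.audit


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The point to take from the scenario is the one the VSLAN bulletin makes in its last paragraph: the mediator cannot be any better than the labels and DAC table the security officer enters, since every decision is a pure function of those inputs and the datagram's endpoints.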
PRODUCT STATUS:
The MLS LAN is developed and supported by Boeing
Aerospace, a division of The Boeing Company.
SECURITY EVALUATION STATUS:
A formal evaluation of the MLS LAN will commence in
October 1988 and is scheduled for completion in 1990. At the
completion of the formal evaluation, the National Computer
Security Center will produce a final evaluation report, and place
the MLS LAN on the Evaluated Products List. The MLS LAN will be
evaluated against Appendix A of the Trusted Network
Interpretation of the Trusted Computer System Evaluation
Criteria, as a candidate A1-MI network component. It can
potentially be incorporated into a network system that can meet
the TNI part 1 requirements for class A1.
A Product Bulletin does not assign any rating to a
product. It merely establishes the candidate class which is the
highest class the system could attain should formal evaluation be
completed. As with all evaluations, a system must complete the
formal evaluation phase before being assigned any rating.
mckee@COMMUNITY-CHEST.MITRE.ORG (H. Craig McKee) (09/04/90)
Darrel - You want to talk to:
Gaurang Shah
Verdix Corp
Sullyfield Business Park
14130-A Sullyfield Circle
Chantilly, VA 22021
tel: (703)378-7600
We at MITRE have bought the system but don't yet have it running. The system provides a B-level Ethernet interface; i.e., the Verdix Secure LAN (VSLAN) provides secure access control (between different classification levels); it does not provide confidentiality. For confidentiality you must either secure the LAN physically or use encryption such as the Xerox Encryption Unit.
Regards - Craig