beach@DDNUVAX.AF.MIL (darrel beach) (08/31/90)
A simple question... Has anyone heard of a system of products from a company called Verdix that will make a LAN a B1 system? B1 meaning security accreditation to have multi-level things connected. They make a Q-bus card and some others, or so I've heard. I'm just trying to pin down who these folks are and what they really have. The journals don't have a thing in the way of ads or articles.

Darrel Beach
hsw@SPARTA.COM (Howard Weiss) (09/04/90)
Unfortunately, there are no ultimate network security solutions for LANs in existence - although there are several products available that can help solve various LAN security problems. The Verdix Secure LAN (SLAN) is one product (being evaluated for a B2 rating - see the attached product evaluation bulletin), but it does not "make" an unsecure LAN into a secure LAN if you think that you can reuse all your existing hardware and software. You can re-use your existing Ethernet cable plant, but all the network controllers need to be replaced with Verdix Network Security Devices (NSDs).

Boeing also has built a secure LAN and its Network Security Controller (NSC) is being evaluated as an A1 component. There are also a couple of LAN encryption devices that could be used to provide data confidentiality on a LAN - the Xerox Encryption Unit (XEU) and the Motorola Network Encryption System (NES).

I've got addresses for Verdix and Boeing:

    Verdix Corporation
    14130-A Sullyfield Circle
    Chantilly, VA 22021
    (703) 378-7600

    Boeing Aerospace Company
    Dan Schnackenberg
    P.O. Box 3999, MS 94-64
    Seattle, Washington 98124-2499
    (206) 657-5595
    email - Schnackenberg@dockmaster.ncsc.mil

Attached are the product evaluation bulletins from the National Computer Security Center on both the Verdix and Boeing secure LANs.

Howard Weiss
Sparta, Inc.
Columbia, Md.
(301)381-9400 x201
hsw@sparta.com

____________________________________________________________________

Subject: VSLAN PB

PRODUCT EVALUATION BULLETIN
Report No. CSC-PB-004-88
AS OF: 4 October 1988

PRODUCT: VSLAN(1)
VENDOR: VERDIX Corporation
CANDIDATE CLASS: B2 MDIA Network Component

PRODUCT DESCRIPTION:

The VERDIX Secure Local Area Network (VSLAN) is a network component designed to interconnect clients (e.g., mainframe computers, workstations, servers) operating at different security levels in accordance with Department of Defense (DOD) security policies and procedures.

The VSLAN operates at the physical and data-link protocol layers of the Open System Interconnection (OSI) reference model. It operates independently of higher layer host-to-host protocols and can be used to integrate a variety of host systems including internet gateways and application specific systems.

The VSLAN consists of a single Network Security Center (NSC) and multiple (up to 64) Network Security Devices (NSDs) interconnected by a LAN transmission medium. The NSC is a dedicated computer system that provides a centralized management facility to control the operation of the VSLAN and to collect and export audit data. Each individual NSD provides a trusted LAN interface for its client that mediates incoming and outgoing datagrams according to the VSLAN security policy. The NSD implements the VSLAN communications protocol (IEEE 802.3) and provides end-to-end encryption for all data transfers across the network. The encryption protocol used is the Data Encryption Standard of the National Institute of Standards & Technology (NIST). The encryption protocol is not used to enforce the VSLAN security policy, but is used as an integrity mechanism to provide protection against modification, insertion, deletion, or replay of data packets. As such, the encryption protocol itself is not evaluated.

PRODUCT STATUS: The VSLAN is marketed and supported by the VERDIX Corporation and was released in October 1988.

_________________________________________________________________
(1) VSLAN is a registered trademark of the Verdix Corporation

EVALUATION STATUS: A formal evaluation of the VSLAN began in October 1988 and is scheduled for completion during the first quarter of the calendar year, 1990. The VSLAN is being evaluated against Appendix A of the Trusted Network Interpretation (TNI) of the Trusted Computer System Evaluation Criteria, NCSC-TG-005 Version-1, July 1987, as a candidate B2 MDIA network component. It can potentially be incorporated into a network system that can meet the TNI Part 1 requirements for class B2. At the completion of the evaluation, a final evaluation report will be produced by the National Computer Security Center and the VSLAN will be placed on the Evaluated Products List.

A Product Bulletin does not assign any rating to a product. It merely establishes the candidate class which is the highest class the system could attain should the formal evaluation be completed. As with all evaluations, a system must complete the formal evaluation phase before being assigned any rating.

ENVIRONMENTAL STRENGTHS: The VSLAN is designed to act as a communications reference monitor between attached clients. The VSLAN, by itself, is not intended to be a complete network system as defined by the TNI, but can be used as a trusted building block upon which trusted network systems can be built. The VSLAN only controls access to the LAN and does not mediate access attempts of host processes to information on local or remote host systems.

The VSLAN was developed to provide the following services to its clients:

   - a system bus interface to external clients
   - mediation of all data transfers between attached clients in accordance with the VSLAN Mandatory Access Control (MAC) and Discretionary Access Control (DAC) policies
   - identification and authentication of the individual responsible for operating a node of the network
   - centralized management functions for security officers to exercise control over the operation of the LAN
   - a datagram oriented communications service

The ability of the VSLAN to correctly enforce the VSLAN security policy depends entirely upon the trusted components of the VSLAN and on the correct input of the security parameters by the security officer.

______________________________________________________________________

Subject: Boeing MLS LAN PB

PRODUCT EVALUATION BULLETIN
Report No. CSC-PB-003-88
AS OF: 14 Sept. 1988

PRODUCT: Boeing MLS LAN
VENDOR: Boeing Aerospace
CANDIDATE CLASS: A1 MI Network Component

PRODUCT DESCRIPTION:

Boeing Aerospace's Multi-Level Secure Local Area Network (MLS LAN) is a network component providing multilevel secure communications between attached devices. These devices include, for this evaluation, terminals, host computers, serial devices, video devices, and stream devices. Within limits, a site is free to choose how many of each type of device to attach.

The NCSC considers that the Boeing MLS LAN is a candidate for A1 MI network component and is capable (when properly supported by a special Network Management node and attached devices) of supporting a network system with Mandatory Access Control, Discretionary Access Control, Identification and Authentication, and Auditing commensurate with the A1 requirements.

The MLS LAN consists of a set of one or more nodes called Secure Network Servers (SNSs). Each SNS may support physical interfaces for terminals, host computers, serial devices, video devices, or stream devices. A group of SNSs may be connected to one another by a transmission medium (either fiber optic or coaxial cable), enabling devices on separate SNSs to communicate.

The SNS provides the following services:

   1) host-to-host communication
   2) terminal-to-host communication
   3) terminal-to-terminal communication
   4) terminal/host-to-serial-device communication
   5) video and stream circuit-switched communication

Host-to-host communication is supported by TELNET, Transmission Control Protocol (TCP), and User Datagram Protocol (UDP) service. Terminals may communicate with hosts and serial devices through TELNET and with other terminals through an Inter-Terminal Message service. Serial devices are supported with TELNET service. Video and stream circuit-switching is controlled through the terminal interface. All of these communications services are governed by a mandatory security policy.

The MLS LAN maintains sensitivity labels for devices and data that include both secrecy and integrity components at the granularity of 8 hierarchical levels and 256 non-hierarchical categories. In addition, the MLS LAN requires all network terminal users to identify and authenticate before allowing them to use any network resources. End-to-end user identity and network addresses are provided to hosts.

PRODUCT STATUS: The MLS LAN is developed and supported by Boeing Aerospace, a division of The Boeing Company.

SECURITY EVALUATION STATUS: A formal evaluation of the MLS LAN will commence in October 1988 and is scheduled for completion in 1990. At the completion of the formal evaluation, the National Computer Security Center will produce a final evaluation report, and place the MLS LAN on the Evaluated Products List. The MLS LAN will be evaluated against Appendix A of the Trusted Network Interpretation of the Trusted Computer System Evaluation Criteria, as a candidate A1-MI network component. It can potentially be incorporated into a network system that can meet the TNI part 1 requirements for class A1.

A Product Bulletin does not assign any rating to a product. It merely establishes the candidate class which is the highest class the system could attain should formal evaluation be completed. As with all evaluations, a system must complete the formal evaluation phase before being assigned any rating.
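Both bulletins describe the LAN component as a label-based reference monitor that decides, per datagram, whether traffic may pass between two attached devices, and the Boeing bulletin spells out the label shape: a secrecy and an integrity component, each with 8 hierarchical levels and 256 non-hierarchical categories. (In TNI Appendix A the candidate-class letters name the functions a component supplies: M for mandatory access control, D for discretionary access control, I for identification and authentication, A for audit.) The following Python toy is an added illustration of the M function plus the audit trail the NSC collects; it is not code from Verdix, Boeing, or the poster. The dominance rules it applies (Bell-LaPadula for the secrecy component, Biba for the integrity component) and the device table are assumptions made for the example, since neither bulletin states the exact rule.

```python
"""Toy MAC mediation of LAN datagrams between labelled devices.

Added example, not vendor code. Label structure follows the Boeing bulletin
(8 levels, 256 categories, secrecy + integrity components); the flow rules and
the device table below are assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

LEVELS = 8          # hierarchical levels 0..7
CATEGORIES = 256    # non-hierarchical categories 0..255


@dataclass(frozen=True)
class Component:
    """One lattice element: a hierarchical level plus a set of categories."""
    level: int
    categories: FrozenSet[int] = frozenset()

    def __post_init__(self) -> None:
        if not 0 <= self.level < LEVELS:
            raise ValueError(f"level {self.level} out of range 0..{LEVELS - 1}")
        if any(not 0 <= c < CATEGORIES for c in self.categories):
            raise ValueError("category out of range")

    def dominates(self, other: "Component") -> bool:
        """Lattice order: higher-or-equal level AND superset of categories."""
        return self.level >= other.level and self.categories >= other.categories


@dataclass(frozen=True)
class Label:
    secrecy: Component
    integrity: Component


@dataclass
class Monitor:
    """Reference-monitor style decision per datagram, with an audit record."""
    devices: Dict[str, Label]
    audit: List[Tuple[str, str, str]] = field(default_factory=list)

    def mediate(self, src: str, dst: str) -> bool:
        s, d = self.devices[src], self.devices[dst]
        # Secrecy (Bell-LaPadula, assumed rule): data may flow only to a
        # destination whose secrecy label dominates the source's (no write-down).
        secrecy_ok = d.secrecy.dominates(s.secrecy)
        # Integrity (Biba, assumed rule): data may flow only from a source whose
        # integrity label dominates the destination's (no contamination upward).
        integrity_ok = s.integrity.dominates(d.integrity)
        if secrecy_ok and integrity_ok:
            verdict = "PERMIT"
        elif not secrecy_ok:
            verdict = "DENY secrecy"
        else:
            verdict = "DENY integrity"
        self.audit.append((src, dst, verdict))   # what an NSC would collect
        return verdict == "PERMIT"


def build_monitor() -> Monitor:
    """Constructed device table (sample values, not from any real deployment)."""
    return Monitor(devices={
        "unclass-ws":     Label(Component(0), Component(1)),
        "secret-host":    Label(Component(3, frozenset({1})), Component(1)),
        "secret-nocat":   Label(Component(3), Component(1)),
        "lowint-printer": Label(Component(3, frozenset({1})), Component(0)),
    })


def run_demo() -> Tuple[Dict[str, bool], List[Tuple[str, str, str]]]:
    """Mediate a fixed set of constructed flows; return decisions and audit log."""
    m = build_monitor()
    flows = [
        ("unclass-ws", "secret-host"),      # write-up: permitted
        ("secret-host", "unclass-ws"),      # write-down: denied (secrecy)
        ("secret-host", "secret-nocat"),    # same level, category missing: denied
        ("secret-nocat", "secret-host"),    # gaining a category: permitted
        ("lowint-printer", "secret-host"),  # low integrity into high: denied
        ("secret-host", "lowint-printer"),  # high integrity into low: permitted
    ]
    results = {f"{s}->{d}": m.mediate(s, d) for s, d in flows}
    return results, m.audit


if __name__ == "__main__":
    decisions, log = run_demo()
    for src, dst, verdict in log:
        print(f"{src:15} -> {dst:15} {verdict}")
```

Note what the check does and does not do: it decides whether a datagram may cross between two labelled interfaces, which is the access-control service both bulletins claim, and it says nothing about protecting the bytes once they are on the wire. That is why the VSLAN bulletin treats its DES layer as an integrity mechanism outside the evaluated policy, and why a separate link encryptor or physical protection is needed for confidentiality.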
mckee@COMMUNITY-CHEST.MITRE.ORG (H. Craig McKee) (09/04/90)
Darrel - You want to talk to:

    Gaurang Shah
    Verdix Corp
    Sullyfield Business Park
    14130-A Sullyfield Circle
    Chantilly, VA 22021
    tel: (703)378-7600

We at MITRE have bought the system but don't yet have it running. The system provides a B-level Ethernet interface; i.e., the Verdix Secure LAN (VSLAN) provides secure access control (between different classification levels); it does not provide confidentiality. For confidentiality you must either secure the LAN physically or use encryption such as the Xerox Encryption Unit.

Regards - Craig