Trusted Gate Closes on Thin-Client Computer Network Security Holes
Ultimate goal is to store data from different classification levels separately but enable viewing them concurrently.
Researchers at Sandia National Laboratories are developing an architecture to eliminate threats to thin-client computer networks. These networks rely on applications servers to drive desktop workstations. Coupling security elements that will evolve from their work with commercial technology, the scientists hope to create a computing environment that offers increased flexibility and accessibility for network users without compromising security.
The effort, known as the need-to-know enforcement-common network computer architecture, or NTKE-CNCA, will produce circuitry and software to block security holes in thin-client networks. Explored by NTKE-CNCA Project Manager John G. Burns in a November 1998 paper, the proposal received funding this spring from the U.S. Department of Energy’s Office of Safeguards and Security. The Albuquerque, New Mexico, laboratory’s team began work on the project in October.
In the next two years, phase one of the project will focus on moving information between different computer network domains one domain at a time. Burns expects that a beta test of a full-fledged system could occur in about two and a half years. He offers that the project will include interfacing with other laboratories to identify security needs. The team will also cooperate with business to ensure that authentication and access control measures can be implemented with industry technology.
When using a server-based thin-client computing network, users access information from applications servers via personal desktop systems. At the desktop, a display, a keyboard and a mouse are the basic equipment needed to link to the system. In the thin-client architecture, all applications and files are stored on server farms. The personal computer needs no disk drives, and most of the data travels from the server to the desktop, called the thin client, as opposed to traveling from the thin client to the server.
The heart of the researchers’ security concept for the thin-client environment is a hardware-based device called a trusted gate. This approach involves discrete circuitry that controls switching functions to separate classified networks electronically as data moves to and from the system-high domain. The gate sits between the application servers and the thin-client module. The idea is that the gate will provide a number of security elements that exceed the capabilities of today’s firewalls, routers and network switches. The technology would provide specific types of protection against breaches such as covert channels and erroneous or malicious code.
For security reasons, the government does not use a single common architecture that allows access to data networks having different security classifications. Data is typically isolated on separate networks to meet the security classification needs. This often drives up equipment costs and decreases the efficiency of employees who lack high clearances but still need access to data that is mixed in with classified material.
If continued development occurs after this first phase of research, designers foresee the technology eventually allowing certain data to be moved between computer domains that have different sensitivities. To accomplish this, the gate would incorporate strong access controls and security barriers. A number of techniques would be used on the applications server side or the trusted gate, including high-speed multiplexing between differently classified domains.
Eventually, researchers would like to run unique windows sessions simultaneously. To do this, they must be certain that no connection disturbs the integrity of sensitive systems. To offer maximum flexibility, the desktop must have the appearance of a seamless environment in which data could be moved from area to area without the data becoming commingled. Data with varying classification levels would remain separate but could be viewed in sessions running concurrently. If successful, the trusted gate will eliminate holes in the system that open when users access different networks, such as the Internet, from which a virus or Trojan horse could be introduced to disturb private files.
The team is designing the gate to be implemented in systems that use both commercial off-the-shelf technology and government off-the-shelf technology. In addition to the trusted gate, a system could house multiple layers of security hardware and software such as biometric devices that scan retinas, software packages that include security profiles at the gate, or smart card technologies that include information about the user. Proximity scanners could be used to shut down a machine if the user leaves the area.
Spurred by headlines this past year about the vulnerability of the national laboratories’ information systems, the Department of Energy has moved security initiatives to the top of its agenda. “A tremendous amount of energy is going into looking at what security issues should be funded,” Burns says. Ideas are now being proposed to address the issue.
Burns maintains that thin-client computing with the necessary security tools could increase efficiency at the national laboratories. “It could decrease cost by about 75 to 80 percent,” he estimates. By automating computer counterintelligence efforts in software plugged into the thin-client environment, the amount of time and effort put into monitoring networks decreases. The technology will secure information as if it is in a vault, Burns allows.
Other agencies are concerned about security as well. The U.S. Department of Defense, U.S. Central Command and the Defense Information Systems Agency Joint Program Office have expressed interest in the completion of a fielded system, according to Burns. Storing and retrieving classified information on networks is an issue for the Defense Department, whose employees often interface with material that spans different classification levels. Typically, the department operates in a system-high mode, assuming the greater security classification for networks that contain any sensitive information. When lower-classification data is commingled with the sensitive data, accessibility to that data is limited for employees without higher clearances. By using thin-client computing with security measures in place, the department could integrate accessibility with data protection.
The government and the military have many applications for thin-client computing and security techniques, especially in mobile command centers. In these centers, analysts must have rapid access to information to make decisions quickly and respond to changing situations during military operations. Often, multiple computers are deployed for one analyst to allow access to different levels of classified material housed on separate machines. This can be costly. Using thin-client computing, the military can consolidate equipment and reduce costs.
Further, for outsiders with lower security classifications, new documents must often be developed, extrapolating sensitive material from the original document. This is time consuming and leaves room for error. Also, insiders who are given high clearances to operate within the command center could pose a threat where most officials rarely suspect problems—from within. “There’s always that tradeoff between security and accessibility of information, and we’re trying to find that balance,” Burns says.
Similar to military operations, emergency response teams could also benefit from using thin-client computing with security features in deployed networks during crisis management situations.
The private sector is interested in thin-client computing combined with layers of security. Businesses want systems that allow employees to connect to company intranets, the Internet and possibly even to proprietary systems that house sensitive corporate information. Being able to access multiple information sources from one desktop machine that interacts with applications servers is an attractive feature for many businesses. Integrating security elements into that environment is crucial. If a secure system can be developed that allows maximum access to information from a simple user setting, companies will realize cost savings down to the desktop as systems require minimal maintenance and do not need costly application upgrades.
But one problem, Burns warns, is that security is more than just an architecture or software issue. “Computer network security is not just related to computers and networks. It relates to human behavior and physical vulnerabilities as well. Often, carelessness creates security holes. These gaps must be filled by hardware and software security methods,” Burns emphasizes.
Eventually, technologies created by other researchers at Sandia might be integrated in the security architecture that is being explored. For example, a high-speed encryption device (SIGNAL, October 1999, page 47) designed at the laboratory could be useful in such a system. Researchers might also explore security options on both sides of the trusted gate.