Multilevel Security Solutions Advance for Operating Systems

February 1999
By Mark H. Kagan

Commercial sector leaps ahead of government sector in demand for more secure products.

The information technology industry is increasingly directing its efforts to commercial security requirements and less so to those of government. The result is that the private sector is overtaking its government counterpart in maintaining computer network security.

The intelligence community and the commercial sector both continue to require multilevel secure operating system solutions to protect sensitive information from internal and external threats. These solutions must reconcile conflicting requirements that operating systems be secure against access by unauthorized users while simultaneously being easy to access by authorized users.

The intelligence community’s need to protect access to sensitive information initially spurred efforts to find such solutions, but the commercial sector’s requirements in an increasingly network-centric world now dwarf those of the intelligence community. These requirements come from all areas of industry. Financial institutions need to provide accessible service to customers while guarding against unauthorized users. Health care institutions have an obligation to safeguard patient records. Electronic commerce vendors must protect their customers’ account information, and manufacturers must shield new product designs from the competition. Educational institutions have the responsibility of keeping records and transcripts confidential as well as ensuring alumni donor anonymity.

One of the companies that is producing solutions for the security needs of both the government and the commercial sector is Sun Microsystems Federal Incorporated. The McLean, Virginia, firm supplies government and commercial customers with distributed computing technologies, products and services. Late last year, Sun released Trusted Solaris 2.5.1, which is a follow-on to the Trusted Solaris 2.5 operating environment. This system supports Sun’s line of hardware based on peripheral component interconnect architecture, as well as new transmission media, including asynchronous transfer mode, fiber distributed data interface, Token Ring and gigabit Ethernet.

“During the past year, federal government agencies have increased their purchases of trusted systems by 200 percent,” Joe A. Alexander, Sun’s Trusted Solaris product line manager, says. He predicts that this will increase even more in 1999, especially by the Justice Department in general and the Federal Bureau of Investigation in particular. Alexander believes that the biggest government growth area will be among the non-Defense Department agencies. However, the commercial sector, and especially electronic commerce businesses, will be the largest market for Trusted Solaris.

“We are basically going through an economic revolution as we move to a network economy,” Alexander relates. “However, as the Internet becomes more essential for commerce, and network-centric computing becomes the norm, the issue of providing access becomes increasingly important. The questions of who gets access to what information to do their jobs mean that the subject of security becomes very critical. That is why the opportunity is as great, if not greater, on the commercial side for Trusted Solaris as the opportunities within the government, military or intelligence sectors. There are simply more customers out there.”

Trusted Solaris 2.5.1 is based on Solaris 2.5.1, Common Desktop Environment 1.1, and Solstice AdminSuite 2.1. It controls users’ access to information as well as what the users are permitted to do on the system. The new product is more functional and more secure than Trusted Solaris 2.5, company officials claim, and it provides safeguards against internal and external threats that exceed protections commonly available with standard UNIX systems.

The other difference between the 2.5 and 2.5.1 operating systems is that the U.K. information technology security evaluation criteria (ITSEC) board evaluated the Trusted Solaris 2.5.1 operating environment and awarded it an E3/F-B1 certification, which exceeds the U.S. trusted computer system evaluation criteria (TCSEC) B1 rating. The board also awarded Trusted Solaris 2.5.1 the E3/F-C2 certification, which includes access control lists and trusted advisory labeling.

ITSEC is a British government-backed initiative that certifies the level of assurance that can be placed on tested products or systems.

ITSEC certification is accepted in Europe, Canada and Australia. Under ITSEC, products can be evaluated for both assurance and functionality. Assurance ratings range from the lowest (E1) to the highest (E6) levels. Functionality for operating systems is measured by a mapping of the U.S. TCSEC, also known as the “Orange Book,” which uses discretionary access control. E3/F-B1 equates to B1, which uses mandatory access controls. Discretionary access control allows users to log on to the system once they have entered the proper password and encounter no restrictions on the information that they can access.

The company focused on obtaining ITSEC certification because of its long experience with the National Security Agency’s (NSA’s) trusted product evaluation program, whose evaluation of Trusted Solaris 1.x was never completed, according to Alexander. He adds that Sun is working closely with the Defense Intelligence Agency’s defense information infrastructure common operating environment (DIICOE) program office, and it is currently focusing on partner solutions that meet the requirements of the intelligence community. Trusted Solaris 2.5.1 exceeds all DIICOE certification security requirements, Alexander asserts, and with its ITSEC certification, U.S. intelligence agencies are increasingly procuring the operating environment for specific requirements.

Sun also chose not to participate in NSA’s trusted product evaluation program. According to Alexander, the time frame in which the company needed to have Trusted Solaris evaluated could not be met by working with the agency.

However, NSA is now working with the National Institute of Standards and Technology to develop a process that will parallel the U.K. certification, which could mean that NSA will eventually accept Sun’s ITSEC certification.

According to company officials, organizations can use Trusted Solaris 2.5.1 to fine-tune security protections to their own specific requirements. Multiple workstations and servers can be configured together in a distributed client-server system whereby users can share files, send mail, remotely log in and print, all at multiple security levels. Customers can implement a consistent enterprisewide security policy, relying on protection within the Trusted Solaris environment, including NIS+, the trusted version of Sun’s network file system (known as NFS) and secure networking. Selected features can be enabled or disabled to configure a system that meets a site’s security and usability requirements.

The Trusted Solaris 2.5.1 operating environment can be customized to meet C2, B1 or compartmented mode workstation security requirements. It offers advanced multithreading and support for symmetric multiprocessing, giving organizations that are moving to web-based computing the ability to handle an increased number of network transactions. In addition, the product now has sensitivity labels, and the windowing system has been extended to enforce access to data based on their sensitivity.

The operating environment supports UltraSPARC processor-based machines, providing scalable secure computing from Sun Ultra 5 desktop workstations through the 30-central processing unit Sun Enterprise Server 6500. The software enforces the same policies and attributes over NFS distributed networks and other Trusted Solaris 2.5.1 systems, and it supports the MAXSIX standard to enable interoperability with Trusted Solaris 1.2 systems.

Unauthorized users trying to access sensitive information on a server running Trusted Solaris 2.5.1 are denied access without knowing whether the information exists. This is done by invoking mandatory access controls, which enforce a site’s customer-specified security policy concerning what information or which activities a user can access on a workstation. These controls raise the system’s security certification from a C to a B level. Windows NT currently is not equipped with this feature, according to Alexander.
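The behavior described above, a denial that does not reveal whether the information exists, can be illustrated with a small model of label-based mandatory access control. This is an added example, not code from the article or from Sun; the `Label` and `LabeledStore` classes, the level names and the sample files are assumptions constructed for illustration and are not the Trusted Solaris interface.

```python
from dataclasses import dataclass

# Hierarchical levels for this sketch (assumed names, not the product's).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        # A subject may read an object only if its level is at least as high
        # and it holds every compartment attached to the object.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)

class LabeledStore:
    def __init__(self):
        self._objects = {}  # name -> (Label, data)

    def put(self, name, label, data):
        self._objects[name] = (label, data)

    def read(self, subject, name):
        entry = self._objects.get(name)
        # Missing and not-dominated objects take the same error path, so a
        # denied subject cannot tell "forbidden" from "does not exist".
        if entry is None or not subject.dominates(entry[0]):
            raise FileNotFoundError("no such object")
        return entry[1]

    def listing(self, subject):
        # Directory listings are filtered by the same dominance check.
        return sorted(n for n, (lbl, _) in self._objects.items()
                      if subject.dominates(lbl))

def probe(store, subject, name):
    """Return what a caller can observe: 'ok' or the error type and text."""
    try:
        store.read(subject, name)
        return "ok"
    except FileNotFoundError as exc:
        return f"{type(exc).__name__}: {exc}"

def build_sample_store():
    # Constructed sample data.
    store = LabeledStore()
    store.put("cafeteria-menu.txt", Label("UNCLASSIFIED"), "constructed public text")
    store.put("ops-plan.txt", Label("SECRET", frozenset({"ALPHA"})), "constructed secret text")
    return store
```

The user's label is assigned by the site's policy, not by the file's owner, which is what separates this check from owner-set permissions.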

Sun Microsystems has been working with a number of partner companies to develop and market solutions based on Trusted Solaris, Alexander says. These include Trusted Computer Solutions, Herndon, Virginia, which now has a number of commercial applications based on Trusted Solaris 2.5.1. One of these applications is SecureOffice. This product allows users to see, manipulate, and cut and paste from their Microsoft Windows applications simultaneously (including Word, Excel, PowerPoint, Access and Netscape Navigator) along with mission-critical UNIX applications, while operating at multiple security levels from the same computer.

SecureOffice can simultaneously connect to the secret Internet protocol router network (SIPRNET) and the unclassified Internet protocol router network (NIPRNET), enabling access to the global command and control system and the Internet from the same workstation. The system can also connect to top secret networks such as the joint worldwide intelligence communication system (JWICS) as well as allied country networks.

Another application is TCSecure, which is a secure proxy gateway that provides a web-based interface to a series of back-end hosts that have different information. “You enter the web server and, if you authenticate yourself properly, and if you correctly identify and locate the information you want, then the secure hypertext transfer protocol [http] daemon, which is a program that handles your request, will retrieve that information and display it for the authorized user,” Alexander explains.

Another partner is Authentica Security Technologies Incorporated, Montgomery Village, Maryland, which recently brought out PageVault. This is a package of integrated tools that can be used to increase the protection and control of sensitive and proprietary documents created in Adobe Systems’ portable document format, while simultaneously allowing considerable flexibility in their distribution.

“PageVault allows a user to secure pieces or internal parts of a document,” Alexander asserts. For example, users can put out a request for proposal with a PageVault timestamp that directs when the proposal is to be made available on the web. The timestamp will shut off the access when a specified amount of time is over. The information does not move, but the PageVault timestamp determines when it should not be seen anymore.

PageVault can also be used to secure sensitive documents with various pieces of highly classified information. Using PageVault, “you can screen off pieces of the document from unauthorized users based on how they’ve authenticated themselves,” Alexander says. “An executive summary can be treated as open information, while parts of the document can be restricted from different people based on their access profiles.”

According to Alexander, two commercial firewall products that run on Trusted Solaris will be available by this spring. V-One, Germantown, Maryland, has released a virtual private network application, called SmartGate, that provides end-to-end, application-level, network data security between distant workstations. It also provides two-factor identification, mutual authentication, encryption and access control.

Sun Microsystems’ SunScreen division will release its 3.0 version of SunScreen EFS in April or May. EFS can be used throughout an organization to enforce access control policies for network services over its intranets.

Sun’s next Trusted product release will be Trusted Solaris 7, with a target date of September. It will be based on Sun’s Solaris 7 operating environment.