Return-Path: <NIEMCZUKJ@bah.com> Date: Wed, 03 Jul 1996 5:45pm From: "Niemczuk John" <NIEMCZUKJ@bah.com> To: vanbelld@bah.com, hapemand@bah.com, anthony.vitale@qmgate.trw.com, balenson@tis.com, ballodi@paralon.com, bdorsey@v-one.com, benner_tim@bah.com, bitting@mitre.org, bonatti@bah.com, cme@cybercash.com, crowan@jgvandyke.com, cscrugg@spyrus.com, dale@sctc.com, davidh@checkpoint.com, davids@checkpoint.com, fred.unterberger@east.sun.com, ghilborn@csc.com, hecker@netscape.com, hh@columbia.sparta.com, hittman@v-one.com, housley@spyrus.com, hthomas@smiley.mitre.org, iolson@mitre.org, j_rolen@hud.gov, jacksont@lfs.loral.com, jalexand@aero.org, james.prohaska@litronic.com, janispel@caas.com, janisple@caas.com, jbiggs@csc.com, jfurlong@mitre.org, jharrell@centech.com, jim.beattie@network.com, jim@lsli.com, jmat@vnet.ibm.com, jmyers@mitre.org, jswang@v-one.com, kearny@betuvic1.vnet.ibm.com, khrose@annap.infi.net, khutton@lfs.loral.com, kurowski@lfs.loral.com, lnotargi@us.oracle.com, louden@mitre.org, luther@sware.com, migues_sammy@prc.com, mikez@secureware.com, mjm@reston.ans.net, mkrenzin@mail.hcsc.com, mmancuso@v-one.com, mulvihil@smiley.mitre.org, netland@scc.com, olkowskid@comm.hq.af.mil, oswald@columbia.sparta.com, pguay@mitre.org, price_bill@prc.com, ray@sesi.com, sferry@raptor.com, shlomo@checkpoint.com, sledgerw@bdm.com, smith@sctc.com, tcfarin@sed.csc.com, tehrsam@us.oracle.com, thomps1r@ncr.disa.mil, vritts@cscmail.csc.com, watt@sware.com, wneugent@smiley.mitre.org, woycke@mitre.org Cc: jhsteve@missi.ncsc.mil Subject: Minutes Of the WWW I&A Forum
Multilevel Information Systems Security Initiative (MISSI) Identification and Authentication (I&A) Forum 3 June 1996, Meeting Minutes
The theme of this I&A Forum was security for the World Wide Web (WWW). The following was the agenda for the meeting:
- Introduction - Dave Luddy, National Security Agency (NSA) - Web Technology Overview - Dave Dodge, NSA - INTELINK Security Needs - Susanne Rosewell, ISMC - Mitre Corporate Experiences Using The Web (An Information Security [INFOSEC] Point Of View) - Michael Louden, Mitre - Security Policy Summary - Dale Hapeman, Booz, Allen & Hamilton - Internet Engineering Task Force (IETF)/Worldwide Web Consortium (W3C) Secure Web Standard Activities - Judy Furlong, Mitre - Netscape and Web Security - Frank Hecker, Netscape - Protecting Web Sites From Attack - Dr. Rick Smith, Secure Computing Corporation - Security products For WWW Applications - Mike Zauzig, SecureWare - WWW Access (Attempting Solutions) - Dale Hapeman, Booz, Allen & Hamilton - Forum Wrap-up - Dave Luddy, NSA
Mr. Dave Luddy, the Forum Chairperson, opened the meeting with an overview of the forum. He discussed: - The goal of the forum is "to insure the commercial availability of affordable I&A solutions that meet our customer's security, performance, interoperability, and security management needs." - The focus is on MISSI FORTEZZA based solutions. - The development of an I&A Concept Of Operations (CONOPS) will be used as the means of capturing I&A requirements for WWW access and other network applications. - The forum participants and modus operandi are documented in the I&A Forum Charter.
Mr. Dave Dodge, from the Operations Directorate of NSA, presented an introduction to the WWW technology. Mr. Dodge presented an overview of: - The Hypertext Transport Protocol (HTTP) which is one of the most flexible tools for navigating the Internet. - Uniform Resource Locators (URLs) which allow a user to identify the location of a resource and the method used to retrieve it. - The HyperText Mark-up Language (HTML) which is used to format Web pages and present URLs to users. - The Common Gateway Interface (CGI) which allows programs run on a server to receive data from a user via an HTTP connection. - JAVA which allows a program to be moved from the server to a client and then executed on the client. JAVA is designed to "protect you from itself". It has checks that are made during execution. JAVA is not universally implemented yet. There is no tag in the HTML - The Secure Socket Layer (SSL) - The Secure-HTTP (S-HTTP)
Questions and Answers: Q: Is a firewall able to differentiate an access made by a user from an access originated by a JAVA applet? A: (from Dave Dodge and Frank Hecker): No. A JAVA applet can open any random port to the server that provided it. Q: Can a JAVA applet make an access through a proxy? A: (from Frank Hecker). Either the applet needs to know about that proxy ahead of time or it can make use of the existing HTTP browser. Q: Do search engines present any special I&A issues? A: Most search engines are implemented using the GET or POST HTTP commands which feed a program running on the server. Control of access to that program is the same as access to any Web page. Q: Is there an IETF Working Group (WG) for WWW? A: The W3C is an industry consortia that deals with Web issues (it's responsible for the new HTML standard). There are many IETF WGs and standards related to Web topics.
Ms. Susanne Rosewell, from the ISMC Security office presented a briefing on INTELINK security needs. She pointed out that there is a panel working on security issues that meets monthly. They are supported by several WGs that are addressing: - JAVA - Access Control - Firewalls - Inter Domain security
Ms. Rosewell discussed some of the security issues and goals related to INTELINK: - Currently, Local Administrators provide security by reviewing server logs to track who has had access to a server (i.e., no access control). INTELINK would like to provide access control at the "front door" and not at individual servers. - They are looking at using X.509 Version 3 certificates to provide the ability to limit access to no foreign (NOFORN) information. They also want to use X.509 certificates to identify community of interest (COI). - The Inter Domain WG is investigating the use of commercial off-the-shelf (COTS) multi-level security (MLS) servers to allow a Secret user to access Secret and below data from a server that also contains Top Secret data. - A long term goal is to provide "true data labeling" so that data may carry and maintain a sensitivity label.
Questions and Answers: Q: Isn't it harder to get Secret data into a Top Secret enclave than to get Secret data out of a Top Secret enclave? A: Yes. Q: Is the goal to provide servers that contain both Top Secret and Secret data that is connected to both (S and TS) networks? A: Yes. Q: Is data aggregation an issue? A: Current efforts are to only label individual data objects. Q: How will an individual user determine what technology to use and when to upgrade? A: INTELINK will be mandating a SSL capable browser in the future and is asking people to comply with that requirement now. Q: Will the INTELINK e-mail solution be Simple Mail Transfer Protocol (SMTP) or X.400. A: The E-mail application package that INTELINK will standardize on is still an issue. They need a application now and consider SMTP as the only current option. X.400 applications (from the Defense Message System [DMS]) are somewhere down the road. Q: Commercial MLS servers are not readily available, the market has not been established. How will INTELINK obtain COTS MLS servers? A: There are a few MLS workstations available. INTELINK is working with NSA and vendors to solve this issue. Q: INTELINK is requiring the use of Version 3 X.509 certificates, DMS has an infrastructure based on Version 1 certificates. Is anyone working on solving this issue. A: There is an INTELINK representative on the MISSI Key Privilege & Certificate WG (KP&CWG) which is working on the problem of incompatible X.500 infrastructures. Conversion from Version 1 to Version 3 X.509 certificates is a transition issue for DMS. The issue is the timing of the conversion to Version 3 certificates. There was never any intention to interoperate between the two versions.
Mr. Michael Louden, who is involved with Mitre corporate management of computer and network operations briefed "A Corporate Experience Using The Web (An INFOSEC Point Of View). The briefing provided an overview of the Mitre Information Infrastructure (MII). In the area of security, the briefing included the MII security environment, key security features, security trade-offs, and security issues. Miter has different access control mechanisms (e.g., Passwords, Tickets) for different servers and would like to centralize/standardize the access control mechanisms.
Questions and Answers: Q: When Mitre splits into two separate organizations, will you have to totally rework your access control rights? A: Mitre plans to duplicate the access control system and then delete the individuals from the other organization.
Mr. Dale Hapeman, the Booz(Allen I&A task leader, presented a briefing on "Sensitive But Unclassified (SBU) WWW Requirements." He started the brief by reviewing the Context Diagram from the I&A CONOPS and presented an operational environment which showed Web clients an servers relative to SBU enclaves. Mr. Hapeman followed with an explanation of how each facet of a MISSI security policy could be applied to data as it is being transferred between a Client and Server through multiple firewalls. He provided definitions of Authorized and Authenticated. Mr. Hapeman finished with an invitation to the audience to consider the policies they would like to see implemented at the different components involved in a WWW access (client, server, and firewall).
Ms. Judith Furlong is a lead INFOSEC Engineer at the Mitre corporation. She presented a briefing titled "IETF/W3C Secure Web Standards Activity." Ms. Furlong started her briefing with a discussion of the following existing Web security standards - SSL Protocol - S-HTTP - Private Communication Technology (PCT) protocol - Secure Electronic Transaction (SET) Protocol
Ms. Furlong followed with an overview of the W3C, including a discussion of the W3C Security WG. Ms. Furlong covered: - The Protocol Extension Protocol (PEP), a W3C proposal for extending HTTP to accommodate additional capabilities such as security, watermarks, labeling etc. She further described the Security Extension Architecture (SEA) using the proposed PEP. - The Joint Electronic Payment Initiative (JEPI), a joint WG between the W3C's Electronic Payments WG and CommerceNet which is developing an Internet payment protocol negotiation scheme and a standard interface for payment modules. - The Digital Signature Initiative which deals with issues associated with applying digital signatures to objects such as video frames. - The Platform for Internet Content Selection (PICS) WG which has the charter to design technology to support "values-based" content rating/labeling. The PICS technology has security applicability.
Ms. Furlong provided an overview of the IETF and its Web Transaction Security (WTS) and Transport Layer Security (TLS) WGs. She completed her briefing with a discussion of the following security areas not being addressed by standards efforts: - Secure Search capabilities - Mobile Code Security - Security Management Functions - Interfaces to Security Infrastructures
Mr. Frank Hecker, a senior systems engineer with Netscape Communications Corporation, presented a briefing on Netscape and Web Security. The briefing covered the security areas and technologies that Netscape is active in. Mr. Hecker started with a discussion of SSL and how Netscape has improved it through upgrades to their Navigator software as well as additional SSL issues they are investigating. He also covered Netscape's security related issues: - Support for hardware tokens other than FORTEZZA. - Making a browser "firewall aware" (e.g., able to authenticate to intermediate firewalls) without becoming susceptible to man-in-the-middle attacks. - Providing directory services for use by many different types of applications. - Downloadable applications (JAVA and JAVASCRIPT) - Financial transactions - Netscape will implement SET - Secure e-mail - S/multipurpose internet mail extensions (MIME) (initially not FORTEZZA) - Public key infrastructure - Committed to X.509 Version 3 Certificates - User and/or administrator configurability - Netscape will have a toolkit to support Navigator 3.0.
Questions and Answers: Q: What are Netscape's plans for supporting applications other than Web browsing over SSL connections? A: Netscape currently implements HTTP, NNTP over SSL. They plan on implementing lightweight directory access protocol (LDAP) over SSL in the future. file ransfer protocol (FTP), TELNET, and SMTP/POP3/IMAP4 are possible but not planned. Other vendors or individuals have implemented TELNET and FTP over SSL. Q: How does a user deal with non-SSL servers or optionally implementing SSL on a connection? A: A page that must be accessed with SSL is designated with a URL starting with https:// (instead of http://).
Dr. Rick Smith an information security consultant with Secure Computing Corporation presented a briefing titled "Protecting Web Sites From Attack". Dr. Smith started his presentation with a history of some of the more well known sever penetrations. Dr. Smith discussed several types of attacks and methods of protection with Type Enforcement Encapsulation.
Questions and Answers: Q: Where are the tables used for type enforcement defined? A: There is an Administrators Tool that includes this function. Q: How many domains and types can Sidewinder implement? A: Dozens.
Mr. Mike Zauzig, a senior products development engineer with SecureWare, presented a briefing on "Security Products For WWW Applications." Mr. Zauzig provided an overview of his company, aspects to web security, and the following SecureWare products: - Hannah - Network Security - Troy - Platform Integrity Assurance - SecureMail - E-mail Security - Secure Web Platform Integrity - Safe Web Server - Interceptor - Transmission Control Protocol (TCP)/IP Firewall - Internet Scanner - Attack Simulator
Questions and Answers: Q: Is SecureWare's mail package interoperable with other FORTEZZA e-mail implementations. A: Yes (Dave Luddy). Q: The Security First Network Bank shows a Web server that is connected to directly the Internet (not through the firewall). Is this machine running SSL on one side and Hannah on the other? A: Yes.
Mr. Hapeman presented a briefing which attempted to summarize the security requirements presented at the day's meeting. He reviewed the security services needed and the requirements that are allocated to components. He also discussed the protocol requirements and possible solutions available to secure the Web. Different options for authenticating to firewalls placed between clients and servers were presented. Much work remains to secure the proxy or tunneling solutions.
Questions and Answers: Q: The Internet Protocol Security (IPSec) protocol has not been mentioned all day. It is very mature and has had much NSA input (especially the Internet Security Association and Key Management Protocol [ISAKMP] key management protocol). It should be considered as a security solution. A: Agreed. IPSec is a viable option, especially for authenticated firewall-to-firewall connections. It was not mentioned by name but is certainly being considered as a solution.
Mr. Luddy's closing comments were: - NIST FIPS PUB JJJ has been discussed at previous I&A Forums. Although it presents an authentication scheme, it does not provide for interoperable solutions. Dave Kemp has authored a Public Key Login Protocol that provides the detail needed for interoperability. The document will be submitted as an IETF Internet draft. Comments are solicited. - The I&A CONOPS document will be sent out by e-mail to everyone who registered. - The topic for the next I&A Forum is Access Control. It is scheduled for 8-9 July 1996.