PRODUCT DESCRIPTION
The Dragonfly Guard Model G1.2 is a network security device produced by
ITT Industries. A Dragonfly Guard is a simple rugged box, roughly the
size of an external modem, containing a 486 motherboard. The unit has
two Ethernet interfaces, a serial port, and two PCMCIA card slots. It
requires two cards to operate. The first card is a Fortezza Card with
several digitally signed certificates containing network configuration
information.
Dragonfly Guards use National Security Agency (NSA) Fortezza Cards to
provide multi-level secure (MLS) services to Internet Protocol (IP)
networks. The Dragonfly Guard operates on standard IP datagrams. The
Dragonfly Guard provides the following security services: mandatory
access control, discretionary access control, confidentiality, integrity,
source authentication, and audit. The Dragonfly Guard cryptographically
labels every IP datagram with an appropriate security level, and then
checks that label before releasing the underlying datagram in plaintext
form. The Dragonfly Guard provides discretionary access control between
the domains that it protects. All User Data is encrypted and integrity
checks are applied to all messages transmitted between two Dragonfly
Guards. The Dragonfly Guard can also serve as a firewall or an in-line
encryptor. In order to provide these services, Dragonfly Guards set
up a trusted Association based on source authentication and use the
Fortezza Key Exchange Algorithm to generate a symmetric key. Any Dragonfly
Guard can also be designated as an Audit Catcher. Audit Catchers receive
audit reports from other Dragonfly Guards and send all messages to
their serial port for printing, storage, or subsequent analysis. The
selection of auditable events can be set by an Audit Mask.
Dragonfly Guards separate two Dragonfly Domains. A Dragonfly Domain is
a set of computers that are networked together without any intervening
Dragonfly Guards. These computers in the same domain may be PCs, Workstations,
or Servers that are all at the same security level.
Dragonfly Guards always authenticate themselves to each other. All Dragonfly
Messages sent before an association is formed or outside of an Association
are digitally signed. This includes Association Requests and Association
Grants. After an Association is formed, messages are encrypted with
a symmetric key known only to the source and destination Dragonfly
Guard.
The Dragonfly Guard supports Mandatory Access Control (MAC) by labeling
every IP Datagram with an appropriate security level. It then checks
that label against the security level of the destination domain before
releasing the underlying datagram in plaintext form to the destination
host. Through the sharing of security related information via an Association,
Dragonfly Guards can support both Write Equal and Write Up. In the
Write Equal environment, where Dragonfly Domains are at the same security
level, all IP based communications are allowed according to the MAC
policy. Dragonfly also allows transfer of User Data from a low level
Domain to a high level Domain, which is called Write Up.
In the case of Write Up, Dragonfly supports only the subset of IP based
functionality for which the Dragonfly Guard can predict the response.
Many IP-based protocols require some form of feedback. For example,
the File Transfer Protocol (FTP) uses flow control. The feedback constitutes
a potential Write Down. Dragonfly assures that this Write Down does
not constitute a violation of the security policy by a patented scheme
of anticipated messages. Each feedback message is predicted by the
Dragonfly Guard based upon the Internet Control Message Protocol (ICMP)
or Domain Name System (DNS) request, or the allowed Write Up FTP or
Simple Mail Transfer Protocol (SMTP) command. If the actual message
matches the predicted message, except for certain fixed length control
fields such as sequence number and window size, the predicted message
is released with the control field data from the actual message copied
to the predicted message. Otherwise, no message is released and there
is no feedback.
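The anticipated-message check described above, sketched as an added
example (not ITT's code and not the Dragonfly wire format). The frame
layout, the control-field offsets, and the reply table are assumptions
made for illustration.

```python
import struct

# Constructed frame layout for illustration (not the Dragonfly format):
# 4-byte sequence number, 2-byte window size, then the reply text.
HEADER = struct.Struct("!IH")
CONTROL_FIELDS = [(0, 4), (4, 2)]   # (offset, length) of fixed-length fields

# Hypothetical prediction table: allowed Write Up command -> expected reply.
PREDICTED_REPLY = {
    b"MAIL": b"250 OK\r\n",
    b"DATA": b"354 Start mail input\r\n",
    b"STOR": b"150 Opening data connection\r\n",
}


def frame(seq, window, text):
    """Build a constructed feedback frame."""
    return HEADER.pack(seq, window) + text


def predict(command_line):
    """Predicted feedback frame for a low-side command, or None when the
    command is not on the allowed Write Up list."""
    parts = command_line.split()
    verb = parts[0].upper() if parts else b""
    text = PREDICTED_REPLY.get(verb)
    # Control fields are unknown at prediction time, so they are zeroed.
    return None if text is None else frame(0, 0, text)


def release(predicted, actual, fields=CONTROL_FIELDS):
    """Return the message to pass to the low side, or None for no feedback."""
    if predicted is None or len(actual) != len(predicted):
        return None
    masked = {i for off, n in fields for i in range(off, off + n)}
    # Every byte outside the control fields must equal the prediction.
    for i, (a, p) in enumerate(zip(actual, predicted)):
        if i not in masked and a != p:
            return None
    out = bytearray(predicted)      # start from the prediction, not the actual
    for off, n in fields:
        out[off:off + n] = actual[off:off + n]
    return bytes(out)


def guard(command_line, actual):
    """Predict from the low-side command, then filter the high-side reply."""
    return release(predict(command_line), actual)
```

Because the released bytes outside the control fields always come from
the prediction, a reply that deviates anywhere else yields no feedback.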
The Dragonfly Guard uses Privilege Vectors for Discretionary Access Control
(DAC) between Domains. All communication allowed by DAC is bi-directional.
Therefore, if the Privilege Vector of one domain allows communication
with another, either Domain can initiate that communication. The primary
advantage of this feature is that new domains can be added to a Deployment
without requiring that the Privilege Vectors of existing Domains be
updated. Access between existing domains and a new Domain can be allowed
by the Privilege Vector of the new Domain. DAC checks are performed
at the time an Association is formed.
The Dragonfly Guard provides Confidentiality of User Data. It uses a
symmetric key generated using the Fortezza card to encrypt all User
Data when it is transmitted between two Dragonfly Guards. The Guard
uses the Cipher Block Chaining CBC-64 mode of operation and the Skipjack
algorithm on the User Fortezza Card.
The Dragonfly Guard checks for integrity of both User Data and Dragonfly
control information when messages are transmitted between two Dragonfly
Guards. Messages sent outside of an association are digitally signed.
When a message is sent within an association, a checksum is computed
and stored in the message before the message is encrypted.
SECURITY EVALUATION SUMMARY
A Security Target provided by ITT Industries describes these security
features using the requirements from the Common Criteria for Information
Technology Security Evaluation, Version 2. The functionality classes
include Audit, User Data Protection, Identification and Authentication,
Security Management, Protection of Security Functions, and Trusted
Path/Channels. The threats addressed include threats to accountability,
confidentiality, integrity of data and software, hardware availability,
violation of Mandatory Access Control, and others. (See ITT INDUSTRIES
DRAGONFLY GUARD SECURITY TARGET for complete description.) The User
Fortezza card must be configured correctly by the local authority,
and the user must insert the correct Fortezza card for his environment
into the Guard. The configuration is accomplished using a PC Windows-based
Administration System that was not evaluated. The Security Target specifies
the assurance requirements as Evaluation Assurance Level 2 (EAL2).
The Security Evaluation Laboratory of CygnaCom Solutions, Inc. evaluated
the Dragonfly Guard against the Security Target as authorized by NSA
under its Trust Technology Assessment Program. It found that the Dragonfly
Guard meets all the requirements of the Security Target and should
be awarded a certificate at EAL2. The evaluation was completed September
18, 1998. (See the ITT INDUSTRIES DRAGONFLY GUARD FINAL EVALUATION
REPORT by CygnaCom Solutions, Inc. for more details).
ENVIRONMENTAL STRENGTHS
Configured correctly, the Guard is simple to use, and the security policy
it enforces is difficult to compromise short of its capture, in a military
environment, by enemy forces.