PRODUCT DESCRIPTION
The Dragonfly Companion is a network security device produced by ITT
Industries. The Dragonfly Companion is a software-only version of
the Dragonfly Guard which provides confidentiality and integrity
protection when sending sensitive information over an IP-based network.
Dragonfly Companion software is installed on a host Personal
Computer (PC) with an Intel CPU running the Microsoft Windows
95 operating system. The host PC must have an external
network connection, a host PCMCIA slot, and a PCMCIA card
reader. The Dragonfly Companion uses a Fortezza Card to
provide cryptographic services and to store several digitally
signed certificates containing network configuration information.
Dragonfly Companions use National Security Agency (NSA)
Fortezza Cards to provide multi-level secure (MLS) services
to Internet Protocol (IP) networks. The Dragonfly Companion
operates on standard IP datagrams. The Dragonfly Companion
provides the following security services: mandatory access
control, discretionary access control, confidentiality,
integrity, source authentication, and audit. The Dragonfly
Companion cryptographically labels every IP datagram with
an appropriate security level, and then checks that label
before releasing the underlying datagram in plaintext form.
The Dragonfly Companion provides discretionary access control
between the domains it protects. All User Data is encrypted
and integrity checks are applied to all messages transmitted
between two Dragonfly Companions. The Dragonfly Companion
can also serve as a firewall or an in-line encryptor. In
order to provide these services, Dragonfly Companions set
up a trusted Association based on source authentication
and use the Fortezza Key Exchange Algorithm to generate
a symmetric key. The Dragonfly Companion can send audit
reports to a Dragonfly Guard that is serving as an Audit
Catcher for printing, storage, or subsequent analysis.
The selection of auditable events can be set by an Audit
Mask.
Dragonfly Companions separate two Dragonfly Domains. A
Dragonfly Domain is a set of computers that are networked
together without any intervening Dragonfly Companions.
For the Dragonfly Companion, the PC that it protects is
the local domain. The remote domain can be made up of PCs,
Workstations, or Servers that are all at the same security
level.
Dragonfly Companions always authenticate themselves to
each other. All Dragonfly Messages sent before an association
is formed or outside of an Association are digitally signed.
This includes Association Requests and Association Grants.
After an Association is formed, messages are encrypted
with a symmetric key known only to the source and destination
Dragonfly Companion.
The Dragonfly Companion supports Mandatory Access Control
(MAC) by labeling every IP Datagram with an appropriate
security level. It then checks that label against the security
level of the destination domain before releasing the underlying
datagram in plaintext form to the destination host. Through
the sharing of security related information via an Association,
Dragonfly Companions can support both Write Equal and Write
Up. In the Write Equal environment, where Dragonfly Domains
are at the same security level, all IP based communications
are allowed according to the MAC policy. Dragonfly also
allows 'Write Up', the transfer of User Data from a low
level Domain to a high level Domain.
In the case of Write Up, Dragonfly supports protocol feedback
for the subset of IP based functionality for which the
Dragonfly Companion can predict the response. Many IP-based
protocols require some form of feedback. For example, the
File Transfer Protocol (FTP) uses flow control. The feedback
constitutes a potential Write Down. Dragonfly assures that
this Write Down does not constitute a violation of the
security policy by a patented scheme of anticipated messages.
Each feedback message is predicted by the Dragonfly Companion
based upon the Internet Control Message Protocol (ICMP)
or Domain Name System (DNS) request, or the allowed Write
Up FTP or Simple Mail Transfer Protocol (SMTP) command.
If the actual message matches the predicted message, except
for certain fixed length control fields such as sequence
number and window size, the predicted message is released
with the control field data from the actual message copied
to the predicted message. Otherwise, no message is released
and there is no feedback.
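The release rule described above, sketched as an added example that is not ITT's code or the patented implementation. The message layout (4-byte sequence number, 2-byte window size, then payload), the prediction table and all function names are assumptions made for illustration.

```python
import struct
from typing import Optional

# Assumed toy layout, not the product's wire format:
#   bytes 0-3 sequence number, bytes 4-5 window size (control fields),
#   bytes 6.. reply payload, which must match the prediction exactly.
HEADER = struct.Struct("!IH")
CONTROL_FIELDS = [(0, 4), (4, 6)]

# Constructed table: the only reply the low side may see per allowed command.
PREDICTED_REPLY = {
    b"HELO": b"250 OK\r\n",
    b"MAIL": b"250 OK\r\n",
    b"RCPT": b"250 OK\r\n",
    b"DATA": b"354 Send data\r\n",
}

def build(seq: int, window: int, payload: bytes) -> bytes:
    return HEADER.pack(seq, window) + payload

def predict(command_line: bytes) -> Optional[bytes]:
    """Predicted feedback for a low-side command, or None if not allowed."""
    payload = PREDICTED_REPLY.get(command_line[:4].upper())
    return None if payload is None else build(0, 0, payload)

def mask(msg: bytes) -> bytes:
    """Zero the control fields so they are ignored in the comparison."""
    out = bytearray(msg)
    for start, end in CONTROL_FIELDS:
        out[start:end] = bytes(end - start)
    return bytes(out)

def release_feedback(predicted: Optional[bytes], actual: bytes) -> Optional[bytes]:
    """Message to release to the low domain, or None for no feedback."""
    if predicted is None or len(actual) != len(predicted):
        return None
    if mask(actual) != mask(predicted):
        return None  # high side deviated from the prediction
    out = bytearray(predicted)  # start from the prediction, not the actual
    for start, end in CONTROL_FIELDS:
        out[start:end] = actual[start:end]  # copy only the control fields
    return bytes(out)

if __name__ == "__main__":
    guess = predict(b"MAIL FROM:<user@low.example>\r\n")
    print(release_feedback(guess, build(1000, 8192, b"250 OK\r\n")))
    print(release_feedback(guess, build(1000, 8192, b"250 Hi\r\n")))
```

Because the released bytes outside the control fields come from the prediction, the high side can influence only the fixed-length control fields and whether a reply appears at all.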
The Dragonfly Companion uses Privilege Vectors for Discretionary
Access Control (DAC) between Domains. All communication
allowed by DAC is bi-directional. Therefore, if the Privilege
Vector of one domain allows communication with another,
either Domain can initiate that communication. The primary
advantage of this feature is that new domains can be added
to a Deployment without requiring that the Privilege Vectors
of existing Domains be updated. Access between existing
domains and a new Domain can be allowed by the Privilege
Vector of the new Domain. DAC checks are performed at the
time an Association is formed.
The Dragonfly Companion provides Confidentiality of User
Data. It uses a symmetric key generated using the Fortezza
card to encrypt all User Data when it is transmitted between
two Dragonfly Companions. The Companion uses the Cipher
Block Chaining (CBC-64) mode of operation and the Skipjack
algorithm on the User Fortezza Card.
The Dragonfly Companion checks for integrity of both User
Data and Dragonfly control information when messages are
transmitted between two Dragonfly Companions. Messages
sent outside of an association are digitally signed. When
a message is sent within an association, a checksum is
computed and stored in the message before the message is
encrypted.
The Dragonfly Companion TOE consists of the following:
- ITT Industries Dragonfly Companion, Version 3.02, Build 129
- ITT Industries Dragonfly Guard, Model G.12, Software Release 3.0
- Microsoft Windows 95 Operating System.
The ITT Industries Dragonfly Guard has been previously
evaluated. (See the ITT Industries Dragonfly Guard EPL
entry, the ITT Industries Dragonfly Guard Final Evaluation
Report, and the ITT Industries Dragonfly Guard Security
Target for more information.) The Dragonfly Guard was included
in the evaluated configuration, because the Guard serves
as an Audit Catcher for the Dragonfly Companion. An Audit
Catcher collects audit data and sends updated Audit Masks,
Certificate Revocation Lists, and Routing Certificates
to the Companion. The operating system component of the
TOE is Microsoft Windows 95. The Companion is installed
as a virtual device driver in Windows 95. The Companion
depends upon Windows 95 to support TSF domain separation
and Non-bypassability of the TSP.
SECURITY EVALUATION SUMMARY
A Security Target provided by ITT Industries describes these security
features using the requirements from the Common Criteria for Information
Technology Security Evaluation, Version 2. The functionality classes
include Audit, User Data Protection, Identification and Authentication,
Security Management, Protection of Security Functions, and Trusted
Path/Channels. The threats addressed include threats to accountability,
confidentiality, integrity of data and software, hardware availability,
violation of Mandatory Access Control, and others.
The IT Environmental dependencies of the Dragonfly Companion
consist of the Fortezza card and the Dragonfly Administration
System. The Dragonfly Companion relies upon the Fortezza
Card to provide the following:
- Cryptographic services including: secure hash, digital signature,
  key exchange algorithm, and symmetric key encryption.
- Storage of certificates, private keys and symmetric keys.
- Generation of the time stored in its audit records.
The Dragonfly Companion relies upon the Dragonfly Administration
System to configure the system by setting its security
attributes and creating the User Fortezza Card. The security
attributes of a Dragonfly Companion are set by the local
authority on the Dragonfly Administration System, and the certificates
containing the configuration information on the Dragonfly
Companion's User Fortezza Card are signed by the local
authority.
The Security Target specifies the assurance requirements
as Evaluation Assurance Level 2 (EAL2). The Security Evaluation
Laboratory of CygnaCom Solutions, Inc. evaluated the Dragonfly
Companion against the Security Target as authorized by
NSA under its Trust Technology Assessment Program. It found
that the Dragonfly Companion meets all the requirements
of the Security Target and should be awarded a certificate
at EAL2. The evaluation was completed October 18, 1999.
ENVIRONMENTAL STRENGTHS
Configured correctly, the Companion is simple to use, and the security
policy it enforces is difficult to compromise short of its capture,
in a military environment, by enemy forces.