Unauthorised Access UK 0636-708063 10pm-7am 12oo/24oo
DDN - The Defense Data Network
The Department of Defense started the major networking scene in the US in
the late '70s and early 80s. Their first baby was ARPANET (Advanced
Research Projects Agency NETwork). It was just a development system to see
how feasible a national computer network would be and to help facillitate
information transfer between defense researchers (and some university
projects). The world of InterNET has grown up around that existing
foundation to become one of the most (THE most?) used network in the world
as researchers in other nations found they also needed access to
counterparts around the nation to exchange knowledge and ideas. Well to end
this simple history I will get back to the DDN and its workings (what little
I do really know of them) and it structure.
The DoD (Dept of Defense) has been maintaining its own separate networks
ever since ARPANET became a success and was "gobbled up" by the growing
InterNET structure. The DoD wanted to be able to secure its important work
and research and to do so it needed to be isolated from the existing
infrastructure. They decided that a somewhat free flow of information would
be necessary between constituents and that some kind of framework similar to
Internet would be beneficial but that access to their systems would have to
be limited by means more secure than anything available on the public
Internet system. They developed MILNET for this specific purpose (to carry
unclassified data traffic between defense contractors and researchers).
Beyond MILNET there were also been establish three other military nets under
the auspices of the Defense Secure NETwork (DSNET). The three were DSNET1
for Secret data, DSNET2 for Top Secret data, and DSNET3 for special Top
Secret data (probably weapons systems and plans, and ELINT/SIGINT systems --
but that is only a guess). These three each had a separate communications
hub including local and widearea nets. The 3 DSNETS have been combined (are
being combined) in a unified DISNET (Defense Integrated Security NETwork).
The Defense Communication Agency (DCA) was put in charge of maintaining the
backbones of the defense networks (except ARPANET which is primarily used by
the R&D community and is maintained by DARPA and is not really associated
with DDN) as part of the Defense Communication System (DCS). All DDN Nets
are not part (officially) of InterNET because of the security risks
involved.
The restructuring of DDN into DISNET is a continually evolving project
(especially in the area of Defense Messaging System - which I know little
about at this time and WOULD LIKE TO SEE MORE INFO about if anyone knows
about it ), but I will explain its structure as presently laid out...
"(1) Security architecture should include a well-defined set of network
security services offered to subscribers"
Services:
CONFIDENTIALITY:
1.Mandatory Confidentiality - protects classified data using DDN
rule based security
2.Discretionary Confid. - identity based (Need-to-Know) security
3.Traffic Flow Confid. - protects against disclosure by observing
\ characteristics of data flow
\_____See the encrypthion and communities descriptions below for
more on this.
DATA INTEGRITY - protects against (OR ATLEAST TRYS TO DETECT) unauthorized
changes of data
IDENTIFICATION, AUTHENTICATION, AND ACCESS CONTROL : *
1.Identification- standard name for each system entity (just like
every net.
2.Authentication- ensures that a stated identity is correct (HOW???)
3.Access Control- limits system resources to a correctly identified
system
"(2) Subscribers should not pay for or be hampered by unneedded security"
^\______ Interesting...who does pay for un-needed security then?!?
""(4) Subscribers should share responsibility for security where appro-
priate" <----<<<< COULD THIS BE A MAJOR DOWNFALL?? Hmm...
* - As for I,A, and AC(above) These services are subscriber respons-
ibility except for major communities and subcommunities.
STRUCTURE OF THE DDN :
The primary elements are computers called switches which communicate
via inter-switch trunks.(DCA owns the switches and leases most trunks)
Each subscriber connects to DDN as a HOST or a TERMINAL. DDN serves hosts
at the OSI (Open Systems Interconnect) network level; the Host - Switch
interface is the standard X.25 (CCITT). Many of the hosts are gateways to
other nets (mainly LANs) and the number of gateways is increasing.
Special Hosts:
Montitor Centers (MC) : they manage the switches, trunks, and other
special hosts.
Name Server hosts - they translate the addresses of the other hosts
Terminal Access Controllers (TACs) - more limited DDN service. Instead
of a direct Host-to-Switch connection you can connect to a
TAC (via dial-up) and be addressed as a terminal by DDN
through TAC. TAC uses TELNET protocol so terminal can
communicate with a second DDN Host as if directly connected.
TAC Access Control Systems (TACACS) - prompt user to login at a TAC
Priority Access:
All DDN switches can handle data packets according to 4 level hierarchy
system. precedence lavels are assigned to hosts and terminals by the Joint
Chiefs of Staff. To my knowledge this hasn't been implemented yet.
Host to Host Encryption:
DISNET uses a end-to-end encryption system (E3) called BLACKER. These are
installed on each host-to-switch path of all hosts including TACs . These
BLACKER front end devices (BFEs) encrypt all data packets but leave the X.25
header unencrypted for the backbone to use. The BLACKER system includes a
Key Distribut-ion Center (KDC) and Access Control Center (ACC) hosts.
BLACKER is a Class A1 System (under the Trusted Computer System Evaluation
Criteria / "Orange Book"), and it will be able to prevent a community MC
from communicating with other MCs in other communities; this will not happen
for a while and the MC sites will still have a terminal through a TAC
directly to a switch without going through BFE.
Bridges between Nets:
The plan calls for limited gateways between MILNET and DISNET to allow
unclassified data traffic (in the form of store-and-forward electronic mail
in both directions). Data entering DISNET from MILNET will be identified as
such by the bridge.
The DDN plans forbid a subscriber from connecting to both MILNET and DISNET
and also forbids DoD system to connect both to a DDN segment and to a
segment that does not conform to DDN security structure.
Other Stuff:
To insure that every subscriber system can exercise discretionary access
control over its resources through DDN, and of DDN resources via the
subscriber system, DDN requires that all subscribers be TCSEC Class C2
secure. By september '92 any non-complying system will need OSD and JCS
waivers or DCA can remove them from the Net.
DDN plans to segregate subscribers according to whether or not they meet the
TCSEC C2 requirement. Conforming systems comprise a Trusted Subcommunity
within each security level. Within this subcommunity hosts can freely
communicate. NonConforming systems with waivers will form Closed
Communities within each level. Direct net communications between
subcommunities will be prevented by switching logic in MILNET and by BLACKER
in DISNET except over trusted bridges.
Downloaded From P-80 Systems 304-744-2253