Unauthorised Access UK  0636-708063  10pm-7am  12oo/24oo

                  DDN - The Defense Data Network

    The Department of Defense started the major networking scene in the US in
    the late '70s and early '80s.  Their first baby was ARPANET (Advanced
    Research Projects Agency NETwork).  It was just a development system to see
    how feasible a national computer network would be and to help facilitate
    information transfer between defense researchers (and some university
    projects).  The world of InterNET has grown up around that existing
    foundation to become one of the most (THE most?) used networks in the world,
    as researchers in other nations found they also needed access to
    counterparts around the nation to exchange knowledge and ideas.  Well, to
    end this simple history I will get back to the DDN and its workings (what
    little I do really know of them) and its structure.

    The DoD (Dept of Defense) has been maintaining its own separate networks
    ever since ARPANET became a success and was "gobbled up" by the growing
    InterNET structure.  The DoD wanted to be able to secure its important work
    and research, and to do so it needed to be isolated from the existing
    infrastructure.  They decided that a somewhat free flow of information would
    be necessary between constituents and that some kind of framework similar to
    Internet would be beneficial, but that access to their systems would have to
    be limited by means more secure than anything available on the public
    Internet system.  They developed MILNET for this specific purpose (to carry
    unclassified data traffic between defense contractors and researchers).

    Beyond MILNET there were also established three other military nets under
    the auspices of the Defense Secure NETwork (DSNET).  The three were DSNET1
    for Secret data, DSNET2 for Top Secret data, and DSNET3 for special Top
    Secret data (probably weapons systems and plans, and ELINT/SIGINT systems --
    but that is only a guess).  These three each had a separate communications
    hub including local and wide-area nets.  The three DSNETs have been combined
    (are being combined) in a unified DISNET (Defense Integrated Security
    NETwork).

    The Defense Communication Agency (DCA) was put in charge of maintaining the
    backbones of the defense networks (except ARPANET, which is primarily used
    by the R&D community, is maintained by DARPA, and is not really associated
    with DDN) as part of the Defense Communication System (DCS).  None of the
    DDN nets is officially part of InterNET, because of the security risks
    involved.

    The restructuring of DDN into DISNET is a continually evolving project
    (especially in the area of the Defense Messaging System - which I know
    little about at this time and WOULD LIKE TO SEE MORE INFO about if anyone
    knows about it), but I will explain its structure as presently laid out...

    "(1) Security architecture should include a well-defined set of network
    security services offered to subscribers"
         Services:
    CONFIDENTIALITY:
         1.Mandatory Confidentiality - protects classified data using DDN
                                       rule-based security
         2.Discretionary Confid. - identity-based (Need-to-Know) security
         3.Traffic Flow Confid. - protects against disclosure by observing
            \                     the characteristics of the data flow
              \_____See the encryption and communities descriptions below for
                    more on this.

    DATA INTEGRITY - protects against (OR AT LEAST TRIES TO DETECT) unauthorized
                     changes of data

    IDENTIFICATION, AUTHENTICATION, AND ACCESS CONTROL :  *
         1.Identification- a standard name for each system entity (just like
                           on every net).
         2.Authentication- ensures that a stated identity is correct (HOW???)
         3.Access Control- limits system resources to a correctly identified
                           system

    "(2) Subscribers should not pay for or be hampered by unneeded security"
      ^\______ Interesting...who does pay for un-needed security then?!?

    "(4) Subscribers should share responsibility for security where
       appropriate"  <----<<<< COULD THIS BE A MAJOR DOWNFALL?? Hmm...
         * - As for I, A, and AC (above): these services are subscriber
             responsibility except for major communities and subcommunities.

                        STRUCTURE OF THE DDN :
    The primary elements are computers called switches which communicate
    via inter-switch trunks.  (DCA owns the switches and leases most trunks.)

    Each subscriber connects to DDN as a HOST or a TERMINAL.  DDN serves hosts
    at the OSI (Open Systems Interconnection) network level; the Host - Switch
    interface is the standard X.25 (CCITT).  Many of the hosts are gateways to
    other nets (mainly LANs) and the number of gateways is increasing.

    Special Hosts:
         Monitor Centers (MC) : they manage the switches, trunks, and other
                   special hosts.
         Name Server hosts - they translate the addresses of the other hosts

         Terminal Access Controllers (TACs) - more limited DDN service.  Instead
                   of a direct Host-to-Switch connection you can connect to a
                   TAC (via dial-up) and be addressed as a terminal by DDN
                   through the TAC.  The TAC uses the TELNET protocol so the
                   terminal can communicate with a second DDN Host as if
                   directly connected.

         TAC Access Control Systems (TACACS) - prompts the user to log in at a
                   TAC

    Priority Access:
    All DDN switches can handle data packets according to a four-level
    precedence hierarchy.  Precedence levels are assigned to hosts and terminals
    by the Joint Chiefs of Staff.  To my knowledge this hasn't been implemented
    yet.

    Host to Host Encryption:
    DISNET uses an end-to-end encryption system (E3) called BLACKER.  These are
    installed on each host-to-switch path of all hosts, including TACs.  These
    BLACKER front end devices (BFEs) encrypt all data packets but leave the X.25
    header unencrypted for the backbone to use.  The BLACKER system includes
    Key Distribution Center (KDC) and Access Control Center (ACC) hosts.
    BLACKER is a Class A1 system (under the Trusted Computer System Evaluation
    Criteria / "Orange Book"), and it will be able to prevent a community MC
    from communicating with MCs in other communities; this will not happen
    for a while, and the MC sites will still have a terminal through a TAC
    directly to a switch without going through a BFE.

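    An added illustration (not code from this file, and not the BLACKER device's own cipher, which the text does not describe) of the host-to-switch encryption just outlined: the 3-octet X.25 packet header stays in the clear so the backbone switches can route on it, while the body is encrypted and integrity-protected end to end between the two hosts' BFEs.  The HMAC-SHA256 stream cipher and the shared pair key (standing in for one issued by the KDC) are assumptions.

```python
import hmac, hashlib, os

# Constructed model of a BLACKER Front End (BFE).  The cipher below is a
# stand-in, not the real device's algorithm; the pair key would come from
# the KDC once the ACC has approved the two hosts talking to each other.
HDR_LEN = 3  # X.25 packet header: GFI/LCGN, LCN, packet type identifier

def keystream(key, nonce, n):
    """HMAC-SHA256 in counter mode, used here as a simple stream cipher."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def bfe_encrypt(pair_key, packet):
    """Sending BFE: header left in clear, body encrypted, whole packet tagged."""
    hdr, body = packet[:HDR_LEN], packet[HDR_LEN:]
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(body, keystream(pair_key, nonce, len(body))))
    # The tag also covers the clear header, so a switch cannot silently rewrite it
    tag = hmac.new(pair_key, hdr + nonce + ct, hashlib.sha256).digest()[:16]
    return hdr + nonce + ct + tag

def bfe_decrypt(pair_key, wire):
    """Receiving BFE: verify the tag first, then recover the original packet."""
    hdr, nonce, ct, tag = wire[:HDR_LEN], wire[3:15], wire[15:-16], wire[-16:]
    expect = hmac.new(pair_key, hdr + nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("integrity check failed: packet altered or wrong pair key")
    return hdr + bytes(a ^ b for a, b in zip(ct, keystream(pair_key, nonce, len(ct))))

def switch_view(wire):
    """What a backbone switch (or anyone on a trunk) can still read: the header
    fields and the packet size, which is why traffic-flow confidentiality is a
    separate service from body confidentiality."""
    gfi_lcgn, lcn, ptype = wire[0], wire[1], wire[2]
    return {"lcn": ((gfi_lcgn & 0x0F) << 8) | lcn, "ptype": ptype,
            "body_len": len(wire) - HDR_LEN - 12 - 16}
```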

    Bridges between Nets:
    The plan calls for limited gateways between MILNET and DISNET to allow
    unclassified data traffic (in the form of store-and-forward electronic mail,
    in both directions).  Data entering DISNET from MILNET will be identified as
    such by the bridge.
    The DDN plans forbid a subscriber from connecting to both MILNET and DISNET,
    and also forbid a DoD system from connecting both to a DDN segment and to a
    segment that does not conform to the DDN security structure.

    Other Stuff:
    To ensure that every subscriber system can exercise discretionary access
    control over its resources through DDN, and over DDN resources via the
    subscriber system, DDN requires that all subscribers be TCSEC Class C2
    secure.  By September '92 any non-complying system will need OSD and JCS
    waivers or DCA can remove them from the Net.

    DDN plans to segregate subscribers according to whether or not they meet the
    TCSEC C2 requirement.  Conforming systems comprise a Trusted Subcommunity
    within each security level.  Within this subcommunity hosts can freely
    communicate.  Non-conforming systems with waivers will form Closed
    Communities within each level.  Direct net communications between
    subcommunities will be prevented by switching logic in MILNET and by BLACKER
    in DISNET, except over trusted bridges.

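    As an added example (not from this file and not DDN's own switching or BLACKER logic), the bridging rules of "Bridges between Nets" and the subcommunity segregation of "Other Stuff" written out as one small policy model.  The level names, the (allowed, reason, label) return shape and the "MILNET-ORIGIN" tag are assumptions.

```python
from dataclasses import dataclass

# Constructed model (not DDN's own switching or BLACKER logic) of the
# segregation and bridging rules described above.  Level names are assumed.
DDN_NETS = {"MILNET", "DISNET"}

@dataclass(frozen=True)
class Host:
    name: str
    net: str              # "MILNET" or "DISNET"
    level: str            # "UNCLASSIFIED", "SECRET", "TOP_SECRET", "TS_SPECIAL"
    c2: bool              # meets TCSEC Class C2
    waiver: bool = False  # OSD/JCS waiver for a non-conforming system

def community(h):
    """Place a host in its (net, level, subcommunity) triple."""
    if h.net == "MILNET" and h.level != "UNCLASSIFIED":
        raise ValueError(f"{h.name}: MILNET carries unclassified traffic only")
    if h.c2:
        return (h.net, h.level, "TRUSTED")   # Trusted Subcommunity
    if h.waiver:
        return (h.net, h.level, "CLOSED")    # Closed Community
    raise ValueError(f"{h.name}: non-C2 without waiver; DCA may remove it")

def decide(src, dst, kind="data", data_level=None, via_bridge=False):
    """Return (allowed, reason, label) for traffic from src to dst."""
    cs, cd = community(src), community(dst)
    data_level = data_level or src.level
    if cs == cd:
        return True, "same subcommunity: direct traffic permitted", None
    if src.net != dst.net:
        # Only unclassified store-and-forward mail crosses MILNET/DISNET
        if not (via_bridge and kind == "mail" and data_level == "UNCLASSIFIED"):
            return False, "MILNET/DISNET crossing: only unclassified mail via bridge", None
        label = "MILNET-ORIGIN" if dst.net == "DISNET" else None
        return True, "unclassified mail over inter-net bridge", label
    if via_bridge:
        return True, "trusted bridge between subcommunities", None
    enforcer = "BLACKER" if src.net == "DISNET" else "MILNET switching logic"
    return False, f"blocked by {enforcer}: different subcommunity", None

def subscriber_allowed(segments):
    """No subscriber on both MILNET and DISNET, and no DoD system on both a
    DDN segment and a segment outside the DDN security structure."""
    segs = set(segments)
    if {"MILNET", "DISNET"} <= segs:
        return False
    return not (segs & DDN_NETS and segs - DDN_NETS)
```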

             Downloaded From P-80 Systems 304-744-2253