October 3, 2003: Partnerships for VoIP Security, VoIP Protection Profiles. David Smith, Co-Chair, DoD...
October 3, 2003
Partnerships for VoIP Security
VoIP Protection Profiles
David Smith
Co-Chair, DoD VoIP Information Assurance Working Group
NSA Information Assurance Directorate, Information Assurance Solutions Group
(410) 854-7302
E-mail: [email protected]
Agenda
DoD IA Policies
Common Criteria
– Protection Profiles & Security Targets
Information Assurance Technical Framework (IATF) and Forum
VoIP IA Initiatives
– Protection Profile(s)
– IATF
DoD IA Policies
DoDI 8500.1 & 8500.2
NSTISSP 11
By 1 July 2002, the acquisition of all COTS IA and IA-enabled IT products shall be limited only to those which have been evaluated and validated in accordance with either:
• International Common Criteria
• NSA/NIST National Information Assurance Partnership (NIAP) Evaluation and Validation Program
• NIST FIPS Validation Program
Common Criteria (CC)
Internationally Recognized Security Criteria
Security requirements specification language
Security functionality & assurance
Provides basis for validating conformance to specification (e.g. PP or ST) by independent third party (e.g. NIAP lab)
Protection Profiles vs. Security Target
Protection Profile - Customer
– Statement in CC language of security and assurance requirements (“I need”)
– For DoD, NSA writes the protection profiles
Security Target - Vendor
– Vendor claim in CC language of security and assurance requirements met (“I provide”)
Target of Evaluation
Robustness
Basic = Best Commercial Practice
Medium = Better than most current commercial
High = Usually Government Developed
Robustness is the combination of appropriate security requirements and assurance levels.
– Imperative that Evaluation Report be read to understand the IA quality.
EAL doesn’t equate to Robustness level
National Information Assurance Partnership (NIAP)
NSA/NIST Partnership
US Focal Point for Common Criteria
Manage & Maintain Process
– Common Criteria Evaluation and Validation Scheme
– Protection Profile Registry
– Evaluated Products Registry
– List of Certified Commercial Evaluation Labs
http://niap.nist.gov/
Information Assurance Technical Framework (IATF)
A Technical Security Guidance Document
– Unclassified
– Evolving
– Publicly available on IATF Web Site
UNCLASSIFIED
http://www.iatf.net
IATF Benefits
Helps U.S. Government users become wiser consumers of implementing security solutions
Assists U.S. industry in understanding the government’s needs and the nature of the desired solutions to these needs
Focuses investment resources on the security technology gaps
Information Assurance Technical Framework Forum (IATFF)
NSA-sponsored forum to foster dialog among U.S. Government agencies, U.S. Industry, and U.S. Academia
Sessions approximately every 6 weeks
Held at the Johns Hopkins Applied Physics Lab, Laurel, MD
IATFF Benefits
Fosters IA Dialog
– U.S. Government-U.S. Industry-U.S. Academia
Increases awareness of available security solutions
Establishes contacts between individuals and organizations dealing with similar problems
VoIP IA Initiatives
Leverage
– NIAP/CC
– IATF & IATFF
– Government/Industry Partnership
Communicate
– Government Needs & Industry Capabilities
VoIP Protection Profiles
VoIP IATF Section
VoIP IATFF Session
VoIP Protection Profile(s)
Beginning development
Incorporate DoD Voice IA Requirements
Partnership with vendors, users
NIAP Evaluated VoIP Products Meeting DoD IA Requirements
VoIP IATFF
Planning an IATFF session on VoIP
Looking for session ideas
– Topics
– Presenters
• Users, Vendors, Network Managers
http://www.iatf.net
Wrap-Up
Need partnerships with
– Industry & Users
NIAP and IATF are good vehicles for communication of IA requirements
Getting the process started for VoIP
Need Your Help!!