Security Testing and Evaluation Labs

Security Evaluation Laboratory (SEL)


ITT: Dragonfly Guard

Sponsor: ITT Industries
Assurance Level: EAL2
Status: Evaluated
NIAP VPL Entry: TTAP-ST-0001

The Dragonfly Guard Model G1.2 is a network security device produced by ITT Industries. A Dragonfly Guard is a simple rugged box, roughly the size of an external modem, containing a 486 motherboard. The unit has two Ethernet interfaces, a serial port, and two PCMCIA card slots. It requires two cards to operate. The first card is a Fortezza Card with several digitally signed certificates containing network configuration information.

Dragonfly Guards use National Security Agency (NSA) Fortezza Cards to provide multi-level secure (MLS) services to Internet Protocol (IP) networks. The Dragonfly Guard operates on standard IP datagrams. The Dragonfly Guard provides the following security services: mandatory access control, discretionary access control, confidentiality, integrity, source authentication, and audit. The Dragonfly Guard cryptographically labels every IP datagram with an appropriate security level, and then checks that label before releasing the underlying datagram in plaintext form. The Dragonfly Guard provides discretionary access control between the domains that it protects. All User Data is encrypted and integrity checks are applied to all messages transmitted between two Dragonfly Guards. The Dragonfly Guard can also serve as a firewall or an in-line encryptor. In order to provide these services, Dragonfly Guards set up a trusted Association based on source authentication and use the Fortezza Key Exchange Algorithm to generate a symmetric key. Any Dragonfly Guard can also be designated as an Audit Catcher. Audit Catchers receive audit reports from other Dragonfly Guards and send all messages to their serial port for printing, storage, or subsequent analysis. The selection of auditable events can be set by an Audit Mask.

Dragonfly Guards separate two Dragonfly Domains. A Dragonfly Domain is a set of computers that are networked together without any intervening Dragonfly Guards. These computers in the same domain may be PCs, Workstations, or Servers that are all at the same security level.

Dragonfly Guards always authenticate themselves to each other. All Dragonfly Messages sent before an association is formed or outside of an Association are digitally signed. This includes Association Requests and Association Grants. After an Association is formed, messages are encrypted with a symmetric key known only to the source and destination Dragonfly Guard.

The Dragonfly Guard supports Mandatory Access Control (MAC) by labeling every IP Datagram with an appropriate security level. It then checks that label against the security level of the destination domain before releasing the underlying datagram in plaintext form to the destination host. Through the sharing of security-related information via an Association, Dragonfly Guards can support both Write Equal and Write Up. In the Write Equal environment, where Dragonfly Domains are at the same security level, all IP-based communications are allowed according to the MAC policy. Dragonfly also allows transfer of User Data from a low-level Domain to a high-level Domain, which is called Write Up.

In the case of Write Up, Dragonfly supports only the subset of IP based functionality for which the Dragonfly Guard can predict the response. Many IP-based protocols require some form of feedback. For example, the File Transfer Protocol (FTP) uses flow control. The feedback constitutes a potential Write Down. Dragonfly assures that this Write Down does not constitute a violation of the security policy by a patented scheme of anticipated messages. Each feedback message is predicted by the Dragonfly Guard based upon the Internet Control Message Protocol (ICMP) or Domain Name System (DNS) request, or the allowed Write Up FTP or Simple Mail Transfer Protocol (SMTP) command. If the actual message matches the predicted message, except for certain fixed length control fields such as sequence number and window size, the predicted message is released with the control field data from the actual message copied to the predicted message. Otherwise, no message is released and there is no feedback.
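The anticipated-message check described above, sketched as an added example; it is not ITT's code or the evaluated implementation. The 6-byte header layout, the `ANTICIPATED` table and all function names are assumptions made for illustration.

```python
import struct

# Constructed layout for illustration (not the real TCP header or Dragonfly's format):
# sequence number (4 bytes) | window size (2 bytes) | payload
HEADER = struct.Struct("!IH")
CONTROL_FIELDS = [(0, 4), (4, 2)]  # (offset, length) of the fixed-length control fields

# Hypothetical prediction table: allowed Write Up command -> anticipated reply payload.
ANTICIPATED = {
    b"HELO": b"250 OK\r\n",
    b"MAIL": b"250 OK\r\n",
    b"DATA": b"354 Send data\r\n",
}

def build(seq, window, payload):
    """Assemble a message in the constructed layout."""
    return HEADER.pack(seq, window) + payload

def predict(command):
    """Return the anticipated feedback for a Write Up command, or None if not allowed."""
    verb = command.split(b" ", 1)[0].strip().upper()
    payload = ANTICIPATED.get(verb)
    if payload is None:
        return None
    return build(0, 0, payload)  # control fields are unknown until the reply arrives

def _mask(msg):
    """Zero the control fields so only the predictable bytes are compared."""
    out = bytearray(msg)
    for off, length in CONTROL_FIELDS:
        out[off:off + length] = bytes(length)
    return bytes(out)

def release(command, actual):
    """Return the message to forward to the low side, or None for no feedback."""
    predicted = predict(command)
    if predicted is None or len(actual) != len(predicted):
        return None
    if _mask(actual) != _mask(predicted):
        return None  # any deviation outside the control fields suppresses feedback
    out = bytearray(predicted)
    for off, length in CONTROL_FIELDS:
        # Only these fixed-length bytes of the high-side reply reach the low side.
        out[off:off + length] = actual[off:off + length]
    return bytes(out)
```

Note that the guard forwards its own predicted message, not the high-side reply, so the only bytes that originate on the high side are the copied control fields.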

The Dragonfly Guard uses Privilege Vectors for Discretionary Access Control (DAC) between Domains. All communication allowed by DAC is bi-directional. Therefore, if the Privilege Vector of one domain allows communication with another, either Domain can initiate that communication. The primary advantage of this feature is that new domains can be added to a Deployment without requiring that the Privilege Vectors of existing Domains be updated. Access between existing domains and a new Domain can be allowed by the Privilege Vector of the new Domain. DAC checks are performed at the time an Association is formed.

The Dragonfly Guard provides Confidentiality of User Data. It uses a symmetric key generated using the Fortezza card to encrypt all User Data when it is transmitted between two Dragonfly Guards. The Guard uses the Cipher Block Chaining CBC-64 mode of operation and the Skipjack algorithm on the User Fortezza Card.

The Dragonfly Guard checks for integrity of both User Data and Dragonfly control information when messages are transmitted between two Dragonfly Guards. Messages sent outside of an association are digitally signed. When a message is sent within an association, a checksum is computed and stored in the message before the message is encrypted.
