ITT: Dragonfly Guard Companion V3.02, Build 129
The Dragonfly Companion is a network security device produced by ITT Industries. The Dragonfly Companion is a software-only version of the Dragonfly Guard which provides confidentiality and integrity protection when sending sensitive information over an IP-based network.
Dragonfly Companion software is installed on a host Personal Computer (PC) with an Intel CPU running the Microsoft Windows 95 operating system. The host PC must have an external network connection, a host PCMCIA slot, and a PCMCIA card reader. The Dragonfly Companion uses a Fortezza Card to provide cryptographic services and to store several digitally signed certificates containing network configuration information.
Dragonfly Companions use National Security Agency (NSA) Fortezza Cards to provide multi-level secure (MLS) services to Internet Protocol (IP) networks. The Dragonfly Companion operates on standard IP datagrams. The Dragonfly Companion provides the following security services: mandatory access control, discretionary access control, confidentiality, integrity, source authentication, and audit. The Dragonfly Companion cryptographically labels every IP datagram with an appropriate security level, and then checks that label before releasing the underlying datagram in plaintext form. The Dragonfly Companion provides discretionary access control between the domains it protects. All User Data is encrypted and integrity checks are applied to all messages transmitted between two Dragonfly Companions. The Dragonfly Companion can also serve as a firewall or an in-line encryptor. In order to provide these services, Dragonfly Companions set up a trusted Association based on source authentication and use the Fortezza Key Exchange Algorithm to generate a symmetric key. The Dragonfly Companion can send audit reports to a Dragonfly Guard that is serving as an Audit Catcher for printing, storage, or subsequent analysis. The selection of auditable events can be set by an Audit Mask.
Dragonfly Companions separate two Dragonfly Domains. A Dragonfly Domain is a set of computers that are networked together without any intervening Dragonfly Companions. For the Dragonfly Companion, the PC that it protects is the local domain. The remote domain can be made up of PCs, Workstations, or Servers that are all at the same security level.
Dragonfly Companions always authenticate themselves to each other. All Dragonfly Messages sent before an association is formed or outside of an Association are digitally signed. This includes Association Requests and Association Grants. After an Association is formed, messages are encrypted with a symmetric key known only to the source and destination Dragonfly Companion.
The Dragonfly Companion supports Mandatory Access Control (MAC) by labeling every IP Datagram with an appropriate security level. It then checks that label against the security level of the destination domain before releasing the underlying datagram in plaintext form to the destination host. Through the sharing of security-related information via an Association, Dragonfly Companions can support both Write Equal and Write Up. In the Write Equal environment, where Dragonfly Domains are at the same security level, all IP-based communications are allowed according to the MAC policy. Dragonfly also allows 'Write Up', the transfer of User Data from a low level Domain to a high level Domain.
In the case of Write Up, Dragonfly supports protocol feedback for the subset of IP-based functionality for which the Dragonfly Companion can predict the response. Many IP-based protocols require some form of feedback. For example, the File Transfer Protocol (FTP) uses flow control. The feedback constitutes a potential Write Down. Dragonfly uses a patented scheme of anticipated messages to assure that this Write Down does not constitute a violation of the security policy. Each feedback message is predicted by the Dragonfly Companion based upon the Internet Control Message Protocol (ICMP) or Domain Name System (DNS) request, or the allowed Write Up FTP or Simple Mail Transfer Protocol (SMTP) command. If the actual message matches the predicted message, except for certain fixed length control fields such as sequence number and window size, the predicted message is released with the control field data from the actual message copied to the predicted message. Otherwise, no message is released and there is no feedback.
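The release rule for Write Up feedback described above, as an added Python example (not ITT code and not the Dragonfly wire format). The 6-byte header layout, the field offsets, the function names and the sample FTP reply are assumptions constructed for illustration.

```python
import struct
from typing import Optional, Sequence, Tuple

# Constructed layout (an assumption, not the Dragonfly wire format):
# 4-byte sequence number, 2-byte window size, then the protocol reply.
CONTROL_FIELDS: Sequence[Tuple[int, int]] = ((0, 4), (4, 2))  # (offset, length)


def build(seq: int, window: int, payload: bytes) -> bytes:
    """Pack a constructed feedback message: seq | window | payload."""
    return struct.pack("!IH", seq, window) + payload


def mask(msg: bytes, fields=CONTROL_FIELDS) -> bytes:
    """Zero the control fields so only the predictable bytes are compared."""
    out = bytearray(msg)
    for off, length in fields:
        out[off:off + length] = bytes(length)
    return bytes(out)


def release(predicted: bytes, actual: bytes,
            fields=CONTROL_FIELDS) -> Optional[bytes]:
    """Return the bytes to pass down to the low Domain, or None for no feedback."""
    need = max(off + length for off, length in fields)
    if len(predicted) != len(actual) or len(actual) < need:
        return None  # a length change is not one of the permitted control fields
    if mask(predicted, fields) != mask(actual, fields):
        return None  # some byte outside the control fields differs
    out = bytearray(predicted)  # release the prediction, not the actual message
    for off, length in fields:
        out[off:off + length] = actual[off:off + length]
    return bytes(out)


# Constructed sample: reply predicted for an allowed Write Up FTP command.
REPLY = b"226 Transfer complete.\r\n"
PREDICTED = build(0, 0, REPLY)
ACTUAL_OK = build(0x1A2B3C4D, 8192, REPLY)
ACTUAL_BAD = build(0x1A2B3C4D, 8192, b"226 Transfer complete!\r\n")
ACTUAL_LONG = build(0x1A2B3C4D, 8192, REPLY + b"extra")

if __name__ == "__main__":
    print(release(PREDICTED, ACTUAL_OK))    # prediction carrying actual seq/window
    print(release(PREDICTED, ACTUAL_BAD))   # None: one payload byte differs
    print(release(PREDICTED, ACTUAL_LONG))  # None: length differs
```

Because the output is built from the prediction, the only bytes the high side can influence are the listed fixed-length fields; everything else either matches exactly or produces no feedback at all.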
The Dragonfly Companion uses Privilege Vectors for Discretionary Access Control (DAC) between Domains. All communication allowed by DAC is bi-directional. Therefore, if the Privilege Vector of one domain allows communication with another, either Domain can initiate that communication. The primary advantage of this feature is that new domains can be added to a Deployment without requiring that the Privilege Vectors of existing Domains be updated. Access between existing domains and a new Domain can be allowed by the Privilege Vector of the new Domain. DAC checks are performed at the time an Association is formed.
The Dragonfly Companion provides Confidentiality of User Data. It uses a symmetric key generated using the Fortezza card to encrypt all User Data when it is transmitted between two Dragonfly Companions. The Companion uses the Cipher Block Chaining CBC-64 mode of operation and the Skipjack algorithm on the User Fortezza Card.
The Dragonfly Companion checks for integrity of both User Data and Dragonfly control information when messages are transmitted between two Dragonfly Companions. Messages sent outside of an association are digitally signed. When a message is sent within an association, a checksum is computed and stored in the message before the message is encrypted.
The Dragonfly Companion TOE consists of the following:
- ITT Industries Dragonfly Companion, Version 3.02, Build 129
- ITT Industries Dragonfly Guard, Model G.12, Software Release 3.0
- Microsoft Windows 95 Operating System
The ITT Industries Dragonfly Guard has been previously evaluated. (See the ITT Industries Dragonfly Guard EPL entry, the ITT Industries Dragonfly Guard Final Evaluation Report, and the ITT Industries Dragonfly Guard Security Target for more information.) The Dragonfly Guard was included in the evaluated configuration, because the Guard serves as an Audit Catcher for the Dragonfly Companion. An Audit Catcher collects audit data and sends updated Audit Masks, Certificate Revocation Lists, and Routing Certificates to the Companion. The operating system component of the TOE is Microsoft Windows 95. The Companion is installed as a virtual device driver in Windows 95. The Companion depends upon Windows 95 to support TSF domain separation and Non-bypassability of the TSP.