Chuck Talk was fortunate enough to have a conversation with Chad Hanson, Manager of the Trusted Operating Systems Lab at Trusted Computer Solutions in Urbana, Illinois. Chad has a long history in working with Trusted Operating Systems. He came to Trusted Computer Solutions from Argus Systems, where he led the development of PitBull, itself a Trusted Operating System. Chad's experience also includes leading the design and development of new components to NSA SE Linux that are leading to greater security in the Linux kernel.
(Submitted by Chuck Talk, Tue Jun 7, 2005)
In order to understand why there is a need for yet another Linux distribution in the market, I need to explain what is meant by "trusted" versus the more commercially-driven terms of "trustworthy computing initiative" or "next generation secure computing base" or "trustworthy computing environment" or any other term which merely borrows from the terminology of trusted systems, but in reality provides little more than marketing mileage for the vendors. The word "Trusted" has special meaning: a "Trusted OS" has been security-enhanced to protect files, services and processes. The key security enhancement is mandatory access control (MAC), the component that enforces access-control decisions for files and processes at the OS level, as opposed to the traditional application-level security provided by most commercial security vendors. Further, a Trusted OS is designed to provide security mechanisms and services that protect, distinguish, compartmentalize and separate classified and/or sensitive information based on rules, rights, roles and restrictions. These systems have to undergo lengthy and rigorous development, documentation, evaluation and testing to achieve the "Trusted Operating System" label.
Trusted operating systems have for many years been based on high-end UNIX platforms such as Trusted Solaris, AIX and HP-UX. All of those systems have undergone, at one point or another, the same standards of rigorous testing and evaluation to meet the requirements to merit being deemed a trusted OS. Those standards are strict, and are not driven by any marketing initiatives.
I thought that it would be interesting to reach beyond the hype and hyperbole of marketing and go to the source for answers to the questions that I had about Trusted Computer Solutions. After all, a company that was developing Trusted Linux and had experience in achieving certification and accreditation is newsworthy. For all the marketing rhetoric that says otherwise, Linux is obviously capable of being a trusted operating system platform for secure applications and information sharing. A simple list of the clientele of Trusted Computer Solutions should open the market's eyes as to the facts at hand. The work that they do is important, and delivers vital, mission-critical information technology to the men and women protecting this nation everyday on real, Trusted OS systems.
What follows below is my interview with Chad Hanson. I hope that you find it informative. I wanted to be mindful of the work they do, while trying to find some valuable insights into the company and its plans for the future. I have to thank Marie Farrar for the introduction; without her assistance, I wouldn't have been able to bring you this interview. Thank you, Marie. :)
NOTE: Where it might be necessary, I have deciphered the acronyms for you. They will appear in italics enclosed in parentheses.
Chuck Talk: Hi Chad, I have read some of your background and was impressed. I was wondering if you could fill my audience in on what you have been doing and how you came to work at Trusted Computer Solutions?
Chad Hanson: Hi Chuck, I am currently the Manager for the Trusted Operating Systems Lab here at Trusted Computer Solutions, in Urbana, Illinois, and I have been involved in trusted systems since the early 1990s. I worked previously for Argus Systems, where I helped develop PitBull, a Trusted OS environment for platforms such as AIX, Solaris and Linux. One of my roles here has been to develop the NSA SE Linux components that provide true MLS (multilevel security) capabilities in the TCS Trusted Linux™ distribution provided by Trusted Computer Solutions. Trusted OS components provide the base of the SecureOffice® Foundation suite of products.
Chuck Talk: Can you tell me a little bit more about Trusted Linux? Is that the basis of the SecureOffice Trusted Workstation™, for example? Do you plan on using that on the desktop?
Chad Hanson: Well, no Chuck, the Trusted Workstation is built on Trusted Solaris and provides users with secure access to mission-critical applications on classified servers across multiple networks running at different sensitivity and security levels, all from a single desktop. Trusted Linux isn't envisioned for the Trusted Workstation just yet.
Chuck Talk: So what is it that makes Trusted Linux "trusted", exactly?
Chad Hanson: Trusted Linux is being built with the NSA SE Linux components, but Trusted Computer Solutions takes a much more comprehensive approach to developing and delivering our SE Linux implementation. The MLS components are a vital part of our distribution. We have taken a thorough approach to development using three protection profiles from the Common Criteria Evaluation and Validation Scheme (CCEVS). Those components include LSPP (Labeled Security Protection Profile), CAPP (Controlled Access Protection Profile) and RBAC (Role-Based Access Control Protection Profile), all of which support DCID (Director of Central Intelligence Directive) 6/3 at the PL 4 level to meet the Certification and Accreditation needs required to connect to U.S. intelligence networks.
Chuck Talk: So, will those components be open source? Do you intend to release that code back to the community?
Chad Hanson: Yes, we do. In fact, we are trying to work that code into the new 2.6.12 kernel, when you should begin to see that code released.
Chuck Talk: So, if the code is open source, do you make your money from services, or are your applications proprietary?
Chad Hanson: The applications that Trusted Computer Solutions makes are proprietary. The SecureOffice family of products are not open source products - they are proprietary solutions for secure transmission, sharing, and access to classified or sensitive information. That is our area of expertise.
Chuck Talk: Speaking of the SecureOffice line, I noticed that there are several Trusted products, including the Trusted Gateway™. Could you tell me a little bit about that solution?
Chad Hanson: Trusted Gateway is a member of the SecureOffice line of products that is primarily used for the transfer of bulk data. Trusted Gateway is used to transfer large amounts of data from a lower clearance domain to a higher clearance domain.
Chuck Talk: I see, so is the NetTop™ product a part of that solution, or...
Chad Hanson: No, the NetTop product is a thin client workstation that is used to access different applications and networks from a single workstation device that supplies trust and security using all of the NSA SE Linux protection mechanisms. It appears to the user to be a Microsoft Windows system with standard desktop applications, but it isn't. Basically, NetTop is an NSTISSP 11 (National Information Assurance Acquisition Policy) compliant product certified by the NSA to run in PL 4 (Protection Level 4) environments.
Chuck Talk: Chad, can you tell me about the Trusted Releaser™ solution? I have some ideas about how this works, but I am curious about that product.
Chad Hanson: Trusted Releaser is a solution that allows the dissemination of information from a higher-classified domain down to a lower-classified domain. The solution utilizes the DIA's (Defense Intelligence Agency) Reliable Human Review process for information dissemination and allows sanitized information to be shared reliably and securely.
Chuck Talk: So, that process is a workflow type process that allows information to be reviewed and either approved or rejected "as is" and sent down the chain of trust based on that determination?
Chad Hanson: That might be a good way of describing it, I suppose.
Chuck Talk: So what is the Secure Office Web Shield™? Is that a firewall or web content application?
Chad Hanson: WebShield is really another solution for managing access and protecting classified systems and domains. WebShield basically allows users of higher-classified domains to safely browse lower-classified domains. It also protects the higher-classified domains from unauthorized access or intrusion.
(Chuck Talk as an Aside: Web Shield is designed for more of the classic intelligence work, operating on secret networks).
Chuck Talk: Given that you are so heavily involved in the security aspects of Trusted Operating Systems, do you think that kernel-level rootkits could still pose a problem for Security Enhanced Linux systems?
Chad Hanson: Kernel-level rootkits would cause a problem for any OS, though they would tend to have less chance in the Trusted OS and Open Source world because it is easier to identify vulnerabilities and fix them when it is Open Source. The Open Source process enables peer review by the whole community instead of a few individuals.
Chuck Talk: I know that Trusted Computer Solutions has been involved in Certification and Accreditation (C&A) processes, helping both its own products and other organizations' applications to meet federal requirements. Can you explain what it takes to obtain Common Criteria LSPP, RBAC & CAPP at EAL 4 (Evaluation Assurance Level 4) for Trusted Linux and how you will go about Certification and Accreditation for the entire product? How long does that process take?
Chad Hanson: In order to obtain Common Criteria EAL 4+ LSPP, RBAC, & CAPP certification, it takes about a year of hard work. There is a lot that goes on in order to obtain the certification, and it is much more than just running tests. There is a lot of documentation to verify the system meets the functional and assurance requirements.
The Certification and Accreditation process, separate from the Common Criteria certification, begins by defining the solution and the environment in which it is to be used. That solution is then sent through a rigorous testing and validation procedure that involves a lot of effort, not only in testing, but also in documentation, planning, and auditing the process. Validating procedures and outcomes along the way is an important piece as well. The C&A process isn't just about the OS; it is also about the environment, the network, the entire package. There is a complete top-to-bottom review of the system to determine any potential risks and document those along the way. The C&A process determines what environments the system is acceptable for, where it can be placed, and at what risk. The end result is an accredited solution, by the appropriate accrediting body, that is suitable and ready for use at a specific customer site.
Chuck Talk: As Trusted Computer Solutions has been involved in these processes, are you working with other vendors in the Linux market to achieve that Common Criteria certification?
Chad Hanson: Yes, we have been working with several potential partners to achieve the EAL 4+ LSPP, RBAC, & CAPP certification. But, unfortunately, we cannot comment on the details.
Chuck Talk: Given that Trusted Computer Solutions is a developer of the SE Linux technologies, what is it that really sets you apart from the other Linux distributors in the marketplace? How is your version of SE Linux any different than what Red Hat or Novell/SUSE® Linux might provide?
Chad Hanson: I believe what we have, and what we bring to the table, is an experienced team in developing Trusted Operating Systems and also a complete MLS solution set. We are the only company that has brought the full LSPP, RBAC PP and CAPP profiles of SE Linux into an OS offering, and we have a long history of providing solutions for sensitive and classified networks.
At the end of the day though, we aren't really a Linux distributor. We build secure solutions for our clients, and that is where we focus our energies. We aren't out to be a Red Hat or Novell. We are in the business to provide the best secure solutions for our clients, whether they are government or commercial industry. We do expect that commercial industry, such as finance and banking, would be interested in our trusted Linux solutions, and that it would be ideal for anywhere that security is not merely an afterthought, but a necessity.
Chuck Talk: Chad, I want to thank you for your time. I really do appreciate it, and I want to say thank you to Marie for arranging this meeting. I hope that I will get to meet you in the future, perhaps at next year's SE Linux conference in Washington, D.C.
Before we sign off though, I always like to give you a chance to add anything that you would like to tell my readers, that perhaps I forgot to ask about, or that you think they might be interested in. Is there anything else you would like to add?
Chad Hanson: Thank you very much for taking the time to speak with me. I would just like to briefly emphasize that Trusted Operating Systems are a vital component to a security architecture. Mandatory Access Controls provide a framework for confidentiality and integrity. SELinux provides a flexible framework to provide these protections. Without these components, it is impossible to "trust" applications running on the operating system.
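To make the MAC and MLS points in the interview concrete, the following is an added illustration (not code from Trusted Computer Solutions, Trusted Linux or SE Linux) of the label checks an LSPP-style Trusted OS enforces: a label is a sensitivity level plus a set of compartments, a subject may read only what its label dominates (no read up) and write only where the target dominates it (no write down), so a low-to-high bulk transfer in the Trusted Gateway direction is consistent with MAC, while a high-to-low release in the Trusted Releaser direction is refused by MAC alone and is permitted here only after an explicit review step standing in for the Reliable Human Review process. The level names and compartments are constructed for the example.

```python
"""Constructed MLS label model illustrating the interview's MAC/MLS discussion."""
from dataclasses import dataclass

# Constructed sensitivity hierarchy; higher number dominates lower.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A sensitivity level plus a set of compartments (categories)."""
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lattice order: level at least as high AND a superset of categories.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def mac_read_allowed(subject: Label, obj: Label) -> bool:
    """Simple security property: a subject may read only objects it dominates."""
    return subject.dominates(obj)


def mac_write_allowed(subject: Label, obj: Label) -> bool:
    """*-property: a subject may write only to objects that dominate it."""
    return obj.dominates(subject)


def cross_domain_transfer(src: Label, dst: Label, reviewed: bool = False) -> str:
    """Decide a transfer between two labeled domains.

    Low -> high (Trusted Gateway direction) is allowed by the MAC rules alone.
    High -> low, or between incomparable compartments (Trusted Releaser
    direction), is denied unless an explicit review has approved the sanitized
    content; `reviewed` is a constructed stand-in for that human review step.
    """
    if dst.dominates(src):
        return "ALLOW"
    if reviewed:
        return "ALLOW (reviewed release)"
    return "DENY"


if __name__ == "__main__":
    secret_a = Label("SECRET", frozenset({"A"}))
    print(mac_read_allowed(secret_a, Label("CONFIDENTIAL")))     # True: read down
    print(mac_write_allowed(secret_a, Label("UNCLASSIFIED")))    # False: write down
    print(cross_domain_transfer(Label("UNCLASSIFIED"), secret_a))  # ALLOW
    print(cross_domain_transfer(secret_a, Label("UNCLASSIFIED")))  # DENY
```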