[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: US Air Force IPSEC Requirements
Maybe the Air Force should hire a consultant instead of CSC.
On Wed, 26 Nov 1997, Robert Hettinga wrote:
>
> --- begin forwarded text
>
>
> From: "Boyter, Brian A." <[email protected]>
> To: "'[email protected]'" <[email protected]>
> Subject: US Air Force IPSEC Requirements
> Date: Tue, 25 Nov 1997 17:03:03 -0600
> MIME-Version: 1.0
> Sender: [email protected]
> Precedence: bulk
>
> First, I would like to introduce myself...
> My name is Brian Boyter, I'm a Senior Consulting
> Engineer with the Computer Sciences Corp, and I
> am under contract to the US Air Force Information
> Warfare Center in San Antonio, Texas, working on
> USAF computer security...
>
> The USAF is evaluating the use of IPSEC products
> to help secure its unclassified networks... These unclas
> networks are used to communicate with contractors, and to
> process financial, logistic, personnel, and medical data...
> The IPSEC would be used to protect the data from
> unauthorized viewing and to protect the networks and
> computers from hackers... Our goal is to eventually IPSEC
> encrypt all unclassified computer communications end-to-end...
>
> The USAF recently completed a hasty evaluation of several
> IPSEC products... Most products would work fine for a
> small organization, but do not scale to an enterprise the size
> of the USAF (500,000 computers)...
>
> Here is a short list of basic USAF requirements which we found
> lacking in the current IPSEC products:
> 1. The Department of Defense will soon deploy a Public
> Key Infrastructure (PKI)... The IPSEC products need to
> use this existing PKI (not require a separate keying product)...
> 2. The USAF uses HP OpenView as its standard SNMP
> management product... Error logging and other IPSEC status
> information needs to interoperate with OpenView...
> 3. The USAF needs to be able to manage the IPSEC security
> policy sanely... An example of a USAF IPSEC security policy
> might be: "all USAF computers can talk to all other USAF
> computers using DES, all other computers it talks in-the-clear"...
> It will not be possible to manage 500,000 different rule sets...
> The security policy must be made simple... We need the X.500
> equivalent
> of *.mil, *.af.mil, *.lackland.af.mil, and *.hospital.*.af.mil so
> that
> we can generate rule sets using these wild cards... I don't think
> rules based on IP addresses will work either...
>
> I'm not including interoperability in the above list because the ANX
> has done a good job of making that requirement visible....
>
> What I'm trying to point out is two things:
> 1. The IPSEC products need to re-use as much of our existing
> infrastructure as possible (for example PKI, SNMP, etc)...
> If the USAF were a small company that didn't have a large
> infrastructure
> investment already, it wouldn't be an issue... But if each IPSEC
> product
> requires a management console at each air force base, then that can
> add up to millions of dollars, thousands of man hours, training costs,
> etc...
> 2. I'm also trying to point out that there is no standard (that I can
> find) for
> representing, storing, or disseminating the security policy....
>
> Although these are Air Force requirements, I'm sure the same
> requirements will exist for any large enterprise contemplating the
> use
> of IPSEC products...
>
> I plan to be at the IETF meeting in December and will be glad to
> speak to anyone about these issues... Perhaps an IPSEC security
> policy BOF could even be arranged???
>
> Thanks,
> Brian Boyter
> [email protected]
> (210)977-3113
>
> --- end forwarded text
>
>
>
> -----------------
> Robert Hettinga ([email protected]), Philodox
> e$, 44 Farquhar Street, Boston, MA 02131 USA
> "... however it may deserve respect for its usefulness and antiquity,
> [predicting the end of the world] has not been found agreeable to
> experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
> The e$ Home Page: http://www.shipwright.com/
> Ask me about FC98 in Anguilla!: <http://www.fc98.ai/>
>
>
>