
Re: US Air Force IPSEC Requirements
Maybe the Air Force should hire a consultant instead of CSC.

On Wed, 26 Nov 1997, Robert Hettinga wrote:

> 
> --- begin forwarded text
> 
> 
> From: "Boyter, Brian A." <[email protected]>
> To: "'[email protected]'" <[email protected]>
> Subject: US Air Force IPSEC Requirements
> Date: Tue, 25 Nov 1997 17:03:03 -0600
> MIME-Version: 1.0
> Sender: [email protected]
> Precedence: bulk
> 
> First, I would like to introduce myself...
> My name is Brian Boyter, I'm a Senior Consulting
> Engineer with the Computer Sciences Corp, and I
> am under contract to the US Air Force Information
> Warfare Center in San Antonio, Texas, working on
> USAF computer security...
> 
> The USAF is evaluating the use of IPSEC products
> to help secure its unclassified networks...   These unclas
> networks are used to communicate with contractors, and to
> process financial, logistic, personnel, and medical data...
> The IPSEC would be used to protect the data from
> unauthorized viewing and to protect the networks and
> computers from hackers...   Our goal is to eventually IPSEC
> encrypt all unclassified computer communications end-to-end...
> 
> The USAF recently completed a hasty evaluation of several
> IPSEC products...   Most products would work fine for a
> small organization, but do not scale to an enterprise the size
> of the USAF (500,000 computers)...
> 
> Here is a short list of basic USAF requirements which we found
> lacking in the current IPSEC products:
> 1. 	The Department of Defense will soon deploy a Public
> Key Infrastructure (PKI)...   The IPSEC products need to
> use this existing PKI (not require a separate keying product)...
> 2. 	The USAF uses HP OpenView as its standard SNMP
> management product...   Error logging and other IPSEC status
> information needs to interoperate with OpenView...
> 3. 	The USAF needs to be able to manage the IPSEC security
> policy sanely...   An example of a USAF IPSEC security policy
> might be:  "all USAF computers can talk to all other USAF
> computers using DES, all other computers it talks in-the-clear"...
> It will not be possible to manage 500,000 different rule sets...
> The security policy must be made simple...    We need the X.500
> equivalent
> of *.mil,  *.af.mil,  *.lackland.af.mil,  and *.hospital.*.af.mil so
> that
> we can generate rule sets using these wild cards...   I don't think
> rules based on IP addresses will work either...
> 
> I'm not including interoperability in the above list because the ANX
> has done a good job of making that requirement visible....
> 
> What I'm trying to point out is two things:
> 1. The IPSEC products need to re-use as much of our existing
> infrastructure as possible (for example PKI, SNMP, etc)...
> If the USAF were a small company that didn't have a large
> infrastructure
> investment already, it wouldn't be an issue...   But if each IPSEC
> product
> requires a management console at each air force base, then that can
> add up to millions of dollars, thousands of man hours, training costs,
> etc...
> 2. I'm also trying to point out that there is no standard (that I can
> find) for
> representing, storing, or disseminating the security policy....
> 
> Although these are Air Force requirements, I'm sure the same
> requirements will exist for any large enterprise contemplating the
> use
> of IPSEC products...
> 
> I plan to be at the IETF meeting in December and will be glad to
> speak to anyone about these issues...    Perhaps an IPSEC security
> policy BOF could even be arranged???
> 
> Thanks,
> Brian Boyter
> [email protected]
> (210)977-3113
> 
> --- end forwarded text
> 
> 
> 
> -----------------
> Robert Hettinga ([email protected]), Philodox
> e$, 44 Farquhar Street, Boston, MA 02131 USA
> "... however it may deserve respect for its usefulness and antiquity,
> [predicting the end of the world] has not been found agreeable to
> experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
> The e$ Home Page: http://www.shipwright.com/
> Ask me about FC98 in Anguilla!: <http://www.fc98.ai/>
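The wildcard policy Boyter describes (rule sets keyed on name patterns such as *.mil and *.hospital.*.af.mil, with the most specific rule winning and everything else in the clear) can be prototyped as a small matcher. This is an added illustration, not code from the post or from any IPSEC product; the matching semantics (a leading "*" covers one or more labels, an interior "*" exactly one), the sample policy and the hostnames are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    pattern: str   # dotted-name wildcard, e.g. "*.af.mil"
    action: str    # cipher to apply, or "clear" for no protection


def compile_pattern(pattern: str) -> re.Pattern:
    """Turn a dotted wildcard into a regex.

    Assumed semantics: a leading "*" matches one or more labels (so "*.mil"
    covers every host under .mil), any other "*" matches exactly one label.
    """
    parts = []
    for i, label in enumerate(pattern.lower().split(".")):
        if label == "*":
            parts.append(r"[^.]+(?:\.[^.]+)*" if i == 0 else r"[^.]+")
        else:
            parts.append(re.escape(label))
    return re.compile("^" + r"\.".join(parts) + "$")


def specificity(rule: Rule) -> tuple:
    """More literal labels beat more wildcards; on a tie, the longer pattern wins."""
    labels = rule.pattern.split(".")
    return (sum(1 for l in labels if l != "*"), len(labels))


def select_action(policy: list, host: str) -> str:
    """Return the action of the most specific matching rule, or "clear" if none match."""
    hits = [r for r in policy if compile_pattern(r.pattern).match(host.lower())]
    if not hits:
        return "clear"
    return max(hits, key=specificity).action


# Constructed sample policy: every .mil host gets DES, hospital
# subdomains get a stronger cipher, anything else is in the clear.
POLICY = [
    Rule("*.mil", "DES"),
    Rule("*.hospital.*.af.mil", "3DES"),
]

if __name__ == "__main__":
    for h in ("ws1.lackland.af.mil", "pc7.hospital.lackland.af.mil", "mail.example.com"):
        print(h, "->", select_action(POLICY, h))
```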