Securing the Networked Device
In the near future, most devices you touch will be networked together in some fashion. With the advent and worldwide proliferation of IPv6 and the availability of 340 undecillion IPv6 addresses, even our automobiles will be talking with each other in the near future. IPv6 is the catalyst for successful delivery of next-generation networking services like IPTV and VoIP to the home, the office, and future portable media devices, opening important revenue streams to the telcos and cable companies. The IPTV market alone is estimated to reach US $30B by 2010.

Becoming a "Connected World" sounds great, but there is a glaring problem. As many more devices get connected, those devices (and hence more and more of the world's critical information and assets) become susceptible to being hacked. For the growing number of hackers worldwide, it's all fun and games until the victim starts losing money. Take, for example, a recent VoIP service compromise that saw 10,000,000 lost VoIP minutes and seven-figure lost revenues. The recent story by Bogdan Materna, "VoIP Security Hack Highlights Need for Proactive Solutions", brought to light how a hired hacker and an "entrepreneur" defrauded 15 VoIP service providers out of the aforementioned revenue.

Hacks of this nature have a broad-reaching impact. Service providers lose revenue, which in turn causes them to raise rates to retain profitability. The consumer pays these higher rates and also pays for the prosecution and jailing of the hackers. The government must hire more specialists to guard against and uncover such schemes. And so on. As services like VoIP and IPTV become commonplace, the threat of lost revenue is a concern that network service providers must address by demanding that equipment be hardened against both internal and external attacks. A two-fold approach is required to address security concerns in network equipment.
Many industry-standard security protocols, such as SSH, SSL, IPsec, IKE, and RADIUS, together with a complete set of cryptographic algorithms, do a good job of authenticating network connections and protecting the content flowing through them. But even with the greater level of security designed into IPv6 (IPsec support is required by the standard), network devices are still susceptible to compromise if they are not designed with security in mind. For example, if a hacker can penetrate to the lowest layers of an endpoint device, the cryptographic keys stored there can be compromised, rendering these security protocols useless. Worse, a stolen key allows a hacker's program to masquerade as the intended destination entity: the hacker now holds a fully authenticated, protected, and trusted channel through which to obtain information illicitly. Network service providers must therefore architect their systems to ensure full protection of information from end to end.

Security is not something that can be effectively bolted on to an existing system that was not designed for security in the first place. Nothing has made this more evident than the continual uncovering of flaws in PC software that was simply not designed to resist sophisticated, determined hackers. Security must be designed in from the beginning, starting with the operating system: any device managed by an insecure operating system is itself inherently insecure.

Today, there are operating systems available that were designed from the ground up to support the most stringent security requirements. For example, some operating systems used to guard national secrets on communications devices and networks (in the US, such devices must be approved by the National Security Agency) employ the Multiple Independent Levels of Security (MILS) architecture, a technique for composing secure computing systems from high-assurance components. The key concepts of MILS include:
The kernel that forms the foundation of a MILS system is called a separation kernel, and a process exists today for evaluating and approving the security of such a kernel. With a kernel evaluated to a sufficiently high level of assurance, network systems developers can build systems that, literally, cannot be compromised by hackers. These MILS kernels can host common application environments, such as POSIX, Linux, and even Windows, giving designers support for legacy software while providing a clear upgrade path to improved security.

While separation kernel technology is required as the foundation for building secure network devices, it also has benefits for high availability. The same fundamental principles that prevent, isolate, and contain malicious code in a system also protect the networked device from inadvertent programming errors: a fault in one partition stays in that partition.

Green Hills is one company offering a mature separation kernel operating system, named INTEGRITY, which is now undergoing penetration testing by the US National Security Agency as part of an evaluation at the highest security assurance level ever attempted for an operating system.

As we move forward into the era of IPv6 and an increasingly network-connected world, it is critical that service providers architect next-generation networks by taking advantage of recent cybersecurity industry advancements in secure communications and operating system technologies, in order to enable ultra-high-reliability security — for both the myriad of new IP-enabled devices and the information flowing through them.
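The two ideas above, that a stolen key at the lowest layer defeats every protocol built on top of it, and that a separation kernel isolates partitions and mediates every flow between them, are easiest to see in a small model. The following C program is an added illustration written for this page; it is not code from INTEGRITY or any other real kernel, and the partition names, the policy table and the `sk_send` entry point are assumptions made for the example. Three partitions exist: a network stack, a crypto partition that alone holds the session key, and an application. The kernel allows only the flows listed in a static, deny-by-default table, so even a fully compromised application partition has no path that bypasses the crypto partition and no way to reach the key.

```c
/* Toy model of a separation kernel's information-flow policy (added example,
 * not INTEGRITY's API). Partitions can only exchange data through sk_send(),
 * and sk_send() consults a build-time policy table before copying anything. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum partition { P_NET = 0, P_CRYPTO, P_APP, P_COUNT };

/* Static policy: flow_allowed[from][to] is true only for the flows the system
 * designer explicitly permits. Everything else is denied by default.
 * Assumed policy for this example: all traffic between the application and
 * the network must pass through the crypto partition. */
static const bool flow_allowed[P_COUNT][P_COUNT] = {
    /*                to: NET    CRYPTO  APP   */
    /* from NET    */ { false, true,   false },
    /* from CRYPTO */ { true,  false,  true  },
    /* from APP    */ { false, true,   false },
};

struct mailbox { unsigned char data[64]; size_t len; };

/* Each partition's inbox is kernel-owned; no partition touches another's. */
static struct mailbox inbox[P_COUNT];
static unsigned long denied_count;

/* Only path between partitions: policy check first, then the copy. */
bool sk_send(enum partition from, enum partition to, const void *msg, size_t len)
{
    if ((unsigned)from >= P_COUNT || (unsigned)to >= P_COUNT || from == to ||
        !flow_allowed[from][to] || len > sizeof inbox[to].data) {
        denied_count++;           /* audit: every denied flow is counted */
        return false;
    }
    memcpy(inbox[to].data, msg, len);
    inbox[to].len = len;
    return true;
}

unsigned long sk_denied_count(void) { return denied_count; }
size_t sk_inbox_len(enum partition p) { return inbox[p].len; }

/* Scenario 1: a compromised application partition tries to push data straight
 * to the network, bypassing encryption. The kernel refuses the flow. */
bool compromised_app_bypasses_crypto(void)
{
    const char *payload = "plaintext-that-must-not-leave-unencrypted"; /* constructed */
    return sk_send(P_APP, P_NET, payload, strlen(payload));
}

/* Scenario 2: the legitimate path, application -> crypto, is permitted. */
bool app_sends_via_crypto(void)
{
    return sk_send(P_APP, P_CRYPTO, "hello", 5);
}

/* Scenario 3: inbound traffic cannot skip the crypto partition either. */
bool net_bypasses_crypto(void)
{
    return sk_send(P_NET, P_APP, "x", 1);
}

int main(void)
{
    printf("app->net direct:   %s\n", compromised_app_bypasses_crypto() ? "allowed" : "denied");
    printf("app->crypto:       %s\n", app_sends_via_crypto() ? "allowed" : "denied");
    printf("net->app direct:   %s\n", net_bypasses_crypto() ? "allowed" : "denied");
    printf("denied flows: %lu\n", sk_denied_count());
    return 0;
}
```

The point of the model is structural rather than cryptographic: the session key is never passed through `sk_send`, so it can only ever live in the crypto partition's memory, and the policy table, not the goodwill of the application code, decides what leaves the device. The denied-flow counter stands in for the audit record a real kernel would keep; an unexpected rise in it is the kind of signal a deployed device should surface to its operator.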