Copyright (c) 2003-2004 John A. Sullivan III, Nexus Management. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover Texts, and with no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License".
The Integrated Secure Communications System (ISCS) provides an integrated, GUI management console for a collection of related communications security tools such as firewalls and VPN gateways. It uses a Security Policy Manager (SPM) to create abstract, high-level policies for securing network communication, translate them into low-level rules needed by Security Policy Enforcement Points (PEPs, e.g., firewalls or VPN gateways) and automatically distribute these rules to the PEPs.
The SPM is not a centralized GUI rule configurator as other proprietary "policy enabled" network security tools are. It is a radically different approach to viewing network security. By both integrating the management of previously separate security tools and abstracting the rules and configurations into high-level policies, the SPM produces an approximate 90% reduction in the time needed to administer complex secure communications environments. This is not a speculated reduction. Nexus Management, the original sponsor fo the ISCS project, has done exactly this in the real world with proprietary tools and now wishes to achieve the same results with entirely original Open Source tools.
The current development version uses iptables, *swan, OpenCA, Linux Advanced Routing, OpenSSH, the ISC DHCP server and the Strongsec DHCP relay. The design is extensible to support other products as the ISCS community writes those modules. The SPM will eventually include QoS/CoS, Intrusion Detection, Content Filtering and Virus Scanning and should manage devices from most major security hardware manufacturers.
As previously mentioned, the SPM is different from existing firewall GUI's. It is a completely different way of looking at network security. The most obvious distinction is the integration of many technologies into one management console but the most efficient and important distinction is the abstraction.
We answer the simple security question of WHO has ACCESS to WHAT. Unlike traditional firewalls that attempt that in a single rule, the SPM divides it into three - separate rule processing for evaluating WHO, ACCESS and WHAT. That sounds like more complexity rather than less but the result of such modularity is the opposite. We can create a series of definitions for WHO and a series of definitions for WHAT. We can then freely mix and match them in a building block fashion. The reusability leads to the need to define far fewer WHO's and WHAT's than are required by a traditional firewall.
Besides reusability, we also implement hierarchy and inheritance. We place Accessors (typically users) into Access Groups and arrange those groups in a hierarchical tree with inheritance, i.e., if a right is granted at one level, that right flows down or, in other words, is inherited, by all the levels below that level. We place Resources (a combination of a server and a service as a unique object - a slight but critical departure from typical firewall use) in Resource Groups and arrange those groups in a hierarchical tree with inheritance, i.e., if a right is granted at one point in the Resource Group tree, the Access Group also has rights to all levels below it. Policies are created by establishing relationships between the two trees. Thus we not only reduce the number of WHO's and WHAT's but by a judicious use of inheritance reduce even the number of policies that must be created. Hundreds, even thousands of rules can be described in just one policy which then automatically creates those hundreds or thousands of rules and distributes them to the enforcement points. This is one of the most important ways, although not the only way, in which we achieve such astonishing efficiency.
We use this powerful access control paradigm and combine it with robust user authentication (dynamic iptables rules are now created based upon IP address and X.509 certificate DN values and soon by LDAP, Active Directory, e-Directory, RADIUS and SecureID) to control access into and out of the tunnel. We add the VPN with automated creation of SA's to facilitate the creation of full meshes and secure the traffic during transmission. We also provide an out-of-band means of automatically communicating routing changes to ease deployments, mergers and acquisition and system reconfigurations.
The need for this efficient security administration is driven by four major changes to the current computing environment:
New forms of security exploits such as phishing, spam planted trojans and malicious spyware which give the attacker an internal rather than an external attack posture.
Mobile, hand held, embedded and wireless computing - now neither the network media nor the computing devices themselves are in a physically secure environment. Our organizations are directly exposed to the world at thousands of points and our computing devices are regularly exposed to theft. Worse yet, the stolen device can connect to our internal networks.
Increased connectivity of small offices and home workers via VPN.
The growth of collaborative computing between separate organizations.
Consider the dramatic impact of VPN technology on traditional security paradigms - particularly the use of VPN as a WAN replacement. In the traditional firewall paradigm, an organization might have 200 offices and 3 Internet access points in hub offices. These were complex, difficult to administer devices but that was acceptable because of their static configuration. Changes were rare.
VPN's turn the world of firewalls upside down. Now instead of 200 offices with 3 Internet access points, there are 200 offices with 200 Internet access points. That allows the great advantage of permitting direct Internet access in each office and not having to haul Internet traffic across the private WAN just to be screened by the corporate firewall. This also makes possible the implementation of inter-office security. If we have firewalls in each office, we can protect an office from malicious intrusion from another office. That allows us to finally begin to address the issue that 70% of security breaches are internal.
In fact, inter-office security is not only made possible by putting a VPN/firewall in each office but the presence of the VPN makes the need for inter-office security greater. Now we have 200 potential points of intrusion instead of 3. If we do not implement inter-office security, a breach in any one of those offices opens the door to the entire WAN.
Worse yet, the low cost of VPN WAN's frequently imply that smaller offices that could never afford to be on the WAN can now join the WAN. It is likely that physical security is not as good in some of those small offices. If some intruder calls on that small office in the middle of nowhere disguised as the telephone repairman, walks into the kitchen and plugs his laptop into the hub under the kitchen sink, they have full access to corporate headquarters across the VPN!
So, we have this great opportunity to create direct Internet access in every office and keep local web browsing off the hub office network. We have the great chance to finally implement inter-office security. We have got 200 hundred offices with 200 VPN/firewall gateways. How are we going to manage the configuration of 200 firewalls?
Not only do we have to manage a far greater number of security devices but the number of configuration changes is vastly greater. In the past, we typically let all Internet traffic out (or at least the most commonly used ports) and only let Internet traffic in to our public devices. Changes to the firewall rules were rare. With inter-office security, every time a new server or new service comes on line, we need to make changes. Every time a new office comes on line, we need to make changes. Every time there is a merger or acquisition, we need to make major changes. Suddenly, we are not putting through a few changes per quarter but perhaps several per day - on 200 devices! We have got to find a way to make managing and distributing all those changes easier.
The situation is further compounded when we add external partners, e-commerce and service providers. In a multi-client environment, any security breach from one client to another is intolerable. Managing that kind of complex security can be a nightmare fraught with the opportunity for human error unless we integrate the management of the disparate components that make up that security and automate the security rule creation process by abstracting the minute rule creation into abstract, high-level policies that automatically translate themselves into the minute rules and distribute themselves to the enforcement points.
We also need to do something about SA creation and topology changes. VPN WANs give us the ability to implement fully meshed networks without the per circuit charges of traditional WAN technologies. This is perfect as work flow changes from central and hierarchical to distributed and flattened. Best-of-breed applications may now be housed outside of "headquarters". Peer-to-peer applications from instant messaging to VOIP to desktop video-conferencing are completely disruptive to the traditional hub-and-spoke WAN. But the hidden cost of managing SA creation for a meshed VPN is astounding. The example 200 office network we have been using requires 19,900 SA's to fully mesh! Manually creating that is sheer torment and subject to much human error. The SPM automatically creates and distributes the SAs needed to fully mesh the VPN WAN.
The SPM also coordinates all topology changes and automatically distributes these topology changes to all PEPs. This is certainly helpful when one adds a network to an existing office - all PEPs automatically know about the new network rather than having to manually change the VPN routes on 200 devices. It becomes indispensable during the migration from a traditional leased-line WAN to a VPN WAN or when combining large numbers of networks as in a merger or acquisition.
We have used the number of 200 offices for illustrative purposes. The SPM is designed to be highly scalable in both directions. It can handle thousands of gateways but is also useful for installations of only a few offices.
GNU Free Documentation License
GNU Free Documentation License
Version 1.1, March 2000
Copyright (C) 2000 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
0. PREAMBLE
The purpose of this License is to make a manual, textbook, or other written
document "free" in the sense of freedom: to assure everyone the effective
freedom to copy and redistribute it, with or without modifying it, either
commercially or noncommercially. Secondarily, this License preserves for the
author and publisher a way to get credit for their work, while not being
considered responsible for modifications made by others.
This License is a kind of "copyleft", which means that derivative works of
the document must themselves be free in the same sense. It complements the
GNU General Public License, which is a copyleft license designed for free
software.
We have designed this License in order to use it for manuals for free
software, because free software needs free documentation: a free program
should come with manuals providing the same freedoms that the software does.
But this License is not limited to software manuals; it can be used for any
textual work, regardless of subject matter or whether it is published as a
printed book. We recommend this License principally for works whose purpose
is instruction or reference.
1. APPLICABILITY AND DEFINITIONS
This License applies to any manual or other work that contains a notice
placed by the copyright holder saying it can be distributed under the terms
of this License. The "Document", below, refers to any such manual or work.
Any member of the public is a licensee, and is addressed as "you".
A "Modified Version" of the Document means any work containing the Document
or a portion of it, either copied verbatim, or with modifications and/or
translated into another language.
A "Secondary Section" is a named appendix or a front-matter section of the
Document that deals exclusively with the relationship of the publishers or
authors of the Document to the Document's overall subject (or to related
matters) and contains nothing that could fall directly within that overall
subject. (For example, if the Document is in part a textbook of mathematics,
a Secondary Section may not explain any mathematics.) The relationship could
be a matter of historical connection with the subject or with related
matters, or of legal, commercial, philosophical, ethical or political
position regarding them.
The "Invariant Sections" are certain Secondary Sections whose titles are
designated, as being those of Invariant Sections, in the notice that says
that the Document is released under this License.
The "Cover Texts" are certain short passages of text that are listed, as
Front-Cover Texts or Back-Cover Texts, in the notice that says that the
Document is released under this License.
A "Transparent" copy of the Document means a machine-readable copy,
represented in a format whose specification is available to the general
public, whose contents can be viewed and edited directly and
straightforwardly with generic text editors or (for images composed of
pixels) generic paint programs or (for drawings) some widely available
drawing editor, and that is suitable for input to text formatters or for
automatic translation to a variety of formats suitable for input to text
formatters. A copy made in an otherwise Transparent file format whose markup
has been designed to thwart or discourage subsequent modification by readers
is not Transparent. A copy that is not "Transparent" is called "Opaque".
Examples of suitable formats for Transparent copies include plain ASCII
without markup, Texinfo input format, LaTeX input format, SGML or XML using
a publicly available DTD, and standard-conforming simple HTML designed for
human modification. Opaque formats include PostScript, PDF, proprietary
for
mats that can be read and edited only by proprietary word processors,
SGML or XML for which the DTD and/or processing tools are not generally
available, and the machine-generated HTML produced by some word processors
for output purposes only.
The "Title Page" means, for a printed book, the title page itself, plus such
following pages as are needed to hold, legibly, the material this License
requires to appear in the title page. For works in formats which do not have
any title page as such, "Title Page" means the text near the most prominent
appearance of the work's title, preceding the beginning of the body of the
text.
2. VERBATIM COPYING
You may copy and distribute the Document in any medium, either commercially
or noncommercially, provided that this License, the copyright notices, and
the license notice saying this License applies to the Document are
reproduced in all copies, and that you add no other conditions whatsoever to
those of this License. You may not use technical measures to obstruct or
control the reading or further copying of the copies you make or distribute.
However, you may accept compensation in exchange for copies. If you
distribute a large enough number of copies you must also follow the
conditions in section 3.
You may also lend copies, under the same conditions stated above, and you
may publicly display copies.
3. COPYING IN QUANTITY
If you publish printed copies of the Document numbering more than 100, and
the Document's license notice requires Cover Texts, you must enclose the
copies in covers that carry, clearly and legibly, all these Cover Texts:
Front-Cover Texts on the front cover, and Back-Cover Texts on the back
cover. Both covers must also clearly and legibly identify you as the
publisher of these copies. The front cover must present the full title with
all words of the title equally prominent and visible. You may add other
material on the covers in addition. Copying with changes limited to the
covers, as long as they preserve the title of the Document and satisfy these
conditions, can be treated as verbatim copying in other respects.
If the required texts for either cover are too voluminous to fit legibly,
you should put the first ones listed (as many as fit reasonably) on the
actual cover, and continue the rest onto adjacent pages.
If you publish or distribute Opaque copies of the Document numbering more
than 100, you must either include a machine-readable Transparent copy along
with each Opaque copy, or state in or with each Opaque copy a
publicly-accessible computer-network location containing a complete
Transparent copy of the Document, free of added material, which the general
network-using public has access to download anonymously at no charge using
public-standard network protocols. If you use the latter option, you must
take reasonably prudent steps, when you begin distribution of Opaque copies
in quantity, to ensure that this Transparent copy will remain thus
accessible at the stated location until at least one year after the last
time you distribute an Opaque copy (directly or through your agents or
retailers) of that edition to the public.
It is requested, but not required, that you contact the authors of the
Document well before redistributing any large number of copies, to give them
a chance to provide you with an updated version of the Document.
4. MODIFICATIONS
You may copy and distribute a Modified Version of the Document under the
conditions of sections 2 and 3 above, provided that you release the Modified
Version under precisely this License, with the Modified Version filling the
role of the Document, thus licensing distribution and modification of the
Modified Version to whoever possesses a copy of it. In addition, you must do
these things in the Modified Version:
* A. Use in the Title Page (and on the covers, if any) a title distinct
from that of the Document, and from those of previous versions (which
should, if there were any, be listed in the History section of the
Document). You may use the same title as a previous version if the
original publisher of that version gives permission.
* B. List on the Title Page, as authors, one or more persons or entities
responsible for authorship of the modifications in the Modified
Version, together with at least five of the principal authors of the
Document (all of its principal authors, if it has less than five).
* C. State on the Title page the name of the publisher of the Modified
Version, as the publisher.
* D. Preserve all the copyright notices of the Document.
* E. Add an appropriate copyright notice for your modifications adjacent
to the other copyright notices.
* F. Include, immediately after the copyright notices, a license notice
giving the public permission to use the Modified Version under the
terms of this License, in the form shown in the Addendum below.
* G. Preserve in that license notice the full lists of Invariant Sections
and required Cover Texts given in the Document's license notice.
* H. Include an unaltered copy of this License.
* I. Preserve the section entitled "History", and its title, and add to
it an item stating at least the title, year, new authors, and publisher
of the Modified Version as given on the Title Page. If there is no
section entitled "History" in the Document, create one stating the
title, year, authors, and publisher of the Document as given on its
Title Page, then add an item describing the Modified Version as stated
in the previous sentence.
* J. Preserve the network location, if any, given in the Document for
public access to a Transparent copy of the Document, and likewise the
network locations given in the Document for previous versions it was
based on. These may be placed in the "History" section. You may omit a
network location for a work that was published at least four years
before the Document itself, or if the original publisher of the version
it refers to gives permission.
* K. In any section entitled "Acknowledgements" or "Dedications",
preserve the section's title, and preserve in the section all the
substance and tone of each of the contributor acknowledgements and/or
dedications given therein.
* L. Preserve all the Invariant Sections of the Document, unaltered in
their text and in their titles. Section numbers or the equivalent are
not considered part of the section titles.
* M. Delete any section entitled "Endorsements". Such a section may not
be included in the Modified Version.
* N. Do not retitle any existing section as "Endorsements" or to conflict
in title with any Invariant Section.
If the Modified Version includes new front-matter sections or appendices
that qualify as Secondary Sections and contain no material copied from the
Document, you may at your option designate some or all of these sections as
invariant. To do this, add their titles to the list of Invariant Sections in
the Modified Version's license notice. These titles must be distinct from
any other section titles.
You may add a section entitled "Endorsements", provided it contains nothing
but endorsements of your Modified Version by various parties--for example,
statements of peer review or that the text has been approved by an
organization as the authoritative definition of a standard.
You may add a passage of up to five words as a Front-Cover Text, and a
passage of up to 25 words as a Back-Cover Text, to the end of the list of
Cover Texts in the Modified Version. Only one passage of Front-Cover Text
and one of Back-Cover Text may be added by (or through arrangements made by)
any one entity. If the Document already includes a cover text for the same
cover, previously added by you or by arrangement made by the same entity you
are acting on behalf of, you may not add another; but you may replace the
old one, on explicit permission from the previous publisher that added the
old one.
The author(s) and publisher(s) of the Document do not by this License give
permission to use their names for publicity for or to assert or imply
endorsement of any Modified Version.
5. COMBINING DOCUMENTS
You may combine the Document with other documents released under this
License, under the terms defined in section 4 above for modified versions,
provided that you include in the combination all of the Invariant Sections
of all of the original documents, unmodified, and list them all as Invariant
Sections of your combined work in its license notice.
The combined work need only contain one copy of this License, and multiple
identical Invariant Sections may be replaced with a single copy. If there
are multiple Invariant Sections with the same name but different contents,
make the title of each such section unique by adding at the end of it, in
parentheses, the name of the original author or publisher of that section if
known, or else a unique number. Make the same adjustment to the section
titles in the list of Invariant Sections in the license notice of the
combined work.
In the combination, you must combine any sections entitled "History" in the
various original documents, forming one section entitled "History"; likewise
combine any sections entitled "Acknowledgements", and any sections entitled
"Dedications". You must delete all sections entitled "Endorsements."
6. COLLECTIONS OF DOCUMENTS
You may make a collection consisting of the Document and other documents
released under this License, and replace the individual copies of this
License in the various documents with a single copy that is included in the
collection, provided that you follow the rules of this License for verbatim
copying of each of the documents in all other respects.
You may extract a single document from such a collection, and distribute it
individually under this License, provided you insert a copy of this License
into the extracted document, and follow this License in all other respects
regarding verbatim copying of that document.
7. AGGREGATION WITH INDEPENDENT WORKS
A compilation of the Document or its derivatives with other separate and
independent documents or works, in or on a volume of a storage or
distribution medium, does not as a whole count as a Modified Version of the
Document, provided no compilation copyright is claimed for the compilation.
Such a compilation is called an "aggregate", and this License does not apply
to the other self-contained works thus compiled with the Document, on
account of their being thus compiled, if they are not themselves derivative
works of the Document. If the Cover Text requirement of section 3 is
applicable to these copies of the Document, then if the Document is less
than one quarter of the entire aggregate, the Document's Cover Texts may be
placed on covers that surround only the Document within the aggregate.
Otherwise they must appear on covers around the whole aggregate.
8. TRANSLATION
Translation is considered a kind of modification, so you may distribute
translations of the Document under the terms of section 4. Replacing
Invariant Sections with translations requires special permission from their
copyright holders, but you may include translations of some or all Invariant
Sections in addition to the original versions of these Invariant Sections.
You may include a translation of this License provided that you also include
the original English version of this License. In case of a disagreement
between the translation and the original English version of this License,
the original English version will prevail.
9. TERMINATION
You may not copy, modify, sublicense, or distribute the Document except as
expressly provided for under this License. Any other attempt to copy,
modify, sublicense or distribute the Document is void, and will
automatically terminate your rights under this License. However, parties who
have received copies, or rights, from you under this License will not have
their licenses terminated so long as such parties remain in full compliance.
10. FUTURE REVISIONS OF THIS LICENSE
The Free Software Foundation may publish new, revised versions of the GNU
Free Documentation License from time to time. Such new versions will be
similar in spirit to the present version, but may differ in detail to
address new problems or concerns. See http://www.gnu.org/copyleft/.
Each version of the License is given a distinguishing version number. If the
Document specifies that a particular numbered version of this License "or
any later version" applies to it, you have the option of following the terms
and conditions either of that specified version or of any later version that
has been published (not as a draft) by the Free Software Foundation. If the
Document does not specify a version number of this License, you may choose
any version ever published (not as a draft) by the Free Software Foundation.
How to use this License for your documents
To use this License in a document you have written, include a copy of the
License in the document and put the following copyright and license notices
just after the title page:
Copyright (c) YEAR YOUR NAME.
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.1
or any later version published by the Free Software Foundation;
with the Invariant Sections being LIST THEIR TITLES, with the
Front-Cover Texts being LIST, and with the Back-Cover Texts being LIST.
A copy of the license is included in the section entitled "GNU
Free Documentation License".
If you have no Invariant Sections, write "with no Invariant Sections"
instead of saying which ones are invariant. If you have no Front-Cover
Texts, write "no Front-Cover Texts" instead of "Front-Cover Texts being
LIST"; likewise for Back-Cover Texts.
If your document contains nontrivial examples of program code, we recommend
releasing these examples in parallel under your choice of free software
license, such as the GNU General Public License, to permit their use in free
software.