Multiple Single-Level
From Wikipedia, the free encyclopedia
Multiple Single-Level (MSL) is a method of separating different levels of data by using separate PCs or virtual machines for each level. It aims to give some of the benefits of Multilevel security without needing special changes to the OS or applications, but at the cost of requiring extra hardware.
The drive to develop MLS operating systems was severely hampered by the dramatic fall in data processing costs in the early 1990s. Before the advent of desktop computing, users with classified processing requirements had to either spend a lot of money for a dedicated computer or use one that hosted an MLS operating system. Throughout the 1990s, however, many offices in the defense and intelligence communities took advantage of falling computing costs to deploy desktop systems classified to operate only at the highest classification level used in their organization. These desktop computers operated in System High mode and were connected with LANs that carried traffic at the same level as the computers.
MSL implementations such as these neatly avoided the complexities of MLS, but they bought that technical simplicity at the price of inefficient use of space. Because most users in classified environments also needed unclassified systems, users often had at least two computers and sometimes more (one for unclassified processing and one for each classification level processed). In addition, each computer was connected to its own LAN at the appropriate classification level, meaning that multiple dedicated cabling plants had to be installed (at considerable cost in terms of both installation and maintenance).
Advances in MSL
The cost and complexity involved in maintaining distinct networks for each level of classification led the National Security Agency (NSA) to begin research into ways in which the MSL concept of dedicated system-high systems could be preserved while reducing the physical investment demanded by multiple networks and computers. Periods processing was the first advance in this area, establishing protocols by which agencies could connect a computer to a network at one classification, process information, sanitize the system, and connect it to a different network with another classification. The periods processing model offered the promise of a single computer but did nothing to reduce the number of cabling plants, and it proved enormously inconvenient to users; accordingly, its adoption was limited.
In the 1990s, the rise of virtualization technology changed the playing field for MSL systems. Suddenly, it was possible to create virtual machines (VMs) that behaved as independent computers but ran on a common hardware platform. With virtualization, NSA saw a way to preserve periods processing on a virtual level, no longer requiring the physical system to be sanitized by performing all processing within dedicated, system-high VMs. To make MSL work in a virtual environment, however, it was necessary to find a way to securely control the virtual session manager and ensure that no compromising activity directed at one VM could compromise another.
MSL Solutions
NSA pursued multiple programs aimed at creating viable, secure MSL technologies leveraging virtualization. To date, two major solutions have materialized.
- "NetTop", developed by NSA in partnership with VMware, Inc., uses Security-Enhanced Linux (SELinux) as the base operating system for its technology. The SELinux OS securely holds the virtual session manager, which in turn creates virtual machines to perform processing and support functions.
- The "Trusted Multi-Net", a commercial off-the-shelf (COTS) system based on a thin-client model, was developed jointly by an industry coalition including Microsoft Corporation, Citrix Systems, NYTOR Technologies, VMware, Inc., and MITRE Corporation to offer users access to classified and unclassified networks. Its architecture eliminates the need for multiple cabling plants by using encryption to carry all traffic over a single cable approved for the highest level accessed.
Both the NetTop and Trusted Multi-Net solutions have been approved for use. In addition, Trusted Computer Solutions is developing a thin-client-based version of the NetTop technology through a licensing agreement with NSA, under the name NetTop2 and based on their own Trusted Linux operating system.
In addition, there have been advances in the development of non-virtualization MSL systems through the use of specialized hardware, resulting in at least one viable solution:
- The Starlight Technology (now marketed as the Interactive Link System), developed by the Australian Defence Science and Technology Organisation (DSTO) and Tenix Pty Ltd, uses specialized hardware to allow users to interact with a "Low" network from a "High" network session within a window, without any data flowing from the "High" to the "Low" network.
Cross-Domain Solutions
MSL systems, whether virtual or physical in nature, are designed to preserve isolation between different classification levels. Consequently (unlike MLS systems), an MSL environment has no innate capabilities to move data from one level to another.
To permit data sharing between computers working at different classification levels, such sites deploy cross-domain solutions (CDS), which are commonly referred to as gatekeepers or guards. Guards, which often leverage MLS technologies themselves, filter traffic flowing between networks; unlike a commercial Internet firewall, however, a guard is built to much more stringent assurance requirements and its filtering is carefully designed to try to prevent any improper leakage of classified information between LANs operating at different security levels.
Data diode technologies are used extensively where data flows between levels must be restricted to one direction, with a high level of assurance that data will not flow in the opposite direction.
As of late 2005, numerous high-assurance platforms and guard applications have been approved for use in classified environments. In general, these are subject to the same restrictions that have imposed challenges on other MLS solutions: strict security assessment and the need to provide an electronic equivalent of stated policy for moving information between classifications. (Moving information down in classification level is particularly challenging and typically requires approval from several different people.)
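The flow rules this section and the Starlight entry describe (upward flow is free, a data diode carries nothing toward the lower level, and a guard releases downward only after filtering and multi-person approval) can be made concrete in a small policy model. The following is an added example written for this article, not code from NetTop, Starlight, or any fielded guard; the level ordering, the marking filter, the two-approver threshold and the reviewer names are all assumptions chosen for illustration.

```python
"""Constructed model of MSL cross-domain flow rules (illustrative only)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed total order of levels. Real policies also carry compartments,
# which this model leaves out.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

# Markings a release filter might look for inside the content itself.
MARKING_RE = re.compile(r"\b(TOP SECRET|SECRET|CONFIDENTIAL|UNCLASSIFIED)\b")


def dominates(higher: str, lower: str) -> bool:
    """True when data at `lower` may legitimately flow to `higher`."""
    return LEVELS[higher] >= LEVELS[lower]


@dataclass(frozen=True)
class Transfer:
    src_level: str
    dst_level: str
    body: str
    approvers: frozenset = frozenset()  # distinct reviewers who signed off


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class DataDiode:
    """One-way path: the destination must dominate the source.
    No content inspection is needed because nothing travels the other way."""

    def check(self, t: Transfer) -> Decision:
        if dominates(t.dst_level, t.src_level):
            return Decision(True, "upward or same-level flow")
        return Decision(False, "diode carries no traffic toward a lower level")


class Guard:
    """Bidirectional gatekeeper. Upward flows pass. A downward release is
    denied by default and passes only when enough distinct reviewers
    approved it and no marking in the body exceeds the destination level."""

    def __init__(self, min_approvers: int = 2):
        self.min_approvers = min_approvers
        self.audit: list[tuple[str, str, bool, str]] = []

    def highest_marking(self, body: str) -> str | None:
        found = MARKING_RE.findall(body)
        return max(found, key=LEVELS.__getitem__) if found else None

    def check(self, t: Transfer) -> Decision:
        if dominates(t.dst_level, t.src_level):
            d = Decision(True, "upward or same-level flow")
        elif len(t.approvers) < self.min_approvers:
            d = Decision(False, f"downgrade needs {self.min_approvers} distinct "
                                f"approvers, got {len(t.approvers)}")
        else:
            mark = self.highest_marking(t.body)
            if mark is not None and not dominates(t.dst_level, mark):
                d = Decision(False, f"body carries a {mark} marking above {t.dst_level}")
            else:
                d = Decision(True, "downgrade released")
        # Every decision, allowed or denied, is recorded for later review.
        self.audit.append((t.src_level, t.dst_level, d.allowed, d.reason))
        return d


if __name__ == "__main__":
    # Constructed transfers; "alice" and "bob" are hypothetical reviewers.
    guard, diode = Guard(min_approvers=2), DataDiode()
    samples = [
        Transfer("UNCLASSIFIED", "SECRET", "public weather feed"),
        Transfer("SECRET", "UNCLASSIFIED", "sanitised summary", frozenset({"alice"})),
        Transfer("SECRET", "UNCLASSIFIED", "sanitised summary", frozenset({"alice", "bob"})),
        Transfer("SECRET", "UNCLASSIFIED", "//SECRET// raw notes", frozenset({"alice", "bob"})),
    ]
    for t in samples:
        print(f"diode allowed={diode.check(t).allowed!s:5}  guard={guard.check(t)}")
```

The guard's downward path is default-deny: a transfer has to clear the approver threshold and the marking filter, and both denial and release are written to the audit list, which is the record a site would review when checking that the electronic policy matches the stated one.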