Local Area Networks (LANs) in Aircraft - FTP Directory Listing - FAA
Local Area Networks (LANs) in Aircraft - FTP Directory Listing - FAA
Local Area Networks (LANs) in Aircraft - FTP Directory Listing - FAA
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Figure 32 shows how these threats are addressed <strong>in</strong> a defense-<strong>in</strong>-depth manner.<br />
Larger the network, the larger the number of<br />
threats—Indirect Internet connectivity means<br />
1B+ potential human users<br />
• VPN for network partition<strong>in</strong>g<br />
• Firewall for network perimeter defense<br />
• IPsec required for protocol security<br />
End users are now part of security framework • VPN for network partition<strong>in</strong>g<br />
• Packet filter keeps passengers from<br />
access<strong>in</strong>g <strong>in</strong>appropriate Items and <strong>LANs</strong><br />
Availability of Airborne LAN • Firewall and packet filter to control access<br />
• QoS policies ensure support for VPN<br />
traffic<br />
Integrity of computers, networks, applications,<br />
and data<br />
COTS device security questionable (e.g.,<br />
routers, PCs) and subject to compromise<br />
Complex <strong>in</strong>ternet protocol family security<br />
• VPN for network<strong>in</strong>g partition<strong>in</strong>g<br />
• Firewall and packet filter for LAN defense<br />
• IPsec for secure protocol <strong>in</strong>teractions<br />
• Secure software download and <strong>in</strong>tegrity<br />
checks<br />
• IATF defense-<strong>in</strong>-depth security controls<br />
• Increase CC assurance when relied upon<br />
• Only attached to VPN via HAG<br />
Use available IETF protocols’ security<br />
Alternatives and IPsec whenever possible<br />
SNMPv3 security issues • Always use IPsec with SNMPv3<br />
• Once improved SNMPv3 alternative (i.e.,<br />
ISMS) available, preferentially use it.<br />
Figure 32. How Design Addresses Network Threats<br />
Because all communications between aircraft and other aircraft or ground stations occur across<br />
AS boundaries (see section 5.3), aircraft networks form BGP relationships with their peer ASs<br />
on the ground or <strong>in</strong> the air. The aircraft’s ASBR is not shown <strong>in</strong> figure 30, but it is physically<br />
located between the airplane’s high-assurance LAN and the air-to-ground communications<br />
with<strong>in</strong> the figure. That ASBR l<strong>in</strong>ks the airplane’s network to other ASs (air- or ground-based).<br />
The follow<strong>in</strong>g sections each describe a specific security control that is identified with<strong>in</strong> figure<br />
30. Please note that the configurations described <strong>in</strong> these sections will produce the defense-<strong>in</strong>depth<br />
results shown <strong>in</strong> figure 32.<br />
8.3.1 The VPN Encapsulation Method.<br />
The VPN encapsulation is accomplished by us<strong>in</strong>g IPsec’s ESP <strong>in</strong> tunnel mode <strong>in</strong> accordance<br />
with reference 99. The encapsulat<strong>in</strong>g gateways that perform the tunnel mode service may<br />
theoretically be end-systems, routers, or middleboxes. However, because the items located<br />
with<strong>in</strong> the VPN needs to be managed by means of the agency of the encapsulat<strong>in</strong>g gateway (see<br />
section 8.4), this architecture presumes that the encapsulat<strong>in</strong>g gateways will preferentially be<br />
middleboxes. If they are middleboxes, then it is very important that they not decrement the time-<br />
108