Local Area Networks (LANs) in Aircraft - FTP Directory Listing - FAA
the problems that occurred with the more ambitious PBN approaches. It has been used to create distributed firewall systems [70], including the construction of discrete security zones within the network infrastructure (i.e., elements of a network deployment with heightened or specialized security requirements different from those of the rest of the deployment). This remains a promising approach for implementing PBN systems.

The IETF (e.g., its former IPSP working group) has assembled several tools that can optionally be leveraged to create PBN systems using IPsec.
• RFC 3586 describes the problem space and solution requirements for developing an IPSP configuration and management framework.
• RFC 2704 describes the KeyNote policy language that can optionally be used to construct PBN systems. The KeyNote implementation functions as a compliance engine and is based on role-based access control techniques as encoded within PKI attribute certificates.
• Use of IPsec's ESP (see RFC 4305) in Transport Mode to provide confidentiality, data origin authentication, antireplay attack protection, and data integrity services to enhance network security between communicating devices (e.g., hosts-to-hosts, routers-to-routers) at a specific integrity level.
The Defense Advanced Research Projects Agency (DARPA) STRONGMAN work originally experimented with integrating KeyNote with IPsec's Internet Key Exchange (see RFC 4306) protocol to create a very fine-grained authentication and access control infrastructure at the network layer [70]. These communications are secured by using IPsec in Transport Mode between communicating devices. A public implementation of this approach is freely available and is built into the OpenBSD Unix OS (see footnotes 24 and 25). This approach creates a tight-knit PBN system that has not been widely deployed to date.
However, IP deployments have been enhancing their network communication security by increasingly using native (unmodified) IPsec communications between their devices. DoD network systems (see section 5.2) and VPNs (see section 5.6) use IPsec's ESP in Tunnel Mode to create secured multilevel network systems. This creates controlled and protected network enclaves that have significantly reduced user populations within reduced networked-threat environments. Deployments are also increasingly using IPsec's ESP in Transport Mode within a common network enclave to create higher assurance communications within that network. Through systematically using native (unmodified) IPsec capabilities, these deployments are creating network environments with significantly improved network security today.
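The enclave model described above (ESP Transport Mode between hosts inside an enclave, ESP Tunnel Mode between enclave gateways, and nothing else allowed) can be expressed as an ordered IPsec Security Policy Database in the sense of RFC 4301. The following is an added Python illustration, not code from the report or from any IPsec implementation; the enclave prefixes, gateway addresses and function names are constructed for the example.

```python
"""Toy IPsec Security Policy Database (SPD) lookup, modelled on RFC 4301.
Entries are ordered and the first match wins; each carries an action
(PROTECT, BYPASS, DISCARD) and, for PROTECT, the ESP mode."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

@dataclass(frozen=True)
class Policy:
    src: str                                  # selector: source prefix
    dst: str                                  # selector: destination prefix
    action: str                               # "PROTECT" | "BYPASS" | "DISCARD"
    mode: Optional[str] = None                # "transport" | "tunnel" (PROTECT only)
    tunnel: Optional[Tuple[str, str]] = None  # (local gateway, peer gateway)

ENCLAVE_A, ENCLAVE_B = "10.1.0.0/16", "10.2.0.0/16"   # constructed enclaves
GW_A, GW_B = "192.0.2.1", "192.0.2.2"                # constructed gateways

SPD = [
    # Inside an enclave: ESP Transport Mode host-to-host
    Policy(ENCLAVE_A, ENCLAVE_A, "PROTECT", "transport"),
    Policy(ENCLAVE_B, ENCLAVE_B, "PROTECT", "transport"),
    # Between enclaves: ESP Tunnel Mode between the enclave gateways
    Policy(ENCLAVE_A, ENCLAVE_B, "PROTECT", "tunnel", (GW_A, GW_B)),
    Policy(ENCLAVE_B, ENCLAVE_A, "PROTECT", "tunnel", (GW_B, GW_A)),
    # Default deny: traffic that would leave the enclaves in the clear is dropped
    Policy("0.0.0.0/0", "0.0.0.0/0", "DISCARD"),
]

def lookup(src: str, dst: str, spd=SPD) -> Policy:
    """Return the first SPD entry whose selectors match the packet."""
    s, d = ip_address(src), ip_address(dst)
    for p in spd:
        if s in ip_network(p.src) and d in ip_network(p.dst):
            return p
    return Policy(src, dst, "DISCARD")    # RFC 4301: no match means discard

def on_the_wire(src: str, dst: str) -> str:
    """Describe the header layout the matching policy produces."""
    p = lookup(src, dst)
    if p.action != "PROTECT":
        return p.action
    if p.mode == "transport":
        # Original IP header is kept; ESP sits between it and the payload.
        return f"IP({src}->{dst}) | ESP | payload"
    gw_local, gw_peer = p.tunnel
    # Whole original packet is encrypted behind a new outer IP header.
    return f"IP({gw_local}->{gw_peer}) | ESP | [IP({src}->{dst}) | payload]"
```

The layout strings make the practical difference visible: in Tunnel Mode the inner addresses are hidden inside ESP and only the gateway pair is exposed, whereas in Transport Mode the host addresses remain in the clear.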
24. See http://www.OpenBSD.org
25. Specifically, most of this functionality is built into isakmpd (/usr/src/sbin/isakmpd) within the OpenBSD operating system (see ftp://ftp.openbsd.org/pub/OpenBSD/src/sbin/isakmpd/).