Local Area Networks (LANs) in Aircraft - FTP Directory Listing - FAA
Local Area Networks (LANs) in Aircraft - FTP Directory Listing - FAA
Local Area Networks (LANs) in Aircraft - FTP Directory Listing - FAA
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
their own classification level nor can they write <strong>in</strong>formation to a lower classification level,<br />
except via the controlled <strong>in</strong>tervention by a trusted subject (e.g., HAG).<br />
The Bell-LaPadula framework is realized with<strong>in</strong> military communications by creat<strong>in</strong>g networks,<br />
each operat<strong>in</strong>g at a specific classification level. These networks can operate as MSLS (see<br />
section 5.2) systems 28 or as DoD networks operat<strong>in</strong>g at system high, where the network is<br />
classified at the highest classification level of the data it conveys. For example, a system-high<br />
secret network could transmit secret <strong>in</strong>formation as well as <strong>in</strong>formation classified below the<br />
secret level (e.g., SBU <strong>in</strong>formation and unclassified <strong>in</strong>formation), but not <strong>in</strong>formation at a higher<br />
classification level than secret.<br />
DoD networks operat<strong>in</strong>g at different classification levels are orthogonal to each other. For<br />
example, they are addressed, by def<strong>in</strong>ition, from address and nam<strong>in</strong>g spaces that perta<strong>in</strong> to their<br />
classification level. This results <strong>in</strong>to network systems hav<strong>in</strong>g dist<strong>in</strong>ct (i.e., unrelated) IP<br />
addresses and nam<strong>in</strong>g spaces than networks operat<strong>in</strong>g at other classification levels <strong>in</strong> general.<br />
“The Bell-LaPadula model is built on the state mach<strong>in</strong>e concept. This concept<br />
def<strong>in</strong>es a set of allowable states (A i ) <strong>in</strong> a system. The transition from one state to<br />
another upon receipt of an <strong>in</strong>put(s) (X j ) is def<strong>in</strong>ed by transition functions (f k ).<br />
The objective of this model is to ensure that the <strong>in</strong>itial state is secure and that the<br />
transitions always result <strong>in</strong> a secure state.<br />
The Bell-LaPadula Confidentiality Model def<strong>in</strong>es a secure state through three<br />
multilevel properties. The first two properties implement mandatory access<br />
control, and the third one permits discretionary access control. These properties<br />
are def<strong>in</strong>ed as follows:<br />
1. The Simple Security Property (ss Property). States that read<strong>in</strong>g of<br />
<strong>in</strong>formation by a subject at a lower sensitivity level from an object at a higher<br />
sensitivity level is not permitted (no read up).<br />
2. The * (star) Security Property, also known as the conf<strong>in</strong>ement property.<br />
States that writ<strong>in</strong>g <strong>in</strong>formation by a subject at a higher level of sensitivity to<br />
an object at a lower level of sensitivity is not permitted (no write down).<br />
3. The Discretionary Security Property. Uses an access matrix to specify<br />
discretionary access control.” (Quoted from page 202 of reference 85.)<br />
The Bell-LaPadula Confidentiality Model, therefore, creates access control protections between<br />
entities at different sensitivity levels. These sensitivity levels are the DoD classification levels<br />
(see section 6.3). A weakness of the Bell-LaPadula Confidentiality Model is that it only deals<br />
with confidentiality of classified material. It does not address <strong>in</strong>tegrity or availability—the key<br />
28<br />
Other possibilities also exist, <strong>in</strong>clud<strong>in</strong>g multiple levels of security and multiple <strong>in</strong>dependent levels of security.<br />
However, the goal of this paragraph is to contrast MSLS with system high because that contrast is relevant to<br />
subsequent airborne network policy issues discussed <strong>in</strong> section 8.2.<br />
81