An industry perspective from Curtiss-Wright Controls Defense Solutions
The growth of IP communications drives advances in embedded military data security
The increasing volume of IP-based data sent over standard interfaces, such as situational awareness video and remote sensor data, is driving the embedded military market to recognize the need for advanced data network security. Increasing Ethernet connectivity between systems needs to be protected with advanced IP security techniques such as firewalls, Virtual Private Networks (VPNs), sophisticated cryptography, anti-spam, anti-malware, and anti-virus to ensure the integrity, confidentiality, and availability of individual systems. The challenge is how to best leverage COTS Ethernet security protocols and ease of connectivity while addressing the rigorous security needs of military applications.
Traditionally, military communications ran over dedicated radio links protected by Communications Security (COMSEC) and Transmission Security (TRANSEC) measures. These proprietary, military-specific systems were generally considered more secure than Ethernet networks, which, for all their advantages, have also brought Internet-style attacks into the military space. The use of inexpensive commercial software to capture unencrypted Unmanned Aerial Vehicle (UAV) video feeds in Iraq, widely reported in December 2009, is one example. Dedicated network devices, however, can provide a higher level of security than protection implemented in host software.
Looking to COTS Internet security
While appreciative of the benefits that COTS Internet security offers, systems integrators and their end customers see potential risks. The good news is that some standard and sophisticated encryption algorithms and techniques proven in high-end commercial and financial Internet networks can be applied to embedded applications via software or with dedicated hardware.
Commercial Ethernet security technologies provide low-cost, fairly high-bandwidth communications, including Gigabit and 10 Gigabit interfaces. More importantly, they can be made transparent to the application, such that a streaming video application is “unaware” that its data is being encrypted or decrypted. Locating network security in the lower layers of the seven-layer Open Systems Interconnection (OSI) protocol model frees the upper layers, which are concerned with the application rather than with communications, from security concerns, while the lower layers, which handle communications, carry the security processing. Making applications security agnostic means security methods can be added and changed independently of the application. Decoupling security from the application also allows several independent security mechanisms to be layered for added protection.
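To make the transparency argument concrete, the following is an added example (not Curtiss-Wright code and not part of the original article): an IPsec-AH-style integrity shim placed below the application. The application hands the shim plain bytes and receives plain bytes; sequence numbering, the keyed integrity check value (ICV) and the sliding anti-replay window live entirely in the shim, so the application never sees them and the mechanism could be swapped out without touching application code. The SPI, key, window size and sample "video chunk" frames are constructed values for illustration.

```python
"""Added example (not Curtiss-Wright code): an IPsec-AH-style integrity
shim that sits below the application. The application hands the shim
plain bytes and gets plain bytes back; sequence numbering, the keyed
integrity check value (ICV) and anti-replay happen in the shim alone.
SPI, key and window size are constructed values for illustration."""
import hashlib
import hmac
import struct

SPI = 0x1000ABCD                                         # constructed security association id
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed key, demo only
ICV_LEN = 16          # HMAC-SHA-256 truncated to 128 bits, as IPsec's HMAC-SHA-256-128 does
HDR = struct.Struct("!II")                               # SPI, sequence number


class Sender:
    """Wraps each application payload as: SPI | seq | payload | ICV."""
    def __init__(self, spi, key):
        self.spi, self.key, self.seq = spi, key, 0

    def protect(self, payload):
        self.seq += 1                                    # first packet carries seq 1, never 0
        hdr = HDR.pack(self.spi, self.seq)
        icv = hmac.new(self.key, hdr + payload, hashlib.sha256).digest()[:ICV_LEN]
        return hdr + payload + icv


class Receiver:
    """Verifies the ICV, then enforces a 64-packet sliding anti-replay window."""
    WINDOW = 64

    def __init__(self, spi, key):
        self.spi, self.key = spi, key
        self.highest = 0     # highest sequence number accepted so far
        self.bitmap = 0      # bit i set => seq (highest - i) already accepted

    def unprotect(self, packet):
        """Return (payload, "ok") or (None, reason)."""
        if len(packet) < HDR.size + ICV_LEN:
            return None, "truncated"
        hdr, body, icv = packet[:HDR.size], packet[HDR.size:-ICV_LEN], packet[-ICV_LEN:]
        spi, seq = HDR.unpack(hdr)
        if spi != self.spi:
            return None, "unknown SPI"
        if seq == 0:
            return None, "invalid seq"
        expected = hmac.new(self.key, hdr + body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):       # constant-time compare
            return None, "bad ICV"
        if seq > self.highest:                           # newer than anything seen: slide window
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.WINDOW) - 1)
            self.highest = seq
        else:                                            # reordered packet inside the window?
            offset = self.highest - seq
            if offset >= self.WINDOW:
                return None, "too old"
            if (self.bitmap >> offset) & 1:
                return None, "replay"
            self.bitmap |= 1 << offset
        return body, "ok"


def demo():
    """Deliver frames in order, out of order, replayed and tampered; return the verdicts."""
    tx, rx = Sender(SPI, KEY), Receiver(SPI, KEY)
    frames = [tx.protect(b"video chunk %d" % i) for i in range(1, 5)]
    order = [frames[0], frames[2], frames[1], frames[2], frames[3]]   # seq 1, 3, 2, 3 again, 4
    verdicts = [rx.unprotect(f)[1] for f in order]
    tampered = bytearray(tx.protect(b"video chunk 5"))
    tampered[10] ^= 0x01                                 # flip one payload bit "in transit"
    verdicts.append(rx.unprotect(bytes(tampered))[1])
    return verdicts


if __name__ == "__main__":
    print(demo())   # ['ok', 'ok', 'ok', 'replay', 'ok', 'bad ICV']
```

The reordered frame (seq 2 arriving after seq 3) is accepted because it falls inside the window and has not been seen, while the replayed frame is rejected; a real ESP implementation adds confidentiality on top of this, but the division of labour between application and shim is the same.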
Multiple threats demand security techniques
No single security method can address all types of vulnerability. For example, data encryption will not stop an attempt to access and scan the computer, nor a Denial of Service (DoS) attack. Real protection requires multiple types of network security. Techniques beyond data encryption include Access Control Lists (ACLs) and firewalls, Network Address Translation (NAT), and deep packet inspection for anti-virus and anti-malware. Previously, communications and security were handled independently, with data from a network switch or router being sent to a separate encryption box. Integrating these functions significantly reduces size, weight, and power (SWaP) while increasing throughput and efficiency.
Simply processing an Ethernet stack is a computational burden, and security processing adds to it. With Ethernet, every single packet must be inspected as a potential carrier of malware or other attack traffic. A single malicious packet that gets past a firewall can be catastrophic. In 2003, the Sapphire worm (also known as SQL Slammer) infected some 75,000 hosts in 10 minutes. It spread astonishingly fast, peaking at more than 55 million scans per second, yet the entire worm was contained in a single 376-byte packet.
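The two paragraphs above argue that every packet must pass several independent checks. The following is an added example (not Curtiss-Wright code and not from the original article) of such a per-packet pipeline, written as a reference model rather than as hardware: each packet is parsed, matched against an ACL on its 5-tuple, run through a deep-packet-inspection signature, and counted by a per-source scan detector. The ACL rules, the signature (shaped like the single-packet UDP/1434 worm the text cites, with the Resolution Service opcode 0x04 followed by a long payload), the scan threshold and all the traffic are constructed for illustration; the ACL deliberately permits UDP/1434 from the sensor segment so that the DPI stage, not the firewall, is the control that stops the worm-shaped packet.

```python
"""Added example (not Curtiss-Wright code): a per-packet inspection
pipeline of the kind the text describes, run over constructed IPv4/UDP
packets. Each packet passes, in order, an ACL on the 5-tuple, a payload
signature check (deep packet inspection) and a per-source scan detector.
The ACL, the signature, the threshold and the traffic are all constructed."""
import ipaddress
import struct
from collections import defaultdict

UDP, TCP = 17, 6
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")   # 20-byte IPv4 header without options


def build_ipv4_udp(src, dst, sport, dport, payload):
    """Constructed traffic generator: minimal IPv4+UDP, checksums zeroed (not checked here)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = IPV4_HDR.pack(0x45, 0, 20 + len(udp), 0, 0, 64, UDP, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + udp


def parse(pkt):
    """Decode IPv4 and UDP/TCP headers; return None for anything malformed."""
    if len(pkt) < IPV4_HDR.size:
        return None
    ver_ihl, _, total, _, _, _, proto, _, s, d = IPV4_HDR.unpack(pkt[:IPV4_HDR.size])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total < ihl or len(pkt) < total:
        return None
    l4 = pkt[ihl:total]
    min_hdr = {UDP: 8, TCP: 20}.get(proto)
    if min_hdr is None or len(l4) < min_hdr:
        return None
    hdr = 8 if proto == UDP else (l4[12] >> 4) * 4   # TCP data-offset field
    if hdr < min_hdr or len(l4) < hdr:
        return None
    sport, dport = struct.unpack("!HH", l4[:4])
    return {"src": str(ipaddress.IPv4Address(s)), "dst": str(ipaddress.IPv4Address(d)),
            "proto": proto, "sport": sport, "dport": dport, "payload": l4[hdr:]}


# Constructed ACL: first match wins, implicit deny. UDP/1434 from the sensor
# segment is deliberately allowed so that the DPI stage has something to catch.
ACL = [
    ("allow", "10.0.1.0/24", "10.0.2.0/24", UDP, 5004),   # RTP video, sensors -> C2
    ("allow", "10.0.1.0/24", "10.0.2.0/24", UDP, 1434),   # legacy SQL resolution service
    ("allow", "10.0.3.0/24", "10.0.2.0/24", TCP, 22),     # admin SSH
]


def acl_permits(f):
    src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
    for action, s, d, proto, dport in ACL:
        if (src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d)
                and f["proto"] == proto and f["dport"] == dport):
            return action == "allow"
    return False


# Constructed DPI signature shaped like the single-packet worm the text cites:
# UDP to 1434, SQL Server Resolution Service opcode 0x04, oversized payload.
SIGNATURES = [
    ("udp1434-overflow", lambda f: f["proto"] == UDP and f["dport"] == 1434
                                   and f["payload"][:1] == b"\x04" and len(f["payload"]) > 100),
]


def dpi_match(f):
    return next((name for name, hit in SIGNATURES if hit(f)), None)


class ScanDetector:
    """Flag a source once it has touched more than `limit` distinct (dst, port) pairs."""
    def __init__(self, limit=5):
        self.limit, self.seen = limit, defaultdict(set)

    def is_scanning(self, f):
        self.seen[f["src"]].add((f["dst"], f["dport"]))
        return len(self.seen[f["src"]]) > self.limit


class Inspector:
    """ACL, then DPI, then scan detection: the first stage to object drops the packet."""
    def __init__(self):
        self.scan = ScanDetector()

    def verdict(self, pkt):
        f = parse(pkt)
        if f is None:
            return "drop:malformed"
        if not acl_permits(f):
            return "drop:acl"
        sig = dpi_match(f)
        if sig:
            return "drop:dpi:" + sig
        if self.scan.is_scanning(f):
            return "drop:scan"
        return "pass"


def demo():
    """Run constructed traffic through the pipeline; return one verdict per packet."""
    insp = Inspector()
    rtp = b"\x80\x60" + b"\x00" * 160                                  # RTP-like video payload
    traffic = [
        build_ipv4_udp("10.0.1.5", "10.0.2.10", 40000, 5004, rtp),                        # legitimate video
        build_ipv4_udp("192.168.0.9", "10.0.2.10", 40000, 5004, rtp),                     # wrong source net
        build_ipv4_udp("10.0.1.5", "10.0.2.10", 40000, 1434, b"\x04" + b"\x01" * 375),    # worm-shaped, 376 bytes
        build_ipv4_udp("10.0.1.5", "10.0.2.10", 40000, 5004, rtp)[:30],                   # truncated on the wire
    ] + [build_ipv4_udp("10.0.1.7", "10.0.2.%d" % i, 40000, 5004, rtp) for i in range(1, 8)]  # one host sweeping seven targets
    return [insp.verdict(p) for p in traffic]


if __name__ == "__main__":
    print(demo())
```

The stages are ordered cheapest first so that a hardware implementation can reject most unwanted traffic on header fields alone and reserve payload matching for what the ACL lets through; the sweeping host is passed five times before the detector has enough evidence to start dropping it, which is the trade-off any threshold-based scan detector makes.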
The good news is that network devices can deliver greater network security performance than host-software-based security, and they do so transparently to the application. Software-based security typically keeps pace with only a single stream or a single application's bandwidth at a time, whereas a hardware network switch with a dedicated encryption engine can handle many applications and many gigabits of traffic concurrently. Dedicated network hardware that combines switching and routing with advanced security offloads the host processor and brings further advantages: it can support hardware-accelerated cryptography and dedicated pattern-recognition engines for malware, Trojans, and viruses.
An example of a network device designed for military network security is Curtiss-Wright Controls Embedded Computing's (CWCEC's) VPX3-685 3U OpenVPX module. In addition to switch and router functionality, the card provides a hardware-accelerated Intrusion Detection System (IDS), firewall and ACL enforcement, an IP security engine with a hardware-accelerated crypto engine supporting multiple encryption algorithms, and both route-based and policy-based VPNs. Each security function on this 3U card addresses a specific network vulnerability; in a corporate network, each would typically be deployed as a stand-alone box in a 19-inch rack.
Protecting networks via Internet security tech
In 2009, there were more than 40,000 known and published network vulnerabilities. The challenge of keeping up with malicious network threats will only continue to grow. To secure critical military systems, embedded system designers must be able to adapt, leveraging the state of the art in today’s commercial and financial Internet security technologies. The threat will not diminish; it will only grow in complexity.