VoIP Security in DoD

Partnerships for VoIP Security
VoIP Protection Profiles
David Smith
Co-Chair, DoD VoIP Information Assurance Working Group
NSA Information Assurance Directorate,
Information Assurance Solutions Group
(410) 854-7302
E-mail: drsmit5@missi.ncsc.mil
October 3, 2003
1
Agenda

• DoD IA Policies
• Common Criteria
  – Protection Profiles & Security Targets
• Information Assurance Technical Framework (IATF) and Forum
• VoIP IA Initiatives
  – Protection Profile(s)
  – IATF

DoD IA Policies

• DoDI 8500.1 & 8500.2
• NSTISSP 11
  By 1 July 2002, the acquisition of all COTS IA and IA-enabled IT products shall be limited only to those which have been evaluated and validated in accordance with either:
    • International Common Criteria
    • NSA/NIST National Information Assurance Partnership (NIAP) Evaluation and Validation Program
    • NIST FIPS Validation Program

Common Criteria (CC)

• Internationally Recognized Security Criteria
• Security requirements specification language
• Security functionality & assurance
• Provides basis for validating conformance to specification (e.g. PP or ST) by independent third party (e.g. NIAP lab)

Protection Profiles vs. Security Target

• Protection Profile - Customer
  – Statement in CC language of security and assurance requirements (“I need”)
  – For DoD, NSA writes the protection profiles
• Security Target - Vendor
  – Vendor claim in CC language of security and assurance requirements met (“I provide”)
• Target of Evaluation

Robustness

• Basic = Best Commercial Practice
• Medium = Better than most current commercial
• High = Usually Government Developed
• Robustness is the combination of appropriate security requirements and assurance levels.
  – Imperative that Evaluation Report be read to understand the IA quality.
• EAL doesn’t equate to Robustness level

National Information Assurance Partnership (NIAP)

• NSA/NIST Partnership
• US Focal Point for Common Criteria
• Manage & Maintain Process
  – Common Criteria Evaluation and Validation Scheme
  – Protection Profile Registry
  – Evaluated Products Registry
  – List of Certified Commercial Evaluation Labs
http://niap.nist.gov/

UNCLASSIFIED
Information Assurance Technical Framework (IATF)

• A Technical Security Guidance Document
  – Unclassified
  – Evolving
  – Publicly available on IATF Web Site
http://www.iatf.net

IATF Benefits

• Helps U.S. Government users become wiser consumers when implementing security solutions
• Assists U.S. industry in understanding the government’s needs and the nature of the desired solutions to these needs
• Focuses investment resources on the security technology gaps

Information Assurance Technical Framework Forum (IATFF)

• NSA-sponsored forum to foster dialog among U.S. Government agencies, U.S. Industry, and U.S. Academia
• Sessions approximately every 6 weeks
• Held at the Johns Hopkins Applied Physics Lab, Laurel, MD

IATFF Benefits

• Fosters IA Dialog
  – U.S. Government-U.S. Industry-U.S. Academia
• Increases awareness of available security solutions
• Establishes contacts between individuals and organizations dealing with similar problems

VoIP IA Initiatives

• Leverage
  – NIAP/CC
  – IATF & IATFF
  – Government/Industry Partnership
• Communicate
  – Government Needs & Industry Capabilities
• VoIP Protection Profiles
• VoIP IATF Section
• VoIP IATFF Session

VoIP Protection Profile(s)

• Beginning development
• Incorporate DoD Voice IA Requirements
• Partnership with vendors, users
• NIAP Evaluated VoIP Products Meeting DoD IA Requirements

VoIP IATFF

• Planning an IATFF session on VoIP
• Looking for session ideas
  – Topics
  – Presenters
    • Users, Vendors, Network Managers
http://www.iatf.net

Wrap-Up

• Need partnerships with
  – Industry & Users
• NIAP and IATF are good vehicles for communication of IA requirements
• Getting the process started for VoIP
• Need Your Help!!