Information Security in C4ISTAR Infrastructures

Crypto AG

Category: C2/C41 Systems | 22/10/2008 - 09:56:50

C4ISTAR systems are generally installed on a stage-by-stage basis, not on a large scale. The principle: existing systems are integrated and gradually networked with newer technologies. Compromises are frequent – but not feasible in all areas, above all not in the area of information security where an integrated approach is required.

To protect C4ISTAR infrastructure, tried-and-tested digital encryption systems exist which, depending on the technology, are also compatible across networks. In the longer term, however, IP-based networking platforms will become the norm – these would represent the most elegant solutions in terms of information security as they are universal.

Secure Network Communication

Information and communication security of a network platform has to be continuous and totally reliable. This is because, in a consistently networked infrastructure (e.g. on an IP basis), every risk is omnipresent. If data of highly differing sensitivities is circulating on exactly the same network level among users with highly differing authorisation levels, a totally reliable security structure must be applied over and above the networking structure. Management of the two areas ‘network’ and ‘security’ must, of course, be technologically compatible, but there are fundamental differences in terms of function. Planning a secure C4ISTAR infrastructure platform can therefore only be an eminently ‘strategic’ matter, as it is a matter of implementing the security policies of the various networked organisations without making compromises.

Crucial Technical Issues

At the technical level, it is a question of analysing precisely the individual interfaces of the networks to be networked (‘network of networks’) as crucial points in terms of compatibility and performance. For example, how can one integrate high-tech digital data networks into a network together with older analogue applications such as PSTN, fax or analogue radio? Contrary to frequently heard opinions, gateways are not a panacea for every situation.

Often the protocols and standards are not specified for all situations, or there are special requirements for parts of the infrastructure. In the ‘networks of networks’, integration inevitably leads to large accumulations of software. Compatibility must be guaranteed alongside the networking, up to and including end-user network areas – and in terms of communication security as well. Complex Common Operating Environments (COE) therefore represent a challenge not only in terms of information technology but also in terms of security.

End-to-End or Network Encryption

In organisations with high security requirements, existing partial networks and applications to be integrated are usually protected by encryption. In the case of data networks such as WAN or MAN, network encryption systems (OSI layer 3 and deeper; OSI model = Open Systems Interconnection Reference Model) are used. The technology is no longer even used uniformly by defence organisations: whereas defence ministries used to use predominantly their own ‘lines’ and transmission protocols, public networks are now being added which are shared with other users. Multipoint applications – for example in SDH / PDH, line-of-sight or Gigabit Ethernet networks – are customary, as the bandwidth can be used flexibly and cost-efficiently. These virtual networks can be protected by tried-and-tested link encryption units in terms of confidentiality and authenticity.

Crypto AG has efficient and easy-to-use encryption systems in its range for all widely used types of network, including versions which are very suitable for tough conditions of service (military environments). Where networks are linked by means of gateways, encryption is always a practice-related task which requires a good deal of experience with the appropriate information technology. Ultimately, the IP protocol is the best solution, also in terms of the desired continuous information security, as it makes it possible to integrate any desired applications which are uniformly secure. In the case of stage-by-stage installation, IP VPN security solutions which are already in operation, such as Secure Messaging, can be linked to new IP applications right from the start.

‘IP Packaged’ Applications

However, existing communication technologies will remain in use for many years. On the other hand, it is difficult to imagine any long-term solution other than IP for really continuous and robust C4ISTAR platforms. The transition will not, however, take place as rapidly as many people expect.

At the infrastructure level, it is possible to accelerate integration by incorporating applications on Network Layer 3 into the IP protocol. As IP is ‘triple play enabled’ – i.e. can transport all desired applications (voice, data, messaging, video) – the pure transportation function can be consigned to OSI layers located at a lower level (3 and deeper) in the network hierarchy (using technologies such as PDH / SDH, Internet). If the necessary bandwidth is available, ‘everything really is possible’ de facto. In the case of certain technologies such as short-wave or PMR, certain physical limitations of transportation cannot be exceeded, but, with suitable compression procedures, IP solutions for mobile / portable applications can already be realised up to and including the farthest branches of the C4ISTAR structure (particularly voice / IP radio and messaging).

Secure Separation Cannot be Guaranteed Before Encryption

Platform planning must, on the one hand, be implemented with continuity / uniformity in mind – on the other hand, separation cannot be resolved solely with elements of network technology, as only encryption can achieve this in an adequately reliable and secure fashion. Both cooperation and separation are managed very flexibly by means of a suitable multi-algorithm basis. This allows an independent hierarchy of users and permitted relationships to be determined within each of the participating organisations – cooperation procedures can still be determined separately.

However, it is essential for the encryption solution as a whole to accommodate the vastly differing requirements for this. Above all, it must be possible for all organisations using the platform to have their own security management with which they can implement their individual security policy autonomously.
