Gemini Computers, Incorporated
GTNP Version 1.01
|6 September 1994|
The Gemini Trusted Network Processor (GTNP) provides a Mandatory Network Trusted Computing Base (M-NTCB) for network components that implement a Mandatory Access Control (MAC) policy. In addition to providing multilevel security, the GTNP provides Data Encryption Standard (DES) encryption and concurrent processing. The GTNP is designed to support integration with other technologies and products to build a variety of secure network interconnection and secure data-sharing components for multilevel secure (MLS) and/or multiple security level (MSL) heterogeneous distributed information systems. In these systems, the GTNP provides the trusted underlying foundation upon which applications and protocols are built. Taking an open-architecture approach, users of the GTNP are not restricted to a single application or suite of protocols; rather, applications and protocols may be developed to run on top of the structured base provided by the GTNP to support the specific network requirements or network component composition, without affecting the M-NTCB.
The GTNP is based on the Gemini Multiprocessing Secure Operating System (GEMSOS) Security Kernel (Kernel). The Kernel is a mandatory security reference monitor that enforces a lattice-based MAC policy for both secrecy (confidentiality) based on the Bell-LaPadula model, and integrity based on the Biba model. Support is provided for up to 16 secrecy levels, 64 secrecy categories, 16 integrity levels, and 32 integrity categories. The Kernel implements real time, priority-based scheduling to provide multiprogramming and multiprocessing to support concurrent computing including parallel and pipeline processing.
The GTNP uses DES encryption and cryptographic checksum mechanisms, together with a trusted key management algorithm and other controls to implement trusted distribution. It insures that critical software and hardware are controlled with a high level of assurance throughout their life-cycle.
The GTNP hardware includes a tightly coupled multiprocessing architecture that supports up to eight Intel 80x86 processor boards (a mixture of i486, i386, and 80286 processors), memory boards, and device interface boards on the IEEE standard 796 system bus, Multibus I. The PC bus supports single processor GTNP configurations. All evaluated configurations utilize the Gemini System Controller board, which provides the hardware DES encryption device and bus-arbitration circuitry.
The GTNP supports network interfaces for local area networks using Ethernet and RS-232, and X.25 wide area networks using High-Level Data Link Control (HDLC) protocol; a preallocated address interface (Multibus I); and a virtual machine monitor interface. GTNP Version 1.01 is designed to support single-level network protocols outside the TCB without affecting the evaluation rating of the GTNP.
The GTNP software architecture is implemented on the 80x86 multi-state machine consisting of four hierarchical hardware enforced privilege levels. The Kernel is in the highest privileged level (PL0). The GTNP uses the remaining three privilege levels (PL1, PL2, PL3) to implement eight hierarchical rings that can be used to separate processes into different domains. The hierarchical architecture can be used to implement other Network Trusted Computing Base (NTCB) components defined in the TNI, enforcing different security and supporting policies.
Trusted GTNP software is implemented within the lower 5 (more privileged) rings and the Kernel. Applications software is implemented in the higher 3 (less privileged) rings to facilitate effective evaluation of new applications and minimize re-evaluation of the GTNP.
The GTNP supports two types of composite structures: the first is based on the NTCB paradigm of the TNI; the second is based on the TCB Subset paradigm of the TDI. Using these composite structures, enforcement of the overall network security policy may be allocated to the various NTCB components or TCB subsets, with the MAC policy enforcement allocated to the GTNP (and, if necessary, other M-components). Other policies can then be enforced by proper integration of other products with the GTNP.
Within the NTCB paradigm, a secure distributed system with a coherent Network Security Architecture and Design would be composed of multi-vendor network components which can be evaluated in one of two views: the Interconnected Accredited AIS view or the single Trusted System view. The GTNP has been used as the Mandatory Component together with NTCB components provided by other products for trusted security guards, firewalls, access controllers and key distribution centers applications.
Within the TCB Subset paradigm, the overall system TCB would be composed of a number of separately evaluated TCB subsets. The GTNP's hierarchical ring abstraction would be used to provide a layered foundation in which the system TCB is composed of separate trusted software components with distinct domains, i.e, each TCB subset occupies a different ring.
The GEMSOS Security Kernel has been shipped as a commercial product since 1985.
The security protection provided by the Gemini Trusted Network Processor, configured according to the most secure manner described in the Trusted Facility Manual, has been evaluated by the National Computer Security Center (NCSC) against the requirements specified by the Department of Defense Trusted Computer System Evaluation Criteria [DOD 5200.28-STD] dated December 1985, as interpreted by the Trusted Network Interpretation of the Trusted Computer System Evaluation Criteria [NCSC-TG-005, Version-1], dated 31 July 1987. The GTNP has been evaluated against Appendix A of the Trusted Network Interpretation.
The National Security Agency (NSA) evaluation team has determined that the highest class at which the Gemini Trusted Network Processor satisfies all of the specified requirements of the Criteria as interpreted by the Network Interpretation is as an A1 Mandatory-Only Network Component. As a result, the GTNP can potentially be incorporated into a network system that can meet the Trusted Network Interpretation (of the Trusted Computer System Evaluation Criteria) (TNI) part I requirements for class A1 and several of the TNI part II requirements.
A system that has been rated as being an A division system is characterized by the use of formal security verification methods to assure that the controls provided by the system can effectively protect classified or other sensitive information stored or processed by the system. The system architecture is that of a minimized security reference monitor. Extensive documentation is required to demonstrate that the Trusted Computing Base (TCB)* meets the security requirements in all aspects of design, development, and implementation.
M-Components are components that provide network support of the Mandatory Access Control (MAC) Policy as specified in the TNI. M-Components do not include the mechanisms necessary to completely support any of the other network policies (Discretionary Access Control, Identification and Authentication, and Audit) as defined in the interpretation.
Gemini Computers, Incorporated is participating in the Ratings Maintenance Phase (RAMP) Program for the Gemini Trusted Network Processor. Future changes to the evaluated system will continue to be reviewed via RAMP so as to maintain the rating of the system.
For a complete description of how the Gemini Trusted Network Processor satisfies each requirement of the Criteria, see Final Evaluation Report, Gemini Trusted Network Processor (Report No. CSC-EPL-94/008). The report should also be consulted for an exact list of the evaluated hardware components.
*: In the case of network component evaluations, this demonstration is for the Network TCB (NTCB) component partition.