ARL PET Project


ARL-CY4-IC--4

Institution Name: NPAC/Syracuse University
Project Identifier: ARL-CY4-IC--4
Project Title: Secure Implementation of Tango
POC: Bernholdt, David E
Email: bernhold@npac.syr.edu
Phone: 315 443 3857
Fax: 315 443 1973
CTA: IC
Project Description: This project is intended to increase the information security of the Tango Interactive framework, in order to make it more useful in contexts where security concerns would prevent use of the current system.
Project Objectives: Tango Interactive (TI) has made great progress recently
throughout the PET program. This includes both the basic
capability and robustness of the system and also its use and
acceptance within the PET community. So far this acceptance
has primarily been in the area of education and training,
consistent with a staged roll-out of the system from more
controlled environments to less. We propose to provide the
basic support necessary for continued and expanded use of
Tango for education and training as well as focus on
increasing collaborative use of the system.

Computer-based collaboration systems potentially pose a
serious security risk. Since the basic functionality of
collaboration systems is information sharing, there is
inherent risk of exposing classified information to
collaboration participants without sufficient clearances.
Current implementations of most collaboration systems treat
security issues as secondary in importance. Desktop
collaboration systems are yet to be accepted by DoD
communities. Imposing strict access rules on systems with a
relatively weak following in the user community is almost
certain to discourage users from accessing the system in the
first place. This conundrum can only be solved by
integrating collaboration systems with existing security
infrastructure, allowing seamless access. Hence, we must
assume that the runtime of a secure collaborative system must
be able to access the infrastructure and data of a secure
site. This can only be allowed if the collaboration system
itself can be trusted.

This analysis, if correct, implies that the implementation
of a secure collaboration system must proceed in two phases.
In phase one, the collaborative backbone itself must be
secured so that it cannot be easily attacked to divulge
sensitive information. In phase two, such a secure
infrastructure must be integrated with basic security
infrastructure, such as the Kerberos framework.

The following tasks are necessary to turn the collaborative
backbone of Tango Interactive into a secure system.

· Adding support for SOCKS protocol to Tango client to
enable seamless use of the system across firewalls.

This will cover situations where users of a restricted-
access site are placed behind a firewall, and they wish to
collaborate with either Internet users or with partners on
another secure site. In either case, TI messages must
traverse a firewall or two. SOCKS proxy servers provide
tunneling of arbitrary protocols, and they are quickly
becoming a part of the pervasive security infrastructure.
Using such a server, it is possible to let the firewall permit
only TI-specific traffic among trusted users (see below).

· Adding SOCKS support to BuenaVista videoconferencing
agent for the same purpose.

Additional effort is needed to support secure UDP
transmission used by BuenaVista for media transport.

The two items above, combined with the usual proxying of the
HTTP servers, would ensure easy deployment of TI tools across
standard firewalls.

· Transition to SSL (secure socket layer) to provide
encryption for all communications between TANGO Interactive
server and the clients, and digital certificate support.

One of the popular system break-in strategies is to install
a software module impersonating the legitimate agent. This
is quite easily done if the protocol used to exchange
information is widely known. The TI framework does not expose
the protocol, providing instead an API, but this solution,
while a little more secure, does not preclude implementation
of rogue software agents. The standard remedy for this type of
attack is to provide all software agents in the distributed
system with digital signatures that can attest to their
true identity. This technology is now used as a standard in
e-commerce, not only securing transactions but also providing
a means to exclude transaction deniability.

We propose to enhance both the TI server and client agents so
that they will be able to accept digital certificates and
present them to each other upon system startup, so that any
potential rogue agents are automatically excluded. This will
also enable use of the secure socket layer to, for all
practical purposes, eliminate attacks via subnet sniffing.
With these two measures implemented, a secure site
administrator will be able to ensure the integrity of the
entire distributed collaborative system.

· User authentication and access control: this is an
obvious measure. The collaborative backbone must be able to
determine a user's eligibility to access the session manager.
TI v. 2.0 supports this capability. A significant enhancement
to the authentication and access control is support for the
so-called "roles". According to this concept, every user
accessing the system may have one or more "roles" that, in
the context of the Session manager itself as well as in the
application context, can provide more granular control of
access to different types of information. TI v.2
supports a basic version of the "roles", but additional work
is needed to create standard information services and their
interpretation for application modules' developers so that
they can flexibly implement various information access
policies in collaborative systems.

Assuming implementation of phase 1 of the project,
we can now design and implement phase 2: a seamless
integration with the existing security infrastructure.
The DoD has accepted Kerberos as the infrastructure
supporting system-wide user identification. The goal of
phase 2 of the project would be to use Kerberos tickets to
authenticate and admit users to the collaborative
backbone. This mechanism should be added to the menu
of existing authentication methods as a user-selectable
alternative, to benefit from the user
information available on secure networks. This effort
requires design and implementation of tools to access
Kerberos repositories from the collaboratory backbone
as well as methods for the system to verify Kerberos
tickets. The proposed work is in step with the
methodology being designed by the Gateway project to
provide secure access to distributed computational
resources located on secure networks with restricted
access, and hence can be leveraged.
Deliverables: SOCKS support for Tango
SOCKS support for BuenaVista
Enhanced security of BV's UDP-based data transport
Transition to SSL for all Tango client-server communications
Support for digital certificates to authenticate system components
User authentication and access control (including Kerberos support)

Customers/End Users: All users of Tango Interactive
Benefit to Warfighter: This project will provide better protection for data transmitted in Tango collaborative sessions, and expand the potential applications in situations where information security concerns might previously have prevented its use.
Project Dependencies: The project builds on previous work on the development of Tango Interactive, and especially version 2.
Risk Element: This proposal will apply accepted industry tools/techniques to improve the security of Tango Interactive. These techniques are in line with present security policies in place in the Modernization Program, but there is always some risk that these policies could change.
Year X Funding:
Year X+1 Funding:
Year X+2 Funding: