NSA extends access control to network storage

NSA extends access control to network storage
NSA extends access control to network storage

  This message is in MIME format.  The first part should be readable text,
  while the remaining parts are likely unreadable without MIME-aware tools.

Content-Transfer-Encoding: QUOTED-PRINTABLE

By Joab Jackson

PHILADELPHIA =E2=80=94 The National Security Agency is leading an effort to 
extend its access control work into the arena of network file storage. 
The effort involves integrating NSA's Flask mandatory access control 
(MAC) architecture =E2=80=94 now the basis of Security-Enhanced Linux (SELinux) 
=E2=80=94 into the Network File System (NFS) protocol widely used for 
network-attached storage devices.

David Quigley of NSA's National Information Assurance Research 
Laboratory presented the latest work on the project, called Labeled NFS 
at the 71st meeting of the Internet Engineering Task Force this week in 
Philadelphia. IETF currently oversees the NFS protocol.

NSA initiated and led the effort to develop SELinux, an implementation 
of NSA's Flask MAC architecture for Linux. With MAC, programs and users 
are assigned attributes such as security levels. Whenever a program 
spawns a process thread or calls a file, the attributes are checked 
against the organization=E2=80=99s authorization rules.

By deploying MAC, organizations can ensure that machine intruders don't 
hijack programs to execute malicious tasks, and they can prevent 
employees from accessing documents they don't have permission to view.

Labeled NFS extends those features across the network. By having NFS 
handle MAC labels, someone using a trusted computer can read and write 
files and execute programs that reside on NFS-based network storage. 
Today, the Flask architecture requires that all programs and files be 
stored locally.

Labeled NFS can work in smart mode, which allows the file server to make 
access control decisions, or dumb mode, which means it takes 
instructions from the client machine.

James Morris, principal software engineer at Red Hat, published the 
first recommendation for this approach, originally called Security 
Enhanced NFS, last summer. The company incorporates SELinux into its Red 
Hat Enterprise Linux operating system.

In addition to SELinux, Labeled NFS could also support Solaris Trusted 
Extensions, TrustedBSD and Security Enhanced Darwin, a MAC-enhanced 
version of the Apple operating system.

Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Subscribe to InfoSec News 

Site design & layout copyright © 1986-2014 CodeGods