Secure network operation has the same attributes as any other genuinely secure operation: it must ensure the confidentiality, integrity, authentication, non-repudiation, and availability of the data. Applying encryption to a data link addresses some, but not all, of these requirements. Encryption is necessary but not sufficient. Encryption algorithms are now good enough that brute-force attacks to guess the keys are no longer practical. The sophisticated adversary therefore attacks the platform instead in order to compromise the key. How, then, can you confidently protect valuable data under high levels of threat? Current directions in the high assurance community are based upon a well-designed layered approach.
A system can only be as robust as its foundation. The platform must guarantee data privacy and controlled information flow. The functional boxes and data flow arrows drawn by the system architect must be implemented with components that enforce the properties the architect tacitly assumed: that data is always safely contained in its box, that data flows only along the arrows he drew, and that there are no other arrows, not even unintended ones. Significant work has been done to provide high assurance platforms that deliver these guarantees. The most promising among them is the Multiple Independent Levels of Security (MILS) architecture.
The next layer is to connect the system’s nodes in a secure manner. This is a significant problem because the standard communications infrastructures can't be trusted. Protocol stacks such as TCP/IP are too large and complex to be analyzed with a level of rigor that guarantees, under all conditions, that data is only ever delivered to its intended recipient.
These problems are not insurmountable if we apply the basic principle of MILS: turn a large and complex problem into a number of smaller problems that can each be evaluated rigorously, leveraging guarantees that the components can interact only in authorized ways. This minimalist approach is accomplished by isolating communications security enforcement into a single module that is small and simple enough to permit highly rigorous analysis. This module, the Partitioning Communications System (PCS), assumes that the applications transmitting or receiving the data and the network infrastructure itself are hostile. These entities have no useful security properties and therefore need not be analyzed. The PCS takes complete responsibility for communications security.
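The following is an added illustration, not code from the article or from any real MILS or PCS implementation. It models the two ideas above in a toy: a flow policy (the architect's "arrows") that a single small module enforces on every message, and a hostile network that may forge, tamper with, or replay frames. The partition names (`sensor`, `fusion`, `display`), the frame layout, and the use of HMAC-SHA256 with a per-link key as the authentication primitive are all assumptions made for the example; confidentiality (link encryption) is deliberately left out so the flow-enforcement logic stays visible.

```python
"""Toy model of a PCS-style communications guard (constructed example).

Every message crosses exactly one trusted module, which (1) refuses any
flow not drawn in the policy, (2) authenticates frames with a per-link
HMAC key, and (3) rejects replays. Applications and the network are
treated as hostile, so the receiving side re-checks everything itself.
"""
import hashlib
import hmac
import json
import os

# The architect's arrows: the only (source, destination) flows permitted.
# Partition names are illustrative assumptions.
FLOW_POLICY = frozenset({("sensor", "fusion"), ("fusion", "display")})


class PolicyViolation(Exception):
    """A flow that the architect did not draw."""


class AuthFailure(Exception):
    """Frame is malformed, forged, tampered with, or replayed."""


class PCS:
    def __init__(self, policy, link_keys):
        self.policy = policy
        self.keys = link_keys          # {(src, dst): 32-byte key}, one key per arrow
        self.send_seq = {}             # last sequence number sent per flow
        self.recv_seq = {}             # highest sequence number accepted per flow

    @staticmethod
    def _tag(key, header, payload):
        # Authenticate header and payload together so neither can be swapped.
        return hmac.new(key, header + b"|" + payload, hashlib.sha256).digest()

    def send(self, src, dst, payload: bytes) -> bytes:
        # Enforce the flow policy before anything reaches the network.
        if (src, dst) not in self.policy:
            raise PolicyViolation(f"no authorized flow {src}->{dst}")
        seq = self.send_seq.get((src, dst), 0) + 1
        self.send_seq[(src, dst)] = seq
        header = json.dumps({"src": src, "dst": dst, "seq": seq}, sort_keys=True).encode()
        tag = self._tag(self.keys[(src, dst)], header, payload)
        # Frame: header \n hex(payload) \n hex(tag); hex keeps newlines out of fields.
        return header + b"\n" + payload.hex().encode() + b"\n" + tag.hex().encode()

    def receive(self, frame: bytes):
        try:
            header, payload_hex, tag_hex = frame.split(b"\n")
            meta = json.loads(header)
            src, dst, seq = meta["src"], meta["dst"], meta["seq"]
            if not isinstance(seq, int):
                raise ValueError("seq must be an integer")
            payload = bytes.fromhex(payload_hex.decode())
            tag = bytes.fromhex(tag_hex.decode())
        except (ValueError, KeyError, TypeError, UnicodeDecodeError):
            raise AuthFailure("malformed frame")
        # The header came over a hostile network: re-check the policy on receipt.
        if (src, dst) not in self.policy:
            raise PolicyViolation(f"no authorized flow {src}->{dst}")
        expected = self._tag(self.keys[(src, dst)], header, payload)
        if not hmac.compare_digest(expected, tag):     # constant-time compare
            raise AuthFailure("authentication tag mismatch")
        if seq <= self.recv_seq.get((src, dst), 0):
            raise AuthFailure("replayed or out-of-order frame")
        self.recv_seq[(src, dst)] = seq
        return src, dst, payload


def demo():
    """Exercise the guard against a well-behaved sender and a hostile network."""
    keys = {flow: os.urandom(32) for flow in FLOW_POLICY}   # constructed keys
    pcs = PCS(FLOW_POLICY, keys)
    results = {}

    frame = pcs.send("sensor", "fusion", b"temp=21.5")
    results["delivered"] = pcs.receive(frame)

    try:                                   # the network replays the frame
        pcs.receive(frame)
        results["replay"] = "accepted"
    except AuthFailure:
        results["replay"] = "rejected"

    try:                                   # an application tries an undrawn arrow
        pcs.send("sensor", "display", b"bypass fusion")
        results["unauthorized_flow"] = "sent"
    except PolicyViolation:
        results["unauthorized_flow"] = "rejected"

    # The network alters the payload in flight without knowing the link key.
    tampered = frame.replace(b"temp=21.5".hex().encode(), b"temp=99.9".hex().encode())
    try:
        pcs.receive(tampered)
        results["tampered"] = "accepted"
    except AuthFailure:
        results["tampered"] = "rejected"
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

Note that the receiving side does not trust the sender's policy check: the header is just bytes that arrived from the network, so the policy lookup and the authentication tag are verified again on receipt, and the tag is checked before the sequence number so that a forged frame cannot advance the replay window.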
Applications can now use these system security services as implementation components. Just as a house is only as secure as its foundation, secure applications must have robust foundations and trustworthy communications to result in a truly secure distributed system.