Interceptor™ Optical Network Security System Design Guide
Chapter 2: Physical Security Classifications
Copyright © 2010 Network Integrity Systems, Inc. All rights reserved.
The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Network Integrity Systems, Inc. The software described in this document is furnished under a license agreement and may be used only in accordance with the terms of that license. The software license agreement is included in this document.
Trademarks
Network Integrity Systems, Inc., the Network Integrity Systems, Inc. logo, and Interceptor are trademarks of Network Integrity Systems, Inc. Other brands and product names are trademarks or registered trademarks of their respective holders.
Statement of Conditions
In the interest of improving internal design, operational function, and/or reliability, Network Integrity Systems, Inc. reserves the right to make changes to the products described in this document without notice. Network Integrity Systems, Inc. does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.
INTERCEPTOR™ Design Guide | Chapter 2 | Physical Security Classifications
It is common for customers and end users to be concerned with whether it is necessary to install a PDS. According to the requirements specified by NSTISSI 7003 and the Information Assurance guidance issued by the various DOD services and government agencies, a PDS must be installed for every instance of a network carrying classified information that passes through or terminates in an area that either has no access control to limit personnel access to the network or PDS, or is a sensitive compartmented information facility (SCIF) or controlled access area (CAA) but has a lower classification level than the network traffic.
Therefore, understanding the security classifications of an area where the network is being installed is absolutely critical. However, it is even more important to consider the future changes that may take place both in the classification level of traffic being carried by the network cables that are installed and also in the organization or facility itself, especially from a total cost of ownership perspective. These changes could impact not only the extent of your PDS deployment, but also the type of PDS.
When determining whether you need a PDS, you should consider both immediate and long-term requirements and the potential impact of organization changes.
The INTERCEPTOR Alarmed Carrier System (ACS) is approved up to SCI (Sensitive Compartmented Information) level data, and therefore can be kept in place as your classification level increases.
Figure 1 provides a basic understanding of the different security classifications currently in use.
Figure 1: Building layout showing UCA, LCA, CAA. [Figure not reproduced; labeled elements: Restricted Access Area (RAA) with dual Workstation (WS) and printer; Secure Room with Workstation and Printer; Unclassified Workstation and Printer; Equipment Room Secure Room; Controlled Access Area (CAA) without window; RAA Corridor; Limited Access Area (LAA) Corridor; Controlled Access Area (CAA) with windows and Workstation and printer; Pull Box; Protected Distribution System (PDS); Printer in Lock Box; Non-PDS cable run.]
© 2010 Network Integrity Systems, Inc. – All Rights Reserved – Issue DG.8.2010
Controlled Access Areas (CAAs), also known as Restricted Access Areas (RAAs), which are similar to *SCIFs, are areas where the entire building or workcenter is under direct physical control; only pre-screened, authorized personnel are allowed access to these areas. All unauthorized personnel are denied unrestricted access and are required to be escorted by authorized personnel at all times while present. Each CAA or RAA is accredited at a specific classification level, such as SECRET or Top Secret. Authorized personnel must possess security clearances at or above the level of classification of the CAA or RAA.
A PDS may be required in a CAA or RAA if one of the following conditions exists:
1. The classification of the network traffic exceeds the classification of the CAA or RAA (e.g., a JWICS network is installed through a CAA classified at the SECRET level); or
2. Foreign nationals are authorized to work in the CAA or RAA and have unrestricted access to the network or PDS.
Limited Control Access Areas (LCAs) are areas outside of CAAs or RAAs where there are some physical controls that limit general public access to the areas. Examples of LCAs include military installations or agency campuses that employ identification checks at the entrance gates, office buildings with card swipe locks or other forms of access control, and in general use areas such as hallways, maintenance rooms, break rooms, and restrooms. A PDS is always required for any unencrypted classified network deployments in or through an LCA.
Many agencies have recently retracted previous PDS waivers for SIPRNet network deployments that traverse a hallway or breakroom. The systems must utilize a PDS.
Uncontrolled access areas (UCAs) are any areas where there are no physical access controls, allowing free and unrestricted access to the immediate population or to the general public. A PDS is always required for any unencrypted classified network deployments in or through a UCA.
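To make the area rules above concrete, here is an added Python example (not Network Integrity Systems code and not part of this design guide) that walks a cable route segment by segment and applies the chapter's rules: in a CAA or RAA a PDS is required when the traffic classification exceeds the area's accreditation or when foreign nationals have unrestricted access; in an LCA or UCA a PDS is always required for unencrypted classified traffic. The classification ordering (UNCLASSIFIED < CONFIDENTIAL < SECRET < TOP_SECRET < SCI), the `Segment` and `Network` data model, the sample route and the traffic levels assigned to the SIPRNet and JWICS examples are assumptions made for illustration. Running the same route first for a SECRET-level network and then for an SCI-level network shows how the extent of the PDS deployment grows when the traffic classification rises, which is the total-cost-of-ownership point made earlier in the chapter.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Level(IntEnum):
    """Assumed classification ordering, lowest to highest.

    The chapter names SECRET, Top Secret and SCI but does not spell out a
    numeric ranking; this ordering is an assumption of the example.
    """
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3
    SCI = 4


@dataclass
class Segment:
    """One stretch of a cable route that lies within a single area."""
    name: str
    area: str                              # "CAA" (covers RAA/SCIF), "LCA" or "UCA"
    area_level: Optional[Level] = None     # accreditation level; CAAs only
    foreign_nationals_unrestricted: bool = False


@dataclass
class Network:
    """The traffic the cable carries."""
    name: str
    traffic_level: Level
    encrypted: bool = False


def pds_required(net: Network, seg: Segment) -> tuple[Optional[bool], str]:
    """Apply the chapter's rules to one segment.

    Returns (True, why) when a PDS is required, (False, why) when the rules
    do not call for one, and (None, why) when the rules as stated do not
    decide the case (encrypted classified traffic outside a CAA).
    """
    if net.traffic_level == Level.UNCLASSIFIED:
        return False, "unclassified traffic"
    if seg.area == "CAA":
        if seg.area_level is None:
            raise ValueError(f"{seg.name}: a CAA must have an accreditation level")
        # Rule 1: traffic classification exceeds the area's accreditation.
        if net.traffic_level > seg.area_level:
            return True, (f"{net.traffic_level.name} traffic exceeds "
                          f"{seg.area_level.name} accreditation")
        # Rule 2: foreign nationals with unrestricted access to the network.
        if seg.foreign_nationals_unrestricted:
            return True, "foreign nationals have unrestricted access"
        return False, "accredited at or above the traffic level"
    if seg.area in ("LCA", "UCA"):
        # Unencrypted classified traffic always needs a PDS here.
        if not net.encrypted:
            return True, f"unencrypted classified traffic in a {seg.area}"
        return None, f"encrypted traffic in a {seg.area}: not decided by these rules"
    raise ValueError(f"{seg.name}: unknown area type {seg.area!r}")


def assess_route(net: Network, route: list[Segment]) -> list[tuple[str, Optional[bool], str]]:
    """Evaluate every segment of a route for one network."""
    return [(seg.name, *pds_required(net, seg)) for seg in route]


def segments_needing_pds(net: Network, route: list[Segment]) -> list[str]:
    """Names of the segments where a PDS is required."""
    return [name for name, required, _ in assess_route(net, route) if required]


# Constructed sample route (assumption): an equipment room accredited at
# Top Secret, a corridor that is an LCA, and an analyst workcenter
# accredited at SECRET.
ROUTE = [
    Segment("equipment room", "CAA", Level.TOP_SECRET),
    Segment("corridor", "LCA"),
    Segment("analyst workcenter", "CAA", Level.SECRET),
]
SIPRNET = Network("SIPRNet", Level.SECRET)   # assumed SECRET-level traffic
JWICS = Network("JWICS", Level.SCI)          # assumed SCI-level traffic

if __name__ == "__main__":
    for net in (SIPRNET, JWICS):
        print(f"{net.name} ({net.traffic_level.name}):")
        for name, required, why in assess_route(net, ROUTE):
            verdict = {True: "PDS required", False: "no PDS needed", None: "undecided"}[required]
            print(f"  {name:20} {verdict:14} {why}")
```

For the SECRET-level network only the corridor needs a PDS; for the SCI-level network every segment does, including the two CAAs that were adequate before. The `None` outcome is deliberate: the chapter only states that unencrypted classified traffic always needs a PDS in an LCA or UCA, so the example refuses to guess about the encrypted case rather than silently answering "no".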
Frequently, an organization deploys a PDS system in one facility only to relocate to another facility or to consolidate with another organization. These changes can have a significant effect on the security classifications that impact network security and the need for PDS systems. Forecasting changes such as these is critical when evaluating which type of PDS to deploy. While flexibility and scalability are important, they should never compromise the security of the network.
* A Sensitive Compartmented Information Facility (SCIF) is an enclosed area within a building that is used to process Sensitive Compartmented Information (SCI) level classified information. SCI is classified information concerning or derived from intelligence sources, methods, or analytical processes, which is required to be handled within formal access control systems established by the Director of Central Intelligence (DCI). Some entire buildings are SCIFs where all but the front foyer is secure. Access to SCIFs is limited, and all of the activity and conversation inside is presumed restricted from public disclosure. A SCIF can also be located in a mobile configuration and can be deployed using air, ground or maritime resources.