The Trusted Network Evaluation Criteria

Copyright(c), 1990, 1995 Fred Cohen - All Rights Reserved

The Trusted Network Evaluation Criteria (TNEC) [TNEC85] was written by the U.S. Department of Defense (DoD) Computer Security Center (CSC) to classify computer networks and their constituent components into four hierarchical levels of enhanced security protection. The first draft of this document was completed for review on July 29, 1985 and remains in a preliminary form. It was based upon the DoD's Trusted Computer System Evaluation Criteria (TCSEC) and shares both terminology and evaluation criteria with the older document [Klein83].

The TNEC has three objectives: to provide network users with a metric with which to assess the degree of trust that can be placed in networks for secure transmission of classified or other sensitive information; to provide guidance to manufacturers as to what to build into their new, widely available, trusted commercial products in order to satisfy trust requirements for sensitive communications; and to provide a basis for specifying security requirements in acquisition specifications. The TNEC document is divided into three parts. Part 1 deals with the network as a whole, Part 2 deals with individual network components, and Part 3 (scheduled for later release) provides rationale and guidelines. The document also contains appendices describing the relationship between the TNEC and the TCSEC and the interconnection rules it dictates.

The TNEC defines a 'trusted network base' (TNB) as the totality of all protection mechanisms within a network and a 'trusted network component base' (TNCB) as the totality of protection mechanisms within a network component. A protection mechanism can be any hardware or software tool used to protect information within a network.

Like the TCSEC, the TNEC is used to classify systems into four hierarchical levels according to their degree of information protection. These are, in order of increasing protection, ND, NC, NB, and NA. Unlike the TCSEC, these are independently applied to three different issues: data compromise, erroneous communications, and denial of service. It is entirely possible that a network receiving an NA rating for data compromise may receive only an NB, NC, or ND rating for erroneous communications or denial of service. For a network to receive a given rating, the Part 1 criteria must be satisfied for the network as a whole, and the Part 2 criteria must be satisfied for each trusted component of the network.

Within each of the four levels, the basic issues of data compromise, erroneous communications, and denial of service are evaluated against each of the four major sets of criteria from the TCSEC: security policy, accountability, assurance, and documentation.

Data compromise protection consists of the implementation of a set of rules used to determine whether a given subject is permitted to access a given object. Erroneous communication protection is a set of mechanisms used to ensure that information is accurately transmitted from source to destination. Denial of service protection is a set of mechanisms used to ensure some continuing level of performance. The TNEC claims that erroneous communications and denial of service are only problems in networks and were therefore not addressed in the TCSEC, but clearly both are possible in any system. This claim may stem from the fact that both were left out of the TCSEC, which was also written by the DoD CSC.

The TNEC also claims that the state of the art has not progressed to the point where one can precisely define mathematical models for either erroneous communications or denial of service conditions. This implies that an NA division rating can presently be achieved only for data compromise. This claim is also highly dubious. Information theory has been addressing the problem of communications errors for many years, and integrity protection in operating systems has been studied simultaneously with secrecy. Denial of service has been studied extensively for many years, and relatively comprehensive theories of availability are widely applied in the area of fault tolerant computing.

The lowest security level is division ND. It is termed 'minimal protection' and in fact contains no security features which are trusted to protect against the three primary issues. The only qualification required to meet this level is that the network be evaluated.

Division NC is referred to as 'controlled access protection'. This level provides minimal protection for data compromise, erroneous communications, and denial of service, but the network is not required to make decisions based on the classification of subjects and objects. This means that labels are not required, and if they are present the TNB need not use them for access control. The decisions pertaining to classification of information are only made administratively. This gives the network administrator absolute control over the ways in which subjects access objects.

The next highest level of security is Division NB, and is known as 'mandatory protection'. This level adds requirements to NC in that the TNB is based on a clearly defined and documented security policy model that requires mandatory access control enforcement over all network subjects and objects. Labels are supported at this level to indicate the security level of network subjects and objects, and all accesses must be checked by the TNB to protect against data compromise. Covert channels are addressed at this level along with configuration management controls. It is expected that at this level the TNB will be divided into protection and non-protection critical parts and the design and implementation will make it possible for more thorough testing and review. Finally, this level calls for trusted system management which is implemented through the use of network administrator and operator functions.
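To make the difference between the NC and NB decision procedures concrete, here is an added example (not from the TNEC or from this review) of a toy reference monitor. The NC-style monitor consults only the administrator's permission table, so labels on subjects and objects, even if present, play no part in the decision. The NB-style monitor mediates every access by checking the same table and then the labels: reads require the subject's label to dominate the object's, and writes require the object's label to dominate the subject's, which is the lattice rule of the TCSEC's Bell-LaPadula model and is assumed here rather than quoted from the TNEC. The level names, category names, subjects, objects and permission table are constructed for illustration.

```python
"""Toy reference monitor contrasting NC-style (administrative, label-free) and
NB-style (mandatory, label-checked) access decisions.

Added example; the level lattice, categories, subjects, objects and the
permission table below are constructed, not taken from the TNEC.
"""
from dataclasses import dataclass

# Hierarchical sensitivity levels, lowest to highest (constructed ordering).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """Security label: a hierarchical level plus a set of non-hierarchical categories."""
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # A dominates B iff A's level is at least B's and A carries every category B carries.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.categories <= self.categories)


@dataclass(frozen=True)
class Subject:
    name: str
    label: Label


@dataclass(frozen=True)
class Obj:
    name: str
    label: Label


class DiscretionaryMonitor:
    """NC-style decision: the administrator's permission table is the only check.
    Labels may exist on subjects and objects but are never consulted."""

    def __init__(self, acl: dict):
        # acl maps (subject_name, object_name) -> set of permitted modes.
        self.acl = acl

    def check(self, subject: Subject, obj: Obj, mode: str) -> bool:
        return mode in self.acl.get((subject.name, obj.name), set())


class MandatoryMonitor(DiscretionaryMonitor):
    """NB-style decision: every access is mediated, and the label rule is applied
    on top of the administrative grant (assumed Bell-LaPadula rule)."""

    def check(self, subject: Subject, obj: Obj, mode: str) -> bool:
        if not super().check(subject, obj, mode):
            return False                      # no administrative grant, deny
        if mode == "read":
            # Simple security property: no read up.
            return subject.label.dominates(obj.label)
        if mode == "write":
            # *-property: no write down (blocks the obvious leak channel).
            return obj.label.dominates(subject.label)
        return False                          # unknown mode, fail closed


def demo() -> dict:
    """Run a constructed set of requests through both monitors.

    Returns {(subject, object, mode): (nc_decision, nb_decision)}."""
    alice = Subject("alice", Label("CONFIDENTIAL"))
    bob = Subject("bob", Label("SECRET", frozenset({"CRYPTO"})))
    plan = Obj("plan.txt", Label("SECRET", frozenset({"CRYPTO"})))
    memo = Obj("memo.txt", Label("CONFIDENTIAL"))

    # Constructed administrative permission table. Note the grant of plan.txt
    # to alice: at NC it is honoured, at NB the label check overrides it.
    acl = {
        ("alice", "plan.txt"): {"read"},
        ("alice", "memo.txt"): {"read", "write"},
        ("bob", "plan.txt"): {"read", "write"},
        ("bob", "memo.txt"): {"read", "write"},
    }
    nc = DiscretionaryMonitor(acl)
    nb = MandatoryMonitor(acl)

    requests = [
        (alice, plan, "read"),    # read up: NC allows, NB denies
        (alice, plan, "write"),   # no grant at all: both deny
        (bob, plan, "read"),      # labels equal: both allow
        (bob, memo, "write"),     # write down: NC allows, NB denies
        (bob, memo, "read"),      # read down: both allow
        (alice, memo, "write"),   # same level: both allow
    ]
    return {(s.name, o.name, m): (nc.check(s, o, m), nb.check(s, o, m))
            for s, o, m in requests}


if __name__ == "__main__":
    for (s, o, m), (nc_ok, nb_ok) in demo().items():
        print(f"{s:6} {m:5} {o:9}  NC={'allow' if nc_ok else 'deny ':5}  NB={'allow' if nb_ok else 'deny'}")
```

The two requests where the monitors disagree are the ones the text is about: under NC an administrative grant is the whole decision, so a mistaken entry in the table lets a CONFIDENTIAL subject read a SECRET object, and a SECRET subject can copy what it read into a CONFIDENTIAL object; under NB both are refused by the label rule regardless of the table, which is what "all accesses must be checked by the TNB" buys.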

The highest hierarchical level of enhanced security protection, division NA, is known as 'verified design'. As the name suggests, this level augments the NB requirements by requiring verification that a TNB's design is correct. Some of the NA requirements include: the TNB must mediate all accesses of subjects to objects, it must be tamperproof, it must be easily testable, it must contain only protection-relevant code, and it must be designed to be simple.