News
NSA Extends Access Control to Network Storage
- By Joab Jackson
- 03/12/2008
The National Security Agency is leading an effort to extend its access control
work into the arena of network file storage. The effort involves integrating
NSA's Flask mandatory access control (MAC) architecture -- now the basis of
Security-Enhanced Linux (SELinux) -- into the Network File System (NFS) protocol
widely used for network-attached storage devices.
David Quigley of NSA's National Information Assurance Research Laboratory presented
the latest work on the project, called Labeled
NFS, at the 71st meeting of the Internet Engineering Task Force this week
in Philadelphia. IETF currently oversees the NFS protocol.
NSA initiated and led
the effort to develop SELinux, an implementation of NSA's Flask MAC architecture
for Linux. With MAC, programs and users are assigned attributes such as security
levels. Whenever a program spawns a process thread or calls a file, the attributes
are checked against the organization's authorization rules.
By deploying MAC, organizations can ensure that machine intruders don't hijack
programs to execute malicious tasks, and they can prevent employees from accessing
documents they don't have permission to view.
Labeled NFS extends those features across the network. By having NFS handle
MAC labels, someone using a trusted computer can read and write files and execute
programs that reside on NFS-based network storage. Today, the Flask architecture
requires that all programs and files be stored locally.
Labeled NFS can work in smart mode, which allows the file server to make access
control decisions, or dumb mode, which means it takes instructions from the
client machine.
James Morris, principal software engineer at Red Hat, published
the first recommendation for this approach, originally called Security Enhanced
NFS, last summer. The company incorporates SELinux into its Red Hat Enterprise
Linux operating system.
In addition to SELinux, Labeled NFS could also support Solaris Trusted Extensions,
TrustedBSD and Security Enhanced Darwin, a MAC-enhanced version of the Apple
operating system.
About the Author
Joab Jackson is the chief technology editor of Government Computing News (GCN.com).