Data security: TRANSEC-compliant, IP-based VSAT network secures critical communications

Karl Fuchs

Protecting data is critical to government agencies and, most importantly, to the military. Incorporating Transmission Security (TRANSEC) into Time Division Multiple Access (TDMA)-based Communications on the Move (COTM) satellite systems is a necessity because, in combat situations, even a small spike in traffic can be a critical piece of intelligence for an adversary or foreign government.

The need to mask any government communications activity is readily apparent. Fortunately, TRANSEC for TDMA very small aperture terminal (VSAT) networks was developed to address these issues.

There is some confusion about the differences between Communications Security (COMSEC) and TRANSEC for secure data. The two are quite different in their data security characteristics.

TRANSEC has additional security components, including the ability to obfuscate any traffic volume or remote terminal activity information that could allow an adversary to infer useful information from activity levels. Although the encryption of the actual data traffic is viable with COMSEC, TRANSEC’s ability to obfuscate data flow and traffic engineering information provides a further layer of data security, masking information that an adversary could exploit. This applies to voice, video and data traffic alike, since an adversary can potentially tell voice from data by packet size or by the type of service field of a High Assurance IP Encryptor (HAIPE) encrypted tunnel.

TRANSEC, for example, provides for free slot allocation in the TDMA bandwidth distribution algorithm. With free slot allocation, an adversary measuring satellite transponder energy will see a constant “wall of data,” regardless of traffic profiles. Free slot allocation keeps the in-routes active regardless of actual traffic flows, and preserves the efficiencies of a TDMA system while obfuscating actual traffic volumes. This negates the risk of transmission activity being used as an intelligence-gathering mechanism.

TRANSEC contrasts with COMSEC, where the actual communications -- voice, video or data stream -- are encrypted but certain header information is sent in the clear. An example of COMSEC encryption in an IP network is any HAIPE. While the encryption of a HAIPE device is virtually impenetrable, the information in the IP header -- including the source address, destination address and, most importantly, the type of service (ToS) field -- is visible. With the IP header of a HAIPE-encrypted packet in the clear, an adversary can determine how much of the traffic stream is voice, video or data. More significantly, an adversary could determine when high-priority flash-override traffic has been initiated and from which location.

As the more secure transmission solution, TRANSEC offers relatively straightforward compliance for TDMA VSAT networks. The National Security Agency (NSA) has outlined the vulnerabilities inherent in IP-based TDMA transmission that must be addressed in order to provide true TRANSEC. These include:

  • Channel Activity – The ability to secure transmission energy to conceal traffic volumes;
  • Control Channel Information – Disguise traffic volumes to secure traffic source and destination;
  • Remote Acquisition Activity – Disguise the number of remotes acquiring into and dropping out of the network;
  • Hub and Remote Unit Validation – Ensure remote terminals connected to the network are authorized users;
  • Anti-Jam and Low Probability of Intercept – While a consideration, this is not a mandate by the NSA or any other organization.

Addressing these vulnerabilities by building a TRANSEC-compliant IP-based VSAT network is critical for secure voice, video and data communications. TRANSEC allows inserting dummy bursts from remotes already in the network and intentionally skipping acquisition bursts at times of high activity, ensuring an adversary sees only a random distribution of acquisition activity.
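The two obfuscation techniques described above, free slot allocation and randomized acquisition bursts, can be seen working in a small simulation. The following is an added example written for this page, not code from the article or from any vendor's product; the slot counts, traffic demands, join rates and the target acquisition probability are all constructed, and the model is deliberately simplified (one acquisition slot per frame, no collisions). It shows what a passive observer of transponder energy records in each frame with and without TRANSEC, and that under TRANSEC the visible acquisition pattern is determined by the hub's own random schedule rather than by which remotes are actually joining.

```python
import random

SLOTS_PER_FRAME = 32   # data slots in one TDMA frame (constructed value)
ACQ_PROB = 0.25        # how often the acquisition slot should *look* used under TRANSEC (constructed)


def observed_energy(demands, transec):
    """Energized data slots an eavesdropper counts in one frame.

    demands -- slots each in-network remote actually wants this frame.
    Without TRANSEC the count tracks real traffic; with free slot allocation
    every unused slot carries a dummy burst, so the frame is always full.
    """
    real = min(sum(demands), SLOTS_PER_FRAME)
    return SLOTS_PER_FRAME if transec else real


class AcquisitionChannel:
    """The shared acquisition slot, at most one burst per frame.

    Without TRANSEC a burst appears exactly when a remote tries to join, so
    the join pattern is visible. With TRANSEC the hub decides each frame,
    independently of demand, whether the slot should look used: a waiting
    joiner rides that burst if there is one, otherwise an in-network remote
    sends a dummy acquisition burst, and joiners that arrive in a frame that
    should look idle simply wait (acquisition is skipped at busy times).
    """

    def __init__(self, transec, seed=0):
        self.transec = transec
        self.rng = random.Random(seed)
        self.waiting = 0   # real remotes queued to acquire

    def step(self, new_joiners):
        """Advance one frame; return whether the acquisition slot was energized."""
        self.waiting += new_joiners
        if not self.transec:
            visible = self.waiting > 0
            self.waiting = 0   # toy model: everyone acquires at once, no collisions
            return visible
        visible = self.rng.random() < ACQ_PROB   # drawn without looking at demand
        if visible and self.waiting:
            self.waiting -= 1  # a real acquisition hides inside the scheduled burst
        return visible


def simulate(traffic, joins, transec, seed=0):
    """Return (energy per frame, acquisition burst per frame) as seen by an observer.

    traffic -- per frame, the list of slot demands of the in-network remotes
    joins   -- per frame, the number of new remotes trying to acquire
    """
    acq = AcquisitionChannel(transec, seed)
    energy = [observed_energy(d, transec) for d in traffic]
    bursts = [acq.step(j) for j in joins]
    return energy, bursts


# Constructed scenario: eight quiet frames, then a surge in both traffic and joins.
TRAFFIC = [[1, 1, 0]] * 8 + [[9, 8, 7]] * 8
JOINS = [0] * 8 + [2, 3, 1, 2, 0, 1, 2, 1]

if __name__ == "__main__":
    for mode in (False, True):
        energy, bursts = simulate(TRAFFIC, JOINS, mode, seed=7)
        print("TRANSEC" if mode else "plain  ", energy,
              "".join("#" if b else "." for b in bursts))
```

Run stand-alone, the plain mode prints an energy trace that jumps from 2 to 24 slots at the surge and an acquisition trace that lights up exactly when remotes join; the TRANSEC mode prints 32 slots in every frame and an acquisition trace that is identical no matter what join sequence is fed in with the same seed.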

Another challenge that TRANSEC can solve is that traffic volume and priority information can be gleaned by examining the in-band or out-of-band control information within a HAIPE-encrypted TDMA network. A TRANSEC solution can encrypt all Layer 2 information and all control information disseminated to the remotes, keeping an enemy from seeing any patterns.
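The difference between payload-only encryption and Layer 2 encryption, discussed for the HAIPE case above and in this paragraph, is easy to audit on a packet. The following is an added example, not code from the article or from any HAIPE or VSAT vendor: it builds a constructed IPv4 voice packet, applies a COMSEC-style transform that encrypts only the payload and a TRANSEC-style transform that encrypts the whole packet, then parses each result the way a passive observer would. The cipher is an HMAC-SHA256 counter-mode keystream standing in for the real link encryptor (an assumption made to keep the example in the standard library), and the key, nonce and addresses are constructed.

```python
import hashlib
import hmac
import struct

KEY = bytes(range(32))   # constructed network key, fixed so the example is repeatable
NONCE = b"\x00" * 8      # constructed per-burst nonce

# Standard DSCP code points an observer could map to a traffic class.
DSCP_CLASS = {46: "voice (EF)", 34: "video (AF41)", 0: "data (best effort)"}


def keystream_xor(key, nonce, data):
    """XOR data with an HMAC-SHA256 counter-mode keystream.

    Stand-in for the real link cipher (assumption); applying it twice with the
    same key and nonce restores the plaintext.
    """
    stream = b"".join(
        hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        for block in range((len(data) + 31) // 32)
    )
    return bytes(a ^ b for a, b in zip(data, stream))


def build_ipv4(src, dst, dscp, payload):
    """Minimal IPv4 packet: 20-byte header (checksum left zero) plus payload."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, dscp << 2, 20 + len(payload), 0, 0, 64, 17, 0,
        bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")),
    )
    return header + payload


def haipe_style(key, nonce, packet):
    """COMSEC model: only the IP payload is encrypted; the outer header stays readable."""
    return packet[:20] + keystream_xor(key, nonce, packet[20:])


def transec_style(key, nonce, packet):
    """TRANSEC model: the whole Layer 2 payload, IP header included, is encrypted."""
    return keystream_xor(key, nonce, packet)


def observer_view(wire):
    """What a passive eavesdropper learns by parsing the bytes as an IPv4 header.

    Returns None when the bytes do not even parse as IPv4.
    """
    if len(wire) < 20 or wire[0] >> 4 != 4:
        return None
    dscp = wire[1] >> 2
    return {
        "src": ".".join(str(b) for b in wire[12:16]),
        "dst": ".".join(str(b) for b in wire[16:20]),
        "dscp": dscp,
        "class": DSCP_CLASS.get(dscp, "unknown"),
    }


# Constructed packet: a voice packet (DSCP 46) between two private addresses.
PACKET = build_ipv4("10.0.0.5", "10.0.0.9", 46, b"\x11" * 40)

if __name__ == "__main__":
    print("HAIPE-style  :", observer_view(haipe_style(KEY, NONCE, PACKET)))
    print("TRANSEC-style:", observer_view(transec_style(KEY, NONCE, PACKET)))
```

The HAIPE-style output still reports the endpoints and classifies the flow as voice from the DSCP value even though every payload byte is unreadable; the TRANSEC-style output either fails to parse or yields random fields that bear no relation to the real packet. A real deployment would also pad bursts to a fixed size, which this example leaves out.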

A robust TRANSEC network requires the use of at least two network-wide keys for security. Automatic over-the-air key generation for TRANSEC makes it more secure, simpler and more convenient for the warfighter by removing the human from key distribution. Another advantage of automatic key generation and distribution is that it seamlessly enables a global COTM TRANSEC network.
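The reason two network-wide keys are needed is the rollover: while the hub pushes a new key over the air, bursts protected under the old key and under the new key are both in flight, and every party must be able to accept either until the switch completes. The following is an added example written for this page, not the article's or any vendor's key management protocol. It models a key ring holding a current and a next key, a rekey message in which the hub wraps the next key under the current one, bursts tagged with the id of the key that protects them, and a remote that follows the hub's switch. HMAC-SHA256 from the standard library stands in for the real key wrapping and burst protection (an assumption; only integrity is modelled, the confidentiality layer is left out to keep the rollover logic visible), and all keys and bursts are constructed.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32
TAG_LEN = 16


def mask_key(kek, key_id, key):
    """XOR a 32-byte key with an HMAC-derived mask bound to key_id (stand-in for real key wrapping).

    Each key_id is used once, so the mask is a one-time pad; applying the
    function again with the same inputs unwraps.
    """
    mask = hmac.new(kek, b"rekey" + key_id.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(key, mask))


class KeyRing:
    """At most two network-wide keys: the current one and the next one."""

    def __init__(self, key_id, key):
        self.keys = {key_id: key}
        self.current = key_id

    def install_next(self, key_id, key):
        self.keys = {self.current: self.keys[self.current], key_id: key}

    def activate(self, key_id):
        """Protect new bursts under key_id; the old key stays accepted until retired."""
        self.current = key_id

    def retire_old(self):
        self.keys = {self.current: self.keys[self.current]}


def protect_burst(ring, payload):
    """Tag a burst with the current key id and an HMAC over id and payload."""
    key_id = ring.current.to_bytes(4, "big")
    tag = hmac.new(ring.keys[ring.current], key_id + payload, hashlib.sha256).digest()[:TAG_LEN]
    return key_id + payload + tag


def accept_burst(ring, burst):
    """Return (key_id, payload) if the burst verifies under a key the ring holds, else None."""
    key_id = int.from_bytes(burst[:4], "big")
    key = ring.keys.get(key_id)
    if key is None:
        return None   # unknown key id: outside the network, or a retired key
    payload, tag = burst[4:-TAG_LEN], burst[-TAG_LEN:]
    expected = hmac.new(key, burst[:4] + payload, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(expected, tag):
        return None
    return key_id, payload


def hub_rekey(hub, next_id):
    """Hub side: generate the next key and send it wrapped under the current one."""
    next_key = secrets.token_bytes(KEY_LEN)
    hub.install_next(next_id, next_key)
    wrapped = mask_key(hub.keys[hub.current], next_id, next_key)
    return protect_burst(hub, b"REKEY" + next_id.to_bytes(4, "big") + wrapped)


def remote_handle(remote, burst):
    """Remote side: verify a burst, install a wrapped key, and follow the hub's key switch."""
    result = accept_burst(remote, burst)
    if result is None:
        return None
    key_id, payload = result
    if payload.startswith(b"REKEY"):
        next_id = int.from_bytes(payload[5:9], "big")
        remote.install_next(next_id, mask_key(remote.keys[key_id], next_id, payload[9:]))
        return b"REKEY"
    if key_id != remote.current:
        remote.activate(key_id)   # hub has moved to the next key: follow it
        remote.retire_old()
    return payload
```

Note the order of operations on the hub: it activates the next key only after the rekey message has gone out, and retires the old key only once the remotes have switched, otherwise a remote still transmitting under the old key would be cut off mid-rollover. A terminal that never received the rekey message, or a device holding a different key under the same id, produces bursts that fail verification and are dropped.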

Hub and remote unit validation is critical to TRANSEC. In TDMA networks, remotes are routinely coming into and dropping out of the network, and this is especially true of networks with COTM terminals where vehicles are traveling under bridges and behind buildings. This type of dynamic environment gives an adversary a greater opportunity to obtain a VSAT remote through licit or illicit channels, spoof the device ID and insert a rogue remote into a secure network. Equally feasible is an adversary acquiring a VSAT hub terminal and coaxing a blue force remote into the adversary’s network.
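The two failure modes just described, a rogue remote presenting a spoofed device ID and a rogue hub drawing a legitimate remote into the wrong network, are both addressed by validating in both directions rather than trusting an identifier. The following is an added example, not the article's or any vendor's mechanism: a mutual challenge-response handshake in which each terminal is provisioned with a per-terminal secret shared with the hub (an assumption; the article names no specific scheme). A device ID alone, however it was obtained, is not enough to be admitted, and a remote refuses to join a hub that cannot prove knowledge of its secret. HMAC-SHA256 from the standard library stands in for the real authentication primitive, and all IDs, secrets and nonces are constructed.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16


def proof(secret, role, device_id, nonce_hub, nonce_remote):
    """HMAC over both nonces and the claimed identity; role separates the two directions."""
    return hmac.new(secret, role + device_id + nonce_hub + nonce_remote, hashlib.sha256).digest()


class Hub:
    def __init__(self, provisioned):
        self.provisioned = dict(provisioned)   # device_id -> per-terminal secret
        self.pending = {}                      # device_id -> nonce sent in the challenge

    def challenge(self, device_id):
        nonce = secrets.token_bytes(NONCE_LEN)
        self.pending[device_id] = nonce
        return nonce

    def admit(self, device_id, nonce_remote, remote_proof):
        """Return the hub's own proof if the remote proved its secret, else None."""
        secret = self.provisioned.get(device_id)
        nonce_hub = self.pending.pop(device_id, None)   # one challenge, one answer
        if secret is None or nonce_hub is None:
            return None   # unknown or unchallenged device ID
        expected = proof(secret, b"remote", device_id, nonce_hub, nonce_remote)
        if not hmac.compare_digest(expected, remote_proof):
            return None   # right ID, wrong secret: a spoofed terminal
        return proof(secret, b"hub", device_id, nonce_hub, nonce_remote)


class Remote:
    def __init__(self, device_id, secret):
        self.device_id = device_id
        self.secret = secret
        self.nonce_hub = self.nonce = None

    def respond(self, nonce_hub):
        self.nonce_hub = nonce_hub
        self.nonce = secrets.token_bytes(NONCE_LEN)
        return self.nonce, proof(self.secret, b"remote", self.device_id, nonce_hub, self.nonce)

    def verify_hub(self, hub_proof):
        """Refuse to join unless the hub proved knowledge of this terminal's secret."""
        if hub_proof is None:
            return False
        expected = proof(self.secret, b"hub", self.device_id, self.nonce_hub, self.nonce)
        return hmac.compare_digest(expected, hub_proof)


def acquire(hub, remote):
    """Run the three-message exchange; True only when both sides validated each other."""
    nonce_hub = hub.challenge(remote.device_id)
    nonce_remote, remote_proof = remote.respond(nonce_hub)
    return remote.verify_hub(hub.admit(remote.device_id, nonce_remote, remote_proof))


# Constructed provisioning: two authorized terminals and their secrets.
SECRETS = {b"RT-0001": secrets.token_bytes(32), b"RT-0002": secrets.token_bytes(32)}

if __name__ == "__main__":
    hub = Hub(SECRETS)
    print("authorized terminal :", acquire(hub, Remote(b"RT-0001", SECRETS[b"RT-0001"])))
    print("spoofed device ID   :", acquire(hub, Remote(b"RT-0001", secrets.token_bytes(32))))
    print("adversary-run hub   :", acquire(Hub({}), Remote(b"RT-0002", SECRETS[b"RT-0002"])))
```

Because both proofs cover both nonces, a recorded answer cannot be replayed against a later challenge, and because the hub discards the pending nonce as soon as it is answered, a second answer to the same challenge is rejected. In a COTM network, where remotes re-acquire constantly as vehicles pass under bridges and behind buildings, this exchange has to be cheap enough to run on every acquisition; the two-message round trip here is about as small as a mutual check gets.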
