Annex C: Network and Communications Security
The primary purpose of the Network and Communications Security (NCS) Enterprise Security Focus Areas (ESFA) is to enable secure and available communications between endpoints. Endpoints include client devices that consume services and server systems that provide services. Endpoints may be directly connected to GC network resources or they may connect indirectly via publicly accessible wired and wireless networks. In the case of publicly accessible networks, confidentiality of GC data, unauthorized access to GC resources, and leakage of GC data are key concerns that must be addressed by the NCS ESFA. The NCS ESFA covers protection of Secret, Protected, and Unclassified information. Endpoints are characterised as follows:
- Client Endpoint (workstation, desktop, tablet, smartphone, etc.)
- Server Endpoint (application server, database server, file server, etc.)
- Network Endpoint (switch, router, network security appliance, etc.)
- Network-Attached Peripheral Endpoint (printer, scanner, etc.)
- Hybrid Endpoint that relays network traffic but also provides application functionality (application proxy, email relay/server, etc.)
The following sections give more information on endpoint characteristics.
The components that comprise the NCS ESFA are shown in the image below and summarized in a table in the ESADD Annex C: Network and Communication Security (NCS) document. The list of example technologies for each component contains examples of the types of technical solutions that embody the functions of that component.
The image below shows the context of NCS within the architecture of the GC enterprise. The NCS ESFA interacts with most of the ESFAs as well as several of the external entities. Refer to the ESADD Main Body for descriptions of the various GC Enterprise External Entities (i.e. commercial communications providers, external networks, etc.)
Internal endpoints exclusively host NCS capabilities. External endpoints host non-NCS capabilities and are divided into two categories:
- Infrastructure Endpoints: Endpoints that provide services to the NCS ESFA to enable secure and efficient operation of the network. These consist of server endpoints and hybrid network/server endpoints, which are generally housed in a secure environment under the same administrative control as the network. They do not pose a significant threat to the network or the GC enterprise, although they can provide an avenue of attack for malicious insiders.
- Mission Endpoints: Endpoints that obtain services from the NCS ESFA to enable mission/business functions. These consist of client and server endpoints, which may access the network via an external network or commercial communications provider and may be under different administrative control. They pose a potentially significant threat to the network and GC enterprise.
The context diagram also shows humans who directly interact with NCS ESFA components. Most humans indirectly interact with NCS ESFA components via other ESFA components or via an external network/communications provider. The Black Hat actor represents a malicious insider with direct access to networking components.
Note that the END and CSS ESFAs may leverage other ESFAs identified as Infrastructure Elements. As the NCS ESFA does not rely on or directly interact with them in this capacity, they are not shown as Endpoint Elements.
For more information about the nature of each interface and the security considerations associated with each interfacing element and NCS, please read the ESADD Annex C: Network and Communication Security (NCS) document.
This section describes different aspects of the NCS architecture and capabilities in more depth.
Network and Communications Security (NCS) Target Security Architecture
The target architecture consists of a fully collapsed unclassified core network as shown in the image on the right. Please read the GC ESA Description Document Main Body for detailed descriptions of the components depicted in the image on the right.
All client endpoints are connected to the GC Core Network and access application services available via the GC Private Cloud and Public Cloud networks. The image uses icons for endpoints defined in the ESADD for the Compute and Storage Service (CSS) ESFA, a desktop PC for a client endpoint, and a laptop PC for a device owned by a Canadian citizen accessing government services. The same icons with an embedded padlock symbol represent client and server endpoints that are able to interact with Information Rights Management service ("IRM-enabled"). Note that Cloud Services for Storage do not need to be IRM-enabled if they only store previously encrypted self-describing data objects that do not need to be decrypted. This is assumed to be the case for public cloud services.
As client and server endpoints are connected to unclassified networks, they must be fully self-protecting and ensure that all transmitted data is properly protected using information-centric techniques in accordance with its sensitivity or classification level.
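The two paragraphs above rest on one property: a data object carries its own protection, so a store that is not IRM-enabled (the public cloud case) can handle it without ever being able to read it. The following is an added example, not code from the ESADD or from any GC system, of what such a self-describing encrypted object can look like. The header layout, the field names, the "Protected B" marking and the key-lookup callback are this example's own assumptions; the cryptography is standard-library AES-256-GCM with the header bound as additional authenticated data, so a relay that rewrites the marking or key reference breaks the object rather than downgrading it.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Header is the cleartext, self-describing part of the object: enough for a
// relay or storage service to classify, route and retain it, and nothing that
// lets it read the payload. Field names here are this example's own.
type Header struct {
	Version        int    `json:"v"`
	Classification string `json:"classification"` // handling marking, e.g. "Protected B"
	KeyID          string `json:"key_id"`         // names the IRM key; never the key itself
	Alg            string `json:"alg"`            // only "AES-256-GCM" is understood here
	Nonce          []byte `json:"nonce"`          // 96-bit GCM nonce, unique per object per key
}

// Object is the at-rest form: serialized header plus ciphertext (the
// ciphertext includes the GCM authentication tag).
type Object struct {
	Header     []byte `json:"header"`
	Ciphertext []byte `json:"ciphertext"`
}

const algName = "AES-256-GCM"

// Seal is what an IRM-enabled endpoint does before data leaves it. The header
// is passed to GCM as additional authenticated data, so any later change to
// the classification or key_id makes the object undecryptable.
func Seal(key []byte, keyID, classification string, plaintext []byte) (*Object, error) {
	if len(key) != 32 {
		return nil, errors.New("seal: need a 256-bit key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	hdr, err := json.Marshal(Header{Version: 1, Classification: classification, KeyID: keyID, Alg: algName, Nonce: nonce})
	if err != nil {
		return nil, err
	}
	return &Object{Header: hdr, Ciphertext: gcm.Seal(nil, nonce, plaintext, hdr)}, nil
}

// Inspect is all a store that is not IRM-enabled needs: read the header to
// apply handling rules. It holds no key and cannot decrypt anything.
func Inspect(obj *Object) (Header, error) {
	var h Header
	if err := json.Unmarshal(obj.Header, &h); err != nil {
		return Header{}, fmt.Errorf("inspect: bad header: %w", err)
	}
	if h.Version != 1 || h.Alg != algName {
		return Header{}, fmt.Errorf("inspect: unsupported object (v%d, %q)", h.Version, h.Alg)
	}
	return h, nil
}

// Open is what an IRM-enabled consumer does: resolve key_id to a key through
// the key service it trusts (lookupKey is a stand-in for that service), then
// decrypt with the header as AAD. A tampered header or wrong key fails closed.
func Open(obj *Object, lookupKey func(keyID string) ([]byte, error)) (Header, []byte, error) {
	h, err := Inspect(obj)
	if err != nil {
		return Header{}, nil, err
	}
	key, err := lookupKey(h.KeyID)
	if err != nil {
		return Header{}, nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return Header{}, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Header{}, nil, err
	}
	if len(h.Nonce) != gcm.NonceSize() {
		return Header{}, nil, errors.New("open: bad nonce length")
	}
	pt, err := gcm.Open(nil, h.Nonce, obj.Ciphertext, obj.Header)
	if err != nil {
		return Header{}, nil, fmt.Errorf("open: header or payload altered, or wrong key: %w", err)
	}
	return h, pt, nil
}

func main() {
	key := make([]byte, 32)
	rand.Read(key) // constructed example key; a real key comes from the IRM key service
	obj, _ := Seal(key, "irm-key-0042", "Protected B", []byte("constructed sample record"))
	h, _ := Inspect(obj)
	fmt.Println("store sees:", h.Classification, h.KeyID) // no key needed for this
	lookup := func(string) ([]byte, error) { return key, nil }
	_, pt, err := Open(obj, lookup)
	fmt.Println(string(pt), err)
	// A relay without the key tries to downgrade the marking in the cleartext header.
	obj.Header = bytes.Replace(obj.Header, []byte("Protected B"), []byte("Protected A"), 1)
	_, _, err = Open(obj, lookup)
	fmt.Println("after downgrade attempt:", err)
}
```

The point of the design is the split between Inspect and Open: everything a network or storage element needs to route, retain or apply DLP policy to the object is in the header, while decryption requires both the key reached through key_id and an unmodified header. That is what lets the public-cloud storage in the target architecture stay outside the IRM trust boundary.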
The primary objective of the network is to deliver traffic to its destination while meeting Quality of Service (QoS) requirements and the required level of availability. Each perimeter provides a transparent firewall capability that blocks unauthorized traffic, in part to mitigate Denial of Service (DoS) attacks. A perimeter may also include transparent IDS/IPS and DLP capabilities that operate at line rate. To provide seamless end-to-end connectivity that does not rely on Network Address Translation (NAT) or application proxy techniques, the network should support Internet Protocol version 6 (IPv6), whose address space is large enough to address every endpoint directly, unlike IPv4.
The image also shows connectivity to a partner network (e.g. belonging to a corporation or foreign government) that does not support information-centric techniques. The example network is shown as being sensitive. The perimeter converts between information-centric and network-centric protocols, and performs content analysis on data received from the partner network (e.g. to check for malicious content). The Partner Network likely implements its own perimeter, but this is not shown, as it is not a GC responsibility. An interface to a classified network follows the same pattern, but the perimeter will contain more robust components, including a Cross-Domain Guard (CDG).
While this is the desired target architecture, technology and policy limitations may make it difficult to achieve in the short to medium term. In practice, the transition architecture described in Section 4.2.5 of the ESADD Annex C: Network and Communication Security (NCS) document is likely to persist for a significant period of time.
ESADD Annex C: Network and Communications Security (NCS) Pattern Diagrams
For the Pattern Diagrams for Network and Communications Security (NCS) from the ESADD Annex C: Network and Communication Security (NCS) document, please visit the ESA Pattern Diagram Repository.
List of ESADD Annex C Pattern Diagrams
- Pattern PN-NCS-001 High-level Description of Various Data Flows Mediated by Perimeter Configurations
- Pattern PN-NCS-002 High-level Description of the Actions Taken by the Network to Perform Network Access Control (NAC)
- Pattern PN-NCS-003 In-Depth Description of Cross-Domain Transfer and Access in a Network-Centric Environment