Building a Policy-flexible Secure Network Server

Ajay Chitturi
Department of Computer Science
University of Utah
Salt Lake City UT 84112

The use of networks is growing continuously, steadily increasing the vulnerability of the computer systems that use them. Network security therefore plays an important role in the security of the operating system. The problem of network security needs to be addressed by extending the concepts used to build trusted computer systems and by using cryptographic mechanisms. We propose and implement a network security architecture that builds on earlier efforts such as the one used in DTOS. The implementation involves modifying the FreeBSD TCP/IP stack within the Flask secure operating system. The network security architecture consists of two major components: network access control and network cryptographic protection.

The network access control module controls access to network-related operations in a secure manner. Access control checks are implemented at different layers of the network stack and cover operations initiated by the local process as well as operations initiated by the remote process. The module uses the security server provided by Flask to make the access control decisions. The network cryptographic protection module provides encryption and authentication of network traffic. It uses the IPsec protocol to implement the cryptographic operations and the ISAKMP protocol for key management. Covert storage channels caused by the use of shared resources such as the port number space will be eliminated by creating a virtualized port number space. To our knowledge there are no systems that support multi-level TCP/UDP port number spaces (or virtualized port spaces).
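The port-space storage channel and its removal can be shown with a small model, added here as an illustration and not taken from the thesis or from Flask. It assumes the virtualized port space is keyed by security level, with levels as small integers; all table and function names are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define NPORTS  65536
#define NLEVELS 4   /* constructed: security levels 0 (low) .. 3 (high) */
static unsigned char shared_tbl[NPORTS];         /* one table for all levels */
static unsigned char virt_tbl[NLEVELS][NPORTS];  /* one table per level */
typedef int (*bind_fn)(int level, unsigned short port);

void reset_tables(void) {
    memset(shared_tbl, 0, sizeof shared_tbl);
    memset(virt_tbl, 0, sizeof virt_tbl);
}

/* Shared port space: the caller's level plays no part in the lookup. */
int bind_shared(int level, unsigned short port) {
    if (level < 0 || level >= NLEVELS) return EINVAL;
    if (shared_tbl[port]) return EADDRINUSE;
    shared_tbl[port] = 1;
    return 0;
}

/* Virtualized port space: a bind conflicts only with binds at the same level. */
int bind_virtual(int level, unsigned short port) {
    if (level < 0 || level >= NLEVELS) return EINVAL;
    if (virt_tbl[level][port]) return EADDRINUSE;
    virt_tbl[level][port] = 1;
    return 0;
}

/* Noninterference check: compare the low-level bind result with and without
 * a prior high-level bind of the same port. Returns 1 if the results differ
 * (high-level state is observable from low: a storage channel), else 0. */
int low_result_depends_on_high(bind_fn do_bind, unsigned short port) {
    int quiet, busy;
    reset_tables();
    quiet = do_bind(0, port);        /* no high-level activity */
    reset_tables();
    do_bind(NLEVELS - 1, port);      /* high level binds the port first */
    busy = do_bind(0, port);
    return quiet != busy;
}

int main(void) {
    printf("shared: %d, virtualized: %d\n",
           low_result_depends_on_high(bind_shared, 8080),
           low_result_depends_on_high(bind_virtual, 8080));
    return 0;
}
```

In the shared table the low-level caller sees `EADDRINUSE` only when the high-level process has bound the port, so one bit crosses levels per port; with per-level tables the low-level result is the same in both runs.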


