Information Assurance Efforts (DoD)


Information Assurance Efforts at the Defense Information Systems Agency & in the DoD
Richard Hale
Information Assurance Engineering
Defense Information Systems Agency
[email protected]
Critical Infrastructure Protection Day
March 14, 2000

Success in Combat Depends on Protecting Information & Information Systems
DoD Information Assurance efforts are aimed at providing assurance that war fighters and those who support them can safely rely on the information and information infrastructures required to fulfill their missions.

National Plan for Information Systems Protection
• Prepare and Prevent
• Detect and Respond
• Build Strong Foundations

DoD TCP/IP Networks
(Figure: the four networks)
• JWICS
• SIPRNET
• NIPRNET
• Internet
Classified networks are physically and cryptographically separated from the unclassified nets.

Some of DISA’s Missions
• Designing, building, & operating DoD intranets
– The NIPRNET (an unclassified network)
– The SIPRNET (a classified intranet)
• Designing and building core DoD command and control systems and software processes
– Global Command and Control System (GCCS)
– Global Combat Support System (GCSS)
– Common Operating Environment (COE)
• Designing and operating the DoD’s large processing facilities

One More DISA Mission
• Designing and Operating the DoD Computer Emergency Response Team (DoD CERT)
– As well as regional CERTs
– Integrated with the management of the networks and information systems
– Primary technical support to the DoD Computer Network Defense Joint Task Force

Prepare and Prevent

DoD Global Information Grid Draft Information Assurance Policy
“The DoD shall follow an enterprisewide IA architecture that implements a defense-in-depth strategy which incorporates both technical and nontechnical means…”

Defense-In-Depth: Layered Security Strategy
• Counter full range of attacks
– Defense in multiple places
– Defenses & detection against insiders and outsiders
• Multiple complementary roadblocks to certain attacks
– Increases resistance
– Allows increased use of COTS solutions
– Contains some insiders
– May buy time to detect, analyze, and react
• Protect, Detect, React/Respond Paradigm
– Detect is critical owing to imperfection of protections
• Quality control via Certification and Accreditation

Defense-in-Depth: Defend the Computing Environment (End System Security)
• Properly configured operating systems
– DISA provides guidance documents for Microsoft and various UNIX operating systems
• Properly designed and configured application software
– Common Operating Environment, Command and Control Software, Combat Support Software
• Security services at the workstation
– Anti-virus software, etc.
• System administrator training/certification
• Host incident monitoring/intrusion detection
• Physical security and clearances
(Figure: layer highlighted – End System)

Defense-in-Depth: Defend the Enclave Boundary
• Inventory/Mapping of Enclave
– Including all paths in and out
• Proper defenses on each path
– Firewalls, dial-in security
– Placement of externally visible servers (e.g., web servers)
• Enclave level incident monitoring, correlation, situation awareness
• Hardening of infrastructure components
– Routers, Domain Name System, etc.
• DoD Policy on Allowed & Disallowed protocols in draft
(Figure: layers shown – Enclave (Building, Base, Processing Center), End System)

Defense-in-Depth: Defend the Networks & Infrastructure
• Encrypted circuits for classified nets
• Hardened infrastructure
– Routers, switches, Domain Name System (DNS) servers
– Including intra-component signaling
• Infrastructure security services
– Public Key Infrastructure, Directories
• Firewalls for network control centers
• Incident monitoring, correlation, response
– Joint Task Force-Computer Network Defense (JTF-CND)
– Regional and Global Operations & Security Centers
• Connection approval processes
• NIPRNET Redesign
– Control of DoD connection to the Internet
– Including stopping certain protocols
(Figure: layers shown – Internet, DoD Networks, Enclave, End System)

DoD Defense-in-Depth Summary
(Figure: nested layers – Internet, DoD Networks, Enclave (Building, Base, Processing center), End System)
There is no magic bullet

Public Key Infrastructure (PKI) in DoD: Enabling (some) Trust in the Digital World
Currently two pieces to the DoD PKI
1. “Medium Assurance” or Class 3
• Essentially best commercial practice
• Based on commercial technology
• Many organizations issuing or preparing to issue certificates from this infrastructure
2. Fortezza
• Being fielded as part of Defense Message System

What’s A Public Key Infrastructure?
All the components, processes, and procedures required to issue and manage digital certificates
(Figure: Certificate Authority; Directory (Public Keys and Revocation Lists); Registration Authority; Subscriber (Key Owner, e.g. Alice); Relying Party (Bob); Alice sends “$$ to Bob”)

DoD Class 3 PKI Components
• The System Is Operational and Issuing Identity Certificates
• Initial Customers
– Defense Travel System
– Defense Security Service
– DFAS
– Army Chief of Staff
– JEDMICS
– Navy San Diego Region
– DISA
(Figure: NSA Root Server; Certificate Server and Directory at Two Defense Processing Centers; Registration Authority; Local Registration Authority; Users)

How Good Are the Certificates? (or, how tight is the tie between the key and the name?)
• A variety of dimensions of assurance
– Strength of cryptography at end user & at Certificate Authority
– Form and protection of private keys at end user & CA
– Processes & controls employed in operation of the PKI
• User registration, certificate issuance, auditing of various things, etc.
• One selects a particular level of assurance by:
– Considering overall security requirements for information being protected
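The PKI roles from the “What’s A Public Key Infrastructure?” figure (certificate authority, registration authority, directory with a revocation list, subscriber Alice, relying party Bob) and the assurance dimensions listed on this slide, worked through as an added example. This is not code from the presentation or from the DoD PKI: the names, the registration roster and the signature primitive (textbook RSA with tiny keys, chosen so it runs on the Python standard library alone, and not secure) are constructed for illustration.

```python
"""Toy PKI with the roles from the slide: Certificate Authority, Registration
Authority, Directory (public keys plus revocation list), Subscriber Alice and
Relying Party Bob. Constructed teaching model; textbook RSA stands in for real
cryptography so it runs on the standard library alone. It is NOT secure."""
import hashlib, json, math, random

E = 65537  # RSA public exponent

def _is_prime(n: int) -> bool:  # trial division; fine for ~24-bit toy primes
    return n >= 2 and all(n % f for f in range(2, math.isqrt(n) + 1))

def _random_prime(rng: random.Random, bits: int) -> int:
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_prime(cand):
            return cand

def generate_keypair(seed: int):
    """Return ((n, e), (n, d)); seeded so the example is reproducible."""
    rng = random.Random(seed)
    while True:
        p, q = _random_prime(rng, 24), _random_prime(rng, 24)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(E, phi) == 1:
            return (p * q, E), (p * q, pow(E, -1, phi))

def _digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(private_key, data: bytes) -> int:
    n, d = private_key
    return pow(_digest(data, n), d, n)

def verify(public_key, data: bytes, signature: int) -> bool:
    n, e = public_key
    return pow(signature, e, n) == _digest(data, n)

def canonical(tbs: dict) -> bytes:  # stable encoding of the to-be-signed fields
    return json.dumps(tbs, sort_keys=True).encode()

class Directory:
    """Publishes certificates (public keys) and the revocation list."""
    def __init__(self):
        self.certs, self.revoked = {}, set()  # serial -> cert; revoked serials

    def publish(self, cert):
        self.certs[cert["tbs"]["serial"]] = cert

class RegistrationAuthority:
    """Vets identity before a name is bound to a key (a process control, not
    cryptography); the roster of expected credentials is constructed."""
    def __init__(self, roster: dict):
        self.roster = dict(roster)

    def approve(self, name: str, credential: str) -> bool:
        return self.roster.get(name) == credential

class CertificateAuthority:
    def __init__(self, name, ra, directory, seed):
        self.name, self.ra, self.directory = name, ra, directory
        self.public_key, self._private_key = generate_keypair(seed)
        self._next_serial = 1

    def issue(self, subject, credential, subject_public_key, not_after):
        """Bind name to key only after RA approval; sign and publish the result."""
        if not self.ra.approve(subject, credential):
            raise PermissionError(f"registration refused for {subject}")
        tbs = {"serial": self._next_serial, "issuer": self.name, "subject": subject,
               "public_key": list(subject_public_key), "not_after": not_after}
        self._next_serial += 1
        cert = {"tbs": tbs, "signature": sign(self._private_key, canonical(tbs))}
        self.directory.publish(cert)
        return cert

    def revoke(self, serial: int):
        self.directory.revoked.add(serial)

def validate(cert, ca_public_key, ca_name, directory, now) -> str:
    """Relying party Bob's checks before trusting a key: 'ok' or the failure."""
    tbs = cert["tbs"]
    if tbs["issuer"] != ca_name:
        return "untrusted issuer"
    if not verify(ca_public_key, canonical(tbs), cert["signature"]):
        return "bad signature"
    if now > tbs["not_after"]:
        return "expired"
    if tbs["serial"] in directory.revoked:
        return "revoked"
    return "ok"

def demo():
    """Alice is registered and certified; Bob validates, then checks her message."""
    directory, ra = Directory(), RegistrationAuthority({"alice": "badge-1234"})
    ca = CertificateAuthority("Toy Class 3 CA", ra, directory, seed=1)
    alice_pub, alice_priv = generate_keypair(seed=2)
    cert = ca.issue("alice", "badge-1234", alice_pub, not_after=2000)
    msg = b"Alice pays $$ to Bob"
    out = {"cert": validate(cert, ca.public_key, ca.name, directory, now=1000)}
    out["message"] = verify(tuple(cert["tbs"]["public_key"]), msg, sign(alice_priv, msg))
    forged = {"tbs": dict(cert["tbs"], subject="mallory"), "signature": cert["signature"]}
    out["forged"] = validate(forged, ca.public_key, ca.name, directory, now=1000)
    out["expired"] = validate(cert, ca.public_key, ca.name, directory, now=3000)
    ca.revoke(cert["tbs"]["serial"])
    out["after_revocation"] = validate(cert, ca.public_key, ca.name, directory, now=1000)
    return out
```

The slide's question, how tight the tie between key and name is, shows up here as three separate controls: the registration authority decides who may claim a name, the CA signature makes the name-to-key binding tamper-evident (the forged certificate fails), and the directory's revocation list lets a binding be withdrawn after issue. The assurance of the whole is bounded by the weakest of them, including the protection of the private keys themselves, which this toy model does not address.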

PKI Assurance May Get Better in COTS Without Much Action on Our Part
E.g., if smart cards become standard and interoperable, we may be able to move to hardware storage of the private key with relatively little pain
(Figure: assurance supported by COTS rising over time – Now: private key protected in software; Then: private key protected in hardware token (e.g., smart card))

Detect and Respond

DISA Maintains Global Operational Situational Awareness...
(Figure: inputs – physical attack, cyber attack, accidental outage, component failure)
– Monitor current and planned military operations and contingencies
– Information warfare events
– Intelligence reports
– Weather/natural disasters
– Scheduled outages
– Facility and equipment failures
– System and application failures
– IA sensor grid
... to determine if an operational capability is degraded by attack, outage, or both

Global Network Operations & the DoD CERT are an Integrated Team
Global Network Operations & Security Center (GNOSC)
• Intrusion Detection Systems Management
• Global Management of the DII
• Global Situational Awareness
DoD Computer Emergency Response Team (DoD CERT)
• Strategic Intrusion Analysis
• Incident Handling and Response
• Information Assurance Vulnerability Alerts (IAVA)
(Figure: the two centers are linked by event correlation, the sensor grid, reporting and analysis, supporting the Joint Task Force Computer Network Defense)
Defense and Protection of the Global Information Grid

Getting the Word Out: Information Assurance Vulnerability Alert (IAVA)
Response to Critical Vulnerabilities
(Figure: DoD CERT issues to DoD)
• IAVA Alert
• IAVB Bulletin
• Technical Advisory
(Figure: required response from recipients)
• Acknowledge Receipt
• Apply Fixes
• Acknowledge Compliance
IAVA DB / Vulnerability Compliance Tracking System
• Global distribution to DoD System Administrators & Program Managers
• Organizational accountability
http://www.cert.mil/
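An added example, not the DoD CERT's own IAVA database or Vulnerability Compliance Tracking System: a small model of the accountability loop on this slide (acknowledge receipt, apply fixes, acknowledge compliance), with a tracker that enforces the order of the steps and reports which organizations are overdue on a given date. Organization names, dates, deadlines and the alert identifier are constructed placeholders.

```python
"""Model of the IAVA accountability loop: alert issued, receipt acknowledged,
fixes applied, compliance acknowledged, with overdue reporting. Constructed
example; it is not the DoD's tracking system."""
from dataclasses import dataclass, field
from datetime import date, timedelta

STATES = ("issued", "acknowledged", "compliant")  # an organization's progress, in order

@dataclass
class Alert:
    alert_id: str        # constructed placeholder, not a real IAVA number
    issued: date
    ack_due: date        # deadline to acknowledge receipt
    fix_due: date        # deadline to acknowledge compliance

@dataclass
class OrgStatus:
    state: str = "issued"
    history: list = field(default_factory=list)  # (date, state) transitions

class ComplianceTracker:
    """Per-alert, per-organization status with enforced step ordering."""
    def __init__(self, organizations):
        self.organizations = list(organizations)
        self.alerts = {}
        self.status = {}  # (alert_id, org) -> OrgStatus

    def issue(self, alert: Alert):
        self.alerts[alert.alert_id] = alert
        for org in self.organizations:
            self.status[(alert.alert_id, org)] = OrgStatus()

    def record(self, alert_id: str, org: str, state: str, when: date):
        """Advance one organization by one step; skipped or repeated steps are rejected."""
        entry = self.status[(alert_id, org)]
        idx = STATES.index(entry.state)
        if idx == len(STATES) - 1 or state != STATES[idx + 1]:
            raise ValueError(f"{org}: cannot go from {entry.state} to {state}")
        entry.state = state
        entry.history.append((when, state))

    def overdue(self, alert_id: str, today: date):
        """Organizations behind schedule on this alert, with the earliest missed step."""
        alert, late = self.alerts[alert_id], []
        for org in self.organizations:
            state = self.status[(alert_id, org)].state
            if state == "issued" and today > alert.ack_due:
                late.append((org, "acknowledgement"))
            elif state != "compliant" and today > alert.fix_due:
                late.append((org, "compliance"))
        return late

    def compliance_rate(self, alert_id: str) -> float:
        done = sum(self.status[(alert_id, o)].state == "compliant" for o in self.organizations)
        return done / len(self.organizations)

def demo():
    """Constructed walk-through: three organizations, one alert, 5-day acknowledgement
    deadline and 30-day fix deadline."""
    tracker = ComplianceTracker(["Army", "Navy", "DISA"])
    issued = date(2000, 3, 1)
    alert = Alert("IAVA-PLACEHOLDER-01", issued, issued + timedelta(days=5),
                  issued + timedelta(days=30))
    tracker.issue(alert)
    tracker.record(alert.alert_id, "Army", "acknowledged", date(2000, 3, 2))
    tracker.record(alert.alert_id, "DISA", "acknowledged", date(2000, 3, 2))
    tracker.record(alert.alert_id, "DISA", "compliant", date(2000, 3, 10))
    try:  # Navy tries to report compliance without ever acknowledging receipt
        tracker.record(alert.alert_id, "Navy", "compliant", date(2000, 3, 3))
        skipped_step_rejected = False
    except ValueError:
        skipped_step_rejected = True
    return {
        "overdue_day_10": tracker.overdue(alert.alert_id, date(2000, 3, 10)),
        "overdue_day_40": tracker.overdue(alert.alert_id, date(2000, 4, 10)),
        "rate": tracker.compliance_rate(alert.alert_id),
        "skipped_step_rejected": skipped_step_rejected,
    }
```

The ordering rule is the point of the "organizational accountability" bullet: a compliance claim only counts once the organization has acknowledged receipt, so the tracker can distinguish an organization that never saw the alert from one that saw it and has not finished.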

Build Strong Foundations

How do we know Security is Improving? DISA IA Metrics Program
1. What to measure?
• Objective not subjective
• What is our current baseline, and how do we know if we’ve improved?
2. Analysis of the data
“For example, is there a relationship between the number of events and the number of sensors?”
(Figure: plot of # of Events against # of Sensors)
3. Aimed at answering questions like...
• Are we spending our money wisely?
• Where is more effort/resources required?
• Are we more or less secure than N months ago?
4. Institutionalizing the Metrics Process
• Collect the measurements
• Analyze the measurements
• Report the measurements and observations
• Review metrics and modify process
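The events-versus-sensors question from item 2 and the "N months ago" question from item 3, worked through as an added example on constructed monthly figures; this is not DISA's metrics program or its data. It goes slightly beyond the slide by computing the correlation and by normalising events per sensor so that months with different sensor coverage can be compared.

```python
"""Metrics analysis on constructed monthly data: does the event count track the
sensor count, and what does the baseline look like once that is removed?"""
import math

# (month, sensors deployed, events reported) -- constructed sample, not DISA data
MONTHLY = [
    ("1999-09", 10, 120),
    ("1999-10", 12, 150),
    ("1999-11", 15, 180),
    ("1999-12", 20, 200),
    ("2000-01", 20, 260),
    ("2000-02", 25, 275),
]

def pearson(xs, ys) -> float:
    """Linear correlation coefficient between two equal-length series."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    var_x = sum((x - mx) ** 2 for x in xs)
    var_y = sum((y - my) ** 2 for y in ys)
    return cov / math.sqrt(var_x * var_y)

def sensor_event_correlation(rows=MONTHLY) -> float:
    """The slide's question: is there a relationship between events and sensors?"""
    return pearson([s for _, s, _ in rows], [e for _, _, e in rows])

def events_per_sensor(rows=MONTHLY):
    """Normalised measure: events seen per deployed sensor, per month."""
    return {month: events / sensors for month, sensors, events in rows}

def change_since(rows=MONTHLY, months_back: int = 5):
    """Compare the latest month with the one N months earlier, on the raw event
    count and on the per-sensor rate; returns percentage changes."""
    base, latest = rows[-1 - months_back], rows[-1]
    raw = (latest[2] - base[2]) / base[2] * 100
    base_rate, latest_rate = base[2] / base[1], latest[2] / latest[1]
    rate = (latest_rate - base_rate) / base_rate * 100
    return {"baseline_month": base[0], "raw_events_pct": raw, "per_sensor_pct": rate}

if __name__ == "__main__":
    print(f"correlation(sensors, events) = {sensor_event_correlation():.2f}")
    for month, rate in events_per_sensor().items():
        print(month, f"{rate:.1f} events/sensor")
    print(change_since())
```

On this sample the raw event count rises by about 129% over five months while the correlation with sensor count is about 0.95; per sensor, the rate actually falls by about 8%. Reporting the raw count alone would answer "are we more or less secure than N months ago?" in the wrong direction, which is why the baseline has to be defined in a way that is independent of how much instrumentation was deployed.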

One More Thing…Training
• DISA develops IA training materials and classes for the DoD
• Over 100 security classes provided annually
• ~100,000 IA training CDs and videos sent out government-wide
http://its4dod.iiie.disa.mil