Information Assurance Efforts at the Defense Information Systems Agency & in the DoD
Richard Hale, Information Assurance Engineering, Defense Information Systems Agency, hale1r@ncr.disa.mil
Critical Infrastructure Protection Day, March 14, 2000
Success in Combat Depends on Protecting Information & Information Systems
DoD Information Assurance efforts are aimed at providing assurance that war fighters and those who support them can safely rely on the information and information infrastructures required to fulfill their missions.
National Plan for Information Systems Protection
• Prepare and Prevent
• Detect and Respond
• Build Strong Foundations
DoD TCP/IP Networks
Classified networks are physically and cryptographically separated from the unclassified nets.
(Diagram: JWICS, SIPRNET, NIPRNET, Internet)
Some of DISA’s Missions
• Designing, building, & operating DoD intranets
  • The NIPRNET (an unclassified network)
  • The SIPRNET (a classified intranet)
• Designing and building core DoD command and control systems and software processes
  • Global Command and Control System (GCCS)
  • Global Combat Support System (GCSS)
  • Common Operating Environment (COE)
• Designing and operating the DoD’s large processing facilities
One More DISA Mission
• Designing and operating the DoD Computer Emergency Response Team (DoD CERT)
  • As well as regional CERTs
  • Integrated with the management of the networks and information systems
  • Primary technical support to the DoD Computer Network Defense Joint Task Force
DoD Global Information Grid: Draft Information Assurance Policy
“The DoD shall follow an enterprise-wide IA architecture that implements a defense-in-depth strategy which incorporates both technical and non-technical means…”
Defense-In-Depth: Layered Security Strategy
• Counter the full range of attacks
• Defense in multiple places
  • Defenses & detection against insiders and outsiders
• Multiple complementary roadblocks to certain attacks
  • Increases resistance
  • Allows increased use of COTS solutions
  • Contains some insiders
  • May buy time to detect, analyze, and react
• Protect, Detect, React/Respond paradigm
  • Detect is critical owing to the imperfection of protections
• Quality control via Certification and Accreditation
Defense-in-Depth: Defend the Computing Environment (End System Security)
• Properly configured operating systems
  • DISA provides guidance documents
  • For Microsoft and various UNIX operating systems
• Properly designed and configured application software
  • Common Operating Environment, Command and Control Software, Combat Support Software
• Security services at the workstation
  • Anti-virus software, etc.
• System administrator training/certification
• Host incident monitoring/intrusion detection
• Physical security and clearances
(Diagram: End System)
Defense-in-Depth: Defend the Enclave Boundary
• Inventory/mapping of the enclave
  • Including all paths in and out
• Proper defenses on each path
  • Firewalls, dial-in security
• Placement of externally visible servers (e.g., web servers)
• Enclave-level incident monitoring, correlation, situation awareness
• Hardening of infrastructure components
  • Routers, Domain Name System, etc.
• DoD policy on allowed & disallowed protocols in draft
(Diagram: Enclave (Building, Base, Processing Center), End System)
Defense-in-Depth: Defend the Networks & Infrastructure
• Encrypted circuits for classified nets
• Hardened infrastructure
  • Routers, switches, Domain Name System (DNS) servers
  • Including intra-component signaling
• Infrastructure security services
  • Public Key Infrastructure, Directories
• Firewalls for network control centers
• Incident monitoring, correlation, response
  • Joint Task Force-Computer Network Defense (JTF-CND)
  • Regional and Global Operations & Security Centers
• Connection approval processes
• NIPRNET redesign
  • Control of DoD connection to the Internet
  • Including stopping certain protocols
(Diagram: Internet, DoD Networks, Enclave, End System)
DoD Defense-in-Depth Summary
There is no magic bullet.
(Diagram of the layers: Internet, DoD Networks, Enclave (Building, Base, Processing Center), End System)
Public Key Infrastructure (PKI) in DoD: Enabling (some) Trust in the Digital World
Currently two pieces to the DoD PKI:
1. “Medium Assurance” or Class 3
  • Essentially best commercial practice
  • Based on commercial technology
  • Many organizations issuing or preparing to issue certificates from this infrastructure
2. Fortezza
  • Being fielded as part of the Defense Message System
What’s A Public Key Infrastructure?
All the components, processes, and procedures required to issue and manage digital certificates.
(Diagram: Subscriber (Key Owner, e.g. Alice); Relying Party (Bob); a message from Alice to Bob (“$$ to Bob”); Certificate Authority; Registration Authority; Directory (Public Keys and Revocation Lists))
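As an added example (not from the presentation), the relying party’s side of the diagram in Go: a constructed toy CA certifies Alice’s key, and Bob’s check verifies the CA’s signature on her certificate and consults the revocation list before trusting her signature on a message. The CA name, Alice, the one-hour validity and the revocation list modelled as a set of revoked serial numbers (rather than a signed CRL fetched from a directory) are all assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// issueCert is the Certificate Authority step: sign a certificate that binds a name to a public key.
func issueCert(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, caKey ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, caKey)
	if err != nil {
		panic(err) // in this constructed example a failed issuance is a programming error
	}
	c, _ := x509.ParseCertificate(der)
	return c
}

// Setup stands in for registration and issuance in a constructed toy PKI: a self-signed CA certifies Alice's public key. It returns the trust anchor Bob is configured with, Alice's certificate and her private key.
func Setup() (*x509.CertPool, *x509.Certificate, ed25519.PrivateKey) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	alicePub, aliceKey, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Toy CA"}, NotBefore: now,
		NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caCert := issueCert(ca, ca, caPub, caKey)
	alice := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Alice"}, NotBefore: now,
		NotAfter: now.Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return roots, issueCert(alice, caCert, alicePub, caKey), aliceKey
}

// VerifySignedMessage is the relying party's (Bob's) check: the CA's signature on the certificate and its validity period, then the directory's revocation list (modelled as revoked serial numbers), then Alice's signature on msg.
func VerifySignedMessage(roots *x509.CertPool, revoked map[string]bool, cert *x509.Certificate, msg, sig []byte) error {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return err // not issued by a trusted CA, or outside its validity period
	}
	if revoked[cert.SerialNumber.String()] {
		return errors.New("certificate revoked")
	}
	if pub, ok := cert.PublicKey.(ed25519.PublicKey); !ok || !ed25519.Verify(pub, msg, sig) {
		return errors.New("signature does not verify under the certified key")
	}
	return nil
}
```

A real deployment would fetch the certificate and a CA-signed CRL from the directory and check the CRL’s own signature and freshness; the order of checks (issuer, revocation, then message signature) is the part that carries over.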
DoD Class 3 PKI Components
• The system is operational and issuing identity certificates
• Initial customers
  • Defense Travel System
  • Defense Security Service
  • DFAS
  • Army Chief of Staff
  • JEDMICS
  • Navy San Diego Region
  • DISA
(Diagram: NSA; Root Server; Certificate Server and Directory at two Defense Processing Centers; Registration Authority; Local Registration Authority; Users)
How Good Are the Certificates? (or, how tight is the tie between the key and the name?)
• A variety of dimensions of assurance
  • Strength of cryptography at end user & at Certificate Authority
  • Form and protection of private keys at end user & CA
  • Processes & controls employed in operation of the PKI
    • User registration, certificate issuance, auditing of various things, etc.
• One selects a particular level of assurance by:
  • Considering overall security requirements for the information being protected
PKI Assurance May Get Better in COTS Without Much Action on Our Part
E.g., if smart cards become standard and interoperable, we may be able to move to hardware storage of the private key with relatively little pain.
(Diagram, assurance supported by COTS: Now, private key protected in software; Then, private key protected in a hardware token (e.g., smart card))
DISA Maintains Global Operational Situational Awareness...
• Monitor current and planned military operations and contingencies
• Information warfare events
• Intelligence reports
• Weather/natural disasters
• Scheduled outages
• Facility and equipment failures
• System and application failures
• IA sensor grid
...to determine if an operational capability is degraded by attack, outage, or both.
(Diagram: Cyber Attack, Accidental Outage, Physical Attack, Component Failure)
Global Network Operations & the DoD CERT are an Integrated Team
GNOSC (Global Network Operations & Security Center) and DOD CERT (Computer Emergency Response Team):
• Intrusion Detection Systems Management
• Global Management of the DII
• Global Situational Awareness
• Strategic Intrusion Analysis
• Incident Handling and Response
• Information Assurance Vulnerability Alerts (IAVA)
Supporting the Joint Task Force - Computer Network Defense: defense and protection of the Global Information Grid.
(Diagram: Sensor Grid, Reporting, Analysis, Event Correlation)
Getting the Word Out: Information Assurance Vulnerability Alert (IAVA)
• Response to critical vulnerabilities
  • Acknowledge receipt
  • Apply fixes
  • Acknowledge compliance
• Global distribution to DoD system administrators & program managers
• Organizational accountability
(Diagram: IAVA DB; DOD CERT issues an IAVA Alert, IAVB Bulletin or Technical Advisory to DOD; Vulnerability Compliance Tracking System)
http://www.cert.mil/
How do we know Security is Improving? DISA IA Metrics Program
1. What to measure?
  • Objective, not subjective
  • What is our current baseline, and how do we know if we’ve improved?
2. Analysis of the data
  “For example, is there a relationship between the number of events and the number of sensors?”
  (Chart: # of Events versus # of Sensors)
3. Aimed at answering questions like...
  • Are we spending our money wisely?
  • Where is more effort/resources required?
  • Are we more or less secure than N months ago?
4. Institutionalizing the metrics process
  • Collect the measurements
  • Analyze the measurements
  • Report the measurements and observations
  • Review metrics and modify process
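Added example, not from the presentation: the slide’s question about events versus sensors, worked on constructed monthly counts in Go. Raw event totals climb only because the sensor grid grows, so the “more or less secure than N months ago” comparison is only meaningful after normalizing per sensor. The month names and counts are made up for the example.

```go
package main

import (
	"fmt"
	"math"
)

// Month is one data point for the metrics program: sensors deployed and events they reported.
type Month struct {
	Name    string
	Sensors int
	Events  int
}

// Sample is constructed data in which raw event counts grow only because the sensor grid grows.
var Sample = []Month{
	{"Jan", 20, 400}, {"Feb", 30, 570}, {"Mar", 45, 810},
	{"Apr", 60, 1020}, {"May", 80, 1280}, {"Jun", 100, 1500},
}

// Correlation returns the Pearson correlation between sensor count and event count across the months.
// A value near 1 says the raw event count is largely explained by how many sensors are watching.
func Correlation(ms []Month) float64 {
	n := float64(len(ms))
	var sx, sy float64
	for _, m := range ms {
		sx += float64(m.Sensors)
		sy += float64(m.Events)
	}
	mx, my := sx/n, sy/n
	var sxy, sxx, syy float64
	for _, m := range ms {
		dx, dy := float64(m.Sensors)-mx, float64(m.Events)-my
		sxy, sxx, syy = sxy+dx*dy, sxx+dx*dx, syy+dy*dy
	}
	return sxy / math.Sqrt(sxx*syy)
}

// EventsPerSensor normalizes the raw count so months with different sensor coverage can be compared.
func EventsPerSensor(m Month) float64 { return float64(m.Events) / float64(m.Sensors) }

// Trend is the change in events per sensor between the latest month and n months earlier; a negative value
// means fewer events per sensor, which is the objective comparison the slide asks for.
func Trend(ms []Month, n int) float64 {
	return EventsPerSensor(ms[len(ms)-1]) - EventsPerSensor(ms[len(ms)-1-n])
}

func main() {
	fmt.Printf("correlation(sensors, events) = %.3f\n", Correlation(Sample))
	fmt.Printf("raw events Jan..Jun: %d -> %d; per-sensor trend over 5 months: %+.1f\n",
		Sample[0].Events, Sample[5].Events, Trend(Sample, 5))
}
```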
One More Thing… Training
• DISA develops IA training materials and classes for the DoD
• Over 100 security classes provided annually
• c. 100,000 IA training CDs and videos sent out government-wide
http://its4dod.iiie.disa.mil