Title: Information Assurance Efforts at the Defense Information Systems Agency
Slide 1: Information Assurance Efforts at the Defense Information Systems Agency in the DoD
Richard Hale, Information Assurance Engineering, Defense Information Systems Agency
hale1r_at_ncr.disa.mil
Critical Infrastructure Protection Day, March 14, 2000
Slide 2: Success in Combat Depends on Protecting Information and Information Systems
- DoD Information Assurance efforts are aimed at
providing assurance that war fighters and those
who support them can safely rely on the
information and information infrastructures
required to fulfill their missions.
Slide 3: National Plan for Information Systems Protection
- Prepare and Prevent
- Detect and Respond
- Build Strong Foundations
Slide 4: Context: The World is Attached to the Same Unclassified Network that DoD Uses
[Figure: Internet map, courtesy of Bill Cheswick, Lucent Technologies; legend: black = .mil]
Slide 5: DoD TCP/IP Networks
[Figure: the DoD TCP/IP networks shown as layers: JWICS, SIPRNET, NIPRNET, Internet]
- Classified networks are physically and cryptographically separated from the unclassified nets
Slide 6: Some of DISA's Missions
- Designing, building, operating DoD intranets
  - The NIPRNET (an unclassified network)
  - The SIPRNET (a classified intranet)
- Designing and building core DoD command and control systems and software processes
  - Global Command and Control System (GCCS)
  - Global Combat Support System (GCSS)
  - Common Operating Environment (COE)
- Designing and operating the DoD's large processing facilities
Slide 7: One More DISA Mission
- Designing and operating the DoD Computer Emergency Response Team (DoD CERT)
  - As well as regional CERTs
- Integrated with the management of the networks and information systems
- Primary technical support to the DoD Computer Network Defense Joint Task Force
Slide 8: Prepare and Prevent
Slide 9: DoD Global Information Grid Draft Information Assurance Policy
- The DoD shall follow an enterprise-wide IA architecture that implements a defense-in-depth strategy which incorporates both technical and non-technical means
Slide 10: Defense-In-Depth: Layered Security Strategy
- Counter full range of attacks
- Defense in multiple places
- Defenses and detection against insiders and outsiders
- Multiple complementary roadblocks to certain attacks
  - Increases resistance
  - Allows increased use of COTS solutions
  - Contains some insiders
  - May buy time to detect, analyze, and react
- Protect, Detect, React/Respond paradigm
  - Detect is critical owing to imperfection of protections
- Quality control via Certification and Accreditation
Slide 11: Defense-in-Depth: Defend the Computing Environment (End System Security)
- Properly configured operating systems
  - DISA provides guidance documents
  - For Microsoft and various UNIX operating systems
- Properly designed and configured application software
  - Common Operating Environment, Command and Control Software, Combat Support Software
- Security services at the workstation
  - Anti-virus software, etc.
- System administrator training/certification
- Host incident monitoring/intrusion detection
- Physical security and clearances
Slide 12: Defense-in-Depth: Defend the Enclave Boundary
- Inventory/mapping of the enclave
  - Including all paths in and out
- Proper defenses on each path
  - Firewalls, dial-in security
- Placement of externally visible servers (e.g., web servers)
- Enclave-level incident monitoring, correlation, situation awareness
- Hardening of infrastructure components
  - Routers, Domain Name System, etc.
- DoD policy on allowed/disallowed protocols in draft
Slide 13: Defense-in-Depth: Defend the Network Infrastructure
- Encrypted circuits for classified nets
- Hardened infrastructure
  - Routers, switches, Domain Name System (DNS) servers
  - Including intra-component signaling
- Infrastructure security services
  - Public Key Infrastructure, Directories
- Firewalls for network control centers
- Incident monitoring, correlation, response
  - Joint Task Force-Computer Network Defense (JTF-CND)
  - Regional and Global Operations Security Centers
- Connection approval processes
- NIPRNET redesign
  - Control of DoD connection to the Internet
  - Including stopping certain protocols
[Figure: DoD Networks]
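The enclave-boundary rules on slides 12 and 13 (inventory every path in and out, put a defense on each, keep externally visible servers in a DMZ, stop the protocols DoD policy disallows) expressed as a small policy checker. This is an added Go example, not DISA's code or policy; the path names, zones, protocol lists and sample flows are constructed for illustration.

```go
package main

// Added example, not DISA's code: an enclave-boundary policy checker that encodes the
// rules on slides 12 and 13. Every path in or out must be in the inventory and carry a
// defense, externally visible servers are reachable only in the DMZ, and protocols on
// the DoD-wide disallowed list are stopped on every path. Path names, zones, protocol
// lists and flows are constructed for illustration, not DISA's actual policy.

import "fmt"

// Zone is where an inbound flow terminates relative to the boundary.
type Zone string

const (
	ZoneDMZ      Zone = "dmz"      // externally visible servers (e.g. web servers)
	ZoneInternal Zone = "internal" // workstations and internal servers
)

// Path is one entry in the enclave inventory: a way traffic gets in.
type Path struct {
	Defended bool              // a firewall or dial-in authenticator sits on this path
	Allowed  map[Zone][]string // protocols permitted inbound over this path, per destination zone
}

// Policy is the boundary policy as a whole.
type Policy struct {
	Paths      map[string]Path
	Disallowed map[string]bool // protocols DoD policy stops everywhere
}

// Flow is one inbound connection attempt the boundary has to decide on.
type Flow struct {
	Path  string
	Dst   Zone
	Proto string
}

// Evaluate says whether the flow is permitted and which rule decided it. Unmapped and
// undefended paths are refused before any protocol rule is read: a rule on a path that
// nothing enforces is a fiction.
func (p Policy) Evaluate(f Flow) (bool, string) {
	path, ok := p.Paths[f.Path]
	if !ok {
		return false, "path not in enclave inventory"
	}
	if !path.Defended {
		return false, "path has no boundary defense"
	}
	if p.Disallowed[f.Proto] {
		return false, "protocol disallowed by DoD policy"
	}
	for _, proto := range path.Allowed[f.Dst] {
		if proto == f.Proto {
			return true, "explicitly allowed on this path"
		}
	}
	return false, "default deny"
}

// Audit is the review that follows the inventory: paths with no defense, and server
// protocols reachable in the internal zone when such servers belong in the DMZ.
func (p Policy) Audit(serverProtos []string) []string {
	var findings []string
	for name, path := range p.Paths {
		if !path.Defended {
			findings = append(findings, name+": undefended path")
		}
		for _, proto := range path.Allowed[ZoneInternal] {
			for _, sp := range serverProtos {
				if proto == sp {
					findings = append(findings, name+": "+proto+" served from the internal zone instead of the DMZ")
				}
			}
		}
	}
	return findings
}

// SamplePolicy is a constructed enclave: an Internet link, a dial-in pool, and a
// vendor ISDN line nobody put a firewall on, so the audit has something to find.
func SamplePolicy() Policy {
	return Policy{
		Paths: map[string]Path{
			"internet-link": {Defended: true, Allowed: map[Zone][]string{ZoneDMZ: {"https", "smtp"}}},
			"dialin-pool":   {Defended: true, Allowed: map[Zone][]string{ZoneInternal: {"ssh"}}},
			"vendor-isdn":   {Defended: false, Allowed: map[Zone][]string{ZoneInternal: {"http"}}},
		},
		Disallowed: map[string]bool{"telnet": true, "rsh": true, "finger": true},
	}
}

func main() {
	p := SamplePolicy()
	for _, f := range []Flow{
		{"internet-link", ZoneDMZ, "https"},
		{"internet-link", ZoneInternal, "https"},
		{"internet-link", ZoneDMZ, "telnet"},
		{"dialin-pool", ZoneInternal, "ssh"},
		{"vendor-isdn", ZoneInternal, "http"},
	} {
		ok, why := p.Evaluate(f)
		fmt.Printf("%-14s -> %-8s %-6s allow=%-5v %s\n", f.Path, f.Dst, f.Proto, ok, why)
	}
	for _, finding := range p.Audit([]string{"http", "https", "smtp"}) {
		fmt.Println("audit:", finding)
	}
}
```

Evaluate deliberately refuses an unmapped or undefended path before it looks at the protocol, which is the order the slide implies: the inventory comes first, the defenses second, the protocol policy last. Audit is the review a boundary owner runs after mapping the enclave; here it flags the undefended vendor line and the HTTP server it exposes inside the enclave.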
Slide 14: DoD Defense-in-Depth Summary
There is no magic bullet
Slide 15: Public Key Infrastructure (PKI) in DoD: Enabling (some) Trust in the Digital World
- Currently two pieces to the DoD PKI
  1. Medium Assurance or Class 3
     - Essentially best commercial practice
     - Based on commercial technology
     - Many organizations issuing or preparing to issue certificates from this infrastructure
  2. Fortezza
     - Being fielded as part of Defense Message System
Slide 16: What's a Public Key Infrastructure?
All the components, processes, and procedures required to issue and manage digital certificates
[Figure: PKI diagram showing the relying party (Bob)]
Slide 17: DoD Class 3 PKI Components
- The system is operational and issuing identity certificates
- Initial customers
  - Defense Travel System
  - Defense Security Service
  - DFAS
  - Army Chief of Staff
  - JEDMICS
  - Navy San Diego Region
  - DISA
[Figure: component diagram: NSA; Root Server; Certificate Server and Directory at two Defense Processing Centers; Registration Authority; Local Registration Authority; Users]
Slide 18: How Good Are the Certificates? (or, how tight is the tie between the key and the name?)
- A variety of dimensions of assurance
  - Strength of cryptography at the end user and at the Certificate Authority
  - Form and protection of private keys at the end user and at the CA
  - Processes and controls employed in operation of the PKI
    - User registration, certificate issuance, auditing of various things, etc.
- One selects a particular level of assurance by considering the overall security requirements for the information being protected
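Slides 16 to 18 describe a PKI as the components and procedures that issue and manage certificates, and ask how tightly a certificate ties a key to a name. The program below is an added Go example, not DISA's or the DoD PKI's code: with the standard library alone it builds a root, an issuing CA and a user identity certificate, then plays the relying party (Bob), who validates the chain to the root he trusts, checks the name, and only then verifies a signature with the certified key. All names (Example DoD Root CA, ALICE.EXAMPLE and so on) are constructed, keys are P-256 ECDSA held in memory, and nothing here reflects the real DoD Class 3 hierarchy.

```go
package main

// Added example, not DISA's or the DoD PKI's code: a miniature X.509 PKI using only Go's
// standard library, with the parts the slides name: root server, issuing "certificate
// server", an identity certificate, and a relying party (Bob) who validates the chain
// before trusting the name. Names are constructed; private keys are held in memory.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type Entity struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey // the slide's "private key protected in software"
}

// template holds what the registration authority vets: name, validity, CA or not.
func template(cn string, isCA bool) *x509.Certificate {
	usage := x509.KeyUsageDigitalSignature
	if isCA {
		usage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // unique enough for a demo
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              usage,
	}
}

// Issue generates a key pair and has parent sign a certificate for it (self-signed if nil).
func Issue(tmpl *x509.Certificate, parent *Entity) (*Entity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	signerCert, signerKey := tmpl, key
	if parent != nil {
		signerCert, signerKey = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &Entity{Cert: cert, Key: key}, err
}

// DemoPKI is the chain on the slide: root server, certificate server, one user.
type DemoPKI struct{ Root, Issuing, User *Entity }

func BuildDemoPKI() (p DemoPKI, err error) {
	if p.Root, err = Issue(template("Example DoD Root CA", true), nil); err == nil {
		if p.Issuing, err = Issue(template("Example DoD Class 3 CA", true), p.Root); err == nil {
			p.User, err = Issue(template("ALICE.EXAMPLE", false), p.Issuing)
		}
	}
	return p, err
}

// Sign is the user's side: sign msg with the key the certificate vouches for.
func Sign(e *Entity, msg []byte) ([]byte, error) {
	d := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, e.Key, d[:])
}

// RelyingPartyCheck is Bob's side: validate the chain to the root Bob trusts, then the
// name, then the signature. A signature under an untrusted certificate proves nothing.
func RelyingPartyCheck(leaf, issuing, root *x509.Certificate, wantCN string, msg, sig []byte) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(issuing)
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("chain does not lead to the trusted root: %w", err)
	}
	if leaf.Subject.CommonName != wantCN {
		return fmt.Errorf("certificate names %q, expected %q", leaf.Subject.CommonName, wantCN)
	}
	pub, ok := leaf.PublicKey.(*ecdsa.PublicKey)
	d := sha256.Sum256(msg)
	if !ok || !ecdsa.VerifyASN1(pub, d[:], sig) {
		return fmt.Errorf("signature does not verify under the certified key")
	}
	return nil
}

func main() {
	p, err := BuildDemoPKI()
	if err != nil {
		panic(err)
	}
	msg := []byte("constructed sample message")
	sig, _ := Sign(p.User, msg)
	other, _ := Issue(template("Some Other Root CA", true), nil) // a root Bob does not trust
	fmt.Println("trusted root:", RelyingPartyCheck(p.User.Cert, p.Issuing.Cert, p.Root.Cert, "ALICE.EXAMPLE", msg, sig))
	fmt.Println("other root:", RelyingPartyCheck(p.User.Cert, p.Issuing.Cert, other.Cert, "ALICE.EXAMPLE", msg, sig))
}
```

The negative cases carry the lesson: a certificate whose chain ends at a root Bob does not trust is rejected before its name is even read, and a signature that does not verify under the certified key is rejected even when chain and name are fine. The assurance dimensions on slide 18 are precisely what this code cannot see: how carefully the registration authority vetted ALICE.EXAMPLE before the CA signed, and whether her private key sits in software, as here, or in a hardware token.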
Slide 19: PKI Assurance May Get Better in COTS Without Much Action on Our Part
- E.g., if smart cards become standard and interoperable, we may be able to move to hardware storage of the private key with relatively little pain
[Figure: assurance supported by COTS, now vs. then: private key protected in software (now) moving to private key protected in a hardware token, e.g., smart card (then)]
Slide 20: Detect and Respond
Slide 21: DISA Maintains Global Operational Situational Awareness...
- Monitor current and planned military operations and contingencies
- Information warfare events
- Intelligence reports
- Weather/natural disasters
- Scheduled outages
- Facility and equipment failures
- System and application failures
- IA sensor grid
[Figure: inputs labelled Physical Attack and Component Failure]
... to determine if an operational capability is degraded by attack, outage, or both
Slide 22: Global Network Operations and the DoD CERT are an Integrated Team
[Figure: event correlation supporting the Joint Task Force-Computer Network Defense; defense and protection of the Global Information Grid]
Slide 23: Getting the Word Out: Information Assurance Vulnerability Alert (IAVA)
- Response to critical vulnerabilities
  - Acknowledge receipt
  - Apply fixes
  - Acknowledge compliance
- Global distribution to DoD system administrators and program managers
- Organizational accountability
[Figure: the DoD CERT issues IAVA alerts, IAVB bulletins and technical advisories to DoD; compliance is tracked in the Vulnerability Compliance Tracking System]
http://www.cert.mil/
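The IAVA loop on this slide (acknowledge receipt, apply fixes, acknowledge compliance, with organizational accountability against suspense dates) modelled as a small tracker. This is an added Go example; it is not DISA's code and not the Vulnerability Compliance Tracking System, and the alert identifier, organization names and dates are constructed.

```go
package main

// Added example, not DISA's code: a minimal model of the IAVA compliance loop on the
// slide (acknowledge receipt, apply fixes, acknowledge compliance) with the suspense
// dates that give it organizational accountability. The alert ID, organization names
// and dates are constructed and do not describe the real tracking system's data model.

import (
	"errors"
	"fmt"
	"time"
)

// Alert is one IAVA with the two suspense dates an addressee must meet.
type Alert struct {
	ID     string
	AckDue time.Time // acknowledge receipt by this date
	FixDue time.Time // report compliance (fixes applied) by this date
}

// orgRecord is what the tracker knows about one addressee for one alert.
type orgRecord struct {
	acked, compliant time.Time // zero value means "not yet"
}

// Tracker holds the alerts and the per-organization state for each.
type Tracker struct {
	alerts map[string]Alert
	state  map[string]map[string]*orgRecord // alert ID -> organization -> record
}

func NewTracker() *Tracker {
	return &Tracker{alerts: map[string]Alert{}, state: map[string]map[string]*orgRecord{}}
}

// Issue distributes an alert to every addressee; each starts with nothing acknowledged.
func (t *Tracker) Issue(a Alert, orgs []string) {
	t.alerts[a.ID] = a
	t.state[a.ID] = map[string]*orgRecord{}
	for _, o := range orgs {
		t.state[a.ID][o] = &orgRecord{}
	}
}

func (t *Tracker) record(alertID, org string) (*orgRecord, error) {
	r, ok := t.state[alertID][org]
	if !ok {
		return nil, fmt.Errorf("%s was not an addressee of %s", org, alertID)
	}
	return r, nil
}

// AckReceipt records that the organization has seen the alert.
func (t *Tracker) AckReceipt(alertID, org string, when time.Time) error {
	r, err := t.record(alertID, org)
	if err != nil {
		return err
	}
	r.acked = when
	return nil
}

// AckCompliance records that the fixes are applied. It refuses a compliance claim from
// an organization that never acknowledged receipt, so the two steps cannot be skipped.
func (t *Tracker) AckCompliance(alertID, org string, when time.Time) error {
	r, err := t.record(alertID, org)
	if err != nil {
		return err
	}
	if r.acked.IsZero() {
		return errors.New("compliance reported before receipt was acknowledged")
	}
	r.compliant = when
	return nil
}

// Status returns, for each addressee of the alert, one of "compliant", "acknowledged",
// "pending", "overdue-receipt" or "overdue-fix" as of now.
func (t *Tracker) Status(alertID string, now time.Time) map[string]string {
	a := t.alerts[alertID]
	out := map[string]string{}
	for org, r := range t.state[alertID] {
		switch {
		case !r.compliant.IsZero():
			out[org] = "compliant"
		case r.acked.IsZero() && now.After(a.AckDue):
			out[org] = "overdue-receipt"
		case r.acked.IsZero():
			out[org] = "pending"
		case now.After(a.FixDue):
			out[org] = "overdue-fix"
		default:
			out[org] = "acknowledged"
		}
	}
	return out
}

// Overdue lists the organizations that have missed a suspense date: the
// accountability report a tracking system exists to produce.
func (t *Tracker) Overdue(alertID string, now time.Time) []string {
	var late []string
	for org, s := range t.Status(alertID, now) {
		if s == "overdue-receipt" || s == "overdue-fix" {
			late = append(late, org)
		}
	}
	return late
}

func main() {
	day := func(d int) time.Time { return time.Date(2000, time.March, d, 0, 0, 0, 0, time.UTC) }
	tr := NewTracker()
	tr.Issue(Alert{ID: "EXAMPLE-2000-01", AckDue: day(7), FixDue: day(21)}, []string{"orgA", "orgB", "orgC"})
	_ = tr.AckReceipt("EXAMPLE-2000-01", "orgA", day(2))
	_ = tr.AckCompliance("EXAMPLE-2000-01", "orgA", day(10))
	_ = tr.AckReceipt("EXAMPLE-2000-01", "orgB", day(3))
	fmt.Println(tr.Status("EXAMPLE-2000-01", day(25)))
	fmt.Println("overdue:", tr.Overdue("EXAMPLE-2000-01", day(25)))
}
```

AckCompliance refuses a compliance report from an organization that never acknowledged receipt, so the two acknowledgements on the slide cannot be collapsed into one, and Status turns the suspense dates into the overdue list that organizational accountability rests on.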
Slide 24: Build Strong Foundations
Slide 25: How Do We Know Security is Improving? DISA IA Metrics Program
1. What to measure?
   - Objective, not subjective
   - What is our current baseline, and how do we know if we've improved?
2. Analysis of the data
   - For example, is there a relationship between the number of events and the number of sensors?
3. Aimed at answering questions like...
   - Are we spending our money wisely?
   - Where are more effort/resources required?
   - Are we more or less secure than N months ago?
4. Institutionalizing the metrics process
   - Collect the measurements
   - Analyze the measurements
   - Report the measurements and observations
   - Review metrics and modify the process
Slide 26: One More Thing: Training
- DISA develops IA training materials and classes for the DoD
- Over 100 security classes provided annually
- c. 100,000 IA training CDs and videos sent out government-wide
http://its4dod.iiie.disa.mil