Information Assurance Efforts at the Defense Information Systems Agency

1
Information Assurance Efforts at the Defense Information Systems Agency in the DoD
Richard Hale
Information Assurance Engineering
Defense Information Systems Agency
hale1r_at_ncr.disa.mil
Critical Infrastructure Protection Day
March 14, 2000
2
Success in Combat Depends on Protecting Information & Information Systems
  • DoD Information Assurance efforts are aimed at
    providing assurance that war fighters and those
    who support them can safely rely on the
    information and information infrastructures
    required to fulfill their missions.

3
National Plan for Information Systems Protection
  • Prepare and Prevent
  • Detect and Respond
  • Build Strong Foundations

4
Context: The World is Attached to the Same Unclassified Network that DoD Uses
  • Internet Map Courtesy of Bill Cheswick
  • Lucent Technologies

Legend: Black = .mil
5
DoD TCP/IP Networks
JWICS
SIPRNET
NIPRNET
Internet
  • Classified networks are physically and
    cryptographically separated from the unclassified
    nets

6
Some of DISA's Missions
  • Designing, building, operating DoD intranets
  • The NIPRNET (an unclassified network)
  • The SIPRNET (a classified intranet)
  • Designing and building core DoD command and
    control systems and software processes
  • Global Command and Control System (GCCS)
  • Global Combat Support System (GCSS)
  • Common Operating Environment (COE)
  • Designing and operating the DoD's large
    processing facilities

7
One More DISA Mission
  • Designing and Operating the DoD Computer
    Emergency Response Team (DoD CERT)
  • As well as regional CERTs
  • Integrated with the management of the networks
    and information systems
  • Primary technical support to the DoD Computer
    Network Defense Joint Task Force

8
Prepare and Prevent
9
DoD Global Information Grid: Draft Information Assurance Policy
  • The DoD shall follow an enterprise-wide IA
    architecture that implements a defense-in-depth
    strategy which incorporates both technical and
    non-technical means

10
Defense-In-Depth: Layered Security Strategy
  • Counter full range of attacks
  • Defense in multiple places
  • Defenses & detection against insiders and
    outsiders
  • Multiple complementary roadblocks to certain
    attacks
  • Increases resistance
  • Allows increased use of COTS solutions
  • Contains some insiders
  • May buy time to detect, analyze, and react
  • Protect, Detect, React/Respond Paradigm
  • Detect is critical owing to imperfection of
    protections
  • Quality control via Certification and
    Accreditation

11
Defense-in-Depth: Defend the Computing Environment (End System Security)
  • Properly configured operating systems
  • DISA provides guidance documents
  • For Microsoft and various UNIX operating systems
  • Properly designed and configured application
    software
  • Common Operating Environment, Command and Control
    Software, Combat Support Software
  • Security services at the workstation
  • Anti-virus software, etc.
  • System administrator training/certification
  • Host incident monitoring/intrusion detection
  • Physical security and clearances

12
Defense-in-Depth: Defend the Enclave Boundary
  • Inventory/Mapping of Enclave
  • Including all paths in and out
  • Proper defenses on each path
  • Firewalls, dial-in security
  • Placement of externally visible servers (e.g.,
    web servers)
  • Enclave level incident monitoring, correlation,
    situation awareness
  • Hardening of infrastructure components
  • Routers, Domain Name System, etc.
  • DoD Policy on Allowed & Disallowed protocols in
    draft

13
Defense-in-Depth: Defend the Networks & Infrastructure
  • Encrypted circuits for classified nets
  • Hardened infrastructure
  • Routers, switches, Domain Name System (DNS)
    servers
  • Including intra-component signaling
  • Infrastructure security services
  • Public Key Infrastructure, Directories
  • Firewalls for network control centers
  • Incident monitoring, correlation, response
  • Joint Task Force-Computer Network Defense
    (JTF-CND)
  • Regional and Global Operations Security Centers
  • Connection approval processes
  • NIPRNET Redesign
  • Control of DoD connection to the Internet
  • Including stopping certain protocols

DoD Networks
14
DoD Defense-in-Depth Summary
There is no magic bullet
15
Public Key Infrastructure (PKI) in DoD
Enabling (some) Trust in the Digital World
  • Currently two pieces to the DoD PKI
  • 1. Medium Assurance or Class 3
  • Essentially best commercial practice
  • Based on commercial technology
  • Many organizations issuing or preparing to issue
    certificates from this infrastructure
  • 2. Fortezza
  • Being fielded as part of Defense Message System

16
What's A Public Key Infrastructure?
Relying Party (Bob)
All the components, processes, and procedures
required to issue and manage digital certificates
17
DoD Class 3 PKI Components
NSA
  • The System Is Operational and Issuing Identity
    Certificates
  • Initial Customers
  • Defense Travel System
  • Defense Security Service
  • DFAS
  • Army Chief of Staff
  • JEDMICS
  • Navy San Diego Region
  • DISA

Certificate Server
Root Server
Directory
At Two Defense Processing Centers
Local Registration Authority
Registration Authority
Users
18
How Good Are the Certificates? (or, how tight is the tie between the key and the name?)
  • A variety of dimensions of assurance
  • Strength of cryptography at end user & at
    Certificate Authority
  • Form and protection of private keys at end user
    & CA
  • Processes & controls employed in operation of the
    PKI
  • User registration, certificate issuance, auditing
    of various things, etc.
  • One selects a particular level of assurance by
  • Considering overall security requirements for
    information being protected

19
PKI Assurance May Get Better in COTS Without Much
Action on Our Part
  • E.g., If smart cards become standard and
    interoperable, we may be able to move to hardware
    storage of the private key with relatively little
    pain

Private Key Protected in Hardware Token (e.g., Smart Card)
Private Key Protected in Software
Assurance Supported by COTS
Now
Then
20
Detect and Respond
21
DISA Maintains Global Operational Situational
Awareness...
  • Monitor current and planned military operations
    and contingencies
  • Information warfare events
  • Intelligence reports
  • Weather/natural disasters
  • Scheduled outages
  • Facility and equipment failures
  • System and application failures
  • IA sensor grid

Physical Attack
Component Failure
. . . To determine if an operational capability
is degraded by attack, outage, or both
22
Global Network Operations & the DoD CERT are an Integrated Team
Event Correlation
SUPPORTING the Joint Task Force - Computer Network Defense
Defense and Protection of the Global Information
Grid
23
Getting the Word Out: Information Assurance Vulnerability Alert (IAVA)
Response to Critical Vulnerabilities
  • Acknowledge Receipt
  • Apply Fixes
  • Acknowledge Compliance

DOD
DOD CERT
IAVA
Alert
IAVB
Bulletin
  • Global distribution to DoD System Administrators
    & Program Managers
  • Organizational accountability

Technical Advisory
Vulnerability Compliance Tracking System
http://www.cert.mil/
24
Build Strong Foundations
25
How do we know Security is Improving? DISA IA Metrics Program
1. What to measure?
  • Objective not subjective
  • What is our current baseline, and how do we know
    if we've improved?

2. Analysis of the data
For example, is there a relationship between the
number of events and the number of sensors?
3. Aimed at answering questions like...
  • Are we spending our money wisely?
  • Where is more effort/resources required?
  • Are we more or less secure than N months ago?

4. Institutionalizing the Metrics Process
  • Collect the measurements
  • Analyze the measurements
  • Report the measurements and observations
  • Review metrics and modify process

26
One More Thing: Training
  • DISA develops IA training materials and classes
    for the DoD
  • Over 100 security classes provided annually
  • C100,000 IA training CDs and videos sent out
    government-wide

http://its4dod.iiie.disa.mil