The Security Network Track #2, Panel #3
Presented by John C. Deal and Erik Visnyak
October 6, 2009

Transcript of The Security Network Track #2, Panel #3

CyberSecurity for the GIG; a historical perspective

Almon Strowger - 1889
Cliff Stoll – 1987-1989
Compromise of the Greek Telephone System – 2004/2005
Cyber Attack on Estonia and the Republic of Georgia – 2007/2008
Others

A Classic Approach to Defense-In-Depth - 1999

[Diagram components: Internet, Installation Firewall (FW), External IDS, ACL, DMZ, Public Servers, Enclave Firewall (FW), Internal IDS, Intrusion Detection System, Server Tools]

1st Perimeter - Stop Common Hackers & Vulnerabilities + "Trip-Wire"
2nd Perimeter – DMZ + Stop Attacks
3rd Perimeter - Internal Trip-Wire
4th Perimeter - Allow Only Verified Enclave Users & Applications, Deny All Others
Final Defensive Perimeter - Server Trip-Wire & Other Server Security Mechanisms

Defense in Depth is more than Technology; it is about Security Controls working through Operations, People, and Technologies.

DoD publishes STIGs: a Security Technical Implementation Guide is a methodology for standardized secure installation and maintenance of computer software and hardware. A STIG describes what needs to be done to minimize network-based attacks and to stop system access if a computer criminal is physically next to the device. Lastly, a STIG may also describe the processes and lifecycles for maintenance (such as software updates and vulnerability patching).

Standard Implementation of IA Controls and STIGs to Protect, Detect and Harden Networked Information Systems - 2009

Functional Architecture for Information Assurance

IA SW Components:
Wireless Security
IPSec Gateway
Firewall Agent
Policy Management
Threat Management
IDPS Management
Vulnerability Scanner
Identity Management
Audit Management
Security Patch Management
Rogue System Detection Management
Security Management Software
CDS Workstation Software - Access
Data at Rest Encryption
Application Guard Hardware
Application Guard Software - Transfer
IA Workstation Software
Application Guard

References:
http://iase.disa.mil/stigs/index.html
http://www.nsa.gov/ia/guidance/security_configuration_guides/index.shtml
http://www.nsa.gov/ia/programs/h_a_p/releases/index.shtml
http://www.ucdmo.gov/

Descriptions of IA and Security Controls

Component: Description

Policy Management: Defines the configuration policy that the system must adhere to and that the Policy agent enforces.

IPsec Gateway: Provides layer 3 data-in-transit encryption for network traffic.

Threat Management: Obtains signature updates to push to the various agents and monitors agent activities via virus scans.

Patch Management: Collects IAVA updates and deploys them to the Patch Agent. Collects patch compliance information from the various systems.

IDPS Management: Scans inbound/outbound packets within the operating system/network and raises alerts or makes automatic prevention decisions based on the severity level of the attack signature/anomaly.

Firewall Agent: Filters ingress/egress traffic to/from the host systems. This is accomplished by port- and protocol-based rule access control lists.

CDS Workstation Software: Utilizes a secure OS to enforce separation and mandatory access control between the various VMs running on a single HW platform, allowing a specific user access to VMs at different classification levels.

Data at Rest Encryption: Encrypts the hard drive, volume partitions, directories, and files living on mobile devices.

Application Guard Software: An application developed to handle specific protocol traffic that can conduct a deep inspection of the data against specific rules (dirty words) to determine whether the traffic is allowed to move from one domain to another.

Application Guard Hardware: Accredited hardware platform that houses the MLS guard software.

Rogue System Detection Management: Collects events from the sensor agents throughout the network and raises alerts to administrators if a sensor detects a rogue system on the network.

Audit Management: Collects and analyzes audit logs from the various systems and network devices throughout the architecture. Can index the activity and raise alerts.

Vulnerability Scanner: Scans the entire network for vulnerabilities and reports any findings to the administrators.

Identity Management: Centralized repository for all user accounts that provides role-based access controls to all the domain systems.

Wireless Security HW/SW: Detects wireless signals/traffic and correlates RF signals for intrusion detection/prevention and tracking. Provides layer 2 encryption and authentication/authorization/auditing services.
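As an added illustration (not code from the panel or any DoD product), the following models the Firewall Agent row above: a host-level ACL that filters ingress/egress flows by port and protocol, falls through to deny for anything not explicitly allowed (the "deny all others" posture of the enclave perimeter), and records every denied flow as a trip-wire event for Audit Management. The rule and flow formats, the DMZ policy and the sample flows are constructed assumptions.

```python
# Added illustration, not from the panel deck: a minimal host "Firewall Agent"
# applying port/protocol rule-based ACLs to ingress/egress flows, default-deny,
# recording denied flows as trip-wire alerts. Rule/flow formats are assumptions.
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class Rule:
    direction: str              # "ingress" or "egress"
    protocol: str               # "tcp", "udp" or "any"
    ports: Tuple[int, int]      # inclusive destination-port range
    action: str                 # "allow" or "deny"
    comment: str = ""

@dataclass(frozen=True)
class Flow:
    direction: str
    protocol: str
    dst_port: int

class FirewallAgent:
    """First-match ACL evaluation; flows matching no rule fall through to deny."""
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.tripwire: List[str] = []  # denied flows, handed to audit management

    def evaluate(self, flow: Flow) -> str:
        for r in self.rules:
            if (r.direction == flow.direction and r.protocol in ("any", flow.protocol)
                    and r.ports[0] <= flow.dst_port <= r.ports[1]):
                if r.action == "deny":
                    self.tripwire.append(f"deny {flow} by rule '{r.comment}'")
                return r.action
        self.tripwire.append(f"deny {flow} (no matching rule)")  # default deny
        return "deny"

# Constructed sample policy for a DMZ public web server host.
DMZ_RULES = [
    Rule("ingress", "tcp", (443, 443), "allow", "HTTPS via the installation firewall"),
    Rule("ingress", "tcp", (22, 22), "deny", "no remote shell into the DMZ"),
    Rule("egress", "udp", (53, 53), "allow", "DNS resolution"),
    Rule("egress", "any", (0, 65535), "deny", "no other outbound traffic"),
]

def demo() -> Tuple[List[str], List[str]]:
    agent = FirewallAgent(DMZ_RULES)
    flows = [Flow("ingress", "tcp", 443), Flow("ingress", "tcp", 22),
             Flow("egress", "udp", 53), Flow("egress", "tcp", 4444),
             Flow("ingress", "udp", 161)]
    return [agent.evaluate(f) for f in flows], agent.tripwire
```

The last sample flow (inbound UDP/161) matches no rule and is still denied, which is the behaviour that distinguishes a default-deny enclave ACL from a default-allow one.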

Trust is the Basic Security Issue

Information Access and Info Sharing based on role, clearance and need to know

Challenges to Cyber-trust
◦ Pervasive computing – PDAs, phones
◦ Social networking
◦ Processing speeds

Trust and Security Control mechanisms (establishing and maintaining trust)

Basic Defense in Depth – passwords, ACLs, biometrics, encryption, etc.

IA Controls and Security Hardening

Monitoring and Maintaining Cyber-trust

Knowing where your trust relations are vulnerable

Deterrents to trust-violations
◦ Hacking deterrents
◦ Snooping
◦ Cyber-attacks

Knowing when your trust has been violated
◦ IDPS and AND (Signature Based and Behavioral Based)

Host, Wireless and Network Sensors

System Vision of the Target GIG, Version 1.0, June 2007

Contact Information:
E-Mail: [email protected]
Phone: 619-788-5200, 858-592-5626