The Security Network Track #2, Panel #3
Presented by John C. Deal and Erik Visnyak
October 6, 2009
CyberSecurity for the GIG: a historical perspective
Almon Strowger - 1889
Cliff Stoll - 1987-1989
Compromise of the Greek Telephone System - 2004/2005
Cyber Attack on Estonia and the Republic of Georgia - 2007/2008
Others
A Classic Approach to Defense-In-Depth - 1999 (diagram)
1st Perimeter - Stop Common Hackers & Vulnerabilities + "Trip-Wire"
2nd Perimeter - DMZ + Stop Attacks
3rd Perimeter - Internal Trip-Wire
4th Perimeter - Allow Only Verified Enclave Users & Applications, Deny All Others
Final Defensive Perimeter - Server Trip-Wire & Other Server Security Mechanisms
Diagram components, from the Internet inward: Installation Firewall, DMZ Public Servers, External IDS, ACL, Internal IDS, Intrusion Detection System, Enclave Firewall with ACL, Server Tools
Defense in Depth is more than Technology; it is about Security Controls working through Operations, People, and Technologies.
DoD publishes STIGs: a Security Technical Implementation Guide is a methodology for the standardized secure installation and maintenance of computer software and hardware. A STIG describes what needs to be done to minimize network-based attacks and also to stop system access if a computer criminal is physically next to the device. Lastly, a STIG may also describe the processes and lifecycles for maintenance (such as software updates and vulnerability patching).
Standard Implementation of IA Controls and STIGs to Protect, Detect and Harden Networked Information Systems - 2009
Functional Architecture for Information Assurance (diagram)
IA SW Components: Wireless Security, IPSec Gateway, Firewall Agent, Policy Management, Threat Management, IDPS Management, Vulnerability Scanner, Identity Management, Audit Management, Security Patch Management, Rogue System Detection Management, Security Management Software, CDS Workstation Software (Access), Data at Rest Encryption, Application Guard Hardware, Application Guard Software (Transfer), IA Workstation Software, Application Guard
References:
http://iase.disa.mil/stigs/index.html
http://www.nsa.gov/ia/guidance/security_configuration_guides/index.shtml
http://www.nsa.gov/ia/programs/h_a_p/releases/index.shtml
http://www.ucdmo.gov/
Descriptions of IA and Security Controls
Component: Description
Policy Management: Defines the configuration policy that the system must adhere to and that the Policy Agent enforces.
IPsec Gateway: Provides layer 3 data-in-transit encryption for network traffic.
Threat Management: Obtains signature updates to push to the various agents and monitors agent activities via virus scans.
Patch Management: Collects IAVA updates and deploys them to the Patch Agent. Collects patch compliance information from the various systems.
IDPS Management: Scans inbound/outbound packets within the operating system/network and raises alerts or makes automatic prevention decisions based on the severity level of the attack signature/anomaly.
Firewall Agent: Filters ingress/egress traffic to/from the host systems, using port- and protocol-based access control lists.
CDS Workstation Software: Utilizes a secure OS to enforce separation and mandatory access control between the VMs running on a single hardware platform, allowing a specific user access to VMs at different classification levels.
Data at Rest Encryption: Encrypts the hard drive, volume partitions, directories, and files on mobile devices.
Application Guard Software: Application developed to handle specific protocol traffic; it conducts deep inspection of the data against specific rules ("dirty words") to determine whether the traffic is allowed to move from one domain to another.
Application Guard Hardware: Accredited hardware platform that houses the MLS guard software.
Rogue System Detection Management: Collects events from the sensor agents throughout the network and alerts administrators if a sensor detects a rogue system on the network.
Audit Management: Collects and analyzes audit logs from the various systems and network devices throughout the architecture; can index the activity and raise alerts.
Vulnerability Scanner: Scans the entire network for vulnerabilities and reports any findings to the administrators.
Identity Management: Centralized repository for all user accounts that provides role-based access control to all domain systems.
Wireless Security HW/SW: Detects wireless signals/traffic and correlates RF signals for intrusion detection/prevention and tracking. Provides layer 2 encryption and authentication/authorization/auditing services.
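The Application Guard Software row describes a transfer decision; the following is an added example, not code from the presentation or from any DoD guard product, of that logic in Python: a deny-by-default guard that checks the message's classification marking against the destination domain and runs dirty-word rules on high-to-low transfers. The classification levels, the rules and the message format are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Ordered classification levels for the domains (constructed for the example).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2}

# "Dirty word" rules: content that must never cross to a lower domain (constructed).
DIRTY_WORDS = [
    re.compile(r"\bPROJECT\s+(?:ALPHA|BRAVO)\b", re.I),  # a code-word pattern
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),                  # SSN-shaped tokens
]

@dataclass
class Message:
    marking: str      # classification marking carried in the message header
    body: str
    src_domain: str
    dst_domain: str

@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)  # empty when allowed

def _normalize(text: str) -> str:
    # Strip zero-width characters and collapse whitespace so a rule cannot be
    # evaded by padding or invisible characters inside a dirty word.
    text = re.sub(r"[\u200b\u200c\u200d\ufeff]", "", text)
    return re.sub(r"\s+", " ", text)

def inspect(msg: Message) -> Decision:
    """Deny by default: the transfer is allowed only if every check passes."""
    if not all(x in LEVELS for x in (msg.marking, msg.src_domain, msg.dst_domain)):
        return Decision(False, ["unknown marking or domain"])
    reasons = []
    # 1. The marking on the content must not exceed the destination's level.
    if LEVELS[msg.marking] > LEVELS[msg.dst_domain]:
        reasons.append(f"marking {msg.marking} exceeds destination {msg.dst_domain}")
    # 2. Downgrade transfers (high to low) get dirty-word inspection of the body.
    if LEVELS[msg.src_domain] > LEVELS[msg.dst_domain]:
        body = _normalize(msg.body)
        for rule in DIRTY_WORDS:
            if rule.search(body):
                reasons.append(f"dirty word rule matched: {rule.pattern}")
    return Decision(not reasons, reasons)
```

Every denial carries its reasons so the decision can be written to the audit trail that the Audit Management component collects.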
Trust is the Basic Security Issue
• Information Access and Info Sharing based on role, clearance and need to know
• Challenges to Cyber-trust
◦ Pervasive computing - PDAs, phones
◦ Social networking
◦ Processing speeds
Trust and Security Control Mechanisms (establishing and maintaining trust)
• Basic Defense in Depth - passwords, ACLs, biometrics, encryption, etc.
• IA Controls and Security Hardening
Monitoring and Maintaining Cyber-trust
• Knowing where your trust relations are vulnerable
• Deterrents to trust-violations
◦ Hacking deterrents
◦ Snooping
◦ Cyber-attacks
• Knowing when your trust has been violated
◦ IDPS and AND (Signature Based and Behavioral Based)
◦ Host, Wireless and Network Sensors
System Vision of the Target GIG, Version 1.0, June 2007