ARMY INFORMATION ASSURANCE


Chief Information Officer/G-6
Army Information Division

COL Thaddeus (Ted) Dmuchowski
703-604-7587 (DSN 664)
Thaddeus.dmuchowski@hqda.army.mil

Army Information Assurance Program




             THE ROAD AHEAD


“At some future time, the United States
will be attacked, not by hackers, but by a
sophisticated adversary using an effective
array of information warfare tools and
techniques. Two choices are available:
adapt before the attack or afterward”

Defense Science Board (2001)
Policy Development and Oversight

[Slide diagram, "Defense in Depth": threats listed down the left (hackers, state actors, virus/malicious mobile code, terrorists) face the current Top Layer Architecture (TLA). Layer 1 (Army level): Army security router, switch, firewall, switch, IDS. Layer 2 (MACOM IA requirements): P/C/S router, switch, firewall, switch, IDS. Program elements in the centre column: PKI, SIPRNet, IA tools (firewalls, scanners, IDS), Homeland Security, training, reverse proxy servers. Oversight functions on the right: IAVA management, KMI audit and compliance, Web Risk Assessment, IA compliance assessment.]
Computer Network Defense

[Slide diagram: DISA GNOSC/DoD CERT and JTF-CND (TACON) at the top, alongside HQDA. Below them the ARFOR elements: ASC / Army NOSC, LIWA / ACERT, and the CI/CID liaison. Regional CERTs (RCERTs) for CONUS, Europe, Hawaii and Korea, each co-located with its theatre NOSC (TNOSC).]
Army Information Assurance Top Layer Architecture

[Slide diagram (FOUO): traffic from the external network enters over 256 network circuits with IDS engines into the security router (packet filtering, some SNMP trapping, basic anti-spoofing) and then an Ethernet switch. Public DMZ: public web server. Restricted DMZ: DNS server. An interior router separates the private network: users plus the web, FTP and organisational DNS servers.]
Incidents and Intrusions

Fiscal year   Total incidents   Total intrusions
FY97                 234               27
FY98                 957               47
FY99               3,087               58
FY00               5,516               64
FY01              14,641               98
FY02               6,514               30

Source: Army Computer Emergency Response Team (ACERT), FOUO. FY02 figures are as of 12 March 2002.
Top Layer Architecture – Redesign

[Slide diagram: INTERNET → Army security router → switch → redundant firewalls → L4 switch feeding four IDS sensors. Army DMZ: reverse proxy server. ADRP router with load balancing in front of the Army DMZ protected domain name servers. A second pair of redundant firewalls with load balancing fronts the private DMZ. The upper portion is the Army level (Layer 1); the lower portion is the installation level (Layer 2).]
Top Layer Architecture – Redesign – Layer 1

Component              Capability                                          Current limitation
Army Security Router   Allows the Army to block cyber attacks from the    Routers are outdated and too small to
                       INTERNET and provides some basic protections       handle the amount of traffic
Firewalls (2)          Allow the Army to prevent attacks                  Currently the Army can only block and
                                                                          detect cyber attacks
IDS (4)                Allow the Army to detect cyber attacks that        Currently one IDS cannot review all
                       infiltrated the router and firewall                the traffic

Will require additional people. Hardware must be updated – new firewalls and an increased number of IDS.
Army Information Assurance Vulnerability Alert Process

[Slide flow diagram: DoD CERT issues the IAVA alert message; Army CERT tailors the alert to the Army and disseminates it (IAVA dissemination, ACTION) to the MACOM IA Program Managers (IAPMs), who pass it to subordinate commanders' IA Managers (IAMs) and on to systems administrators at all levels of command. IAVA information, acknowledgement and compliance reporting flow back up the same chain, and compliance information is reported to Army senior leadership.]
Information Assurance Vulnerability Alert (IAVA) Compliance Verification Team (CVT)

Checked against the IAVA list:

• 39 inspections conducted
• 54,251 servers/workstations checked
• 1,800 instances of IAVA non-compliance
• 3.3% non-compliance rate
Reverse Proxy Server Initiative
Army Protected Domain Name Service (DNS) Architecture

Tier 0 (3 servers): responds to DNS queries that come from outside the Army.
Tier 1 (17 servers): management of the "electronic phone book"; answers tier 0 queries.
Tier 2 (57 servers): regional resolution and redundancy.
Tier 3 (111 servers, 123 projected): local extension of tier 2.

All tiers are centrally monitored and configured. 200 servers projected; 185 legacy servers eliminated.
Total DNS Queries, Queries Denied, and Queries and Zone Transfers Denied – Foreign

Month    Total DNS queries   Total queries denied   Queries and zone transfers denied (foreign)
SEP 01        601M                 1.4M                          116K
OCT 01        411M                 860K                           34K
NOV 01        133M                 831K                           19K
DEC 01        442M                 1.3M                           12K
JAN 02        392M                 1.8M                           57K
FEB 02        149M                 509K                           50K
Computer Crime Investigation Unit

• Force multiplier for the commander
• Provides proactive deterrence and Information Assurance enforcement
• Enforces laws that protect and enable the Army Information Assurance Program
• CCIU investigates intrusions into Army computer systems
  - 58% solve rate in FY01; 44% solve rate in FY00
  - USMA investigation disclosed over 8,000 DoD and civilian systems compromised (FY00-01)
• CCIU conducts vulnerability assessments to deter threats
  - Transformed IAVA compliance inspections with an interactive CD-ROM report to commanders that includes a network map and repair patches for all vulnerabilities discovered in IAVA scans
Army Web Risk Assessment Cell

The Army has developed a cell that uses automated tools to determine whether web content follows OPSEC guidelines.

It will ensure that Army web sites are compliant with DoD Web Policy.
Information Assurance Tools

• One tool box – unlimited use
• COTS tool use guidance
• Information Assurance (IA) Blanket Purchase Agreement (BPA)
• NSA standards – firewalls/HAGs
• NIST encryption standards
Army Information Assurance Training Program

NOTE: Figures are approximate numbers of personnel trained annually.

• Resident/"school house" instruction for military, DA civilians and contractors: System Administrators/Network Managers 2,760; technical IDS and firewall training 450
• 800+ computer-based training courses
• Congressionally sponsored university IA programs
• IA Officer mobile training teams, world-wide: 900
• Quarterly workshops, world-wide: 1,000
• VCSA-directed training and retention study
• Support to Army General Officer digitization workshops

[Map on the slide marks the training sites: Mannheim, GE; Ft Shafter, HI; Ft Huachuca, AZ; Army Signal School, Ft. Gordon, GA and 10 other CONUS sites; Taegu, S. Korea.]
Training Classrooms

Location                                # of seats   IOC
Army Signal Center - Ft. Gordon, GA        240       APR 98
Army Signal Center - Ft. Gordon, GA        240       MAR 99
USARC - Ft. McCoy, WI                      240       NOV 99
Korea - Taegu and Seoul, S. Korea          240       APR 00
NGB (Prof Ed Ctr) - Little Rock, AR        240       AUG 00
FORSCOM - (ASC) Ft Huachuca, AZ            120       JAN 00
FORSCOM - Ft. Hood, TX                     240       APR 00
FORSCOM - Ft. Bragg, NC                    240       AUG 00
FORSCOM - Ft. Lewis, WA                    240       OCT 00
USAREUR - Germany                          240       MAR 00
SMDC - Huntsville, AL                      240       AUG 00
USARPAC - Ft. Shafter, HI                  240       APR 01

Total: 2,760 seats
Army Communications Security Program
Communications Security Equipment

• Collects and validates all Army COMSEC equipment requirements
• Represents requirements to the Equipment PEG
• Disseminates equipment based on G-3 guidance
Army Accreditation and Certification

• Certification and Accreditation for Army-level systems, and assistance to Army MACOMs
• Army representative and voting member of the Defense Security and Accreditation Working Group (DSAWG)
• High Assurance Guards: Certification and Accreditations
Electronic Key Management (EKMS)
Army Public Key Infrastructure (PKI) Program
Army Public Key Foundation

[Slide diagram: digital signature algorithm and encryption algorithm icons.]

• Army will comply with DoD PKI policy
• Army will use DoD PKIs only
Common Access Card

[Slide diagram: sample card for an Army active-duty officer ("Parker IV, Christopher J", pay grade O5).]

• Personnel identification – replaces the "ID" card
• Building access
• Systems and network access; with PKI application provides digital signature and data encryption
• Other functional applications: medical, logistics, personnel, travel, acquisition, etc.
SIPRNet PKI

[Slide diagram: policy, certification and accreditation, the SIPRNet enclave, and its nodes.]
Army Audit and Compliance for PKI and COMSEC

[Slide diagram: policy, certification and accreditation, unclassified/classified PKI, and COMSEC accounts.]
Army Tactical Information Assurance Program
FDD Security Architecture

[Slide diagram: the tactical network (NCS, LEN, SEN, TOC, intelligence systems, wireless LAN) connected to the NATO analog interface, DISN (MMT 1500), JWICS, JTF, SIPRNET (SECRET) and NIPRNET (SBU) through TAPP (Transportable Assemblage Perimeter Protection), inline network encryptors, firewalls and firewall/HAG combinations, router access control mechanisms, CAMPS and IDS sensors at each boundary.]

Legend: INE – Inline Network Encryptor; RACM – Router Access Control Mechanism; IDS – Intrusion Detection System; HAG – High Assurance Guard; Firewall; Router; ACL.
Theoretical Vulnerability

[Slide diagram: "In theory a hacker may gain control of the weapons platform." The path is traced from CONUS (SIPRNET, NIPRNET, JWICS) via STEP and TAPP to the DIV TOC and NCS, over HCLOS to the brigade (NTDR, BDE TOC, SEN), then to the battalion (BN TOC), company (EPLRS) and platoon (SIP), ending at the fire control CPU, FBCB2 CPU and RPCs.]
Army Policy Development, Coordination and Promulgation

Army Policy

[Slide diagram: AR 25-1 Information Management, with Information Assurance covered by Army PAM 25-IA and Army Regulation 25-IA.]
Conclusion

FULL DIMENSIONAL PROTECTION
