Community of Interest Information Sharing Network Architecture: Network Architecture for Secure Consolidation and Collaboration

CHALLENGE

Today’s dynamic operational environments rely on close collaboration among communities of interest—with goals as diverse as peacekeeping, humanitarian response, and commerce—and close collaboration requires information sharing. U.S. Representative Tom Davis, chairman of the House Committee on Government Reform, said it best: “The reality is, we are incapable of storing, moving, and accessing information. No government does these things well, especially big governments. We spend $150 billion a year on information technology. You’d think we could share information by now. But we are still an analog government in a digital economy and culture.”

The frustration is that government’s existing policies and technology prevent the efficiencies and improved effectiveness that come from sharing information and infrastructure. Until now, security constraints and traditional IT practices led each agency to build and maintain its own separate, complex, and highly customized infrastructure. The result is duplicate networks, servers, and storage devices, with multiplied equipment and operational costs. Often, operational effectiveness fell short for the simple reason that collaborating agencies could not grant each other selective access to applications and data on their networks. To share data, one had to resort to “sneaker netting”: physically transporting a CD, tape, or other media to the recipient, hardly a recipe for responsive operations.

Imagine if communities of interest (COI) could build secure collaboration architectures. In such a scenario, each partner’s information would be kept separate. When the need arose, however, individuals could instantly share specific classified information—from simple memos to multiterabyte geospatial databases—with selected partners, according to individual authorization levels.
Quite simply, a secure COI Information Sharing Network enables new types of collaboration. COI information is protected and available only on a need-to-know basis, but it can be dynamically shared when the need arises. To meet the COI information sharing challenge, partners must implement a robust, flexible network architecture that provides trust based on defense in depth. This trust must extend across the entire data path, including desktops, servers, networks, and multitier storage environments. The following security components are essential to the task:

Access control—to restrict access at the network edge
• User, port, and machine authentication, as well as verification and remediation for wireless and wired networks
• Network admission and rights based on host security state and user authorization

Path isolation—to separate data as it traverses the shared network architecture
• Network and system resource allocation based on policies
• End-to-end network segmentation and encryption of data in flight
• Storage virtualization
• Host virtualization

Data privacy—to protect data from unauthorized viewing
• Stored data encryption
• Secure key management

Policy enforcement—to dynamically manage security based on operating policy
• Tamper-evident monitoring of user and administrative actions
• Centralized services and policies management
• Continual posture assessment

Cisco Systems®, Microsoft®, and Decru®, a NetApp Company, together have developed a commercial off-the-shelf (COTS)-based architecture for secure consolidation and information sharing that meets the needs outlined above. The Community of Interest (COI) Information Sharing architecture addresses a wide range of operational challenges while keeping down costs in today’s fragmented IT infrastructure. Cisco®, Microsoft, and Decru designed the architecture to support the stringent requirements of the dynamic, multinational information-sharing environments found in today’s military operations.
Today, this same architecture is available to help civilian governments with information sharing challenges ranging from homeland security to improving citizen services. Now, communities of interest can securely share infrastructure and data, increasing their operational efficiency, at a fraction of the cost of current approaches. The COI Information Sharing architecture creates a single, secure foundation that allows members of established and ad hoc coalitions to share information rapidly, while not only protecting stored and in-transit data but also enforcing policies and privileges. Partners can add network security measures and applications to strengthen security for e-mail, IP voice communications, and other applications. Best of all, organizations can capitalize on existing investments in servers, networks, applications, storage, and skills, because the COI Information Sharing architecture builds on their existing infrastructure. This helps organizations achieve the potential offered by a secure collaboration architecture without the high costs.

THE COI INFORMATION SHARING ARCHITECTURE

Working together, industry leaders Cisco, Microsoft, and Decru have provided a comprehensive approach that enables interagency information sharing and consolidation through a secure end-to-end architecture. The architecture uses COTS products to provide defense in depth with multiple, overlapping layers of automated security based on flexible policy management.
It also applies native security features and defense-in-depth principles to provide information assurance at four fundamental layers:
• Access control—to manage and control access of client and server endpoints
• Path isolation—to segment and isolate information as it traverses a shared network infrastructure
• Data privacy—to secure stored data from external and internal threats, and to provide cryptographic segmentation of multiple groups in shared storage
• Policy enforcement—to support dynamic changes in mission and structure of organizations

Access Control

The Cisco Security Agent provides host intrusion prevention and security features for servers and desktop machines, with support for major operating systems, including Microsoft Windows®, Linux, and Solaris. The Cisco Security Agent software resides between the applications and the kernel, giving it full visibility of application behavior with minimal impact on the stability and performance of the underlying operating system. The agent intercepts operating system calls to file, network, and registry resources, as well as to dynamic run-time resources such as memory pages, shared library modules, and Component Object Model (COM) objects. It correlates the behavior of these system calls against rules that define inappropriate or unacceptable behavior for a specific application or for all applications. Because the decision is based on observed behavior rather than on signatures, the agent, as directed by the security staff, can prevent intrusions it has never seen before. When an application attempts an operation, the Cisco Security Agent checks the operation against the application’s security policy, makes a real-time allow or deny decision on its continuation, and determines whether to log the request.
Security features of the Cisco Security Agent software include:
• Host intrusion prevention
• Spyware/adware protection
• Protection against buffer overflow attacks
• Distributed firewall capabilities
• Malicious mobile code protection
• Operating system integrity assurance
• Application inventory
• Audit log consolidation

For user authentication, Cisco Secure Access Control Server (ACS) is a highly scalable, high-performance access control server that operates as a centralized RADIUS and TACACS+ server. It controls authentication, authorization, and accounting (AAA) for users who access data resources through the network. The Cisco Secure ACS authorizes types of network services for individual users or groups, and it keeps an account of all actions. Managers can also use the AAA framework with TACACS+ to manage administrative roles and groups, and to control how administrators change, access, and configure the network internally.

Microsoft Active Directory® acts as the central authority for managing authentication of user identity and controlling access to network resources. The directory supports the login authentication mechanisms within the COI Information Sharing Network, including Kerberos and X.509 certificates. In addition, Active Directory supports a fully integrated public key infrastructure and Internet security protocols such as LDAP over Secure Sockets Layer (SSL).

Network Admission Control (NAC) uses network infrastructure devices and Cisco Security Agents at the network’s endpoints to make sure every device adheres to established policies before it is allowed to connect to the network. The Cisco Security Agent serves as a trust agent, a middleware component that allows the endpoint to interact with multivendor security software residing on the endpoint and elsewhere on the network.
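The admission decision this section describes (a compliant endpoint admitted to its community's VLAN, a non-compliant one quarantined for remediation, an unauthenticated device kept off the port), as an added example in Python. It is not Cisco code: it models the policy evaluation a server such as Cisco Secure ACS performs once the 802.1X exchange and the posture report are in, and returns the RFC 3580 RADIUS tunnel attributes a switch uses to place the port in a VLAN. The posture attribute names, policy thresholds, directory group names and VLAN numbers are assumptions made up for the example.

```python
"""Posture-based network admission decision for an 802.1X-authenticated port.

Added example, not Cisco code. Policy values, VLAN numbers, group names and
posture attribute names are assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Decision(Enum):
    DENY = "deny"              # port stays unauthorized: no access at all
    QUARANTINE = "quarantine"  # remediation VLAN only, so the endpoint can be fixed
    PERMIT = "permit"          # the COI VLAN of the user's directory group


# Assumed posture policy: what a healthy endpoint must report.
POLICY = {
    "agent_required": True,                 # trust agent / Cisco Security Agent running
    "firewall_required": True,
    "min_patch_level": 3,
    "min_av_signature_date": "2005-10-01",  # ISO dates compare correctly as strings
}
QUARANTINE_VLAN = 999
# Assumed directory group -> COI VLAN mapping, in priority order (first match wins).
GROUP_VLANS: Dict[str, int] = {"coi-admins": 100, "coalition-a": 10, "coalition-b": 20}


@dataclass(frozen=True)
class Identity:
    authenticated: bool            # outcome of the 802.1X/EAP exchange
    username: str
    groups: Tuple[str, ...] = ()   # from the directory (Active Directory in the architecture)


@dataclass(frozen=True)
class Posture:
    """What the endpoint agent reports; None means the attribute was not reported."""
    agent_present: bool = False
    firewall_enabled: Optional[bool] = None
    patch_level: Optional[int] = None
    av_signature_date: Optional[str] = None


def posture_violations(posture: Posture, policy: dict = POLICY) -> List[str]:
    """Every failed *or unreported* check is a violation: the decision fails closed."""
    violations = []
    if policy["agent_required"] and not posture.agent_present:
        violations.append("security agent not running")
    if policy["firewall_required"] and posture.firewall_enabled is not True:
        violations.append("host firewall disabled or unreported")
    if posture.patch_level is None or posture.patch_level < policy["min_patch_level"]:
        violations.append("patch level below %d or unreported" % policy["min_patch_level"])
    if (posture.av_signature_date is None
            or posture.av_signature_date < policy["min_av_signature_date"]):
        violations.append("antivirus signatures older than %s or unreported"
                          % policy["min_av_signature_date"])
    return violations


def admit(identity: Identity, posture: Posture,
          policy: dict = POLICY) -> Tuple[Decision, Optional[int], List[str]]:
    """Return (decision, VLAN to assign or None, reasons). Order matters: an
    unauthenticated device never gets a quarantine VLAN, and a healthy endpoint
    whose user belongs to no community of interest is still refused."""
    if not identity.authenticated:
        return Decision.DENY, None, ["802.1X authentication failed"]
    violations = posture_violations(posture, policy)
    if violations:
        return Decision.QUARANTINE, QUARANTINE_VLAN, violations
    for group, vlan in GROUP_VLANS.items():
        if group in identity.groups:
            return Decision.PERMIT, vlan, []
    return Decision.DENY, None, ["user %s is in no COI group" % identity.username]


def radius_attributes(decision: Decision, vlan: Optional[int]) -> Dict[str, str]:
    """The RADIUS reply the switch acts on: Access-Accept carrying the RFC 3580
    tunnel attributes that assign the port to a VLAN, or Access-Reject."""
    if decision is Decision.DENY or vlan is None:
        return {"Packet-Type": "Access-Reject"}
    return {
        "Packet-Type": "Access-Accept",
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": str(vlan),
    }
```

Two details worth noticing: an unreported posture attribute counts as a violation, so an endpoint with no agent cannot talk its way onto the network by simply staying silent; and a quarantine decision is still an Access-Accept, just with the remediation VLAN, which is what lets the quarantine zone's remediation server reach the endpoint while the rest of the network stays out of reach.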
If the endpoint machine is out of compliance with configuration or other posture requirements, the security software either denies entry to the machine or places it in a quarantine area for further attention. The quarantine zone may include a remediation server that can install the appropriate software on the endpoint and purge it of malicious or unauthorized software.

Cisco NAC verifies access at the port authentication level. Cisco networking devices support the IEEE 802.1X standard for authenticating devices attached to LAN ports. Using 802.1X port security, the device can grant access to a port based on credentials supplied by the endpoint. This approach supplements the granting of network access based on a user’s IP address, MAC address, or subnetwork. The switch relays the 802.1X exchange to the Cisco Secure ACS, whose RADIUS capability handles this authentication (TACACS+ is used for device administration, not for 802.1X).

Path Isolation

With the COI Information Sharing Network, managers gain a rich set of capabilities for securing network storage. The Cisco MDS 9000 family of multilayer directors and fabric switches for storage area networks (SANs) works closely with Decru DataFort™ storage security appliances to provide secure SAN consolidation and data privacy. These devices can securely consolidate multiple SAN “islands” while maintaining data separation and minimizing performance degradation. This shared infrastructure approach results in significant savings in the cost of hardware and administration, while it increases the security of data at rest. The Cisco MDS 9000 family delivers a full array of security features. These include RADIUS authentication, Simple Network Management Protocol Version 3 (SNMPv3), role-based access control, Secure Shell (SSH), Secure File Transfer Protocol (SFTP), Fibre Channel Security Protocol (FC-SP), virtual storage area networks (VSANs), hardware-enforced zoning, logical unit number (LUN) zoning, read-only zones, access control lists, port security, and VSAN-based access control.
Port, fabric, and VSAN security ensures separation between groups. To validate these security features, Cisco has invested in security evaluations from the National Institute of Standards and Technology (NIST) and others for the entire MDS 9000 family. See: http://niap.nist.gov/ccscheme/in_evaluation.html#c

The Fibre Channel fabric achieves a high level of security, stability, and performance with virtual SAN (VSAN) capabilities. By employing VSANs, the network can segregate storage traffic on a community of interest basis as the information flows through the switch. Instead of isolating data by creating physically separated SAN islands, the network uses a single switch or series of switches to house multiple communities of interest. Once established, VSANs also allow for policy-based quality of service (QoS) and security. As an example, a given application or coalition partner may require more bandwidth than others. Configuring a higher VSAN QoS policy ensures that, as the SAN traffic traverses the network, that application or partner receives priority over all others.

All Cisco MDS 9000 switching devices impose fabric-wide authentication among themselves and at the endpoints. Authentication is performed locally or remotely in each fabric. To prevent misconnection of switches when storage islands are consolidated, all devices seeking to join the SAN are challenged during port login. This security measure prevents accidental access and such attacks as World Wide Name (WWN) spoofing, in which an unauthorized server is substituted for an existing server to gain access to privileged information. Nontrusted or unsupported Cisco MDS 9000 ports are isolated and denied access to resources. As a result, data center personnel cannot connect switches or endpoints to the SAN, or link two SANs in one fabric, unless explicitly permitted. This precaution also prevents rogue devices from snooping the network.

Typically, any Fibre Channel device in a SAN can attach to any SAN switch port and access SAN services based on zone membership. With LUN zoning provided by the Cisco MDS 9000 units, administrators can restrict access to specific logical unit numbers associated with a storage device. Cisco MDS 9000 port security features also prevent unauthorized access, and all intrusion attempts are reported to the SAN administrator. After authentication through fabric security, unmapped port pair entries are not allowed to join the fabric unless explicitly permitted.

Data Privacy

As part of the COI Information Sharing Network, Decru DataFort™ storage security appliances work seamlessly with the Cisco MDS 9000 family to secure data in shared storage environments. Deployed in the SAN, DataFort FC-Series appliances transparently protect stored data with wire-speed encryption, strong access controls, and secure auditing. Decru Cryptainer™ vaults provide cryptographic compartmentalization of data at rest, allowing secure consolidation of multiple groups in a single shared storage environment. Because the solution encrypts data before it enters the storage environment, all primary and replicated copies are protected, which helps ensure need-to-know control over stored data. Decru DataFort has received Federal Information Processing Standards (FIPS) 140-2 Level 3 certification, NIST algorithm validation for the Advanced Encryption Standard (AES) and Secure Hash Algorithm (SHA), and Department of Defense 5015.2 certification. National Information Assurance Partnership/Common Criteria EAL4+ certification is pending. Decru adds another layer of port security to the hardware-based port security that the Cisco MDS 9000 family provides, enforcing those access controls with encryption of stored data.
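How the properties claimed above fit together (a key per compartment, encryption before the data reaches storage so that replicas are covered, and destruction of the key as the way to destroy every copy), together with the quorum-of-smartcards key recovery that this section later describes for Lifetime Key Management, as an added example. It is not Decru or NetApp code and uses only the Python standard library: the cipher is HMAC-SHA256 in counter mode standing in for DataFort's FIPS-validated AES, recovery uses Shamir secret sharing over a prime field, and the compartment names, the 3-of-5 quorum and the check value are assumptions.

```python
"""Per-compartment keys, quorum key recovery and crypto-shredding (stdlib only).

Added example, not Decru/NetApp code. The HMAC counter-mode stream stands in for
AES; the 3-of-5 quorum, compartment names and check value are assumptions.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

P = 2 ** 255 - 19   # prime field for Shamir sharing; a 32-byte key is one field element
NONCE_BYTES = 16
CHECK = b"KEYCHECK"  # known plaintext kept encrypted, so a recovered key can be validated


def new_key() -> bytes:
    return secrets.randbelow(P).to_bytes(32, "big")


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: block i = HMAC-SHA256(key, nonce || i). Any keyed
    cipher serves the point being made: without the key the ciphertext is useless."""
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_BYTES)  # fresh per write; never reused under one key
    stream = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, stream))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:NONCE_BYTES], blob[NONCE_BYTES:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


def split_key(key: bytes, threshold: int, count: int) -> List[Tuple[int, int]]:
    """Shamir sharing: random polynomial of degree threshold-1 with the key at x=0;
    share i is (x_i, f(x_i)). Fewer than `threshold` shares reveal nothing."""
    secret = int.from_bytes(key, "big")
    assert secret < P and 1 < threshold <= count
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P)
            for x in range(1, count + 1)]


def recover_key(shares: List[Tuple[int, int]]) -> bytes:
    """Lagrange interpolation at x=0. Too few shares give an unrelated value rather
    than an error, so the caller must validate the result (see CompartmentStore.recover)."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret.to_bytes(32, "big")


class CompartmentStore:
    """One key per compartment (Cryptainer-style vault). live_keys models the key
    server; recovery_shares models the quorum of recovery smartcards."""

    def __init__(self, threshold: int = 3, cards: int = 5):
        self.threshold, self.cards = threshold, cards
        self.live_keys: Dict[str, bytes] = {}
        self.recovery_shares: Dict[str, List[Tuple[int, int]]] = {}
        self.check_values: Dict[str, bytes] = {}

    def create(self, name: str) -> None:
        key = new_key()
        self.live_keys[name] = key
        self.recovery_shares[name] = split_key(key, self.threshold, self.cards)
        self.check_values[name] = encrypt(key, CHECK)

    def write(self, name: str, data: bytes) -> bytes:
        """Encrypt before the data reaches storage, so replicas and backups are covered too."""
        return encrypt(self.live_keys[name], data)

    def read(self, name: str, blob: bytes) -> bytes:
        if name not in self.live_keys:
            raise PermissionError("no key for compartment %r" % name)
        return decrypt(self.live_keys[name], blob)

    def recover(self, name: str, card_indexes: List[int]) -> bool:
        """Quorum recovery after the key server lost a key; True if the quorum sufficed."""
        shares = [self.recovery_shares[name][i] for i in sorted(set(card_indexes))]
        key = recover_key(shares)
        if decrypt(key, self.check_values[name]) != CHECK:
            return False  # too few (or wrong) cards: the interpolated value is garbage
        self.live_keys[name] = key
        return True

    def shred(self, name: str) -> None:
        """CryptoShred: destroy the key and every recovery share. Ciphertext on disk,
        tape and replicas survives but can no longer be decrypted by anyone."""
        self.live_keys.pop(name, None)
        self.recovery_shares.pop(name, None)
        self.check_values.pop(name, None)
```

Two points the code makes that the prose does not: a quorum below threshold does not fail loudly, the interpolation simply yields a wrong key, so recovery must validate the result before it is put into service; and shredding must destroy the recovery shares as well as the live key, otherwise the quorum can bring the compartment back. The counter-mode stream here carries no integrity check; an authenticated mode would be used in practice.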
This combination of products creates interlocking layers of defense around stored data—fabric security, access controls, authentication, storage encryption for disk or tape, and secure, cryptographically signed logging—without compromising ease of use or performance. Data is secured from unauthorized users and administrators, as well as from electronic or physical compromise. Access to data can be quickly provided or revoked. This helps ensure protection for the entire data path, including hosts, Fibre Channel networks, and data in storage.

For network-attached storage (NAS) environments, Decru DataFort E-Series appliances support file protocols, including Common Internet File System (CIFS), Network File System (NFS), and FTP, as well as optional hardware-accelerated IP Security (IPsec) and SSL. DataFort E-Series supports directory servers including Active Directory, Network Information Service (NIS), and LDAP, and can be configured to provide layered security for sensitive directory changes. The solution also supports Internet Small Computer System Interface (iSCSI) block-based access for applications.

The Decru Lifetime Key Management™ system offers a unified, enterprisewide key management infrastructure for storage security. Keys are encrypted at all times, and sensitive key recovery and key sharing operations require a quorum of recovery smartcards. The Decru platform supports SAN, iSCSI, NAS, and tape environments. It also provides the industry’s first integrated platform for securing stored data in heterogeneous storage and encryption environments. Decru CryptoShred™ features enable no-touch deletion of distributed data copies by destroying the keys that protect them, allowing the reuse of hardware and mitigating remediation efforts for data spillage. DataFort also offers role-based access controls for administrators, enabling role separation and delegation of tasks. Administrator access rules are enforced by two-factor authentication using smartcards. For more on requirements for cryptographic modules, go to the NIST Cryptographic Module Validation Program site at http://csrc.nist.gov/cryptval. All products on this site are either certified or currently undergoing evaluation.

Policy Enforcement

The Cisco Security Monitoring, Analysis and Response System (Cisco Security MARS) appliances combine network intelligence, context correlation, vector analysis, anomaly detection, hotspot identification, and automated mitigation capabilities. With these capabilities, managers can accurately identify, manage, and eliminate network attacks while they maintain compliance with policies. Cisco Security MARS helps track a broad array of security measures by monitoring operations and managing security information. The appliance centrally aggregates logs and events from a variety of devices, including routers and switches, security devices and applications, hosts, and network traffic. It captures thousands of events, isolates real threats from false alarms, and can automatically issue commands to mitigate the impact of an attack.

Cisco Security MARS also consumes NetFlow, a Cisco technology that monitors network traffic. NetFlow periodically reports on flows seen by the router via User Datagram Protocol (UDP). A flow is a unidirectional stream of packets that share source and destination IP addresses, source and destination ports, IP protocol, type of service, and input interface; a TCP session therefore appears as two flows, one in each direction. NetFlow provides data used for statistical profiling to pinpoint day-zero attacks, such as worm outbreaks. Because multiple flows are packed into one UDP packet, NetFlow can be very efficient for monitoring high volumes of flows, compared to traditional mechanisms such as Syslog or SNMP.

NetFlow provides the following data:
• Network usage—top users, ports, and so on, via queries and reports, by bytes and sessions
• Traffic anomaly detection—as when a user sends or receives a statistically unusual number of flows on a port (against hard-coded thresholds), or when excessive Internet Relay Chat (IRC) connections, Internet Control Message Protocol (ICMP) traffic, or Simple Mail Transfer Protocol (SMTP) traffic come from the same source

Cisco Security MARS detects anomalies by using two dynamically generated watermarks that compare previous NetFlow data against current data. When the data breaches the first watermark, Cisco Security MARS starts to save that data. When the data rises above the second watermark, Cisco Security MARS creates an incident.

Operational Example

Command Center Operations

To illustrate how the COI Information Sharing Network security measures operate, consider a Command Center (CAOC) scenario. When a user sits down at a Command Center workstation linked to the network, the station displays a standard login screen that uses Microsoft Active Directory to access the user’s profile. The switch offering the port connection (the 802.1X authenticator) validates the client using a predetermined identity policy based on the IEEE 802.1X standard for access control and authentication. If authentication is successful, traffic can pass through the switch port according to policies that can be enforced by other security layers.

Network Admission Control provides an additional level of security at the client level. In this case, the workstation is allowed to connect only if it conforms to policies stored in policy servers. A Cisco Security Agent scans the workstation’s configuration for the presence of behavior blocking, personal firewall, antivirus, and patch software. The agent delivers this information by means of a router, switch, or VPN concentrator to one or more Cisco Secure Access Control Servers, which determine whether or not the configuration and posture are consistent with current policies. An AAA policy server informs the Cisco Secure ACS about policies and authorization parameters. If the workstation is out of compliance, the Cisco Secure ACS has the associated router prevent the connection. Unauthorized devices, such as a rogue laptop, are automatically excluded. These operations take place almost instantaneously, so the user experiences no appreciable delay.

Based on the user’s login credentials and security posture, the Command Center can designate which parts of the network the user may access. After the user is authenticated, authorized, and assigned to the appropriate VLAN, the Cisco Security Agent protects the workstation by using behavior-based defenses to detect abnormal activity and block it before it can cause damage. The user can now access the familiar suite of Microsoft and other agency applications and share files for which that user has been authorized. Access to specific resources—such as CD-ROMs, write capability for CD-RW and CD-R disks, serial ports, and USB devices—may be restricted by policies implemented through the Cisco Security Agents.

If the user needs to access stored data, the Cisco MDS 9000 directors and fabric switches (along with the Decru DataFort appliances and existing storage management utilities) impose access controls and authentication controls that are transparent to the user. Data is encrypted while it is in storage and secured while in transit. All access to SAN, NAS, DAS, iSCSI, and tape backup devices is routed through secure hardware.

BENEFITS

The COI Information Sharing Network supports security by providing:
• A tiered approach that delivers multiple layers of automated security
• Economical COTS infrastructure, which takes advantage of current investments and skill sets
• Familiar user interfaces, which minimize the need for training
• Authentication at the user, machine, and port levels
• Network admission control that applies policy-based admission criteria to each endpoint before allowing connection
• Data encryption for stored and in-transit data streams
• Cryptographic segmentation of stored data for significant consolidation cost savings
• Access to stored data based on permissions set in Microsoft Active Directory
• Digital rights management of e-mail and attachments
• VSANs for consolidated storage and centralized data management
• Automated security tools and internal threat defense, including cryptographically signed audit logs
• Emergency network lockdowns and policy change capabilities based on security conditions
• Security monitoring and reporting tools that provide pertinent, actionable information for managers

WHY CISCO AND DECRU

Cisco has broad experience focusing on the security needs of government and commercial organizations. The company offers a far-reaching set of products and services aimed at protecting infrastructure, responding to network threats, complying with data-handling regulations, and improving productivity. The secure COI Information Sharing Network initiative combines Cisco’s expertise with that of security industry leader Decru to provide an interlocking security ecosystem designed for ever-changing operational environments. Cisco is the worldwide leader in networking technologies, with a 20-year history supporting customers of all sizes around the globe.
Cisco service and support rank among the best in the networking industry, reaching from the United States to remote regions of the world, including network support to armed forces deployed around the world. By working with the established industry leader, defense agencies benefit from:
• Proven performance, reliability, and security
• A broad range of technical experts and engineers who understand the unique requirements of defense agencies
• Interoperability with a broad array of standards-based devices and existing network infrastructures
• Sustained value with upgradeable, standards-based COTS products
• Best practices based on showcase network deployments

Decru, Inc., a NetApp company, develops storage security solutions to address critical business requirements, including privacy, regulatory compliance, intellectual property protection, and internal controls. Founded in 2001, Decru provides security solutions to many of the world’s largest enterprises and government/military organizations.
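The two-watermark NetFlow anomaly detection described under Policy Enforcement, as an added example in Python placed at the end of this document. It is not Cisco Security MARS code: for each source address, the flow count in the current interval is compared with that source's count in the previous interval; crossing the first watermark starts retaining the flow records as evidence, crossing the second opens an incident. The interval length, the 3x and 10x multipliers, the 20-flow floor, and the sample traffic (a workstation that sweeps port 445 across two subnets in its second minute) are assumptions constructed for the example.

```python
"""Two-watermark flow anomaly detection over NetFlow-style records.

Added example, not Cisco Security MARS code. Interval length, multipliers,
floor and the sample traffic are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Flow:
    start: int     # seconds since the capture began
    src: str
    dst: str
    proto: str
    dport: int
    octets: int


@dataclass(frozen=True)
class Incident:
    interval_start: int
    src: str
    count: int      # flows from src when the high watermark was crossed
    baseline: int   # the previous-interval count the watermarks were derived from


INTERVAL = 60      # seconds per comparison interval
LOW_MARK = 3.0     # start retaining a source's records at 3x its baseline
HIGH_MARK = 10.0   # open an incident at 10x
MIN_FLOWS = 20     # floor for the baseline, so an idle host is not flagged for a handful of flows


class FlowWatcher:
    """Watermarks are regenerated per source at every interval boundary from that
    source's count in the previous interval, so a host that is always busy is
    not an anomaly, while a quiet host that suddenly sweeps a subnet is."""

    def __init__(self) -> None:
        self.bucket: Optional[int] = None            # start of the interval being filled
        self.previous: Dict[str, int] = {}            # src -> flows in the last completed interval
        self.current: Dict[str, int] = defaultdict(int)
        self.retained: Dict[str, List[Flow]] = {}     # src -> records kept as evidence
        self.incidents: List[Incident] = []
        self._open: set = set()                       # sources already escalated this interval

    def baseline(self, src: str) -> int:
        return max(self.previous.get(src, 0), MIN_FLOWS)

    def ingest(self, flow: Flow) -> None:
        """Records must arrive in time order, as a NetFlow exporter sends them."""
        bucket = flow.start - flow.start % INTERVAL
        if self.bucket is None:
            self.bucket = bucket
        while bucket > self.bucket:   # roll over completed intervals, empty ones included
            self._close_interval()
        self.current[flow.src] += 1
        count, base = self.current[flow.src], self.baseline(flow.src)
        if count >= LOW_MARK * base:                   # first watermark: start saving the data
            self.retained.setdefault(flow.src, []).append(flow)
        if count >= HIGH_MARK * base and flow.src not in self._open:   # second: incident
            self._open.add(flow.src)
            self.incidents.append(Incident(self.bucket, flow.src, count, base))

    def _close_interval(self) -> None:
        self.previous = dict(self.current)
        self.current = defaultdict(int)
        self._open.clear()
        self.bucket += INTERVAL


def sample_flows() -> List[Flow]:
    """Constructed sample, not real traffic: two hosts do ordinary work for a
    minute; in the second minute one of them sweeps port 445 across two /24s."""
    flows = []
    for minute in (0, 60):
        for i in range(30):
            flows.append(Flow(minute + 2 * i, "10.1.1.5", "10.1.2.%d" % (10 + i % 3), "tcp", 445, 4096))
    for i in range(30):
        flows.append(Flow(2 * i + 1, "10.1.1.77", "10.1.2.20", "tcp", 80, 1500))
    for i in range(508):
        dst = "10.1.%d.%d" % (8 + i // 254, 1 + i % 254)
        flows.append(Flow(60 + i * 60 // 508, "10.1.1.77", dst, "tcp", 445, 60))
    flows.sort(key=lambda f: f.start)
    return flows


def run(flows: List[Flow]) -> FlowWatcher:
    watcher = FlowWatcher()
    for flow in flows:
        watcher.ingest(flow)
    return watcher


if __name__ == "__main__":
    w = run(sample_flows())
    for inc in w.incidents:
        print("incident: %s sent %d flows in interval %d (baseline %d); %d records retained"
              % (inc.src, inc.count, inc.interval_start, inc.baseline, len(w.retained[inc.src])))
```

The value of the lower watermark is that by the time the incident opens, the records that led up to it have already been saved: the sweep here is flagged at its 300th flow, but every record from the 90th onward is on hand for the analyst. The floor matters in the other direction; without it a host with a baseline of one flow would be escalated after ten.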
