Domain: disa.mil
Stories and comments across the archive that link to disa.mil.
Comments · 141
-
Links to the official HOWTO
Mod parent up!
All the guy is looking for is the official howto. DISA maintains them all.
Here it is again: http://iase.disa.mil/
All these posts and only one AC hits it :>
They have very detailed step-by-step guidelines for securing all kinds of boxes and OSs (including all of the administrative procedures).
Even other sites link in to their work:
http://csrc.nist.gov/pcig/cig.html -
Try out the DISA IASE site
There's lots of stuff about certification and accreditation, etc., at the Defense Information Systems Agency's Information Assurance Support Environment web site.
http://iase.disa.mil/ -
Re:It's not about the hardware
Generally good advice.
First, foremost, and always - consult your facilities security officer (FSO), read your SSAA (Site Security A.. A.. ?).
Before you fire anything up or - heaven forefend - put any classified data on.. GET YOUR FSO TO INSPECT AND TEST.
Configuration - ensure that you follow the CERT/NSA (http://www.cert.mil/) configuration guidelines (STIGs, http://iase.disa.mil/stigs/index.html), and employ, to whatever extent possible, the SRR (Security Readiness Review??) scripts.
On a practical level, build your hardware, build your operating systems, harden everything down, validate with STIGs and SRRs, THEN install your applications, loosening security configs as required (WRITE DOWN YOUR VARIANCES), then go back and plug your variances to the extent you can and still have your apps work. Revalidate your STIGs and SRRs, then document remaining variances, check 'em with your FSO, and put 'em in the SSAA binder. Rinse and repeat until your FSO is happy ;)
The extent to which you'll be able to network things together or have fixed hard drives depends on your facility SSAA - generally if you've got a SCIF environment, you'll be able to have a closed LAN (or maybe a SIPR connection), and be allowed to have fixed drive computers. If you don't actually have a full SCIF, then you'll probably have to have removable drives that can be secured overnight.
THINGS THAT ARE RIGHT OUT:
- wireless anything
- dynamic USB devices (esp. storage), though fixed devices (keybd, mouse, certified CAC reader, &c.) are generally OK (don't worry, your config for hardening should take out all the dynamically loadable drivers...)
- MANY SORTS OF PRINTERS - laser printers generally have too long a memory (on the drum) for the security folks - hard drives are right out (unless removed and secured), etc. CONSULT YOUR FSO
- bootable media - never count on being able to boot your secure WS from fixed media - your hardening config should disable this capability (in BIOS)
umm.... talk to other local admins. a lot.
I'm not a certified security officer, but I play one at DISA -
Look Online
A lot of the guidelines are already published. You can find recommendations to software that can be installed to government encryption algorithms. Try this: http://iase.disa.mil/policy.html and http://www.nist.gov/
-
Secure computers
Take a look at this "very readable" document: http://www.dss.mil/isec/nispom.htm Also look at: http://iase.disa.mil/stigs/stig/ Get some help! The DSS is the approving authority if I am reading your needs right (a computer used by a civilian contractor). If you didn't know about the DSS, you really need to find someone who knows the processes. Talk to your facility security officer -- they should be able to point you to the right folks in your company.
-
Link to this poster and others
Are these ones like the one you saw?
http://iase.disa.mil/iaposters/
btw, some of the print-quality files are enormous, so keep browsing limited to the pdf versions to avoid (rapid) slashdotting. Maybe a kind soul can post a torrent of all of them if too many people hit it? -
Re:I don't get it ..
How about applying MIL-STD-2525B, Common Warfighting Symbology in this case?
-
Re:Still Risky
You could also follow the DoD protocol. Just a thought. I always thought they baked the platters, but I guess other methods are preferred.
-
Re:He should tell the DoD the same thing.
http://www.oreillynet.com/cs/user/view/cs_msg/463
7 0
http://dodpki.c3pki.chamb.disa.mil/rootca.html
There's your DOD root CA info. As some other people have already posted, the DOD runs its own PKI and it's not automatically included in any browsers. More recently they're issuing contractors certs on a Verisign-rooted CA rather than the full DOD one. If you want to automatically install all the DOD certs use this: https://infosec.navy.mil/InstallRoot2_9.zip
Unfortunately that doesn't do anything for people not using IE on windows. You can export the certs from Windows in PKCS7 format and then decode the p7 file using openssl to break it up into individual certs you can import into mozilla/firefox/etc. -
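The export-and-split step the comment above describes, as an added example that is not part of the original post: a POSIX shell script that decodes a PKCS#7 certificate bundle (the .p7b that Windows exports) with the openssl CLI and writes each certificate to its own PEM file, which is the form Mozilla/Firefox and most other non-IE software will import one at a time. It assumes the openssl command is installed; the bundle it operates on is constructed inline from two throwaway self-signed certificates so that it runs offline, and the names "Sample Root CA" and "Sample Issuing CA" are placeholders, not real DoD PKI certificates.

```shell
#!/bin/sh
# Added example (not from the original post): split a PKCS#7 (.p7b) bundle into
# one PEM certificate per file so each can be imported into a non-Windows
# certificate store. Assumes the openssl CLI is installed.
set -eu

WORK=$(mktemp -d)

# Constructed sample input: two throwaway self-signed certificates wrapped into a
# degenerate PKCS#7 SignedData with crl2pkcs7 -nocrl, which is the same structure
# the Windows certificate export wizard produces for a .p7b file.
make_sample_bundle() {
    for name in "Sample Root CA" "Sample Issuing CA"; do
        file="$WORK/$(echo "$name" | tr ' ' '_')"
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=$name" -keyout "$file.key" -out "$file.pem" 2>/dev/null
    done
    openssl crl2pkcs7 -nocrl \
        -certfile "$WORK/Sample_Root_CA.pem" \
        -certfile "$WORK/Sample_Issuing_CA.pem" \
        -out "$WORK/bundle.p7b"
    echo "$WORK/bundle.p7b"
}

# split_p7b BUNDLE OUTDIR: decode the bundle and write cert-1.pem, cert-2.pem, ...
# into OUTDIR. Prints the number of certificates written. Windows exports are
# usually DER while crl2pkcs7 writes PEM, so detect the encoding first.
split_p7b() {
    bundle=$1
    outdir=$2
    mkdir -p "$outdir"
    if grep -q 'BEGIN PKCS7' "$bundle"; then inform=PEM; else inform=DER; fi
    # -print_certs emits the member certificates as concatenated PEM blocks,
    # each preceded by subject=/issuer= lines that awk simply skips.
    openssl pkcs7 -inform "$inform" -in "$bundle" -print_certs |
        awk -v dir="$outdir" '
            /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
            out != "" { print > out }
            /-----END CERTIFICATE-----/ { close(out); out = "" }
            END { print n + 0 }'
}

# Demonstration run on the constructed bundle.
BUNDLE=$(make_sample_bundle)
COUNT=$(split_p7b "$BUNDLE" "$WORK/split")
echo "wrote $COUNT certificate(s) to $WORK/split"
for f in "$WORK"/split/cert-*.pem; do
    openssl x509 -in "$f" -noout -subject
done
```

The resulting cert-N.pem files can be fed to the browser's certificate import dialog, or inspected with `openssl x509 -noout -text` before trusting them; checking the subject and fingerprint of each file against the issuer's published values is the step that matters, since a .p7b carries no signature of its own over the set of certificates.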
Already exists.
What the slashdot headline seems to be describing:
Wikipedia article on SIPRNET
The government's page on it
What the actual article seems to be referring to: http://ges.dod.mil
-
Re:Gave up a long time ago
Your military networks-fu is not up to snuff. Let me educate you. There are three primary networks in use within DoD.
- DREN is an R&D network. You won't find anything sensitive here, and it's considered the least secure of the primary DoD networks.
- NIPRnet is where you find the DoD's mail servers, primarily. This is where your mistake is - NIPRnet is considered at maximum SBU "sensitive but unclassified". The network isn't secure in the sense that Secret systems would be. All DoD systems are required to be 'secure', more so than most or all commercial machines, but no special effort is expended to secure down NIPRnet systems. It's an analogue to the office network in a commercial environment. If you only used the Secret networks, you could never communicate outside of DoD, mostly.
- SIPRnet - You need a Secret clearance to be here. SIPRnet is for sensitive stuff. It isn't directly connected to anything else. This is what you were thinking about when you were talking about 'secure systems'. However, even stuff on the NIPRnet or DREN has to be secure.
Please note I used completely public sources. There is more to know, but not more that I can say.
In direct answer to your question, we get a decent amount of spam, mostly worm related stuff though. Most spammers seem to be afraid to send Viagra ads to .mil addresses. I dunno why. Maybe they're afraid they'll get a Hummer. -
Re:Does this mean
That is quite incorrect. The software wasn't Common Criteria certified up to that point, but you could run it.
The ability to run/not run software in a DoD environment is controlled mostly by mission - there are very few applications you 'can't' run. There is a person in every military organization called a DAA "Designated Accrediting Authority" who can issue an ATO "Authority to Operate" for anything he/she feels like doing. This person is usually the commander of an installation or organization, and will usually be of 0-6 or higher rank.
If you run something in the DoD without getting a DAA signoff, you are screwed. If the software is insecure, the DAA and the IA "Information Assurance" staff are the ones who are screwed.
The ultimate expression of the DAA's ATO is the DITSCAP. The DITSCAP is basically a huge document showing you did due diligence in security testing your software. You are supposed to list all threats in there, and make value judgements as to whether they are deal breakers or acceptable, and what steps you are taking to mitigate.
The DAA signature on ATO means that that commander read the DITSCAP, accepts the risks, and will run the software/system in question. No courts martial. No UCMJ at all.
As to your other assertion about Microsoft giving software away to the Army, realize that we (meaning Army installations) pay a tax each year out of our budgets to finance the Microsoft ELA with the Army, which is costing the Army precisely $151.00 each bundled desktop, which includes Office and the OS, plus a server CAL. Either way, that's a long way from $10.
There is a Powerpoint on the topic (opens up fine in OOO) located here. You can also go to the Army Small Computer Program site if you want to see how the ELA is implemented in real life.
Please stop lying to these people. Thank you.
-
Government Software for Linux
Meanwhile, while linux tries to infiltrate the government, the DoD is trying to infiltrate the linux. The DoD Defense Information Infrastructure Common Operating Environment is/was an initiative to define a common software stack to run across multiple platforms that includes software installation, user management, and printing tools. When you talked about putting Linux on the DoD desktop, that used to mean having a DII COE stack for linux. This year DISA released a beta Linux COE kernel and then released the source code for it, which you can get from anonymous CVS. DISA has paired up with the OpenGroup to define a testable/brandable definition of COE. And there is a project to develop a platform independent COE stack from scratch.
Relevant URLs:
http://www.disa.mil/coe/kpc/linuxpc.html
http://gforge.freestandards.org/projects/qp-coe
http://www.opengroup.org/openbrand/coe
http://opencoe.sourceforge.net -
Rationale
The reasoning used was that, since the system as a whole had not started (or even considered) using CSS, the web administrators didn't want to (claim to not be able to) ensure it was compliant. The very use of CSS does not make a page compliant with Section 508, but it sure does make it easier to debug. I would have been thrilled to have a site-wide CSS implementation to base my pages on, since the site has a billion different looks and feels through the various subprojects.
Basically, since the main web admins didn't understand CSS well enough to implement it, nobody else was allowed to either.
This is the site I worked on. I was once in charge of DCGS pages. They are no longer mine, so don't blame me.
:-) -
Re:3mbps is still better
Many people sell products that they don't understand. You've just provided two examples of that fact.
See ANSI T1.413-1998.
-
Iridium satfones?
Has he looked at Iridium satellite phones? The hardware is reasonably priced ($1500), per minute charge isn't bad for international usage ($1.50 or so). From the Iridium website: "...a commercially available user terminal will support secure communications by adding a removable National Security Agency (NSA) approved Type I Communications Security (COMSEC) sleeve which fits onto the commercial user terminal."
The product is an "Iridium Secure Module". Read about it here: http://www.disa.mil/ca/buyguide/contracts/emss.html. Buy it here.
While that doesn't take care of people bugging the voice side BEFORE it gets encrypted, it should help your conversation from being otherwise monitored.... -
Defense IT jobs.
All military communications and networks are controlled by one agency. This allows interoperability and consistency between the various branches of the US military (Army, Air Force, Navy, and Marines). This agency is known as DISA. The Defense Information Systems Agency. And yes, DISA is responsible for sensitive and classified information systems. However, it is no big secret on how to seek employment with DISA. If you people would just put your "LINUX: For Dummies" book down for just 5 minutes, and take a look at DISA's homepage. Go ahead and find the super secret area on the bottom right hand side of their homepage which says "EMPLOYMENT OPPORTUNITIES" and click one of the links. Hope that helps. -paul
-
Details, Context, Common Criteria EAL - Correction
You can read lots more about this by choosing from the links in the rejected post below. Also, it's important to note that EAL2 is NOT the highest Common Criteria certification level. The Common Criteria for Information Technology Security Evaluation v2.1 describes the security assurance requirements and EALs in detail. For a look at the details read about the Evaluation Assurance Levels at NIST.
IBM, SuSE Linux Get Common Criteria Security Certification
Linux has reached a new milestone: IBM and SuSE Linux have received the Common Criteria Security Certification from the U.S. government (mirror), specifically from the Defense Information Security Agency (DISA) arm of the Pentagon. 'Right now it is the only Linux distribution available that has this. This certification is used as a standard by 14 countries including the U.S. and Canada,' says the SuSE U.S. general manager. Linux Enterprise Server 8 is certified at Evaluation Assurance Level 2+ EAL2 with the companies jointly pursuing a Controlled Access Protection Profile EAL3 certification by year-end, then on to EAL4. More details at CNet, AP via Detnews/CNN and Reuters/Forbes. It looks like they beat Red Hat to the punch.
-
Re:Gawd. If code were written that way . . .
Gawd!
It ain't that hard.
Basically:
1) It defines OSS & GPL
2) Says they're OK to use provided:
a) They comply with the same DoD policies for equivalent Off the Shelf software
b) They comply with the requirements defined by the National Security Telecommunications and Information Systems Security policy.
c) They're configured as per DoD approved security configurations from http://iase.disa.mil and http://www.nsa.gov.
d) You don't break any licenses.
That's all! -
Re:SPAMHAUS Record on Scelson
There is now a DISA complex where the NASA used to be.
-
Re:Who is the target consumer for this P.O.S. ?
Actually, I think the grand-parent poster - er, the one who you were replying to - knew exactly what he was talking about, but got the "Table PC" mixed in there due to the incorrect use of the term in the headline.
A Tablet PC might be more useful than this "airpanel V150", but the V150 seems to be targeted to no one. To reiterate his points:
It's priced at £1000 (plus tax) - that's something like $1500, I think (or $1594, according to this page). For that much, you can easily buy a cheap laptop, which alone is more than capable of acting as a remote display for a Windows XP Pro box. (Trust me, I know some people who use old Pentium laptops to connect to their Windows XP machines. Not terribly fast, but it works... Total cost was like $100 for laptops + 802.11b cards. Of course, they don't have a stylus, and it's much bulkier.) Of course, with the laptop, you can still use it without the host parent computer.
With a laptop, you can move it anywhere and still use it. With the V150, you have about 30 meters from the wireless APs until it becomes useless. You can't just take the V150 into the office and use it - it needs to be on the same network as the computer. (Or not - even still, the point probably still stands that effectively it needs to be on the same network to be useful. I'll concede this point to anyone with real facts.)
When you realize that the V150 is useless without a desktop PC anyway, your total cost comes to the cost of a laptop - unless you're planning on making your existing desktop more portable around the house.
In other words, the "airpanel V150" is an expensive flatscreen monitor that is minimally useful, a pain to set up, and offers nothing better than a laptop would. A real TabletPC would be far more useful than this thing, and probably only be a little more expensive (if the desktop cost were included). I think that was the original poster's point - this thing isn't really that much more useful than a laptop.
-
RedHat DII COE [ot]
For those of you interested in this topic, you should also be aware of RedHat's DII COE (Common Operating Environment) kernel available at DISA. The kernel is available at http://diicoe.disa.mil/coe/kpc/linuxpc.html
The creation of DII COE kernel for RedHat implies that there may be some pressure to accept GNOME as a valid component of the Joint Technical Architecture (JTA).
In other words, the military bureaucracy is beginning to accept the fact that linux is part of the modern computing landscape. (Watching the wheels of military technology turn is like watching grass grow) -
better link to the story...
Here's a better link to story, sans linkspam:
http://news.com.com/2102-1001-984202.html
COE? Here's the link to their homepage:
http://diicoe.disa.mil/coe/
Admins! Get your fucking heads out of your asses and check to see if something is linkspam before posting it. This isn't the first time. Someone is making money from the click through.
Fuck them. -
Not seeing it.
I've been tracking the status of COE compliance for Linux for a while -- I have several projects in the works that would benefit greatly from an "official" designation of COE compliance for Linux from DISA.
I can find only one relevant page on DISA that pertains to Linux/COE. This page has a link to a draft of COE Compliance Criteria for Linux. The information on this page hasn't changed in several months, AFAICT.
So, what's new here? Can anyone point me to a place on DISA that substantiates the claims made by the news.com article? Where is the "real", final COE Compliance Criteria for Linux?
-
Re:here it is...
The site certainly allows anyone to fill out the form. But it gives the distinct impression that all submitted requests are processed by a human. So until I see something like "rumor.mil" registered, I'm not convinced that this is as wide open as the original article suggests.
And, no. I'm not going to be the one to try it.
-
here it is...
-
Re:COE (now NCES) will support Linux
Yup. Check this out:
-
DISA?
DISA does not stand for Defense Internal Security Agency... there is no such animal. DISA is the Defense Information Systems Agency. DISA link
-
Second look
DISA has released a DII COE kernel for Red Hat 7.2 This can be interpreted that the DoD is slowly accepting Linux as a "standard" server and workstation.
http://www.disa.mil/coe/kpc/linuxpc.html
An open source project to reimplement the DII COE APIs
http://rhinohide.cx -
FYI: Free COMPSEC training materials on CD
You can request free computer security training information (mostly on CD) from DISA.
http://iase.disa.mil/eta/index.html -
Wana know more?
Here, get this CD/Video set, it's free! Learn how to secure Windows NT/UNIX to government standards! Order now!
http://iase.disa.mil/eta/index.html -
Several Criteria
*NITSCAP
*DITSCAP
*Common Criteria
*FIPS 102 Not to mention all the other FIPS criteria, esp. regarding crypto and PKI.
*NIAP (Information Systems Certification Procedures and Assessment Scheme)
*A Plethora Of Schema and Policy
*Ye Olde Rainbow Series
*MIT GASSP [warning, .doc file]
And these are just US criteria...other nations have their own. These are becoming very important, if typical job requirements on security-jobs list are any indication. Need a BS, a clearance, and 5 years practical experience in everything from LAN wiring, vulnerability finding and exploit production, penetration testing, firewalls and IDS, to the evaluation and application of these federal criteria, and everything in between. And that will get you an entry level position! -
Re:Open source and inherent trust
Therefore, it should not come as much of a surprise that the security-conscious agencies in the federal government (CIA, NSA, DIA, Dept. of Commerce, etc.) largely write their own software inhouse rather than rely on fixing up something like Linux and hoping that they caught all the bugs.
Wow. What world do you live in? The government uses quite a bit of Open Source software - you're just not in a position to realize it.
Speaking of Nessus - I just got done doing a lot of work on it, adapting it to the government's platform so that they can use it. They didn't write their own security scanner - they hired my company to evaluate which one was best and then make it work on their systems. This happens all the time. And we're not talking for sissy little shit places in the government like the Department of Transportation - our work is for DISA, the Defense Information Systems Agency. I'll let you visit the link to figure out what they do. Look at that - they're trusting open source programs to some of their most important computers. -
Re:SAIC
i personally do a lot of work on a contract for disa. saic has done so much stuff in the past... i myself am not aware of any work we've done for the cia or nsa, but it wouldn't surprise me either.
people seem to think that defense contractors are doing all this evil, secret stuff. man, i wish it was that exciting :) if we were doing stuff for nsa or cia, it was probably the boring shit that they didn't want to do themselves.
yes, the clearance is very very handy. and at only 20 years old, i didn't have to fill out nearly as much paperwork... -
Why this is huge
1. Global Command and Control System (GCCS) is the system used by the US military when it goes to war. It is a "system of systems" that is used for the planning and execution of combat forces. GCCS is the single most important program in the DoD.
2. DISA has a very big say in the direction of IT in the DoD. It's in charge of planning IT needs on an Department-wide basis. Theoretically, DISA lays down the map, the Army, Air Force and Navy follow. Although this only impacts Sun systems, it will only be a matter of time before they apply the same thinking to the rest of the systems out there.
3. Given the importance of GCCS, should there be an incompatibility with it and another system, that system will have to be adapted to GCCS, and not the other way around. Applying this to the StarOffice vs MS Office debate, the easiest way to avoid Office proprietary issues interfering with GCCS functionality will be to replace Office with Star Office.
4. If the DoD saves $500 on software, that's $500 more it can spend on bullets/stealth aircraft/submarines. Most warfighters don't care who made it as long as it works. All it will take is one General to ask the obvious question.
-
Re:Don't forget there are **16** touch tones defin
The military phone system uses them to assign priorities to calls. They are used for 'PRIORITY', 'IMMEDIATE', 'FLASH' and 'FLASH OVERRIDE'. If none of them is pressed, then it's a 'ROUTINE' call. In the event of the system becoming saturated, calls are dropped in order of priority, so all ROUTINE's first, then up the chain until the system is no longer saturated. There is lots on the web which you can find if you search for the priorities; here is one
-
DII COE Newsgroups
Might try checking out the news groups related to the subject. Maybe with enough comments there some additional improvements can be made to the whole environment.
I have worked with it in the past and must agree, it is more a hindrance than a help.
DII COE uses segmentation to package things up, which allows easy installation, removing, documentation, source (for development). A lot of these segments just package things up and install using tar or any other appropriate install tool with an install script. This can be a way to allow for overcoming some of the shortfalls of this.
BreezyGuy -
ARPANET not Internet
Actually, today we're celebrating the birth of the ARPANET, which preceded the Internet.
The ARPANET was born on this day in 1968, and was finally laid to rest in March of 1991 when the IMPs (subsequently called Packet Switch Nodes (PSNs)) were finally decommissioned (long live 1822!).
The Internet was born on January 1, 1983 when the ARPANET was switched from Network Control Protocol (NCP) to the TCP/IP that we know today with not-so-gentle prodding from what was then the Defense Communications Agency (DCA, now the Defense Information Systems Agency), which had taken over operation of the ARPANET from the Advanced Research Projects Agency (ARPA).
Before that day, you had to have a computer attached to an IMP on the ARPANET to be on the network. After that day, with a router, you could be on any old LAN, and exchange IP packets with any other host anywhere, whether it was attached to an IMP, an Ethernet, a Chaosnet, an ARCnet, or whatever. The growth of the network accelerated from that point on to the world-embracing network we see today.
Now, if we can just get IP version 6 (and IP Security!) deployed to solve the address space problem. Unfortunately, we don't have any one organization with control over the Internet who can cause such a change to happen (i.e. they order it, and they have guns to back up their authority).
Of course, there are anarchists who say that this is better...