Building Secure Computers?
maotx asks: "Growing into the job of a system administrator, I've been tasked with something I'm not quite prepared for: purchase or build a computer that meets DoD compliance for classified 'Secret' information. Several vendors, including Dell, our primary supplier, offer computers that will work, but being new to the criteria I want to make sure the right computer is purchased. The computer will be used to create secure CAD drawings (Solidworks, OrCAD, etc.) and must have, from what I can tell, a removable hard drive and security stickers to prevent tampering. What is your experience in setting up a secure computer, and is it better to have a vendor do it, or yourself?"
So sayeth the editors of Slashdot.
I click on "read more" and what do I see? "Nothing to see here, move along." Nice.
Marvin knew: "Think of a number, any number..."
Prepare for "I could tell you, but..." comments.
Ask the Dept of Defense. Asking Slashdot about DoD guidelines is like asking an elementary school for details about the space shuttle. No offense to /. community.
You are not qualified for your job. Quit.
What is your experience in setting up a secure computer and is it better to have a vendor do it, or yourself?
...but my gut says "vendor", if for no other reason than a little CYA.
Buildings secure computers? Computers secure building? What?
Oh, you meant "building secure computers".
My other car is first.
What is your experience in setting up a secure computer and is it better to have a vendor do it, or yourself?
Oh yeah trolls? My text is encrypted in rot26. Any reposts and/or making fun of my error is evidence that you broke my encryption. I shall be sending dmca agents over shortly.
I have a fairly secure computer squared away between my ears. Every once in a while it will overheat and quit, but that's fine with all the advanced functions it has like "Sneezing" and realistic "Artificial Intelligence". It is very good at being a CAD, with only one problem... it doesn't interface with PAPER at as good of a quality as some other head computers.
My UID is prime... is yours?
Build it yourself. I wouldn't rely on any manufacturer.
I heard that the first step towards building secures computers is to be attentive to small details such as spelling and grammar.
The AACS key is NOT 0xF606EEFD628B1CA427BEA93A9CA9773F
Though I have never worked for DoD, here is a guess on how this works:
If you are building this system for DoD at a request from DoD, then you have what is called a "need to know", which qualifies you for getting a security clearance sufficient for you to receive the exact requirements for such a system; after that it is simple, just meet the requirements. Of course, once (if!) you get the clearance (and this is an expensive, tedious and long, long process involving the polygraph in some cases) and are given those documents, you will be forbidden from sharing this information with anyone else without breaking the law and risking a severe penalty.
If you're not building it for DoD (or for them but not at their request, e.g. in hopes they'll buy your product), then you have no "need to know" and cannot apply for clearance and be revealed the requirements.
I'm guessing it's the latter (or you wouldn't be posting to /.), so the answer is you simply cannot build such a system because you cannot know the requirements.
Use Novell SUSE Linux with built-in support for encrypted filesystems......
What is your experience in setting up a secure computer
Don't use Windows
and is it better to have a vendor do it
Yes, teamwork, a way to share the blame!
"I'm going to f***ing bury that guy, I have done it before, and I will do it again. I'm going to f***ing kill Google"
Wow...where to begin...
First of all, soliciting advice on the construction of a computer that meets DoD compliance on Slashdot, of all places, is probably not the brightest of ideas...you might want to keep this from your employers if you are interested in keeping your job.
Second, security stickers on their own simply aren't adequate to the task at hand. Remember, you're looking for tamper-proof, not merely tamper-evident...
"Security stickers" don't prevent tampering, they only indicate possible tampering.
Building secures computers? Yes, if the building has good locks. Even then, I'd invest in motion sensors and trustworthy guards.
"Asking Slashdot about DoD guidelines is like asking an elementary school for details about the space shuttle."
True. But we ARE good with law, business, and economics.
YES! That's what I need. Forget hardening the system, forget locking down the administrator! Forget DOD requirements. I'll put a STICKER on my machine and it will be secure!
How does this building secure the computers? Does it use laser cutty things like on Resident Evil?
Have you metamoderated recently?
The only totally secure computer would be one on a physically disconnected network and if the information is that valuable then this would be the only realistic solution.
If you have to set up a secured computer and your Facility Security Officer can't direct you how (roughly), then there's no way you'll get classified information on the system. It's not like you can set up a computer and all of a sudden the government will trust you to put secure information on it. You need to have a written, approved procedure for doing so. Your DIS rep has to authorize you to put stuff on the system.
At a place I used to work, we just bought Dells. (Heck, I think we even leased them!) When they were delivered, we'd put a standard image on them that did things like warn the users before they logged on, and turned on auditing on certain directories.
Even if anyone reading this did know, I'm pretty sure it's illegal for them to give you details.
Come to think of it, I'm pretty sure it's illegal for you to even disclose the fact that you're building computers for a classified project...
...I've been tasked with something I'm not quite prepared for...
...is it better to have a vendor do it, or yourself?
If you have to ask the question, I think you already know the answer. I'm sure there are tons of great DIY methods of securing a computer, but if you are new to it (and you are), leave it to someone who has done it before.
It would be great to get some first-hand, practical experience on the matter when you have a proper guinea pig, but a classified DoD computer is not said guinea pig.
My advice- Don't buy from Dell. Not because they don't have good business computers (They frequently treat businesses ok) but because even within the same exact model number, different motherboards/video cards/sound cards are used because of price fluctuations. And we all know Dell buys the cheapest stuff possible. Pull one hard drive out of one of these systems and put it into another (seemingly identical) system that happens to have a completely different motherboard, and poof, blue screens of death all over the place.
I've heard that Dell is decent to business buyers. But if you want to buy identical boxes with the chance to buy more in a few months time, you might want to steer clear.
Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
Easy as that. If you don't know enough to lock down a computer from the ground up, having a vendor supply the service is not going to do you any good because you won't know how it works and you will be at the mercy of Tech Support during a crisis. We have spent years building our own Linux distro with what most might consider an over-kill in RBAC and other model implementation. When the latest greatest exploits/bugs/worms hit the scene we go right in and rip up the source and it's fixed on the spot that morning, no questions asked. Try getting that out of a 1-800 service. The bottom line is security, not accountability. If you want to make things happen then make them happen, don't wait for someone else to do it. If the NSA thought Microsoft or any other MSO was a big prospect in the contract we wouldn't have SELinux. I could be wrong about trusting the security of my systems to other people, but I can't afford to take that risk, can I?
You are about to give someone a piece of your mind, something which you can ill afford...
Make sure the "security stickers" are washable. Seriously, most DOE sites require various forms of such stickers, too. At the same time they ditched secure systems like VMS. These days you see lots of Dell and Gateway PCs with Windows or Linux - and of course with security stickers.
Computers left outside are hacked at rates many times higher than those secured in buildings.
Surely the Department of Homer Simpson, er, Homeland Security, will now outlaw naphtha. Should go well with the duct tape.
(naphtha dissolves the adhesive on most stickers, making them easy to remove cleanly)
Well, I saw a couple of non-slanderous posts which had good ideas. Just combine them and I am sure you will have your secure machines.
1. Are the specs required to have a secure terminal, i.e. opening the case, using boot disks etc.
2. Are there items sensitive enough to require an encrypted filesystem? If so, you don't necessarily need to use SuSE to do this.
3. Are there requirements for the local/network authentication? i.e. retina, fingerprint etc? I am sure you could find a vendor for these solutions as well.
Good luck, don't listen to people trying to tell you you aren't qualified. Experience is not something a lot of people would have with this.
I for one welcome our new DoD computing overlords...I would expect that 'removable drives' would not be protected by stickers at all. Perhaps you should bury it in concrete and post sentries at all times to guard the files. Don't let vendors build anything, source it yourself...there's some fine mercenary computer builders out there..
I'm relatively sure you'd need to use two or more factor hardware and software encryption on multiple levels, an approved OS which would likely not be Windows given statements by Homeland Security, and some other things that I'm sure the people from the DoD will no doubt be only too happy to tell you if they want you to actually do something for them. They'll definitely tell you what to do. In excruciating detail. They're funny that way.
If my grammar and spelling are off, I am [distracted/tired/careless] (take your pick)
There are various levels of Gov. approved hardware/software security. The specifications are public.. but it'd be a waste of your time to figure out how to comply on your own. Furthermore, for most interesting levels, you need to go through a few cycles with outside verification. I think you should start making phone calls.
I'm involved in IA (Information Assurance) on VA Class subs... for Voyage Management and Radar.
A sticker and removable hard drive complying with IA is like saying that a power cord is what's needed to make a computer.
At one point we had a meeting and reviewed the full blown DoD requirements for secure computing. Our estimation was that the resulting system would A) be unusable for anything due to the insane lockdown policies, and B) cost around a $million to configure and test to their specs.
It's all about configuration.
Ok, on the non-sensational side... other computers where I work, for dealing with classified data, are to be located in a certified secure room (forget the name of the certifying authority), and yes there is a "class" / "unclass" sticker on the PC, and yes, the hard drive is removable, and yes it must be stored in an approved safe while not being used. And access to the room is by approval only, with both a horribly hard to use combo lock, and a cipher door lock on top of that. Oh yeah, connection to the house-net is verboten. Any-net for that matter.
And my facility is a low-brow Secret only site. Travel to certain DoD contractors with only a Secret clearance and you're treated like a second class citizen.
It's all about configuration. (repeated intentionally)
Be prepared for mind-numbing configuration, test and audit sessions.
I am light on details because I do my best to stay at arms-length from IA at work... it's teh suxor
Here's a little how the NSA makes their Macs secure.. html/ and such, you're on your way to very secure computing.
http://www.nsa.gov/snac/downloads_macX.cfm/
There is also some more info there on how to secure other platforms.
Combine that with stickers, biometrics http://bssc.sel.sony.com/Professional/puppy/index
Cheers
All you need to have is a removable hard drive. When the computer is to be secured, the hard drive must be removed and placed into a safe rated for Secret information.
I suppose this could be out of date information, but this is how we did it in the military in 1995. Just garden variety Gateway PCs at the time, but with a removable hard drive tray so we could throw it in the safe. Even in '95 we no longer had to observe TEMPEST requirements for material classified Secret.
Simplest way. Put it in a private room and only the people who NEED (not want, NEED) a key get it. Then make sure no one leaves the door open and you can get nothing more secure.
Obviously it's easier to buy from a company, then you can go "hey Dell said it" and you keep your job.
I like muppets.
Movement sensitive when the PC is turned off, these alarms put out a LOUD alarm sound that can only be deactivated by turning the PC on, or turning the key.
First off, the DoD will not ever specify "use Windows NT and have a Cisco firewall in front". What they will say is have a secure operating system and necessary network protection. The key is to eliminate possible ways of data leaving the PC. So no USB slots, or ZIP drives. CAD drawings are relatively large in size so having a floppy drive is fine. Also go with a vendor solution and then modify it. Showing the DoD that you purchased a secure PC and then made additional enhancements helps more than saying you did everything yourself. Of course this was just all BS that you probably already figured out.
/sad, but true.
Two words: Duct Tape
add some plastic wrap, and it's Dept. Homeland Security Approved as well.
You should provide a method of contact. I don't think a Slashdot forum is the place to discuss such things.
You need to take the NISPOM CH8, Requirements for Industry (or something like that). It is offered by the DSS, but the waiting list is usually months. That class should tell you most of what you need to know.
Somebody probably getting paid more than quite a few of us, asking Slashdot to do their job for them.
Yay.
While we're on this topic, does anyone want to write some code for me? I don't feel like really researching it on my own. I'll just ask Slashdot to tell me how to do it.
I'm not a sysadmin, but there are certain universal constants...
;-)
a) Get ahold of the standards that will actually be applied to test the system and what it actually needs to have/means to be in compliance. Understanding that comes first - make sure you understand it as well as you can (ideally at least as well as the vendor you're buying from.) A.K.A Operation Build BS Detector.
b) Find out your responsibility - can you hand off responsibility for the computer being built to specs to the vendor, or will you ultimately catch the heat for it regardless of method of purchase? If you're in the hot seat you need to be very sure you can trust the vendor to do it right! In that situation perhaps doing it yourself might be the best way to be sure there are no unpleasant surprises in store, since you can make sure yourself you meet all requirements.
c) Is there some former sysadmin around who has been through purchasing a system that meets these particular specifications before? They may make a good resource - there's nothing like having been in the trenches to teach you all the mistakes and how to avoid them.
d) Does your department have performance reports compiled based on past performance of products purchased from your potential vendors? Also occasionally useful, particularly if you need hard data to justify a choice. This is not necessarily the way to pick the BEST system, but if you don't have the leeway to try a new vendor sometimes you have to go with the gold standard. (Microsoft built an empire based on this principle, and it's worse when you need something secure.) Indeed, I am surprised there isn't a vendor qualification process for something like secure computers, and "approved" vendors which constitute the only choices. If that IS the case, it's down to the usual questions when choosing between vendors - quality, price, performance, etc.
e) Perhaps you could look at uses of BRL-CAD? IIRC some of its uses are classified, so perhaps people using that system could give you some good pointers.
I'm assuming this computer is not networked, and physical security is the only criteria? If so operating system is not an issue, presumably.
Best of luck!
"I object to doing things that computers can do." -- Olin Shivers, lispers.org
If you build a computer that is compliant, then found out that it is not, and the shit hits the fan, you could be in big trouble. If HP or IBM builds that computer, and it is found out it is not compliant, but they state it is, and sell it as one, the shit hits the fan, and you are in trouble, but not the "get fired, and never work for the government again" kind like the building your own might do.
Welcome to the Entropy Bar, may I take your order?
DoD/Navy have op-sheets for securing Windows machines for use on nuclear subs with warheads/etc
try again.
Anonymous FTP access. Saves the hacker a lot of time and trouble, ya know?
"This food is problematic."
Back in TI's DOD days this was handled by the computers all being in a vault room (like a bank vault - just a little bigger and with cubicles). Surprisingly, not TEMPEST compliant. Regardless, the machines were TI Explorers (at least where I was at) and the only people who had access to the room were those that had clearance. Nothing special was done to these workstations while they were in production, but they were destroyed in compliance with DOD mandates when the project was done. Physical security is the only realistic, and probably only legal, way to make sure the machines are secure.
Coming from someone with federal security clearance and who has had this issue themselves, let the vendor do it. It's just easier and you know it will comply. You seem to not have dealt with this stuff before or you were improperly briefed when you got your clearance, so be warned that once the box is classified, anything that touches it must become classified or destroyed. Make backups of CDs before you use them in the machine because according to policy, if they are to leave the classified area, they must be destroyed. These regulations do vary with different levels of clearance, but the above requirements are most common. Regardless, Slashdot is not the place to ask this question; there are government departments set up to handle this, and more importantly, your company's security officer should know exactly what is needed as it is his job. If your company doesn't have a security officer (or head of security, whatever they call him at your place), notify someone quickly because you are most likely violating a federal policy. Do not *ever* plug the computer in on a public network; you can't use the machine then (well, you'll need a new hard drive). Once again, this all depends on the level of clearance this computer needs, but the above is the most common criteria I've come across.
Regards,
Steve
Having to deal with this on a daily basis, I can tell you that you are ultimately going to be responsible for the computer. It doesn't matter what the vendor does; your name is on the dotted line and it will be your tail either way.
Need to know is part of it; the other part is whose rules are you going to be going by? NISPOM or some DoD agency? Each one requires something a little different, and the protection level of the system will dictate how it is set up as well.
Editor is too strong a word for what is done by Slashdot staff. Person who clicks button to approve story is far more accurate, although lacking a certain panache.
Dan East
Better known as 318230.
There are two ways of securing the computers, but first you need to make a choice:
1. Use the computers in an unsecured (unclassified) area
2. Classify the entire area the computers are in
If #1, you will need to make sure that the area has no uncleared personnel while the classified info is processed and that the drives on the computer are removable and lockable and can be placed into a secure area (like a Mosler safe) for storage when not in use.
If #2, you will secure an area of the building. The advantage to this is that the entire floor or room is secure. PCs in this area can be regular off-the-shelf jobs because the room itself needs to be secured with an alarm, appropriate locks, etc. for access control.
If you really want to get into the nastiness with classified data, try transferring data (unclassified) from a classified system to a non-classified one and see the hoops you need to jump through. Do it improperly and you have another classified system to deal with. That's a real pisser if it winds up being your personal notebook.
I tried every decent and legal way I could think of to resolve the issue w/the business before I rented the chicken suit
1. Keep the LAN off the internet.
2. Think twice before you allow a laptop to be connected to the LAN.
Most of what you need to know is contained on the Defense Security Service (DSS) Information Assurance website: http://www.dss.mil/infoas/ The guiding document for DoD contractors is the National Industrial Security Program Operating Manual (NISPOM). Classified systems have to go through a formal certification and accreditation process before they will be approved for classified processing. Since your ultimate goal is to satisfy the accreditor, you should contact him/her as soon as possible to have them explain what will be required and to hear their particular areas of concern so that you can address them early in your design. Security paperwork requires considerable time to fill out, and mistakes can result in long delays in accreditation, or even the rejection of your system.
However, it isn't enough to just build a system with the proper hardware and software configuration -- you also have to make sure that the physical environment and users will meet the requirements of the NISPOM. If you don't already have a facility clearance, then you have a significant issue to tackle before you can even build your system. I'm hoping that you are simply building a new computer to add to an existing classified network or house in an existing DoD closed area -- if not, you may find this to be a very daunting task.
"she says i'm lousy conversation. as if that's supposed to help."
I heard the Chinese will sell you a real nice 100% DoD compliant computer for really cheap. The only caveat is that you have to use their ISP for network connections.
It's been a while since I had anything to do with secure systems. However, when I used to do this stuff, DND (Canada's version of DoD) used a series of standards called TEMPEST. In general computers that dealt with classified information could not be networked in any manner. There are strict limits on the radio frequency emissions that the computer can emit. With a good antenna and some hardware, it is possible to figure out what is on a typical computer screen from the emitted RF. The hard drives have to be removable. Normally the hard drive is stored in a safe, and only checked out when there is work to be done. In at least one case, we found it cheaper to build a TEMPEST chamber to contain the computers rather than buy half a dozen TEMPEST qualified computers.
You could use a RAID 0 for the drives to make it less likely to steal the drives out of it, so that you couldn't just walk out with just one drive and have all the info. Especially if you are working with large files and the system writes to both to keep speed high. That way someone would have to take all the drives to have all the info. This could be the last line of defense for what the person has to get out of the building with. And if they try for one drive one day, another the next, the PC will crap out on them since one drive is missing, thus drawing attention. But as they always say, nothing is safe unless it's locked in a safe, and not powered on.
Take a look at this "very readable" document: http://www.dss.mil/isec/nispom.htm Also look at: http://iase.disa.mil/stigs/stig/ Get some help! The DSS is the approving authority if I am reading your needs right (a computer used by a civilian contractor). If you didn't know about the DSS, you really need to find someone who knows the processes. Talk to your facility security officer -- they should be able to point you to the right folks in your company.
Don't tell a community of savvy computer users that you're building it.
Buy a computer with no floppy, no USB (or disable USB in the BIOS), no CDROM, and a case that locks and is tamper proof. Run a certified version of Windows on it. Use the approved hardware from the machine they got the certification on.
Lock the computer into a room with no connections to the outside. Filter the power, cover all the windows, paint the room with anti-spy paint. Cover everything with copper mesh, et voilà, secret computer.
Make it take two people to enter or leave the room. Disallow taking any bags or papers or books or writing utensils into the room. It's best if they change into Tyvek coveralls after a strip search with full body cavity inspection. Once they enter the room they are locked in until they are allowed to leave 12 hours later, no food, water or bathroom privileges allowed.
Enjoy your secret computer!
Your company should have a security officer who knows the current regulations and requirements, and can provide you with reliable information and training in how to handle classified information.
Most current vendors have contracts to meet the standards you are inquiring about.
I would buy from a vendor for many reasons, the least being the warranty. A home brew system will not have the same warranty support and those who write the contracts like that stuff. Also the vendors probably know the requirements better than you do. Also get with your organization's IASO, ISO, or IMO in order to find out what you will need network-wise for your accreditation.
Check what your maximum requirements are and then find a package that meets your needs. It will save you a lot of headaches.
BTW.. I have done
"First of all, if he works for the DoD why would he spill that on a public website? Secondly, why would he tell everyone what it is that he's doing?
...Ditto what he says.
I don't think he needs to worry about computer security. The breach in security here is his need for public adulation."
First of all, if you are to detain classified, Secret, Top Secret or NATO Secret level data in your facility you need to physically secure it before you even build/buy that computer.
1) You need a badge system that prevents intruders from getting inside the building without authorisation.
2) You need security staff that checks employee background information.
3) You need a security guard on site after business hours.
4) Follow strict company-wide IT security policies.
5) You need to apply for a gov security clearance for each of your employees.
6) You probably need security cameras recording every door that enters/exits the building.
7) Keep logs of entry access of the badge system.
8) A visible employee badge with picture has to be worn at all times. Challenge anyone who does not have one.
9) You need a TEMPEST (like a Faraday cage) protected enclosure when your staff will work with computers that will have secret data. It is sometimes called a shield. It normally has an automatic door connected to a badge system, plenum floors, sensors, automatic fire extinguisher, etc.
10) You need to have that shield built right in the middle of the building for many reasons.
11) You need to have that shield inspected many times a year for EM leaks.
12) When employees take the data out of the shield with a removable hard disk, they must secure the drive inside a heavy metal cabinet that has a front metal bar (prevents opening the cabinet) and a big lock.
Then after you have met all these criteria, you can start to think about building that computer. All that stuff is pretty common sense and these best practices are not secret at all.
Any off-the-shelf computer equipment will do. You just need to use the computer inside the shield if you are to view/create/modify the data.
If your computer skills are anywhere near your writing, you're going to cock up something bigtime, and you DON'T want to be working for the DoD when that happens. I might even be so extreme as to suggest a change in career, for the safety of all involved.
I mod down anyone who says "I will be modded down for this", regardless of the rest of their comment
Personally, if your job was on the line to protect this computer and hard drives I would go with a hardware solution, in conjunction with desk locks.
http://www.computersecurity.com/index.html?linkpage=2&linktitle=computer+security+case
I just googled and found the above site; it may give you some ideas.
- MOSKIE
Well, the headline's an obvious typo, but it still got me thinking. Specifically, it got me thinking about how buildings could be used to secure computers.
Unfortunately, all I could come up with was old Simpsons gags. Worse, they're all sight gags, so I can't even post "Oblig. Simpsons."
"The real humans won't... won't burn quite as fast." No, it's just not the same.
Close linked system with 2 redundant servers locked in titanium cases. Throw in some security stickers and you're done.
1. You are risking your clearance. This is the last place on the planet that you want to be asking these questions. Also, the answers I've read in this thread so far are mostly dead wrong.
2. If you, or for that matter your boss, have to be asking these questions, you are not qualified to hold your jobs...I don't mean to say this in a cruel way, but you're not. You fuck this up, and you could be looking at fines, jail time, Cuban vacations, etc. Hire a qualified FSO/OPSEC guy (they aren't cheap) or else you WILL get caught during your first audit and that will be the end of your career. And probably your boss's career as well.
Quite.
Security level?
FOUO, Secret, Top Secret, Other
Physical security?
Is the actual room secure, or just the hardware?
What platform?
Win/Lin/Mac/Other?
Fingerprint scanner? SmartCard reader?
Some sort of secure LAN, or standalone workstations?
And this is just scratching the surface. You need to find out these answers, and far more. But don't ask in here.
Call your person who set up the contract, the DoD program manager, and your building security manager.
Then call Dell. Especially if you need a basic plan soon.
A removable HD and a sticker does not a secure system make.
I have never been responsible for this but this should be a good start for you.
Have a vendor do the initial build then you verify it. A little direction for you...
Read the DOD directives regarding this. They are publicly available. They are somewhere in the 8000 series.
DISA and the NSA release gold standard guidelines to harden your systems . I would also look into C&A since it will house classified data.
your security plan that must be submitted and approved prior to machine setup. Your company Security Office should be able to supply it. If you do not have one, the hardware is irrelevant.
As to hardware:
You must have a minimum of three removable hard drives per machine. One is the "reference" drive, which will serve as template for all subsequent "user" drives. Secondly, you must have an "admin" drive for performing required maintenance on the PC. Thirdly, at least one "user" drive, although there may be many.
All of these are kept in a safe by your security officer when not in use. Ours are not connected to the network and the NICs are BIOS disabled with a BIOS password implemented. The OSes (XP) have all relevant security and auditing procedures enabled.
Above all, the machine must conform to an approved security plan. If not, you're wasting your time.
"Computers are useless. They can only give you answers."
-- Pablo Picasso
maotx, you need to check with your Facility Security Officer and/or ISSM/ISSO if you have one. If you don't have one, then you'll need to contact your DSS representative for guidance. You can't just buy a system that is ready to go. There is a lot of documentation and policies/procedures that you need to prepare AND get approved before you can do any classified work on a system. I would also suggest that you visit the DSS web site at www.dss.mil and try and take the NISPOM Chapter 8 course before anything, as it'll give you some background on your task. (I think it's available as an online course now.) Consequently, you should NOT be asking these questions in a public forum, as you draw attention to yourself and your line of work... which is not a good thing.
See the National Industrial Security Program Operating Manual for basic information, and then talk to your company's security officer.
Mea navis aericumbens anguillis abundat
A lot of the guidelines are already published. You can find recommendations to software that can be installed to government encryption algorithms. Try this: http://iase.disa.mil/policy.html and http://www.nist.gov/
There is no
First, I'm not sure you understand all that's entailed in building a terminal for handling secure information. There are basic docs you can pick up at the .mil sites that should give you an idea where to start, and after that I'd go with a Dell/HP because they have experience doing these builds and can give you a box to start with, but there are mandated OS configurations, permissions, and auditing that fill filing cabinets. Also there are restrictions on access and other things that will have to be managed (lockable keyboards/shelves, power control, network access control), so the box itself is just the beginning. Have you considered bringing in a computer security officer to tell you how to set up your environment? You'll need one before you can have it designated anyway, and your sales guy who set up the deal should know who to talk to to get one to come over.
This is a complicated thing, and your exact security levels and the number of people involved make it worse. If you are in a secured building already then I'd say do what they do in the rest of the building, then talk to your Sec Officer to make sure a Dell is fine. But otherwise there should be people around who know how to get you started, and it's a big enough deal that if your building is designated insecure you have a long ass road ahead of you.
The first rule of USENET is you do not talk about USENET.
This really needs to be modded to the top. This is the ONLY good advice this poor SOB has gotten in his comments.
The general specifications for DoD computer systems are freely available to all: the NATIONAL INDUSTRIAL SECURITY PROGRAM OPERATING MANUAL. Specifically, see CHAPTER 8, AUTOMATED INFORMATION SYSTEM SECURITY.
... twice ... then you are on the right track.
The actual computer system is pretty trivial, the only difference may be, just as you identified, the removable hard drive. Just get any of the IDE or even SATA removable hard drive kits and you are set. This is definitely something you can do yourself.
You see the security is in the whole system DoD will be looking for security in layers, many layers. How is the building secured, who has access to the building, the same floor, the floor above & below, the room, etc. What kind of security patrol, alarms, alarms response? What kind of physical security? What kind of walls, ceiling, floor, doors? What kind of electrical service, telecommunication service? The last layer will be the actual computer. What will be attached to the computer, a small LAN, a printer? Don't even think about wireless!
Now, I've said that setting up the computer is trivial, but the administration is NOT. The NISPOM specifies a lot of documentation. Something like writing down the serial number of every component, maybe keeping logs of certain types of activities (logging in, logging out, installing software, updating software, etc.). Checking the logs weekly for suspicious activity, etc. If you've heard the old adage that good system administrators write everything down, double it.
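The weekly log check the post above calls for can be partly automated. The following is an added example, not code from this thread or from any DoD or NISPOM tool: it parses a few constructed, syslog-shaped lines (the hostname cad-ws1, the user names, and the exact line formats are all made up for the example) and pulls out what a reviewer would want to see each week: logins and logouts per user, failed logins, direct use of generic accounts, privileged commands, and software installs.

```python
"""Weekly log review for a standalone classified workstation.

Added example (not from the Slashdot thread). The log lines below are
constructed for the example; the regexes are tied to their shape and
would need adjusting to the real system's log format.
"""
import re
from collections import Counter

# Accounts that policy says must never be used directly for admin work.
GENERIC_ACCOUNTS = {"root", "administrator", "admin", "guest"}

# Constructed sample lines (syslog-like shape, not real output).
SAMPLE_LOG = """\
Mar 03 08:02:11 cad-ws1 login[812]: LOGIN ON tty1 BY jsmith
Mar 03 08:02:40 cad-ws1 sudo: jsmith : TTY=tty1 ; PWD=/home/jsmith ; USER=root ; COMMAND=/usr/bin/apt-get install ghostscript
Mar 03 08:02:41 cad-ws1 dpkg: install ghostscript 9.50
Mar 03 12:15:03 cad-ws1 login[812]: pam_unix(login:session): session closed for user jsmith
Mar 03 13:20:01 cad-ws1 login[990]: FAILED LOGIN (1) on 'tty1' FOR 'root', Authentication failure
Mar 03 13:20:09 cad-ws1 login[990]: FAILED LOGIN (2) on 'tty1' FOR 'root', Authentication failure
Mar 03 13:20:30 cad-ws1 login[990]: LOGIN ON tty1 BY root
Mar 04 07:55:12 cad-ws1 login[1203]: LOGIN ON tty1 BY adoe
Mar 04 16:01:45 cad-ws1 login[1203]: pam_unix(login:session): session closed for user adoe
"""

LOGIN_RE = re.compile(r"LOGIN ON (\S+) BY (\S+)$")
LOGOUT_RE = re.compile(r"session closed for user (\S+)$")
FAILED_RE = re.compile(r"FAILED LOGIN \((\d+)\) on '(\S+)' FOR '(\S+)'")
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*COMMAND=(.+)$")
INSTALL_RE = re.compile(r"dpkg: install (\S+) (\S+)$")


def review_log(text):
    """Summarise one review period's log text into counts and findings."""
    logins, logouts = Counter(), Counter()
    failed, generic, privileged, installs = [], [], [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp = line[:15]  # "Mon DD HH:MM:SS" prefix of the constructed format
        if (m := LOGIN_RE.search(line)):
            tty, user = m.groups()
            logins[user] += 1
            if user in GENERIC_ACCOUNTS:
                generic.append((stamp, user, tty))
        elif (m := LOGOUT_RE.search(line)):
            logouts[m.group(1)] += 1
        elif (m := FAILED_RE.search(line)):
            _count, tty, user = m.groups()
            failed.append((stamp, user, tty))
        elif (m := SUDO_RE.search(line)):
            privileged.append(m.groups())  # (user, command)
        elif (m := INSTALL_RE.search(line)):
            installs.append(m.groups())  # (package, version)

    findings = []
    for stamp, user, tty in generic:
        findings.append(f"{stamp}: direct login as generic account '{user}' on {tty}; "
                        "policy requires individually named admin accounts")
    for user, n in Counter(u for _, u, _ in failed).items():
        findings.append(f"{n} failed login(s) for '{user}'; reconcile with the user")
    for pkg, ver in installs:
        findings.append(f"software installed: {pkg} {ver}; confirm a change record exists")
    for user in logins:
        if logins[user] != logouts[user]:
            findings.append(f"login/logout count mismatch for '{user}' "
                            f"({logins[user]} in, {logouts[user]} out)")

    return {
        "logins": logins,
        "logouts": logouts,
        "failed_logins": failed,
        "generic_account_logins": generic,
        "privileged_commands": privileged,
        "installs": installs,
        "findings": findings,
    }


if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG)["findings"]:
        print(finding)
```

On a standalone box the reviewer would read the real log file into `review_log` and file the returned findings with the weekly review record; the point of the per-user login/logout tally and the generic-account check is that both are things an auditor will ask about and neither is obvious from eyeballing a raw log.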
If you want to know about Government information security requirements, there are plenty of standards available. Search for TCSEC/Orange Book, ITSEC, Common Criteria. Know the classifications from the Orange Book: D, C1, C2, C3, B1, B2, B3. Finally, search for FIPS compliance. All this stuff is standard for the CISSP speciality of ISSEP, which would be a good body of knowledge for you to have.
The government/DOD, etc. has a good record of keeping classified information secret, just not unclassified information, like personal information.
This guy uses weird job titles with even weirder acronyms, and says "heck" in his documentation. He must be in the US military and therefore knows what he's talking about. Follow his advice.
I was once trying to set up a Windows workstation that was reasonably secure. One of the requirements was to prevent removable media, such as USB thumb drives, from being used to covertly steal proprietary data. It's been a while, but disabling this functionality in Windows 2000 was not trivial. After messing with drivers for a while, a co-worker showed up with super glue! We simply glued the USB ports!
:-)
Low-tech solution to a high-tech problem
Without full access to what DoD, itself, would require, I would start from here and then fill in the gaps from SANS' reading room, and move on to studying security mailing list archives, and/or by asking specific questions in those public forums.
== With enough Will Power, one could move mountains. With enough Brains, one would just leave them where they are ==
Because there are very specific and well-documented protocols for procuring and securing a computer to deal with "secret" level material. Consulting with Slashdot is not one of those methods.
If you have a job in a secure environment and your job is to procure computers, you SHOULD know these... if you don't you need to talk to your security officers... he is violating protocol, and when you are dealing with secret information this is a Very Bad Thing.
-everphilski-
So I ran # chmod 666 /dev/hda
I say that is secure.
Yesss....the more secures they are, the betters...
"I might have made a tactical error in not going to a physician for 20 years." -- Warren Zevon
Build it yourself.
If this is for a DOD contractor, you have a security liaison somewhere within your company who can requisition the requirements if he or she does not already have them.
If this is for a government agency, there is an Office of the Inspector General's office connected with that service / agency which can supply the requirements to you.
I have seen $500,000 non-returnable mistakes made relying on federal suppliers to ensure systems are secure.
M
Secures Computers Precious. The nasty hobitses needs secures computers precious. What has the nasty hobitses got in it's pockets precious?
Here's to losing my Karma Bonus again....
This has got to be the worst case of RTFM ever -- here's the manual:
Read chapter 8. It sounds to me like you haven't ever handled classified information before. Karl Rove, is that you?
I don't know of any manufacturer who will mark a computer with classified stickers. Do the computers come from Dell with classified information on the hard drives? HELL NO! Three quarters of the NISPOM requirements are designed to make sure idiots like you don't accidentally plug these machines into the internet. The stickers and banners make it clear to anyone that this isn't a machine that is to be taken lightly.
Ohh and another thing, would you trust a "secure" machine that showed up in the mail promised by Dell, Microsoft and China to be secure???? What about after it made its way through half a dozen loading docks?
It is your job to make sure the computer meets the NISPOM requirements and that it is tamper resistant and set up with the proper restrictions. Please, please, please ask someone where you work.
Years ago, my experience was all the computers were used in a vault that eliminated RF leakage. The computers had removable hard drives that were removed and placed in a safe in the vault each night. I don't recall if there was other removable storage. I think not, though a CD reader was in each. The computers were networked only to each other, no outside connection. I would assume there should be no USB. I think backups were made to a second or centralized removable drive which was also locked up of course. Presumably there was some sort of rotation of backup drives. There was nothing special about the computers themselves other than the removable HD and elimination of anything that could be used to walk out with. There might have been a metal detector (hidden) at the door to alert to the removal of a drive.
Make sure you turn off auto-login, and remember to disable CD booting. A strong password is no good if you can boot from the rescue CD :)
I can tell, a removable hard drive and security stickers to prevent tampering.
You are joking right ?
You're asking for a secure computer, but also describing that computer to have removable media ? And not just any media, but a removable HDD.
Go take a look. having removable media, esp. if the OS is on the removable media is one sure way of throwing your security out the window. The stickers will only show it's been tampered with.
Yes you can encrypt the data, but if someone has access to the keys then what is the point. If they don't have access to the keys what's the removable HDD for ?
This sounds like a bit of an oxymoron if you ask me.
First step, look at a secure case for the PC. One that only has holes for network cable (if you allow network access from it (yes I know, another potential attack vector)), screen cable, mouse & keyboard. There should be a power plug, reset switch and that's it. No USB, no parallel ports, no serial ports. At least none physically accessible.
You've got to think about a network attack (secure OS) and a physical attack (physically secure the box). Physically securing the box is the easiest part. Concrete floor with a few bolts sticking out. Put a steel box on top, padlocking the box to it. Only have holes through the box for the cables I've mentioned above. If you lower the security slightly you can put connectors on the steel box. Then put a regular PC inside with a secure OS.
The thing above all you've got to remember is there is no 100% security. The best you can do is discourage and slow people. Make it so hard that 99% won't bother and the remaining 1% will take a long time.
It also depends on who is your regulator. Do you need to meet NISPOM standards? Or some other standard? If NISPOM, what level (PL-1, PL-2, PL-3, etc.)? Again this all depends on who your overseeing entity is. Yes, ultimately it is the DoD, but is it the Air Force, Navy, Army, etc., as this all makes a difference.
I am surprised that the hard drives themselves need to be in removable sleds. In my experience, the only reason to do this is to more easily de-classify the system, but it creates an increased headache as it is a little easier to physically remove the drive (yes, even those locking sleds are easily bypassed).
Some basic things that are required:
BIOS Level password is required.
Lock out all bootable media to only the disk.
Disks themselves need to be tracked and marked.
All administrative access needs to be logged, with each individual person who has administrative access having a separate account (no generic accounts allowed).
System critical files need to be monitored for both failed attempts to alter/access and successful attempts (depends on OS and your rep as to what the "system critical files" entail; I deal mostly on UNIX and Linux OSes and these include everything under "/etc" and "/var/", as well as some other areas).
Login banners are required. There are specific texts that need to be displayed at/before login to people who are going to log in.
Specific rules are in place for "screen lock" occurring after a set amount of time.
Stickers/signs are required for designating the system as a classified system.
These are just some of the measures that are normally required. Other things such as system location, monitor placement (i.e. does it face out into an aisle where others might be able to see it, can it be seen from a window, etc.), physical locks on the system, security tamper tape over the possible entry points into the system, removable media such as floppy disks, CD-RWs, DVD+/-RWs, tape drives, etc., are also part of the specific rules of your area and how to deal with those media.
Open storage of "secret" data is also something that might be needed for the area that the systems are located in. This "could" be the reason for the removable drives, as your local policy might not allow the drive to be kept in the system while an authorized user is not actively using the system (hence the drive must be pulled out of the computer and locked in an approved safe).
Again, it all depends on who is your oversight group, and what their standards are and who interprets the standards for your site. Any and all of those factors will contribute to a specific set of security requirements.
They will have you run a demo of their requirements to meet their satisfaction. One thing that I suggest not showing them is how easy it is to gain complete control of any computer that you have physical access to (even with BIOS passwords and such, it only takes 2 minutes to break open just about any case, pull the BIOS battery, switch the CMOS jumper and boot up without any BIOS password, change the boot medium to a USB thumb drive/CDROM/floppy/separate hard drive and crack the root/administrator password). Let alone simply connecting up a laptop/palmtop computer to the classified network port (if there is a classified network) and start hacking away....
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
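The requirements list above says system-critical files (the poster's /etc and /var) have to be monitored for alteration, and that the demo of controls is what the oversight group grades. The following is an added example, not code from this thread or from any DoD tool: it records a SHA-256 and permission-mode baseline for every regular file under a directory and reports what has been added, removed, modified, or re-permissioned since, which is the kind of evidence a weekly review can set against the change log. The /etc-like tree it walks is constructed in a temporary directory, and the file contents are made up for the example.

```python
"""Baseline-and-compare integrity check for system-critical files.

Added example (not from the Slashdot thread). Records a hash and mode
baseline for a directory tree and classifies later differences. The
sample tree and its contents are constructed inside a temp directory.
"""
import hashlib
import os
import stat
import tempfile


def _sha256(path, chunk=65536):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Return {relative_path: (sha256, permission_bits)} for regular files under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, device nodes
            rel = os.path.relpath(full, root)
            baseline[rel] = (_sha256(full), stat.S_IMODE(st.st_mode))
    return baseline


def compare(baseline, current):
    """Classify differences between two snapshots taken by snapshot()."""
    report = {"added": [], "removed": [], "modified": [], "mode_changed": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        else:
            old_hash, old_mode = baseline[rel]
            new_hash, new_mode = current[rel]
            if old_hash != new_hash:
                report["modified"].append(rel)
            if old_mode != new_mode:
                report["mode_changed"].append((rel, oct(old_mode), oct(new_mode)))
    return report


def demo():
    """Build a constructed /etc-like tree, baseline it, change it, and report."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc", "ssh"))
        files = {  # constructed contents, not real system files
            "etc/passwd": "root:x:0:0:root:/root:/bin/sh\n",
            "etc/shadow": "root:*:19000:0:99999:7:::\n",
            "etc/ssh/sshd_config": "PermitRootLogin no\n",
        }
        for rel, content in files.items():
            with open(os.path.join(root, rel), "w") as f:
                f.write(content)
        os.chmod(os.path.join(root, "etc/shadow"), 0o600)
        baseline = snapshot(root)

        # Simulated changes between reviews, each of a different kind.
        with open(os.path.join(root, "etc/passwd"), "a") as f:
            f.write("extra:x:1001:1001::/home/extra:/bin/sh\n")   # content modified
        os.chmod(os.path.join(root, "etc/shadow"), 0o644)          # permissions loosened
        with open(os.path.join(root, "etc/rc.local"), "w") as f:
            f.write("#!/bin/sh\n")                                  # file added
        os.remove(os.path.join(root, "etc/ssh/sshd_config"))        # file removed

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, items)
```

In use, the baseline dictionary would be written out after each approved maintenance session (on the poster's setup that is the "admin" drive's job) and kept off the machine, so that the next review compares against a copy the workstation's user could not have edited; a mode change on a file like shadow is reported separately from a content change because the two usually have different explanations.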
Computer buildings secure you!
liability, foo
In Soviet Russia, computer secures buildings.
Remove the floppy drive and do NOT install a burner. And pay your bills on time.
ur gram3r iz fux0r3d
Not a good point of reference when trying to secure a computer/network imho. /shrug
-Quixxilver- "Where am I going?
First of all, this may not be the best forum in the world to ask such a question (just read some of the other lame "funny" replies) but since you asked, I'm assuming you're looking for an answer from someone who actually works with these things on a daily basis and will be able to provide some insight.
The hardware on the computer does have to meet certain requirements but they're not really "set in stone". At my work, we typically use off-the-shelf Dell computers and then do some modifications to support removable hard drives on the systems. Additionally, you'll probably need to lock down all writable removable media drives (think floppy and Zip drive locks) as well as disabling USB and any built-in network interfaces, at least in the BIOS but possibly also with some stickers or physical locking devices. You'll have to work with your DIS person who approves the final system configuration to really hammer out the details and get it set the way he/she wants it to be set.
That being said, the only service I've seen Dell offer is their "Custom Factory Integration" program where they will install the removable hard drive chassis for you. Depending on the number of systems you need to support, it may be cheaper to have them do it at the factory than to do it yourself. One issue I had which caused us to do the removable drive install ourselves was the fact that we have multiple drives per system and needed extra drive trays but couldn't get information from Dell regarding the actual manufacturer of the trays nor pricing on additional units. It was just less hassle for us to purchase the removable kits ourselves.
As far as software, I believe another poster already mentioned some of the basic configuration requirements. Yes, you'll need to make sure you're pretty good on locking down Windows (I'm assuming you're running Windows since you mentioned SolidWorks - BTW, SW2006 sucks configuring it to run with a non-admin user account). Auditing on certain directories is most likely going to be a requirement as well as a documented review and archive process for the system event logs. Backups are another process that will need to be done on a regular basis. Be prepared for this to eat into a lot of your time since all these tasks pretty much have to be done manually since you can't have network connectivity.
If you've got any more questions, feel free to drop me an e-mail and I'll try to help you work through any issues. And don't mind any of the other sarcastic bastards posting here... I've seen the level of documentation the government gives for setting up secure systems and most of it is pretty f'ing obtuse. Best to get advice from someone who's done it before (and obviously double-check with your FSO and DIS officer).
Best of luck...
...build and administrate the systems of the DoD, and military services, it is absolutely no wonder that they were overrun by something as simple and preventable as the Zotob virus. We were down and out on Okinawa for 2 full days and then some because of it.
I was a network/security admin previous to my career as one of The Few, The Proud, and it sickened me to see this happen. I know that had I been in my old office job, I would have been applying patches day 1, even if that required staying late and doing all the appropriate testing beforehand. Of course, knowing full well what happens when you do things you're not supposed to on gov't computers based on two up close cases, I just sat back and watched it unfold, rather than chance a trip to the brig.
It's not a slam against you, as you openly admitted you are growing into the position. You may very well be a bright and intelligent person, but I doubt that you will consider everything on the first run. And therefore, because you are without the appropriate guidance and leadership you will probably fail. It's more of a slam on your bosses and the system, for not giving you what you need up front, and for giving you more to bite off than you can chew.
OpenBSD.
ROMANES EUNT DOMUS
First, get your boss to sign a memo acknowledging that you're not qualified to certify computer systems as "DoD secure". Then, hire a security consultant from an insured firm which does sign a contract saying they are so qualified. Then do your best. Also, don't rely on Slashdotters' advice on how to tell if a system is "DoD secure". We're a bunch of kibbitzers on a huge website full of jokers, posers and saboteurs - indistinguishable from those with a clue.
If you think that advice means you'll get fired, resign. Better now, than after they blame you for the inevitable security breaches. That's probably their plan anyway, in whichever management layer thought that military security is just a buzzword to get an underqualified admin to comply with.
--
make install -not war
Hi!
I guess, you're working for a major consulting company. Maybe Accenture, or something. It's always the same: you've been dropped to a project, which involves "IT-Security" and you don't understand anything about that.
Am I right? I think so, because all your replies are indicating that.
You can't learn it in your hotel room. You can't learn how to implement the requirements in a week.
That's one of your replies:
Our facility security officer has a stack of papers that I have been reading over but it is pretty slim in details when it comes to the specifics. Network is a definate no, floppies and CDs are ok, but what about USB harddrives? Etc.
The only reason I asked Slashdot was for a jump start. My manager says we need to have something, at least a plan, by next week.
It must be a joke, isn't it? The "Department of Defense" is asking you (contractor) to build a "secure computer" and you are talking about floppies and CDs? Look at this first.
Ask guys like Secunet or Code Blau. Small companies, but they know how to set up a secure "computer" - computer in quotation marks, because that's just the computer and not the network, it is connected to. It's all about experience, when it comes to IT security.
For me, it is just a troll article. Sorry. It's a joke.
Bad idea. Transferring tools between secure and insecure environments draws the curious in the nonsecure environment, and opens the door to someone clueless saying, "Well that thing moves between secure and insecure, so it should be okay to move something else superficially similar between secure and insecure."
If you do it, and there is a problem, guess who is on the hook?
Also, please do get Windows installed.
Then there will be no problems, unless, of course , you do not install all of Microsoft's patches quickly and religiously.
You have probably noticed by now that computers with problems are always ones that the patches for Windows were not up-to-date, right?
Also, put all of the computers in a very secure room, and allow nobody access to the room.
Then give them xterms to log in with, over encrypted networks, and control all of the passphrases.
Money won't buy you security. Keep in mind that somebody still has to *use* this computer. If they're dishonest (or just plain curious), you've basically just wasted a lot of cash.
I would invest in "top-shelf" knowledgeable & trustworthy personnel before I would purchase a military-grade secure computing environment.
First state which government. Let's assume that because you think that you're at the centre of the world that you're from USA.
Then request standards. What does "secret" mean? Security standards are not classified to a high level so you can easily justify access.
It is ok to have Win95 on a PC as long as the surrounding system meets the security requirements. These items may include evaluated locks, alarms and access controls. What you demonstrate is that the system is secure. How you do this is by using products evaluated to provide this degree of separation or getting your own product evaluated to be able to fulfill this role.
Is the system expected to maintain separation between a user with no clearance working on a doorbell and a user designing a new ignition system for fusion weapons?
I'm an army contractor in charge of securing non-secret systems.
Army Regulation 25-2, the Army regulation for Information Processing, is located at http://www.usapa.army.mil/pdffiles/r25_2.pdf (may only be accessible if you're on a .mil address). That may or may not even be the appropriate document, depending on your organization.
You need to find the regulations for your organization (Army Regulation 25-2 for us), and read it. If you don't know that regulation well, and improperly implement things according to that regulation (which may or may not follow normal security protocols), you can be held criminally and legally liable.
All that being said, most of that security is all software configuration & auditing, not hardware. Lots of Classified/Secret stickers and sometimes removable disks are the only hardware differences.
Slashdot is not the right place to be asking about DoD specific policies. It may be the right forum to ask about generic IT policies, but not the arcane policies of a specific bureaucracy.
Actually, contrary to what a lot of the posters here claim (based on the fact that they speak out of ignorance) DoD computer requirements aren't classified, and he is not "risking his job" by asking about them. And in the case of DoD secret, stickers that provide evidence of tampering are sufficient, and usually the norm.
Do a web search, the DoD requirements are found on places such as fas.org.
Hire a contractor. Someone who's done this before. Better yet, someone the DOD recommends.
This is NOT the time to try and figure it out yourself... there is SOOO much stuff that you have no idea that you don't know, it's not funny.
Hardware is part of the equation, but the biggest issue will be implementation.
(Nothing personal here... it just looks like you're WAY over your head in this one).
$0.02 (CDN)
There's lots of stuff about certification and accreditation, etc., at the Defense Information Systems Agency's Information Assurance Support Environment web site.
http://iase.disa.mil/
First of all you'll need a server equipped with tiny C4 charges embedded in each of the hard drives. This is a handy way of deleting data on your hard drives very quickly. I hear HP can furnish these.
Second, you will need to hire a troupe of security guards to watch over the computer. Equip them with M16s, and have them work in shifts, escorting users to and from the computers. If you can't afford humans, several dozen trained monkeys will do the job. Just make sure and keep at least three extra monkeys on hand so you can replace the dead ones. You'll need at least two monkey handlers if you go the monkey route - one to watch over the monkeys and one to fill in when the first one gets shot.
For a bit of extra security, you can purchase a used electric chair from one of the states that have switched to lethal injection and use it as the chair for the workstation. One armed guard can stand holding the red button, ready to fry the operator in case (s)he mishandles any data, or looks at the guards funny, while another guard stands ready to kill the other in case they refuse to press the red button.
If you can't afford or find an electric chair on the retail market, submit an "ask slashdot" article and I'm sure you'll get plenty of tips on how to build one yourself.
Or if you want to save money you could just install the super secure Gentoo Linux operating system and set it to update itself via emerge automatically every hour.
It's your choice.
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
YAY another SSO/S-2
I have done that before and I suggest getting the PC from Dell because of the warranty.
Haha, my thoughts exactly. My mod points just expired. Truly, this was the only useful comment in the whole thread.
"Nature doesn't care how smart you are. You can still be wrong." - Richard Feynman
An acronym for Transient Electromagnetic Pulse Emanation Surveillance Technology. A system developed by the US Government which allows an attacker to analyze the electromagnetic radiation emitted from the hardware used in a cryptosystem in order to determine secret information including cryptographic keys. (from google)
Essentially, any piece of secure equipment must be very well shielded to prevent third parties from reading electromagnetic radiation emanating from the equipment.
Creating a tempest-safe computer case, cables, monitor, keyboard, mouse, power supply connection, and a lot of things that you probably would never think of is a serious engineering task, not something that's going to be thrown together by a computer technician.
If they need secure computers, they need to buy computers that are certified by NSA (or someone like that) as secure. If you try to build your own, someone is going to have to spend a lot of money testing them.
Your best bet is to buy computers that DOD trusts to be secure.
I used to work on secure equipment. You would not believe some of the steps they take to make them secure. I could give you details, but [insert old stale joke here.]
Dude, you're getting a Dell. I think Dell is the way to go because I've had to set up a few. It's the way to go.
"Don't blink. Don't even blink. Blink and you're dead."
El oh el!
o Use unlimited mod points to moderate things using "OVERRATED" to suppress opinions you don't like.
o Pretend you're a legitimate news site when it serves you. Pretend it's a "geek site" when it doesn't. That way you get all the benefits that come under the pretense of "journalism", without any of that troublesome "integrity".
There are 3 basic levels of security in the DOD:
- Sensitive: lists of SSNs, people's phone numbers, etc. Shred the paper, password protection, light building security.
- Secret: Reporting information, non-combat communication centers, etc. Shred paper, lock down computers and network but have external connection, no unauthorized location access.
- Top-Secret: Detailed reporting, strategic info, etc. Don't print if you don't need to, locked down PCs, locked down network, likely no external access/email/etc.
For secret info, I never saw anything too hardcore. We had some great network techs in Quantico (just prior to the NMCI 4066/4067 consultant replacement), they had a well locked down network, but still allowed internet access and email. But they could, and did, track all of your online activities, read your emails, mirror your hard drive, and shut you down from across the globe. Any specific secret locations like com-vaults had key code or RFID doors. (Anecdotal network security story from the military, optional reading:)
I had a network support buddy in Okinawa who used an external (geocities) site to hold links to internal files for updates and software. Worked well for his updating work at off site locations. One day his user account was locked, 3 gents from the MITNOC showed up with a copy of his hard drive and a log of his internet/email activity over the last 3 months. Turned out some script kiddies found his site and started hammering the firewalls trying to get the software. -Rick
"Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
Simple: scrap all the drives, make it a network boot system that pulls all its programs from the same server which is locked away in a sacred tomb of the Pyramids. Then simply unplug that server from the world. Therefore you have no incoming traffic and no outgoing traffic outside of the holy DVD format, but the only way to burn to that media is from within the locked tomb that requires committee approval to release the coordinates and locking sequences.
Think simple: if you unplugged your home PC from everything but the electricity and set it up in a vault connected to hair trigger global nuclear warheads it would be the most secure workstation you could design. It's locked in your vault with zero outside vulnerability. Anybody breathes around it and they get vaporized. Unless you start passing out your vault code or plug in a network card nothing on that machine can ever be stolen. Oh and be sure to enclose whatever storage device you choose with a minimum of 47 inches of pure lead sealed inside a 6 inch thick case of titanium. This way if anyone tries to jack you, the nukes go off and obliterate every living thing on the planet, so even though your data survived, there isn't a single person left to do anything with it. Never mind the EMP given off by the nukes that disabled every electronic device within the blast radius.
Long story short, make sure that no desk system can duplicate any data and that the central system is locked up tighter than a 7th grade prom date.
Someone please tell me just how this system could ever be compromised.
I'm waiting...........
I just love the irony of mentally masturbating to ourselves on slashdot, keyboards humming away to each other, on the edge of our tin-foil conspiracy kicks, when suddenly out of nowhere big-brother clears his throat and says "uhh actually no, and we should not be talking about this".
Not a tin-foil nut myself, but the irony is inescapable.
The first rule of USENET is you do not talk about USENET.
You fucking liberal pussy.
...but then I'd have to kill you.
If you want some actual military assistance, respond to my email.
Does this offer only apply to the original poster? Because I require some military assistance as well. I have two areas of concern:
1. My neighbor keeps walking his dog in front of my house and it shits next to the sidewalk. He's supposed to clean it up, but he never does. I was hoping you could take the dog out for me.
2. Gas will probably reach $3/gallon before too long. I know you military types are experts at liberating people, and sometimes there's petroleum, you know, sort of left over. I was wondering if you could liberate the local Sunoco for me so I can get some gas for my car for free.
Thank you, and I eagerly await your email.
ps remember don't ask don't tell!
You have NO IDEA who this person is, coming out of the blue on the internet. I would certainly think you were compromising security even communicating with him.
You need to talk to people in your own chain of command, not people you meet from an internet broadcast.
Man, don't sweat it... I was the ISSM (Information Systems Security Manager) for 1 of the 3 MAC1 (Mission Critical) systems the DoD currently has. It was embarrassing how bad the security was and the DoD didn't seem to mind. I also had the NSA as my certification/accreditation authority and they were LAME light-weights, except for a few top guys! Just do a google for the following:
;-)
DoD 5200.x specifications
NIST/NSA OS security config guides
and obtain the DISA "Gold" vuln scanning disks for the required OS's.
That will give you everything from scanning to remediation. Don't worry about "full" compliance, ANYTHING can cause you to be out of compliance. IIS is a CAT1 finding EVEN for a WEB SERVER! So do what you can, test your @ss off and write business cases for the things you can't fix.
Just remember, it isn't "security" the DoD is concerned with... it is "assurance", and data handling is much more important than the computer security. If it is "Secret" data with a NIPR/SIPRNET connection then you can't connect it to the internet for ANY REASON. So your real risk is people talking, and carrying data out of the room. Lockable removable HD, NO CD BURNERS, NO FLOPPY, and disable USB ports (flash drives) via the BIOS with a strong (NSA compliant, 4of4) password. I would strongly recommend removing IDE cables to prevent access to devices; don't just disable them in software.
It's cake... DoD has worse security than most of the clients I do private sector security consulting for. I resigned cause it was horrid and no one seemed to care.
-=v00d00=-
http://www.nsa.gov/snac/index.cfm?MenuID=scg10.3.1 is a good place to look for information about securely configuring various devices and operating systems. And I completely agree with what was said above; talk to your SSO!
Much Madness is divinest Sense --
To a discerning Eye --
Much Sense -- the starkest Madness
As a US Air Force member who handles information and uses computers classified as Secret, I can tell you that there's no physical difference between a Secret machine and an ordinary one. If vendors are telling you that they can build a DoD Secret classified computer, then they are simply blowing smoke up your ass.
DoD classifications are all about policy, paperwork, and regulations. Not fancy computers. Most people, when they hear of DoD classifications and security clearances, are quick to imagine black vans, polygraph tests, and high-tech datacenters protected better than Fort Knox. Honestly, that's all a bunch of nonsense. All of the classified systems that I've used were just ordinary computers from ordinary manufacturers.
In my current workplace, we have a standard Gateway PC with a removable hard disk and a few Panasonic Toughbooks. Nothing special at all. The only visible difference between these and the regular office PCs is that they have red stickers all over them that say "Secret" and the fact that we are not to process Secret data on the unclassified PCs and vice versa. The Gateway machine can only be connected to SIPRNET (google it) and the Toughbooks are never connected to any network. That's it. No crazy combination case locks, no biometric devices, no odd software. They all run Windows for crying out loud.
If it is your job to configure a computer to the equivalent of DoD's Secret classification (I know you don't work for DoD or you'd already have people showing you how), I'd recommend getting whatever kind of computer will fit your needs.
Then start looking at writing mountains of policies. The first thing you have to do is restrict physical access. This can be done by putting the machine in a locked room with no windows. A laptop would be even easier... just get a GSA-approved safe and keep it in there when it's not in use. Obviously, you would never, ever, ever connect it to any network, period. All the data going in and out should be on CDRs or USB keys and should be accountable somehow. Figure out who needs to have access to it and if they can be trusted. Be sure to emphasize that failure to follow proper security procedures is grounds for immediate termination, whether any information was compromised or not. Ensure that whenever the machine is used, there are never less than two people present. Create an emergency checklist of what to do if the building catches fire, for instance.
That's all I can think of off the top of my head, you'll probably be able to envision a lot more with some careful thought. Good luck.
You will probably find, after digging through reams of directives, instructions and memos, that there are about a million ways to do this. I work in a military command and hold a top secret (SCI) clearance. At our site, all our classified work is done on ordinary workstations and laptops. Most of the systems are Dells purchased off the shelf, and I've built at least one clone.
None of those systems have removable drives, though having them is a good idea. It makes securing them easier, something you must do in a government-approved container (i.e., a safe). The space in which the systems are located and used must be secure to the level of classified information (Secret, in your case). At our site, this is a windowless room with a large vault-like steel door. The door can be secured with a combination lock and a push-button cypher lock, the latter of which is in use at all times (the combination lock is secured after hours). All classified material (papers, discs, etc.) must be stored when the space is unoccupied.
The system will probably need to meet DOD C2 requirements, which you'll likely read about. Windows NT was close to C2, and I believe Windows 2000 is as well. The system must have positive authentication for users, appropriate warnings that appear on login, an audit trail, and ways of neutralizing memory and swap space. Windows has a setting that clears the virtual memory/swap file on each reboot.
As for networking, if you want to network internally within your spaces, you can set up a normal LAN, but outside access will require using a secure network like the SIPRNET. You won't have access to the outside world (i.e., the Internet). Most DOD components contract for SIPR connectivity through DISA.
As you already know, labeling the CPU is important. You'll also need to label media, and keeping a log of all storage media in use is a pretty good idea to CYA. In fact, some places require it. You might also want to find out about the need for secondary storage off-site. If this is going to be a requirement, you'll need to find a similarly-classified place that you trust to stow your backup materials.
You will need to follow the DOD rules on destruction of drives and disks no longer in use...you just can't toss old floppies or hard drives onto the 20-year pile in your office. Research the destruction procedures, and learn to store unused material until you can have it destroyed.
You can buy shredders that will eat CDs and diskettes, but they have to be classified for the security level. Don't use the $29 Office Max shredder on sale for this.
The real key is getting users to follow the rules. Users, as you know, are the biggest pain in the ass, and you'll always be on top of them to keep the spaces sanitized. Remind them that once they save any classified material to removable storage, that storage is now classified and cannot be used outside of the environment.
Aren't you glad you have to do this?
Joe Dougherty, Florida, USA
The words I thought I brought, I left behind. So, never mind.
...Task is not a verb! So to be "tasked" with something is like, uhhn, I can't think of a good example. But I am not a native speaker.
This is the best advice I've seen here. I've been around military and industrial computer security for most of my working career (~30 years) and everything that jinx90277 posted is spot on.
The original poster needs to get a fast course in the nuances of the NISPOM. His site needs an accredited Security Officer, a certified facility, special-purpose safes, training programs for the system users, policies and procedures, security clearances, and, finally, a machine for doing the actual classified processing. The last is ABSOLUTELY the cheapest and easiest part of the process.
The original poster needs to check out jinx' references ASAP.
As for all you folk hassling him for asking about his problem here, you need to take a chill pill. Asking for help is the only way to learn and the NISPOM is a beast that no one should face unprepared and alone.
Spiritus ex Machina
"The universe is not only stranger than we imagine, it's stranger than we CAN imagine."
I'm unfamiliar with the DoD's standards, but I expect there are levels, like the NSA's Common Criteria EAL 1-7 security certifications. From here on I'll be rambling about things I have little or no experience with.
A password protected encrypted partition for sensitive info, like the user's home directory if you can get it working, no swap file/partition, no sort of CD or USB auto-run, password protected BIOS, and a password protected 1 minute screen saver seem like must-haves. SELinux can restrict permissions on a per-program basis if you're using Linux. Stickers like you mentioned that are damaged when removed are a good idea which I never would have thought of. A file integrity checker like samhain may also detect tampering, at a cost of performance if you have it check everything. Unless also encrypted, backups can pose a security risk, so you'll want a mirrored RAID. If you get two drives of the same model, from the same batch, you'll have a better than average chance of both failing the same day, the second while you're rebuilding the first.
Of course, if you've gotten this far, you should also worry about emissions. CRT emissions can be picked up and reconstructed from miles away with the right equipment. There's little use in all this other security when anyone with a disk, $100, and some spare time can just look at your screen. Then, someone could always sneak in and plug a key logger into the back of the system without you noticing, so you'll need some sort of physical security as well to prevent moving the system or accessing the back of the case, and a lock on the door to the room the system is housed in.
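The post above suggests a file integrity checker such as samhain to detect tampering. The following is an added example of the basic technique (a hash baseline of a directory tree, later re-scanned and diffed); it is not samhain's code and not from the original thread. The directory layout, file contents and the simulated tampering are all constructed inside a temporary directory so it runs offline.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Walk `root` and record, for every regular file, its digest, size and mode bits.

    Keys are paths relative to `root`, so the manifest can be stored off the
    machine (e.g. on write-protected media) and compared against a later scan.
    """
    root_path = Path(root)
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root_path):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # symlinks, sockets etc. are skipped in this example
            st = p.stat()
            rel = p.relative_to(root_path).as_posix()
            baseline[rel] = {
                "sha256": file_digest(p),
                "size": st.st_size,
                "mode": st.st_mode & 0o777,
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify the differences between two manifests as added/removed/modified."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        rel for rel in set(baseline) & set(current)
        if baseline[rel] != current[rel]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: take a baseline, tamper with the tree, re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "cad.exe").write_bytes(b"original program bytes")
        (root / "config.ini").write_text("autorun=off\n")

        baseline = build_baseline(tmp)

        # Simulated tampering: binary replaced, config deleted, new file dropped in.
        (root / "bin" / "cad.exe").write_bytes(b"replaced program bytes!!")
        (root / "config.ini").unlink()
        (root / "bin" / "helper.dll").write_bytes(b"unexpected new file")

        return compare(baseline, build_baseline(tmp))


if __name__ == "__main__":
    print(demo())
```

The manifest only has value if an attacker cannot rewrite it along with the files, which is why the post's caveat about physical access applies to the baseline as much as to the machine: keep it on read-only media or off-box, and compare on a schedule.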
http://www.digitalnet.com/solutions/information_assurance/xts400_trusted_sys.htm
My advice would be to incorporate a biometric fingerprint system, and no floppy drives.
Also, things to consider:
If you are using swappable hard drives, remember USB ports can be booted from a thumb drive, and that USB port can also be used to save data onto one.
Do the CD burners have to be bootable? If not, I would set it in the bios not to boot from a CD ROM.
Password the BIOS and make sure it is a new enough BIOS that just jumpering it will not bypass the BIOS password.
Secure the physical access. It doesn't do any good to secure the computer if the location it is at is open to anyone.
Does this computer HAVE to be on a network if it has a burner and swappable hard drives? Not all do...
I would also not put it on a network where there is an internet connection, or consider VLANs or subnets that are out of range on the network (if it HAS to be on a network) so it is restricted from being on the internet. If the function does not require internet usage, that's one less security risk.
Admin restrict the services that are run on the computer. - If using Windows, not all services are necessary even with a default install.
Consider using a *nix or *BSD OS and if windows has to be loaded, use VMware.
Set password expirations and complicated passwords that brute force and dictionary attacks would not get. Run programs against it to check for password protection to see how close these programs get.
Also use tools to check for exploits, keep it updated, and check the ports that are open on it if connected to a network.
Just my 2 cents.. or 3. I could think of a lot more, but those are just off the top of my head and many are overlooked.
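Two posts in this thread touch on password policy: the "4of4" rule for the BIOS password upthread, and the suggestion here to set expirations, require passwords that dictionary attacks would not get, and run a checker against them. The following is an added example of such a policy checker, not code from the thread or from any DoD document: the thresholds, the mini wordlist and the dates are constructed assumptions, and the leet-normalization step is what makes the dictionary check catch the substitutions that guessing tools try automatically.

```python
import re
from datetime import date, timedelta

# Constructed policy thresholds. The "4 of 4" character-class rule echoes the
# post upthread; the length and age numbers are assumptions for this example,
# not values taken from any DoD document.
MIN_LENGTH = 14
REQUIRED_CLASSES = 4
MAX_AGE_DAYS = 90

# Constructed mini wordlist. A real check loads a large dictionary file.
DICTIONARY = {"password", "secret", "solidworks", "orcad", "welcome", "letmein"}

# Letter-for-symbol substitutions that dictionary-based guessing tools apply
# automatically, so the checker undoes them before the lookup.
LEET_MAP = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})
EDGE_JUNK = "0123456789!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~ "


def character_classes(pw: str) -> int:
    """Count how many of lower/upper/digit/symbol the password uses."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for pat in patterns if re.search(pat, pw))


def normalize(pw: str) -> str:
    """Undo leet substitutions, lower-case, and trim digits/symbols from the
    ends so 'S0lidw0rks' is compared to the dictionary as 'solidworks'."""
    return pw.translate(LEET_MAP).lower().strip(EDGE_JUNK)


def dictionary_hit(pw: str) -> bool:
    """True when the password is, or contains, a reasonably long wordlist entry."""
    core = normalize(pw)
    if core in DICTIONARY:
        return True
    return any(word in core for word in DICTIONARY if len(word) >= 6)


def check_password(pw: str, last_changed: date, today: date = None) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    today = today or date.today()
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(pw) < REQUIRED_CLASSES:
        problems.append(f"uses fewer than {REQUIRED_CLASSES} character classes")
    if dictionary_hit(pw):
        problems.append("based on a dictionary word")
    if today - last_changed > timedelta(days=MAX_AGE_DAYS):
        problems.append(f"older than {MAX_AGE_DAYS} days (expired)")
    return problems


def demo() -> dict:
    """Fixed-date run over constructed candidates (dates are constructed too)."""
    today = date(2006, 1, 1)
    recent, stale = date(2005, 12, 1), date(2005, 9, 1)
    return {
        "weak": check_password("password", recent, today),
        "leet": check_password("S0lidw0rks!2005Q", recent, today),
        "strong": check_password("Tq7#vB2m!xR9$wLe", recent, today),
        "stale": check_password("Tq7#vB2m!xR9$wLe", stale, today),
    }


if __name__ == "__main__":
    for label, problems in demo().items():
        print(f"{label}: {problems or 'OK'}")
```

The "leet" candidate meets the length and four-class rules and would pass a checker that only counts character classes; it fails here because undoing the substitutions exposes the product name the machine is bought for, which is exactly the kind of word a targeted wordlist would contain.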
On the above website is a list of glossaries...one of the links is broken, but google for 4009.pdf glossary will nail it.
I suspect you are going to have to learn more of the language than "sticker". Consider the glossaries your bedtime reading for the next few days/weeks... etc.
g'luck and don't forget to smile when you get your RFID tag implanted.
No, really!
;-)
It is silly to ask this question over here, EXCEPT for the case when it is fishing for the interesting answer to some completely unrelated question, like, "How's computer security in your DoD-approved location done?".
No, I've never had a clearance (though I worked in a place where I'd need one to advance any further) -- and I do know that on the "dark" side of the network they did not use Wintel, they used DEC...
Paul B.
I love that. Don't go to /. on military security, EMAIL me. He doesn't even KNOW you, so how are you going to become a trusted source.
/. "Dear /., I want to make a secure boxen to do top secret security stuff on. How do I do it?" How about "don't tell the world you're setting up a secure box, and don't take advice from strangers. Talk to the DoD yourself!
/. Personally if I were you I'd steer well clear so he doesn't take me down with him.
This guys is a bonehead asking for advice on
And to you. Shame on you for replying on
These posts express my own personal views, not those of my employer
Part of the problem is that you can scan any portion of memory with Windows or Linux. If you can scan any part of memory, you can find keys and such that will allow you access. And since both are 'general purpose' they are only using Privilege Level 0 and PL 3 of the processor. Probably would help if they would write it to use PL 1 and PL 2 too. But that would be a major rewrite.
What you'd need to do is to build a new OS from the ground up which would take privilege levels into account and prevent memory scans from the get go. Then you'd have to sell it to some 3-letter agencies and get them to use it.
Fortunately, the company I am currently working for is doing just that. You can read about it shortly (I hope). In fact, I'm sure that some of you who have read the Register have heard about us.
Unless you've got experience with this sort of thing, get the vendor to do it.
You know how security is...you just miss one single thing, and it's unsecure, and you're screwed. Getting a vendor that knows what they're doing gets this monkey off your back, and it puts the burden on them... if they screw up, they're liable, not you.
Require good passwords.
Step 2
Include removable hard drive that's easy to steal.
Step 3
Pull head from butt and notice the insecurity inherent in removable hard drives. Why not just give them floppy disks and a laptop.
Give a man a fish and he'll eat for a day. Teach him to fish and he'll wipe out the species.
Links! That's what I really needed. Our building and company are already certified; we're just adding computers to the list now. What I was really trying to get at in my question was what I should expect, and what the pros and cons are of purchasing the computer from a vendor versus building it yourself.
Thanks, your post was one of the few good ones.
I'm a virgo and on Slashdot. Coincidence? Yes.
If your building & company are already certified for classified processing, then your company already has a security officer who knows what you need. This is the person you should be talking to, not /.
Duh.
-- Cerebus
Get your seedy mate (everyone has one) to break in and steal one from DoD!
One thing I do remember from working on milspec projects many years ago was that our project failed an inspection because some pipe valves were black. The part number was identical to milspec, but they weren't painted milspec green.
Spray paint took care of it, and the next inspection was passed.
Seriously, check with someone who knows the requirements. Even though I'd worked on milspec systems, I never knew the security requirements, nor did anyone else I worked with. Those requirements were handled by other specialists on the project, and no one had access to any specs that weren't needed for their part of the project.
I do not fail; I succeed at finding out what does not work.
The computer will be used to create secure CAD drawings (Solidworks, OrCAD, etc) and must have, from what I can tell, a removable hard drive and security stickers to prevent tampering
I'll sell you "Do Not Tamper With!" stickers for...wait, this is for the government? $10,000 each.
Any of you /.'ers ever study art history? Here is a little lesson about fraud.
/. mods. You just got social engineered.
In the art world, when a piece of art has a past where the time record has some glitches in it (read: unaccountable), it is automatically considered a fraud. When things don't have a timeline, like this guy's posting record here and the fact that his myspace profile says he is 19, you gotta know something is up.
Congratulations though
Our FSO is not very experienced with secure computers and definitely not an IT person. I posted this on /. for a more technical viewpoint. I have the information to secure a computer and call in an auditor to certify it. OPSEC is not being violated here. All information being discussed is public knowledge and you don't know who I am or which company I may work for. I'm just asking a what-if. Heck, I could even be a high school student researching this for an English paper or wanting to know how to do it if I choose to go into a classified IT job. In all reality, I just want to know the pros and cons of going through a vendor as opposed to building it yourself, and what steps can be taken to go beyond the minimal requirements.
I'm a virgo and on Slashdot. Coincidence? Yes.
in "Computer Security Criteria: DoD Standards" otherwise known as The Ugly Red Book that won't fit on a shelf. Jeez man, have you never seen Hackers?!?!?!
I have no idea in these matters. But you asked slashdot...
Find the definition of a safe at this security level, safe enough to store documents, get a laptop, and put the laptop in the safe.
Taken from GP's Myspace profile:
thomas's Blurbs
About me:
if u really want to know just ask
Who I'd like to meet:
i would like to meet peopl from hawaii but i like meeting other people too.
thomas's Details
Status: Single
Here for: Dating, Serious Relationships, Friends
Orientation: Straight
Hometown: wipahu
Zodiac Sign: Capricorn
Smoke / Drink: No / Yes
Children: Someday
Education High school
Methinks no computer system is completely secure, considering both the technical and human aspects.
Your role is just to supply a system that respects the specifications, except you were probably given fuzzy specifications. If something bad happens, you will be the one getting blamed, certainly not the ones giving you fuzzy specifications and having high security expectations.
Hence, you'd better minimize your personal responsibility by delegating the task to a vendor. You will accomplish two results: having someone already knowledgeable involved, which never hurts, and removing yourself from a very hot spot, in the remote case that something untoward does eventually happen.
Do not do this yourself if you do not have suitable know-how already. Knowledge has a cost for a reason. Delegate to vendors, repeating exactly the same fuzzy specification you were given.
If you have a DoD-certified FSO/SSO, he or she has an opposite number or point-of-contact in the DoD who can help answer a lot of your questions.
Definitely call in an outside, licensed, professional consultant who specializes in DoD and NISPOM security issues to help you with this. Even with a facility already certified for handling classified material, you will need to have more policies, procedures, and physical tools in place to handle the additional requirements for IT security.
Good luck.
Spiritus ex Machina
"The universe is not only stranger than we imagine, it's stranger than we CAN imagine."
If you're working for the DoD, you'll need a system that has been certified to handle classified material. The certification process means that it has undergone DITSCAP and meets certain criteria such as EMSEC. You really don't want to be homebrewing a machine that is going to be processing classified material, especially if it's not certified.
This may be obvious, but: 1. Don't network this computer. 2. Implement physical access controls. 3. Require strong passwords. 4. Isolate this computer from all other electronic and RF sources to comply with TEMPEST requirements. 5. Don't ask these sorts of questions on Slashdot. You have already compromised OPSEC.
how to make a really really secure system... write the whole operating system from scratch and make it so you and only you know what the hell is going on that way you can concider it job security... if they downsize they have to keep at least u to run the server....
(yes i know i suck at spelling fell free to correct my grammar and/or spellin i dont care, im still not going to change
What irony? The guy was offering to provide correct information through a private means of communication. He wasn't telling the parent to "please stay quiet."
hello dear sirs my name is jamesh i are india (bihar) can u guide me install red had linux 9?
Use VMware ACE to lock it down.
For as expensive as any of the security implementations are going to be for anything that ANYONE has replied to for this question... If your boss trusts you enough to design, buy, and implement the system, why not just ask for a substantial raise (say twice your current salary to whatever the most expensive of these recommendations would run, whatever suits you) to cover the cost of you personally babysitting the machine while people use it? OK, your company would have to spend a small sum to make sure that the room the machine's in is inaccessible when you're not there. But otherwise, when you're on the clock, you're watching the thing like a hawk. Somebody tries something fishy, you ask them what the hell they're doing right then and there, and there's no risk. Think about it.
Isn't it interesting how you come to recognize posters based solely on their sigs???
For a DoD standard there is a governing instruction. It may reference other instructions. You need to have a copy of that and read. Read it again. Then take time to study it before you read it.
Your contracting officer can point you in the right direction and provide access to The Instruction
Once you have an idea of what your requirements are, draft a Project Plan, Statement of Work, Compliance Notice, whatever you call it, it details how your group will meet the standards specified in The Instruction. Get internal input and review.
Now that you have something on paper, talk to your manager and have the contracting officer or security authority review your plan. They will tell you you're unsafe to entrust classified material to. Then they will produce a checklist of potential violations you must clear. This is their job and what they live for; don't annoy these people, you want their input. Review this list and clear it.
You now have a plan which will satisfy The Instruction.
No kidding. The moderating system simply doesn't work here and the admins of this website seem to prefer sitting on their thumbs about it. Maybe they don't think there's anything wrong. Anyway, whatever.
"No security through obscurity"?
Atheism is a non-prophet organisation
If it's not a conversation for the masses, why would you be willing to talk about it to some random dude from slashdot? I call bullshit.
http://www.micronic.sk/index.php?lang=en
Remember, a secure computer doesn't consist of a removable HD and stickers. You have to prevent any electromagnetic leaks from inside the case / monitor / keyboard. The keyboard, for example, has to be connected by an optical cable, or the metal cable has to be *perfectly* shielded. You also have to protect data on the HD, so nobody can read it even after removal from the case. This is done by encrypting data written to the disk via a PCI card. The card has its own processor, and the main CPU in the computer never sees the encryption key. You have different levels of "securing" the computer, and anything above a certain level will multiply the price of the computer MANY times.
...seen anything like this. This is one question that I would never ask on /. There are many smart people who comment on here from time to time, but I would ask for assistance from some other military command if you don't have the knowledge available at your current workplace. Also, some other guy posted on here about using normal computers; this could be true. I have always seen computers purchased from normal vendors, even the ones connected to SIPR and NIPR networks, and I'm no expert on this, but it IS all about policy.
So what the hell did you guys do with flight 77 anyway?
I've been a SysAd on the SIPRNET / JWICS and others for a few years now. You don't need anything special (physically) for a computer to be placed on the SIPRNET. Obviously you need to be up on your IAVA patches and only have software accredited for that particular network. If you have questions about what can and cannot be placed on the SIPRNET then contact your security manager.
As an IMO for the US Army, DoD security is easy:
- Anything connected to a Secret machine is Secret, i.e. other computers, networking components (hubs, switches, routers, etc.), USB drives, CDs, floppies, printers.
- If it is networked, the entire network must be confined to a Secret area, or encrypted to the current standards when crossing insecure areas.
The only thing to keep in mind is that if it is on a network it must meet the minimum requirements of that network. Most DoD networks require a minimum quantity of RAM, HD space, processor speed and OS, and all OS patches must meet the regulations put out by that network (some updates are not authorized, others are required). If it's not being hooked up to an outside DoD network, then the network administrator makes the rules regarding what to patch, unless there is an overseeing DoD agent (assuming this is for government work).
As a practicing Information System Security Officer myself, there are two things you need to complete before you install anything:
Step 0:
You must get the proper briefings from your site's Information Systems Security Manager.
At a minimum, you will need to get a Software Validation briefing and possibly an ISSO briefing.
If you haven't completed an SV briefing, then you are not authorized to install ANY operating system on classified hardware.
You will need the ISSO briefing if you are responsible for creating user accounts or are responsible for maintaining the audit records for the system.
Step 1:
You must have a System Security Plan (SSP). This document tells you how your system must be configured, both in terms of physical security and system/network security.
Your SSP, and any systems created under it, need an Interim Approval To Operate (IATO) from the Defense Security Service before you can begin processing classified information.
If you have an existing (approved!) SSP, and your ISSM is authorized to self-certify the OS you are using, then things can happen relatively quickly.
If you do NOT have a pre-existing (approved!) SSP for this new system, then you could be looking at months before your new system is cleared for classified processing.
Not quite as secure, but I design and build security and information systems for Corrections Facilities (where people generally have a lot of time to figure out how to get around enforced rules - and that is just the officers...)
My first suggestion would be - does the PC need to be in the same location as the user? We lock away PCs in a server or equipment room with KVM extenders, or use Terminal based systems. These are a much better idea than letting a user have physical access to the box.
I use access control (use biometrics if you really need to) and CCTV in and out of the server rooms. This provides an audit history of people who have access the PC areas.
Our users don't generally need to load and save files (they view fixed network data), so you'd have to look at a method of doing this securely.
Oh wait, they do.
It's pretty easy to tell who's who in the DoD...
A house divided against itself cannot stand.
What you failed to mention in your plea for help is what the location of the system will be, and to what it will be connected. Other posters with similar experience to mine have said that they didn't use anything special... but that they were on a military base, etc.
The certification process is all about controlling access to the data and verifying that access was controlled (and knowing who to arrest if it wasn't). People in a well-secured site that may only be accessed by persons with the same or higher clearance as the classification of the data being processed can just about get by with a sticker and be done: the facility is handling all of the physical and electronic access control, the unit will never be allowed to leave its room, and so the work is easy. If you are building this for an office where somebody just needs to "do some classified stuff", you have all that other stuff to handle.
In that situation, for example, you need removable hard drives, which will indeed be removed (all of them) between uses, and stored in a container like a safe that is certified for that kind of storage. You may need to make sure that there is no way to write data to a medium other than the hard disk or approved local printer, so you may need to remove or permanently disable the floppy drive, CD burner, and so on. And the machine cannot be on your LAN while it is being used for classified work. Even so, you'll need to pay attention to the selection of OS, turn on all of the auditing features. There will be a lot of process and procedures, check-lists that will need to be followed for each use.
Where you get your hardware is the least of your worries. Buy whatever you want that meets spec, and then expect to do substantial mods to the h/w, OS, etc. If the vendor is willing to remove stuff and do OS mods for you, less work for you.
Good luck. I've heard of groups taking over a year to get a machine certified for processing on their first time out.
HEY! Secure by default!
Use PF (packetfilter) to send scriptkiddies to
The very lowest rule of OPSEC is security through obscurity. I know it was a joke, but obviously you've never been around the military.
When overseas, this rule applies to everything, including daily life in or out of your home. Personally, the idiots that walk around with an American t-shirt in a rough area deserve what they get because they don't listen to OPSEC in any way.
If you have to deal with classified information, you may want to use an information labeling operating system (one that supports mandatory access control) such as Trusted Solaris.
Any OS that has been evaluated against the TCSEC B1 specification should be suitable.
However, I don't know much about special hardware... AFAIK there isn't a lot of certified hardware from the mainstream PC vendors (Dell, HP,...); some companies more specialized in IT security (Getronics for example) offer combinations of certified hardware and software (up to TCSEC A1 IIRC).
Please send me a sample of the data that you are trying to keep secret - this will enable me to best work out how to keep it secure ....
As someone who just finished studying and reading the CERT guide for System Administration and Accreditation (yes, it was torture), I find that most system administrators do not know the principles within, or recklessly choose to disregard some of the most helpful ones. Many system administrators are seat-of-the-pants, self-taught individuals who learn along the way as issues come up, and sometimes miss some of the fine points of securing a system. A lot of admins push large upgrades on production systems, or use test systems still connected to the main network (the recent 60,000 computer fiasco reported in /. is a good example), don't practice isolation, choose their products on budget or because of a last minute need (although sometimes this is unavoidable), do not configure firewalls correctly, do not lock down their systems tightly, etc. Sometimes they do everything they should, but out of order. A lot of people don't realize the importance of order in bringing systems online. Many times, these are on critical systems or systems which contain confidential information. Customer information is put at risk, simply because the administrators do not know any better.
A lot of companies hire admins who are actually unqualified, but who can do a "good enough" job because they don't understand what to look for in an admin.
Not all admins are this way, but a surprising number of them are.
If admins out there honestly knew everything there was to know about security, and administer their system to the CERT guide specs, then I would be impressed. Because my experience in observing everything from large university systems, health care systems, tag agency (all-you-need-for-identity-theft-agencies, more appropriately) systems, corporate systems (credit card information and personal information), is that this simply isn't so.
A lot of penetration testing reveals vulnerabilities in areas that are clearly stated in that CERT guide.
Maybe you should read up briefly on the domains they specified in the CISSP Exams, maybe that will give you some leads.
It has been a long standing policy for "Secured/Classified" computers to have such things as removable hard drives which are locked and unlocked by a special key. It is the most effective way to control who uses the computer itself; obviously the OS is stored on the HDD. Simply control access to that specific hard drive and there you go. Unfortunately I wouldn't go through all the trouble of securing access to "sensitive" information just to boot into Windows. I would use OS X or another UNIX/LINUX variant. As far as hardware goes... being that our secure HDDs are about 5-6 years old now, they were from a popular vendor who likes to subcontract all of its components from the lowest bidder. I shall refrain from saying their name because I believe there are many other companies that offer better quality computer hardware.
As for the stickers, something BIG and RED, but slightly less than an eyesore, is great. It is a sign that no one could miss!
As for building a completely secure computer? Err... why not just make sure the case itself has locks, and if you really want to go the extra mile, remove the memory after each use. I'm pretty sure that would keep your computer secure.
PS. Things like this should never, never be discussed further on /. Everything I have said comes from knowledge of computer components and easily Googled information concerning COMPUSEC and COMSEC policies implemented by DoD.
Please lock and/or otherwise prevent further discussion on this topic.
sorry I am not spell checking at 415 am.
Since you had to post this question on /. it says a lot about your qualifications to perform such a task. But since I'm partially sympathetic to your cause I'll give you a clue or two.
First of all, it depends on your budget. That will be your first constraint in designing and acquiring a system. If there is a large enough budget, go with a DoD contracting company that does it for a living. If not, go ahead and give a whirl at building your own.
Second, technical expertise. If you are not very technical (since you mentioned that you've been pushed towards being an administrator - probably because you know what an OS is), then you should highly consider a DoD contracting company that will provide technical assistance to you with the system. Take into consideration operational needs (24x7, etc).
Third, since you probably belong to a contracting company to a DoD agency, contact them for assistance. Their security personnel will give you guidance since you will be processing classified information related to them.
Fourth, take some IT classes and get your company to pay for them. It can only help you out since you have been "growing into the job of a system administrator". Consider getting a degree.
Fifth, don't be a moron and tell the whole world how inept you are at your job and maybe get fired because someone from your company or your corresponding DoD agency reads your post and figures out who you are.
Sixth, don't tell everyone in the world that you are building a classified network (especially the level of classification - definitely not what anyone else outside of your company needs to know) when what you really want to know is pros and cons of using a system vendor versus building your own and giving away unclassified but sensitive information that an opponent of the U.S. can use against you.
Hope that helps you out.
First of all, soliciting advice on the construction of a computer that meets DoD compliance on Slashdot, of all places, is probably not the brightest of ideas... you might want to keep this from your employers if you are interested in keeping your job.
Yeah, why would you ask a question on a site read by some of the brightest minds in the computer and networking industries?
Just filter out the assholes who use multiple lines for ASCII sigs and have no idea what they are talking about. I hate using the scroll wheel more because you've bought a subscription and try to get the top post on every god damn topic. And what is up with the mods? +5 "Interesting?" Should be "Redundant" with a dash of "Idiot" because you clearly don't understand the question being posed.
Why must people do this every time an "Ask Slashdot" is posted? Just answer or post your tripe on another topic.
Get your Unix fortune now!
I have seen that it is possible to read out RAM contents today, with an acceptable low bit error rate.
So shouldn't the RAM be removed as well ? Or is the US not concerned about secrecy but only bureaucracy ?
Stop hating on the military.
If it wasn't for those mother fucking godless terrorist heathens from the Middle (B)East the World Trade Center would still be standing.
The military protects pussies like you from motherfuckers like them.
Of course, you probably believe September 11th was "understandable" due to the "oppression" of the Arab peoples.
Abu Ghraib? Kiss my fucking ass! WTC, Flight 93, Pentagon, and an attempt on the Capitol is my response to those pissing and moaning "Abu Ghraib".
And we didn't desecrate a Koran - that was a liberal lie.
Meanwhile Christians get beheaded in Sharia ruled countries. You like that - that's fucking diversity and tolerance - only tolerate the enemy.
Dhimmi go feel thyself subdued! Pay the jizra and submit to your Islamofascist overlords!
Back to "oppression":
I'm fucking oppressed by $3/gal gas price and fear the terrorists are going to strike again and knowing my city of birth was attacked worse than Pearl Harbor.
They're getting rich, those terrorists and their supporters, while we get poor. Those high gas prices hurt US and help Them. We get poor and we get bombed with our own gas money.
Please Bush, turn on the Texas wells. And keep up the good fight.
Ok - so this prolly isn't enough for the DOD, but in our environment, I was able to shut down the USB services on a Win2k box with this .reg script:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBHUB]
"Start"=dword:00000004

To re-enable USB, create another .reg, and change the 4's to 3's.
HTH
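The post above sets the Start value of the USBSTOR and USBHUB services to 4 (disabled) and mentions flipping them back to 3 to re-enable USB. As an added example (not code from the post, from Dell or from the DoD guidance discussed in this thread), here is a small Python script that parses an exported .reg file and reports whether those two service keys actually carry the disabled value. The two .reg samples embedded in it are constructed from the post's script; the key paths are the real Windows service-configuration keys the post edits, and the Start-value names follow the documented Windows service start types (0 boot, 1 system, 2 automatic, 3 manual/demand start, 4 disabled).

```python
"""Audit a Windows .reg export for the USB lockdown described in the post.

Constructed example: the .reg text is embedded inline so the script runs
offline.  Key paths and the "Start" value name are the real Windows service
keys from the post; the START_NAMES table is the documented meaning of the
service Start values.
"""
import re

# Documented Windows service Start values (SERVICE_BOOT_START .. SERVICE_DISABLED)
START_NAMES = {0: "boot", 1: "system", 2: "automatic", 3: "manual", 4: "disabled"}

# Services the post disables, with the Start value a locked-down box should show.
USB_SERVICES = {
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR": 4,
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBHUB": 4,
}


def parse_reg(text):
    """Parse the subset of .reg syntax used here: [key] sections containing
    "name"=dword:XXXXXXXX or "name"="string" values.  Returns
    {key_path: {value_name: value}} with dword values converted to int."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = re.fullmatch(r'"([^"]+)"=dword:([0-9A-Fa-f]{8})', line)
        if m and current is not None:
            keys[current][m.group(1)] = int(m.group(2), 16)
            continue
        m = re.fullmatch(r'"([^"]+)"="(.*)"', line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def audit_usb(text):
    """Return [(service_name, status)] for each USB service: "disabled" when
    Start is 4, the start-mode name when it is anything else, and "missing"
    when the export never sets the value (absence is not evidence of lockdown)."""
    reg = parse_reg(text)
    findings = []
    for key, expected in USB_SERVICES.items():
        service = key.rsplit("\\", 1)[1]
        start = reg.get(key, {}).get("Start")
        if start is None:
            findings.append((service, "missing"))
        elif start == expected:
            findings.append((service, "disabled"))
        else:
            findings.append((service, START_NAMES.get(start, f"unknown({start})")))
    return findings


def is_locked_down(text):
    """True only when every USB service in the export is explicitly disabled."""
    return all(status == "disabled" for _, status in audit_usb(text))


# Constructed samples: the lockdown script from the post, and the re-enable
# variant (4 -> 3) the post describes.
LOCKDOWN_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBHUB]
"Start"=dword:00000004
"""

REENABLE_REG = LOCKDOWN_REG.replace("dword:00000004", "dword:00000003")

if __name__ == "__main__":
    for label, sample in (("lockdown", LOCKDOWN_REG), ("re-enable", REENABLE_REG)):
        print(label, audit_usb(sample), "locked down:", is_locked_down(sample))
```

A key that is absent from the export is reported as "missing" rather than counted as disabled, since an export that never mentions USBSTOR says nothing about the live setting. This is also only a driver-level switch: it stops Windows from loading the storage and hub drivers, it does not remove the ports, and disabling USBHUB is likely to take USB keyboards and mice down with it, which matters on hardware without PS/2 ports.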
"like this guys posting record here and the fact that his myspace profile says he is 19, you gotta know something is up." On behalf of the 19 year olds reading this site, I would like disagree with your prejudice comment based on ageism. Although he states only has a high school education, this does not state his experience and knowledge (or lack of) in his field. Although discriminatory generalisms can be applied for comedic references without too much negatory feedback; however, a direct discredit based solely on his age gives a reprensentation of your respect for the youth. Please refrain from this ignorant behaviour in the future. Thank you, and please enjoy your day. Just as a side note, I am not 19.
There's a Secret network where I work, and most people on here obviously have no idea what's involved. Speak to your FSO/ISSO.
Main things:
If the whole room is not a vault (SCIF), the drive will have to be removable to put it in a safe, unless it is a laptop which will fit.
Every thing containing classified data will have to be marked prominently with the highest classification on that system.
$3 a gallon!
;)
Jesus, I've just paid £0.91 for a litre of fuel. That's $1.64 for a litre, or $6.21 a gallon, and it's about the same all over Europe. I know you guys relate gas prices to freedom, but seriously, if you're going to ask for military help, maybe you could ask them to behead our government and get them to drop our fuel prices first.
Scared of flying, pointy things since 1979!
>>This isn't really a conversation for the masses
Oh dear!
You're a bit of a cunt really, aren't you.
For DoD use, I would stick with something that comes with a hardware crypto device and encrypts all access to the hard disk with a password which must be entered on boot.
I am TheRaven on Soylent News
Mod parent up!
:>
All the guy is looking for is the official howto. DISA maintains them all.
Here it is again: http://iase.disa.mil/
All these posts and only one AC hits it
They have very detailed step-by-step guidelines for securing all kinds of boxes and OSs (including all of the administrative procedures).
Even other sites link in to their work:
http://csrc.nist.gov/pcig/cig.html
And this link to another of his posts seals the suspicion in my mind:
http://ask.slashdot.org/comments.pl?sid=160010&threshold=1&commentsort=0&tid=172&tid=4&mode=thread&pid=13395350#13395427
"Heck, I could even be a high school student researching this for an English paper or wanting to know how to do it if I choose to go into a classified IT job."
Socially engineered indeed. Trying to get the peoples of Slashdot to do your homework for you, good work, I guess. Though it doesn't take much to slip by the editors these days...
The post was in relation to the timeline. Thanks for the slippery slope argument however. The poster has just popped out of nowhere. He stated on another post "I've spent a number of years now building/accrediting/auditing intelligence processing systems (READ: secure computers) and you silly little Slashdot geeks have NO idea what you're talking about when it comes to DoD red-tape."
So he's spent a number of years building these systems at the age of 19? Not only that, but he would have got his first TS clearance in his mid-teens. Ridiculous. I personally think he's either:
1. A troll or;
2. An actual serving member who's getting a bit too big for his britches.
3. Some guy social engineering people.
That's my opinion, so feel free to believe whatever you like.
1 - buy a Mac ...
2 - plug it in
3 -
4 - profit!
I recommend buying one from a vendor - that way, you are assured that the machine not only meets the physical requirements but has the paperwork/certs (if any) needed to satisfy the DoD.
Also check with whoever handles DoD security for your company - there's a lot more to it than just buying a machine - controlling access; ensuring everyone who does has the required clearance and is granted access; labeling any media put in it with the right classification notice (putting your jump drive in the machine means it now must be marked and treated as Secret).
The machine is a minor cost - and bad paperwork will cause nightmares if you're audited.
I'm a consultant - I convert gibberish into cash-flow.
Removable disk packs that lock into the case and can be taken out and put into a safe. Red Classified stickers on the case and the disk packs. Is there a designated security officer in your workplace you can check with? The right computer brand? I don't know how that fits in with physical security, but I've had Dell, Gateway, and Sun.
It's scary to see how bad these answers are. I've been securing computers for the DoD and other agencies for 5 years. The short answer is that you don't need to do much. It depends on how many people need access, is it just for one project, how is the equipment secured when not in use, etc.
If you're doing CAD work, get a Dell Precision. If you buy the laptop version just stick the whole thing in a GSA Secret-approved safe when you're not using it. Otherwise with the desktop you'll need a removable hard drive. All the comments about turning off floppies and USB are stupid. You can have all of that stuff enabled... IF YOU NEED IT. When you fill in your security and IS plans you need to be able to justify what you've done.
As a starting point to securing the OS... wipe the drive, do a clean install NOT using those Dell restore disks (they put a 32 MB FAT partition at the beginning of the HD that is insecure), format using NTFS, install drivers, apply SP2 plus all patches, install anti-virus, disable the NIC, turn off all unneeded services, install the DoD banner (your gov't rep should give this to you). Document EVERYTHING. Any time you even log in... keep track of who, when, and that all security precautions were taken. Logging needs to be enabled on the OS.
Also, I hope you have a clearance, otherwise you're never going to use this computer again.
Here are some links that will get you started.
Defense Security Service (DSS)
http://www.dss.mil/infoas/index.htm
National Institute of Standards and Technology
http://csrc.nist.gov/
If you need more... email me (god help me for putting this on /. ...)
rjhedgehog@gmail.com
Good Luck!
In Soviet Russia, you can get a chassis for free
One thing I do remember from working on milspec projects many years ago was that our project failed an inspection because some pipe valves were black. The part number was identical to milspec, but they weren't painted milspec green.
Perhaps they were using such small points as a nit-picky "canary" check for standards elsewhere; in much the same manner that the No Brown M&Ms clause did for Van Halen.
"Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
A secure computer (by my standards, I'm not familiar with what the DoD would want but I imagine it'd be similar) would be:
1. No networking whatsoever; if it can hook up to a second computer you have to secure that computer too, and if it's online, somebody someday will crack it just out of random IP guessing (duh, just pointing out no networks of any size).
2. Usable storage depends on this in my opinion: if you're building more than one of these computers, go usable storage and be sure to make it the only writable storage (so that they can't stick in a USB stick and back up their work off the hard drive; this means the only place to store the stuff is on theirs, or to bring in another laptop/USB reader to copy their removable storage that has all their work on it). Something like 80%+ of all networks broken into come from the inside; your employees are your threat, and this is increased to 100% if you have no networking capabilities, and no alibis for them either. If you are going usable storage you want to collect them every day when they are done using them and distribute them every morning; nobody leaves without handing theirs in. If it's one computer, you want no removable storage whatsoever, and no external ports that can transfer hard drive information. Then you want to bolt the case shut (after making sure it works and everything is tightly plugged in) so that the easiest way for someone to get into it involves a half hour with a welding torch (if you know how to pick locks you won't trust a lock/key solution). I'd water cool it just so you don't need ventilation holes; I'd be that careful (you're the one demanding DoD). Remember, all your passwords, logs, and secure software mean fuck all if they can just remove the hard drive and deal with it slaved in the comfort of their home.
3. For one computer I'd have 2+ (redundancy issues) cameras watching the computer in a locked, secured room. For many computers I'd have no privacy walls, and many cameras watching all the computers in the middle; this is so that any attempt to dismantle the computer requires the cooperation of your entire staff in the room. Coups will tend to be smaller than your entire staff, and if they all want to fuck you, you're probably already fucked and just haven't realized it. If you want to be a dick, have a very large magnetic gateway built into the door of the room so hard drives leaving the room are wiped, or just have a metal detector, but that's an even bigger pain I think because people carry metal objects.
4. If you do this, you won't even need a secure OS or passwords or logs or anything, because nothing but a photographic memory, or a tank, is leaving that room with your information (the tank through the wall I imagine).
5. For the anal retentive, a few feet of concrete around those walls or that radio-interfering chicken wire I can't recall the name of would be even dandier, so that no items can be brought in to manually enter information and then transmit it out of the room, because they could look innocent all day at their desk and actually be copying/transmitting information out. No windows would be nice too; if you have them in said room, make sure they don't open (bolts are the duct tape of physical security, IMO).
Honestly you don't need all this; the first three are for you really. Even with all I've said I'd still use a protected Linux with full security settings. If you did all of it, no superhacker, black op, or alien ninja will manage to remove your information even if you leave it blatantly unprotected (like Windows) in your room, with anything less than a hostile takeover of the close-encounter kind.
Sincerely, SkillOverKill - wireless network "enthusiast"
The computer itself matters very little (as far as classification goes). If it will be on a network, all of the encryption will be handled by an external device. You should already know that though.
Point being, choose the hardware based on what you need to run the programs it will be used for.
Don't forget. Over 80% of that £0.91 is tax, collected by our thieving incompetent Government. It would be nice if we knew where this money is going to because it is definitely not being invested in our country!!!
The computers that sit on DOD classified Secret networks are no more secure than the rest of them. Probably less secure seeing as how they trust this network. The network is encrypted using hardware encryption keys. That's basically the only difference.
Parent is right on almost all these points:
CDs: Pressed Media is OK, but once it enters a classified computer it becomes classified and can not be used in an unclassified system.
CDs: Burned Media is a NONO. A disk must be upgraded to secure, virus scanned, then moved across into the new system. That disk must be destroyed via (No idea, I take them down to the security office first) and can not be placed in any other computer.
Typically we have our CDs disabled (snipped cable) and the microphone plugs on the sound card plugged with epoxy to prevent some really creative hacking attempts.
It's not hard to be compliant with the rules, I just think unless you have the infrastructure to protect that computer you are asking for trouble. Remember - this is now a SECRET system, and as such you will have many problems with the federal government should you inadvertently disclose (via theft) said computer.
You'll also need a virus scanner and a firewall on the system, even if it's stand alone. If memory serves.
Most computer manufacturers have contracts in place to sell certified hardware.
Oh yeah - no open source software if it's not approved by your DoD security officer, and no foreign owned, controlled, contributed, or looked at, code can run on it. Your situation might be different so TALK TO YOUR DOD SECURITY OFFICER.
I mean, it's only jail time for you if you screw up.
I'd strongly recommend you read Defense Information Security Agency's guidelines for computing in a secure environment - you can find security technical implementation guides (STIGs) at https://iase.disa.mil/ but you need to conform to the STIG on both hardware and OS configuration.
You'll find other regulations for making machines that process classified material, but if you're looking for hardware specs it's pretty easy.
I don't believe Windows XP has been certified by NIST but that doesn't mean you can't use it. If you're looking for a really high security Windows box the only Microsoft OS that's certified by NIST is Win2kSP3 with the Q326886 patch. You can get the patch by looking up the KB article number (Q326886) at http://support.microsoft.com./
Look here for more NIST information - http://niap.nist.gov/cc-scheme/vpl/vpl_type.html
Don't take my word as gospel, look at the regs - but here it is in a nutshell:
- Unless the box can be secured in a safe (like a laptop) it must have a removable hard drive and that hard drive must be stored in a safe when not in use.
- No wireless. Not any. Not 802.11, not Bluetooth. Do not pass go, do not collect $200. And it can't just be disabled, the hardware cannot have the capability.
- The machine must conform to both DISA STIGs and DoD CERT advisories.
- No Internet connections - you can connect a classified machine to a LAN provided the *entire* LAN is accredited and contained within the security vault. No outside network connections except to SIPRNet
Be careful and methodical - and like I said, read the regs. Don't take my word or anyone else's word for any of this stuff - it's gonna be your ass on the line if the machine doesn't conform. To answer your other question - machines processing classified material can have removable drives - but removable media may never leave the physical security enclave unless it's properly accounted for.
Hope this helps -
we see things not as as they are, but as we are.
-- anais nin
I work in the army with signal equipment but I don't actually administer the machines. What follows is just my observations of those who do. It seems that the main way to make sure a classified computer system meets security needs is pretty simple. The computer itself isn't normally a classified device. It's the hard drive itself. Almost all machines I've seen have an easily removable drive slot and you can use either a secret/classified drive or a regular/for official use only drive. Whenever a secret drive or computer is not in use or you don't have positive control over it, it goes in a COMSEC safe. You NEVER hook the machine with a secret drive up to a regular network, unsecured thumb drive, insert unapproved CDs/DVDs, unapproved hardware or drivers etc. Normally they will have a small red box on the top of the screen that is always visible that denotes its security classification, in case anyone decides they want to install Quake or surf Slashdot... Secret machines are only allowed on to DOD secure networks. It's kinda like a mini internet of just defence machines. It is generally a totally different network from the internet and they have their own news websites and such.
It's pretty simple. If you don't want people breaking into your computer or messing with it, just make sure you are the only one to use it, and that you don't allow untrusted code or networks to access it. If you are afraid someone might forcibly steal the computer, make sure the entire drive has strong encryption. If you are afraid someone will torture you for the key... well that sucks.
Give me a break. You must be a friggin' idiot to be asking that question of Slashdot and expect to get answers that comply with those DOD standards. It's obvious you have no business handling such a project if you are not cognitive enough to research the appropriate DOD docs governing computer security.
My karma is not a Chameleon.
You have 4 distinct needs:
1- a DoD compliant secure computer
2- a secure environment for it
3- verifiable evidence of correct execution of the task of purchasing or building this system.
4- maintain the security of the system. This depends heavily on #2, and is one reason you require verifiability (#3).
If another admin or support person after you breaches security, you need to be able to verify who did what, when.
There are some clues in your post:
"Growing into the job of a system administrator..."
This indicates you have been tossed into a sysadmin position like many people, without the training and experience to do it. You've learned on the job, and are getting better. But you know there are gaps in your experience. You also know you don't know where all the gaps are. You aren't experienced enough to do something like this on your own, -and- properly document and verify its completion.
"...I'm not quite prepared for..."
This shows good sense.
"The computer...must have, *from what I can tell* (emphasis mine), a removable hard drive and security stickers to prevent tampering."
If you have to qualify statements with "from what I can tell", you aren't prepared for this. You can get assistance from a vendor or consultant, but this will always be -your- responsibility. You need to get prepared, and self-study and web research ain't gonna do it.
Inform your bosses that you can't take on this responsibility without the additional training to handle it. Find out what you need to learn, find a school, and present the proposal.
I have -no- experience setting up DoD secure systems, but I do set up high-security systems for businesses. I do read the DoD standards in order to be up to date. In other words, I'm better trained to do this than you, and I wouldn't try it without more training.
Unless the entire network is classified, and unconnected to the world at large. Assuming you're in a SCIF. Otherwise, the AC reply to your post is good guidance.
Best Slashdot Co
You're = "You Are"
Your = possessive you.
Get it right. Please?
Why not tell US what the specs are, and we can help you, rather than presume that we all already know DoD specifications?
"Champagne for my real friends - and real pain for my sham friends!" http://ericblade.postalboard.com/
Something to ponder: If you decide that USB is unacceptable, then you need to be very careful about your hardware selection. Particularly with a manufacturer like Dell, they are making fewer and fewer PCs with PS/2 ports for your keyboard and mouse. A large percentage are USB driven mice and keyboards. It's simply becoming cheaper to leave the PS/2 ports off and go with all USB connectivity.
Awk! Pieces of eight. Pieces of eight. Pieces of seven... ERROR: General Protection Fault. [Paroty Error.]
If you want a secure system don't use any version of the virus and spyware laden and inherently insecure Microsoft Windows. Use a real OS such as Linux that is secure, has a real permissions system, and is not susceptible to viruses. Another advantage is that you can easily encrypt your entire hard drive.
I'd say mod him up funny! it's obviously hilarious :)
I promise to remove the security stickers before I start tampering with the computer!!!
It is being invested in wars elsewhere of course.
These wars are to protect our country from terrorist attack, locate and destroy WMDs, bring stability to the regions concerned, and lower oil prices.
All in all, clearly a thoroughly worthwhile investment.
PS: wanna buy a bridge ?
To get an overview, I would recommend this book. Not just for Windows users.
I've heard that the IBM AS/400 (they call it the iSeries now) will pass NSA ratings, and that a Windows box can only pass these same ratings if it's turned off. It's a different platform, so you have several other challenges, but properly administered, it's secure. Check it out.
To a politician, one email equals one voter.
The best bet for securing a computer for the government would be to follow their "bibles". Those would be DoD Directive 8500.1, which gives a high level overview of the requirements of securing the computer, and DoD Instruction 8500.2, which tells you how to implement the instructions in 8500.1. It is a lot cheaper for you to do it and just takes a little time and effort. Having the vendor do it is an option, but you're still having to continuously update the machine for patches and security fixes, so IMHO knowing what's on the machine by building it yourself is easier. The DoD also puts out security scripts that are freely downloadable that check your security configuration; I'd also recommend using those tools as well as the guidelines outlined by the NSA on their web site (again, free download).
And building a computer is one thing, you just have to remember that you have to make sure that the computer is stored in a secure facility before the government will give you permission to post any sort of classified information on it and that's a subject for another posting. Hope this helped.
1) Forget Windows (too many ppl use it, so everybody who gets access to the system can get in).
2) No networking.
3) Log every action.
4) No removable media other than CD-R/W.
5) When somebody's going to use it, they must beforehand tell what they're going to do, how they're going to do it and how long they're going to be busy. Also they're going to leave /everything/ behind that they don't need; this includes car keys, wallet, cell phone, etc.
6) Put it in a safe, this is no joke (make it large enough to work in).
7) Keep it under surveillance 24/7.
8) It's off outside office hours, and won't go on outside office hours.
9) Change passwords with every use.
10) No janitors in there, you do the cleaning yourself.
11) Only the tools needed are available to the users... Tools not needed by those users aren't even on the system.
12) No empty sockets in the system case... No wireless thingies, no empty sockets on the main board.
13) The safe where the thing is located is otherwise empty.
14) Only 2 trustworthy persons have the access method (preferably some weird keypass in combination with a code).
15) The safe should be filled with some poisonous gas when nobody is supposed to be there (a bit too dangerous perhaps, but surely effective).
16) The safe is controlled by the computer inside it.
17) No printer or scanner attached to it.
18) The computer and safe receive their power from a UPS, which in turn is charged by the regular power grid. The UPS is on the inside of the safe.
19) The CD-RW which has some data from the computer in question gets destroyed the moment it isn't needed anymore (destroyed = shredded + melted).
20) The computer in question is bolted in place and welded shut (so nobody can just pick it (or part of it) up and walk away with it).
21) The walls of the safe should absorb EM radiation.
22) The walls of the safe should absorb sound.
23) Metal detector at the entrance, which is again controlled by the computer on the inside.
24) /You/ thoroughly check the code of all software which gets on that computer.
25) The persons which need to get /near/ the safe need to get clearance for it.
26) The persons working with it should be hardened against social engineering - this includes testing them for vulnerability. You should do that when they least expect it.
27) The safe is in a weird location, and the entrance looks completely innocent.
There were good and informative replies to this topic.
Thanks.
-Russian spies.
This is probably not going to be seen, but one way to secure a system is to have it so the users can't plug stuff into it (like USB sticks) and walk away with sensitive data. Disabling or plugging the USB ports with gunk might work. Of course, that doesn't stop anyone from e-mailing themselves the same data.. Unless you want to restrict network access to a private intranet.
Same for the floppy drive slot. Big gobs of superglue. More in the network card thingie.
It's not hard to secure a computer. Heck, even though I used three or four tubes to secure my computer in a room with little ventilation, I was still able to type this post. Yeehaw!
JEDI is the Joint Enterprise DoDIIS [Department of Defense Intelligence Information System] Infrastructure. It's fully compliant with DCID 6/3 and will secure a system up to the TS/SCI certification level. It allows you to control USB ports and lock down drives (floppy and DVD) and also has security classification banners that you may customize. If you're using a Winblows AD infrastructure there are centralized event logs and items to be placed into OUs to centrally manage your JEDI systems. You can use it on any hardware platform, mine are Dell Precision 670's, and it's compatible with XP and some versions of Solaris.
http://www.rl.af.mil/tech/programs/jedi/jedi.html
If you're worried about OPSEC, then you wouldn't send this kind of information to a total stranger, especially not over e-mail.
Also those laptops need to run ultra-vnc, with a password set to "slashdot" so that the collaborative efforts of all /. people can maintain the maximum security levels of the OS.
https://infosec.navy.mil/
Get the STIGs for your computer, and you're DoD compliant. Sounds easy, it is not. But your computer will be locked down to the security needs that you will be expected to comply to.
Neck_of_the_Woods
#/usr/local/surf/glassy/overhead
First look at the DoD recommendations for Trusted OSs. There are few, and the level of assurance (that they do what they claim) varies.
Choose EAL4 at least. You can probably get SE Linux or Trusted Solaris.
After you choose the OS, you'll have to pick one of the supported hardware platforms.
Then you'll have to read up a lot about Mandatory Access Controls and Role Based Access control.
Don't forget that once you secure one machine, you'll have to make sure anything that touches the info on it is secured too otherwise, the weakest link will surely break.
Good luck.
We on slashdot are going to use your own time-honored techniques of smear and fear on you!
Blar.
This coming from a 1337 cyberspook!?! You're just looking for more information against us, aren't you? AREN'T YOU!?
No, no, I think 75% of the "SHHHH DON'T SAY THAT" replies were people not understanding what can and can't be discussed publicly, but I've noticed a lot of replies saying things like "Well, I'm in this agency or this branch of service, I work on this ship or this base, and this is the security procedure we have in place. Oh, and this is the type of network, PCs, physical security, etc. that we use." Now that's starting to get dangerous, since you can easily compile a large list from all of the comments...
Other than that, I'd say your advice is even more spot-on than Jinx's. And that goes for any sort of government requirements. In manufacturing for govt projects we spent more time certifying our product, inspecting it, etc., than we actually did making it. Then, when you're dealing with stuff like this, yeah, policies and procedures, training, WRITTEN PROOF of all of the above, etc. is going to be a major pain in the ass.
Better seek out some serious help, and I'd say probably best off finding someone who works in this field to help.
SWM seeks new sig for a brief fling
Well, what could you do to prevent tampering?
Disable all those that you don't need (network, usb, etc), and forgo the sticker for tampering. Most motherboards that I've bought have a header for a case open switch that will trigger an alarm. I suppose there might be specialty motherboards that upon opening the case would, at minimum, shut the computer down.
There are special screws making case opening harder.
No Burners.
Run a secure OS, and that means no Windows, no unhardened Linux or BSD. But that probably affects how well your end user can use them.
I doubt Windows could be secure enough for DoD compliance, but obviously I don't know for sure.
My assumption would be you'll be needing to meet the NISPOM (DoD 5220.22-M) Chapter 8 requirements.
That being the case, there are tremendously useful resources at www.aissecurity.com.
I'd start there.
Here's what I've learned: Home support from anybody I've tried - Dell included - is really bad.
Dell Small Business support answers the phone promptly and is quite helpful. Probably a half-dozen issues, all resolved great. The last was probably a year ago.
Next-day onsite warranty support because a client's desktop CD-ROM drive was too loud. I didn't even have to go there, and I spent about 10 min on the phone total.
I tell everybody to buy their Dell from the Small Business division - the only differences are the packages and the support. The price is usually less. Applies to refurbs too - as long as they are Small Business refurbs.
Looking for freelance Actionscript (Flash/Flex) or ColdFusion work and/or freelance developers. Email me, put Slashdot
First and foremost, make sure it's in a secure location. Physical access is a quick and easy path to destruction/theft. If it's a Windows server you're talking about, a quick boot to a Linux password-resetting CD will give anyone with physical access to the server the ability to seize root... er... obtain administrator permissions. Think locked room, biometric security, at a minimum.
Now accepting PayPal donations!
After reading your post, I can't imagine this is genuine. My guess is you have some kind of nefarious intent. Please, for the love of all that is good and true if you actually have a security clearance or know something about it do NOT post and tell us all about it.
To secure a machine (Windows, Linux, a toaster) you need to know everything about it. What starts when you boot, what you really need, deactivate or don't install what you don't, etc.
So you are telling me that you can know in one week what every line of configuration file is doing in Linux? Forget it. You can't become a security expert in one week, but you can make a one year plan to learn.
No sig for now.
Stickers don't "prevent" tampering. They also aren't a very good indicator - I've been defeating them since I was 15 using a hairdryer.
I can give you all sorts of advice on how to secure a system. The best advice is to have a competent security person evaluate their individual needs. I can easily tell you how to build a fort-knox style system, but it may cost your business more money in lost productivity than it saves by preventing corporate espionage.
Oh, and most biometric scanners are defeatable. Nothing beats a good 20 character alphanumeric password that is changed weekly.
You'll just need a computer running Microsoft Windows XP with Service Pack 2.
Windows is really secure, after all. They have "trusted computing" and everything.
What can I say? My day job makes Byers look laid back. :(
;-)
YOU will have to decide for yourself if you need to wear a tinfoil hat when I'm around.
Spiritus ex Machina
"The universe is not only stranger than we imagine, it's stranger than we CAN imagine."
WTF are you talking about? He was dead right about OPSEC. You wouldn't believe how much information I've gathered from this thread. Follow the links to peoples' websites, read their previous posts... Easy to find out where a lot of these people work. And they're posting their fucking security procedures! Now I know some of the security procedures for quite a few different companies, can narrow down the others to a few different companies.
Hell, just the fact that his particular company just got a contract on a project like this tells me a lot. It can definitely tie into OPSEC, but basically it's a blatant security violation at the least. Not that I'm complaining, I'm eating this up.
You have to love that engineers (techies, geeks, nerds, etc.), who just love to share information about their implementation of technology, are simultaneously one's biggest adversary and one's easiest source of information for defeating them.
The original poster skirted an OPSEC violation, depending on how much information I can get about identifying his company or the kind of work they do, but the comments combined built quite an interesting picture.
Anyways, back to work. Just wanted to let you know.
I don't see a problem with it. Information on how to classify a computer is not classified.
No, it's not. The problem isn't revealing classified information. It's relying on a public forum to try and solve an ironclad security problem. The people here have some of the expertise that you're looking for, but they're not involved in your design decisions. They don't have the knowledge of the information that needs to be protected, the use cases, physical security issues, the hardware requirements, etc. And you aren't paying them to do it, so it's not their ass on the line.
Asking Slashdot for hints is one thing. But I hope that's as far as you're taking things. Depending on the information received would be folly. It's similar to asking random people on the street how to design a secure bank vault. You're sure to miss some very important things.
My suggestion: Follow what this guy says about rules and regs for DoD contractors. Second suggestion: find someone else who has already done this. There has to be someone in your organization or other organizations. Don't take this on yourself. Remember, if you designed it, you're going to be held accountable for it. Be sure you're ready for that.
The most secure computers are not plugged in... Steal the power cord...
-M
when you see the word 'Linux', drink!
...to make a commodity pc computer (i.e. Windows, x86) that will actually comply with 100% of the DoD security mandates both on paper and in actual practice.
Wash your hands of the matter of making the system yourself and require that the computer be bought from a vendor to meet the requirements. That way when the security audit fails (and it will for sure), you can point the finger of blame at the vendor for fraud.
Epoxy, rather. USB disabled from BIOS can be re-enabled from BIOS, passworded or not. Shoot a blob of epoxy into the bits you don't want accessed, but are attached to the mainboard (assuming you wouldn't rather just remove those bits entirely by desoldering and removing the sockets/ports), like USB and serial ports. If you wind up needing access to USB in the future, you could always open up the case and plug leads into the spare unused USB headers most PC motherboards have these days. I've torn off the usb ports on a motherboard with a pair of pliers in a fit of frustration, and the machine worked fine. Security through violence worked fine for me.
For starters, I suggest that you look at products like Utimaco's SafeGuard Easy (AES 256-bit full disk encryption), SecureWave's Sanctuary (for device and port securing), and Kanguru's AES 256-bit encrypted thumb drives (gaining FIPS approval currently)...
Vendors like HP and IBM have vendor-specific technologies to protect instances of hard drives being stolen as well, but you need to use a third-party FDE (full disk encryption) to complement those products (plus the others I listed above)... those should get you started in the right direction.
Good Luck!
www.TakeArms.com
I know of two vendors who make systems that fit your requirements. Hetra (in Florida) and DigitalNet (in Virginia)
They came for the Communists, and I didn't object - For I wasn't a Communist; They came for the Socialists, and I didn'
Don't know why you were modded troll. There is a lot of insight in your post.
I'm a virgo and on Slashdot. Coincidence? Yes.
If you're looking for the answer to this question, ask your organization's SSO or the SSO for the org that's hiring you. Anything you do yourself is probably not going to dot the i's and cross the t's.
seg fault
http://www.enovatech.net/
128-bit and 192-bit AES are available.
They even have cards to handle multiple PATA or SATA RAID channels.
Just load Windows ME or even a secure O/S like Windows 2000 on it and connect it to the Internet. It should be secure enough and we all know that no one will hack it.
Go to www.dell.com. Buy a computer. Put it in a classified area. Slap a red SECRET sticker on it.
Woe be the person who sticks uncleared media into the machine, or attaches it to an unclassified network.
You are done.
I am very small, utmostly microscopic.
http://www.enovatech.net/
128-bit and 192-bit AES are available. Comes with 3 duplicate hardware keys. No performance degradation. Good key generation and database policies (they destroy it after making the keys).
They even have cards to handle multiple PATA or SATA RAID channels.
right now. And take the NISPOM Chapter 9 course.
Funny that, I thought it was to make the current administration's friends @ Exxon richer.
Jaysyn
There is a war going on for your mind.
If they were going for an Orange Book, or standalone, certification, it would make sense to yank the IP stack (which would sort of be needed to achieve a Red Book, or networked, certification) off of the box. Or would removing all unneeded cruft from a box be counter-intuitive when you're hardening it? If this is so, can I get some security clearance so I can play nethack on a classified box? That would be SWEET.
Also, I thought the rumormongering consensus around here was that Microsoft "borrowed" its IP stack from the reference BSD implementation?
Easy does it!
The first thing you need to realise is that the system will NEVER be able to have access to the internet in any way. Any updates and upgrades that involve software will require your manually searching and looking for them and then applying them.
I have recently set up a Win 2k3 server that meets the current DOD requirements and personally the hardware is the least of your issues. Setting the OS as the DOD demands and then allowing your users to still get work done is DAMN near impossible.
Without the connection to the internet over 90% of the security issues you face are gone. It then becomes an issue of ensuring that your users do not violate the policies that the DOD has put into place. In reality your security/IT integrator should be able to give you more specific info.
Hey, previous post has good advice...
You are working for the government now so Cover Your Ass. Don't do anything that doesn't have somebody assigned to be blamed. Then, find out what your higher-ups want you to say, and always echo that. If it is impossible, get some flunky who needs the cash to sign off that they guarantee it will be done to spec.
You'll be on your way to a promising career. Remember, it's not about doing good, but looking good.
>>"ad space available -- low rates!!!"
With respect to the computer specifically, really it's a lot simpler than you think. What you need is to get it certified for classified processing. What this means is finding the person who will be doing the certification and asking them what they are going to check for. Then implement that. As a contractor facility it should be DSS who does this. A good place to start is getting your hands on a copy of the DISA Gold Disk and a copy of the Minimal Security Activity Checklists (MSACs). I also recommend patching the computer as completely as possible. Also read up on the DoD 8500 series and DIACAP.
I do security
buildings secure computers!
As the sysadmin, you will be the ultimate blame for all things wrong, including, but not exclusively, security breaches, down-time, and cost overruns.
Become Software-Agnostic. Look for the best product for the job.
Follow all DOD guidelines (dot each "i", cross each "t").
If one thing is possibly wrong, the entire endeavor goes under a microscope. Everything is the tip of an iceberg.
The only thing new in this world is the history that you don't know.[Harry Truman]
Password protection in the BIOS.
One CD-ROM drive, no burner
No floppy drive
Remove any data transfer ports (USB, serial, network). If they can't be removed, don't just disable them via software, disable them via hardware. I am sure there are lockdown mechanisms out there, but superglue and old connectors, along with tamper stickers should suffice.
The only thing I can see that you would also need would be the ability to back up the work somehow. But you wouldn't want it to be portable to prevent unauthorized access. Maybe offline backups of the removable drive? (I assume there will be strict procedures around removing and connecting the drive, and it will be stored somewhere secure) However, if you don't have the computer networkable, and you can physically lock down the machine, it might be better to have a redundant drive system that isn't removable.
My beliefs do not require that you agree with them.
buying a dell is like ... like... a sin.
Dimitry.
Having a vendor supply the workstation isn't an issue. Install the removable drive cage onsite. Each workstation should have the appropriate labelling, and an OPI for the hard drive should be selected. The hard drive should be controlled, and stored in an approved container when not in use. In a non-operational zone, the workstation's monitor should not face a hallway where people without the proper clearance, or foreign nationals, can view the screen.
The DoD machines I worked on were standard PCs with removable hard drives, in locked rooms without network access. The doors required a passcode and logged entry and exit. When a part had to be replaced, I was monitored while I worked on the machine. When I was done, I had to answer a series of questions like:
"Why did you replace the [part]?" - "Because [part] was broken. Testing included replacing suspected bad [part] with new [part] and determining if things worked correctly"
"Does new contain any listening or broadcasting devices?" - "No"
And the like. Every possible part of the machine was covered with the break-seal sticker that had to be logged when broken and replaced by yet another person. Interestingly enough the mouse had break-seal stickers as well...
"Does this mouse contain any listening or broadcasting devices?" - "All mice are engendered by their creator with ears (listening devices) and a mouth (broadcasting device). I am unaware if now or at any time if this mouse has been a member of communist party."
(Not sure if that comment ever made it into the log or not but the interviewer and I thought it funny.)
Find out what the appropriate Common Criteria evaluation rating should be. For example Trusted Solaris 8 is something like EAL4. You'll also probably want the OS to support RBAC too.
Since your company seems amazingly oblivious, you can show that you deserve to be a sysAdmin by TELLING THEM IMMEDIATELY THAT YOU ARE NOT THE PERSON TO DO THIS.
Better to tell them now, and show you are a competent professional, than to get FIRED later for FAKING IT now.
Security is a process. Buying and setting up a system is just one part of that process.
Get Bruce Schneier's book, "Secrets and Lies". Read it. Then get some experienced help to build your secure system.
This guy is a bonehead asking for advice on /. "Dear /., I want to make a secure boxen to do top secret security stuff on. How do I do it?" How about "don't tell the world you're setting up a secure box, and don't take advice from strangers. Talk to the DoD yourself!
Well, I bet you're fun at parties. I can make my own secure box. I have the documentation. That is not the problem. The problem is that the documents are so minimal to the requirements that we can not have an open mind on building it. I'm asking /. the pros and cons of vendors vs. building it yourself. I'm asking /. what unexpected challenges they may have come across in setting up the machine. I'm not asking for secure information. I'm asking questions that the computer illiterate DoD person can't answer. Can you do that? Or are you too high on your horse to admit you don't know? If anything else may I recommend you try not to talk trash in situations in which you assume?
I'm a virgo and on Slashdot. Coincidence? Yes.
The NISPOM reference is all the rules you need. Google it or just use http://www.dss.mil/isec/nispom.pdf . Don't try to over think this. Thinking something is secure won't cut it. You have to be able to prove it to an inspector who is NOT a security researcher. They are government inspectors, think like TSA at the airport, and your cool ideas won't help them fit you into the "followed the rules" box.
WTF! Why aren't you referencing DoD guidelines?
No computer is ever any more secure than the environment it is placed in. Having a secure computer located in an area that is physically accessible to any/all workers, let alone the contracted night cleaning crew, is not secure. Period.
Physical security could be as simple as using a locked room, but who has the keys (and who took a night course in locksmithing)? Keycard access in conjunction with an electronic combination lock is a step up in security. Adding some form of biometric identification (iris scan, thumbprint or voiceprint) is better still.
What is the secured room constructed of? Chain-link, steel reinforced glass, or bullet-proof lexan walls allow restricted access to an otherwise public area. Steel rebar reinforced concrete walls, or even walls constructed of steel plate can make the room more safe-like. Radio frequency emissions may also need to be shielded, so a fine mesh brass or copper might be required. 24 hour video recording entry and exit, along with the date & time stamp, may be a requirement.
All of the above does not even begin to address the design of the computer itself. Are there requirements for "tempest" hardening? The computer chassis should be fitted with tamper-proof fasteners, as well as foil security tape across chassis sections. Media control requirements may mean using a removable hard drive (to go into a real safe) -- floppy drive, CDROM, DVD, or especially available USB ports might be prohibited. Any network connection might also be eliminated, or else restricted to a fiber optic subnet that is isolated, or heavily firewalled.
Access control at the console may be restricted by the use of a keycard, password, and biometric scanner. The choice of operating systems should be limited to those that provide separate filesystem and user account security, including complete access and executable audit logging.
(Somehow, I think this will eliminate the copy of Windows 98 that you had tucked away.) Given the limited physical or network access, Win2Kpro or WinXPpro, OpenBSD, FreeBSD, Linux (with SElinux patches), or Solaris10 might be candidate OSes. That choice should be driven by the applications required (COTS, GOTS, proprietary in-house, or F/OSS).
While this bit may give you a head start, you should rely upon established DoD security publications for guidance.
Economics is what interferes with doing the RIGHT thing, which is giving everything away.
Someone else commented on your ignorance of the law, I guess I'll comment on your ignorance of economics. Economics is figuring out how to take what you have and get what you want. Economics is not business, although the subject of economics is important to business, just like the subject of mathematics is important to business. Economics is part of the foundation of FOSS: How do I get the software I want? I write a small bit of it and share it with others who are doing the same. That is economics.
If you are going to go on an anti-capitalist rant at least take some time off from the playground and go to some Communist Youth meeting. They should be able to provide you with some rudimentary knowledge so you actually understand some big words like "economics" and don't make such a fool of yourself. Or at least when you do it won't be on such a boneheaded thing.
In general, security procedures themselves are not classified. The more specific you make them, the more "sensitive" they become, but still, they tend to remain unclassified.
Look into TNE (http://www.gd-ais.com/default.cfm?navLeft=/menu_p s.htm&Main=/Capabilities/productpages/tne.htm)
Done, secure computer. Well of course you need to not plug it in inside a bank vault as well. Then it's secure, well unless the earth parts so don't use a bank in California. Then there is the sun expansion that will cover the earth, so you can only set up a secure computer agreement/expectation for a few hundred million years. By then there may be more portable solutions.
The only time we'll ever be secure is when we all learn to live in a society without secrets!
I like my women how I like my sugar.. granulated.
After all, information wants to be free!!!!
(ducks eggs and tomatoes)
Wait, did somebody mention terrorists a few posts ago??? Huh, seems they read /.!
EMSEC is a classified policy, thus you need a security clearance to be able to obtain the document.
First off, do you have a secure facility that you will work in? If so, you likely have security staff who have the specific requirements for your site. Make sure to speak with those who handle the AIS systems rather than physical security and personnel security. As for asking on /., could you really rely on the information obtained here? Even if it is correct, you have to treat any information based on the source and trusting a post without knowing the source is unreliable. If you find that the DoD person you are in contact with does not have the answer, ask to speak with someone who does.
I'm asking /. the pros and cons of vendors vs. building it yourself. I'm asking /. what unexpected challenges they may have come across in setting up the machine.
Standardized equipment has become pretty commonplace for secure deployments. Essentially your customer security representative should provide requirements for securing AIS systems as these differ from customer to customer and project to project. Generally though, this involves disabling some physical devices (external drives and ports), disabling/securing services, detailed logging, etc.... Certainly if you are required to secure the hard disk, I'd recommend an enclosure that allows easy access for that, but you may not find that option in standard equipment. This may not be the case in all environments, especially if operated 24/7, but each customer may have their own requirements that you'll have to follow.
I guess the overall message is that you really need to work with your customer rather than any public forum for the general information. My thought on the specific question for vendor vs. custom systems is that approval will likely be easier for a vendor built system but certainly a custom system can be approved for use, you may just have more security work on your hands.
You would also need a secure TEMPEST cabinet.
Run a virtual machine (eg. VMware) and encrypt its representation (i.e. files). Etc...
Try looking at clearcube.com --- various people who are very concerned about security install these systems; lock down the terminals and keep the backroom secure. You still need the physical security for the terminals etc., but it simplifies some of the other stuff. Of course, if you're just doing one, maybe it's not worth it.
Come on, you know you want to tell. You are dying to give us the secrets....
Really, is this the kind of task that a business would trust to a person who does not know the difference between "you're" and "your"? And, yes, I know I'll probably get reamed for asking this.
Huh?
In the real art world, when a forgery has been hanging on the wall of a museum long enough, it's considered genuine.
Networks are OK, as long as they're confined to the computers in the closed environment, the computers are all cleared for the same projects, and the network has absolutely no links out to an unclassified network. The fact that the company has asked you to figure something out could mean one of two things:
1. The company is really clueless and has no idea what's involved in doing classified computing.
2. Your company already has an SSO but nobody bothered to tell you about it.
The NISPOM is your Bible here, but you shouldn't be trying to follow it. It's a full-time job. One of the jobs of an SSO is often to oversee management of closed areas, which are, as the parent said, basically human-sized safes, and are the only places that classified computing may occur. If your company isn't set up to do classified computing already, and you don't have an SSO, then you've been given a task that you can't possibly perform in two weeks, and probably can't correctly perform at all without a lot of help and support (including your company hiring people who do classified computing professionally, or sending you out for lots and lots of training).
(Posting anonymously on purpose, but not from fear of you guys...other reasons.)
First, get a network admin who knows something about security and dealing with classified IT systems (someone asking for advice on slashdot using a yahoo account doesn't qualify). Seriously - go talk to your ISSM/ISSO/CIO, that's what they are there for. Do you really trust this collection of boobs to give you advice that won't land your ass in jail or get your security clearance yanked for stupidity?
Next, if your ISSM/ISSO/CIO is the usual non-technical pencil pusher and doesn't have the proper resources or knowledge, head over to DISA, specifically DISA STIGS for implementation guides and hardening tools. Also talk to the OADR and project owner to make sure there are no requirements above the DOD minimums such as Tempest or additional physical security requirements.
As stated earlier, DoD requires their servers to be DITSCAP'd. The process costs at least $50K, takes about six months, and needs to be performed by an official who represents the requesting branch of the Government. I don't think that's what you're looking for but it is a starting point. It's one thing to be DITSCAP certified, it's another to be DITSCAP compliant. Check out http://www.nist.gov and do a search for DITSCAP. You'll find all the relevant information there.
I'm a DoD sysadmin myself, have been for years.
Pay attention to all the posts that tell you to turn to DoD for these answers, and not Slashdot. Depending on where you fall within DoD or the IC, different policies apply. Your boss' requirement to have the Tech Guy go "figure this out" is the wrong approach- start with your security office, and tell your boss to be prepared to wait many moons.
I'm doing contract work at Rockwell Collins, and saw this in the twice-weekly press release email they send out. It could be the ultimate solution to the security issue:
"NSA Gives Certification on MicroProcessor -- Rockwell Collins has received National Security Agency (NSA) certification for its Advanced Architecture MicroProcessor 7 Government Version (AAMP7G), a Multiple Independent Levels of Security (MILS) device for use in cryptographic applications
"The AAMP7G MILS certification represents a significant milestone for our programmable cryptographic engine development efforts and strengthens Rockwell Collins' credentials in the Information Assurance market segments," said Bruce King, vice president and general manager of Communication Systems for Rockwell Collins.
"The AAMP7G provides MILS capability through its unique micro-architecture, which employs a secure hardware-based separation kernel. It offers a more capable solution that is smaller, uses less power and is more cost effective than current crypto devices.
"The AAMP7G is capable of simultaneously processing the full spectrum of information from unclassified through top secret codeword information. It will be used in the multi-channel, MILS-capable, programmable crypto engine currently being developed by Rockwell Collins.
"The NSA currently is evaluating the programmable crypto engine for Type-1 certification. This next generation programmable crypto engine will address the Department of Defense's (DOD) Crypto Modernization efforts to support future secure communication, navigation and data link capability for the warfighter."
The clearance system sounds logical. It is not. It is completely arbitrary. -- John Bolton
You should consider OS level security in addition to hardware. I once worked as an intern for a place called Argus Systems Group http://www.argus-systems.com/ which modifies the Solaris kernel to conform to government standards. I'm sure there are probably several other similar vendors out there.
Nice use of nonexistent evidence, CHESTER TROLLBOT. Do you work in the White House?
Well, I bet you're fun at parties.
I am actually...but...Well I bet you're bad at insults.
I'm asking questions that the computer illiterate DoD person can't answer.
You're talking to the wrong person at the DoD then.
Or are you too high on your horse to admit you don't know? If anything else, may I recommend you try not to talk trash in situations in which you assume?
I freely admit I don't know. No high horse there. But I do understand the basic concept of a SECRET. You don't seem to understand that informing the world you have something of value to secure is not the best way to begin, and that you've made your system less secure from the get go by opening your mouth about it. I DO understand what a secret is. My assessment still stands.
These posts express my own personal views, not those of my employer
I believe that disabling CD booting (via Open Firmware) also prevents single-user startup. It certainly prevents the use of safe mode.
As many here have mentioned, you need to follow the DoD standards (http://www.dss.mil/).
You need inspection and approval of your location and systems.
Your systems need to be audited (see the standards) on a regular basis.
Your systems need to be physically secured. This especially applies to any rewritable media.
If something needs to be removed from the secure area, you need to ensure any classified data is no longer on it. This includes CRTs, eprom, ram, disks, floppies, CDs. For example, a CRT must be powered off for 24 hours before it's judged safe to be removed from the secured areas. You can't connect to external networks once it's classified.
People must be cleared and briefed on a need to know basis to access.
Everything must be documented and reviewed. This means all hardware, OS, all software (including patches) must be inventoried. Updates and patches may need approval before being installed.
As far as computer security goes:
telnet is allowed, rsh is allowed. Sniffers are disallowed. Only the sysadmin (ISSO/M, gotta read my docs) is allowed to use sniffers if it's needed. SSH is not required, etc., etc. All software brought into the secure environment must be installed by the sysadmin.
Remember, there's no connection to other networks. Users are not supposed to be installing software.
It's up to the manager of the secured area to ensure that procedures are followed. I've heard of them being fired when inspections were failed.
It's the policies.
Keep it off the net, and enforce secure usage policies.
---- Booth was a patriot ----
Most secure CAD software: AutoCAD (I am a drafter by profession, I should know). It allows you to set passwords, as well as publishing certificates.
How to make the entire system secure:
Run Mac OS X on an Intel based motherboard (plenty of sites telling you how to do this).
In order to run AutoCAD you would need either Virtual PC, a copy of Windows, or to run Wine, using the fact that the Mac can run Linux and Unix based software (the last is indeed the most secure, esp. if you set permissions for each folder and file in addition to the passwords).
Use one of the thumbprint mice (or other devices), that makes it impossible to even turn on the computer without the right finger print.
Also use a "removable media key"; these come in many shapes and sizes. Basically you have to plug it in before the computer can turn on. I would recommend putting it on a flash drive.
Yes, of course a removable hard drive and tamper proof stickers (although they really aren't tamper proof in most cases).
Now if that wouldn't meet with DOD standards, there's a problem, basically no one but you would be able to even turn the computer on, let alone access the files.
It may save some bucks in the short term to make it yourself. But if a security breach does happen (because governmental guidelines rarely do anything useful), then you have the vendor to pass or share the blame, vs. doing it yourself, and when there is a problem you are responsible. So unless you want to get fired from your job or prevent future promotion, I would suggest you get a vendor to do it. Any saving from doing it yourself isn't worth the risk of you owning the computers and being responsible for them.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
This is based on types of classified systems I've worked on myself, and more than a little experience dealing with computer security requirements. It sounds like your first problem is to identify equipment, so focus on that for now. Procedural things, like the handling of CDs and USB drives, can be left to work out with the Defense Security Service, or whoever it is who ends up certifying your setup.
Here's the easiest thing to do:
Buy a laptop and a printer that are small enough to fit in file cabinet drawers.
Do NOT tell the vendor that the device is for classified processing!!
If you need a large screen, you should be able to leave that outside the file cabinet and just hook it up when you take out the laptop. It doesn't have to be anything special, assuming it's LCD. Ditto for separate keyboard and mouse, but DO NOT use a wireless KB or mouse! If you need extra hard drive space, be sure there's room for an external HD in the cabinet.
Now, of course this file cabinet has to be a GSA approved container for Secret information.
I doubt that the DSS will allow you to leave a generic PC out unprotected even if it has a removable hard drive. The laptop is more likely to be approved.
Ultimately the right thing to do is set up a "closed" area where the equipment can sit out. That's a secured room with an approved combination lock or other approved lock. Then when you have to take a break you don't have to shut everything down, load it into the safe, and lock it up.
Plan for the laptop near term if there's a deadline to get started, but be sure your boss understands how important it will be to set up a closed area. Developers will spend half their time booting, shutting down, and assembling their workstations.
Good luck.
This is the WRONG PLACE to get details on computer or network security. Find a company that does computer security for DOD or the like for a living, get your facts there. What you need, I think, is not only a secure computer but a secure environment and set of procedures, documented rules, to protect both the computer and environment, and to help detect situations that do not conform to those prescribed in the procedures. What you are asking for is not trivial.
Get a CISSP to help you design the system and the setting for the system. Make sure that individual includes, as part of due care, studies of folks with similar systems.
The bottom line, I fear, is that your management needs to sign off on what they believe is secret. Without management buy-in, you have nothing but a lot of dollars wasted.
Think less about the system as a whole and more about the setting it's in, and the access to it. Secure systems can run Windows, as long as that is noted in the company policy and accounted for in the access controls.
Just make my entire website http://www.newpath4.com/ as a TSR shell (Terminate-and-Stay-Resident) where any Internet Visitors seeking their information first has to read all my 186 pages TO GET TO THEIR STUFF. hahahahahahahahaha Yep, that should just about take care of that... Plus what the other guy said about the DoD small door situation. UNBEATABLE.
Can the iMac hard drive be split so it can run both iMac and Dell software?