Building Secure Computers?
maotx asks: "Growing into the job of a system administrator, I've been tasked with something I'm not quite prepared for: purchase or build a computer that meets DoD compliance for classified 'Secret' information. Several vendors, including Dell, our primary supplier, offer computers that will work, but being new to the criteria I want to make sure the right computer is purchased. The computer will be used to create secure CAD drawings (Solidworks, OrCAD, etc.) and must have, from what I can tell, a removable hard drive and security stickers to prevent tampering. What is your experience in setting up a secure computer, and is it better to have a vendor do it, or yourself?"
Build it yourself. I wouldn't rely on any manufacturer.
Our facility security officer has a stack of papers that I have been reading over, but it is pretty slim in details when it comes to the specifics. Network is a definite no, floppies and CDs are OK, but what about USB hard drives? Etc.
The only reason I asked Slashdot was for a jump start. My manager says we need to have something, at least a plan, by next week.
I'm a virgo and on Slashdot. Coincidence? Yes.
CYA is exactly why you'd want a vendor to do the build. They have E&O insurance to cover their asses if they screwed something up -- you just lose your job. Also much less work & worry for you if someone does tamper with the equipment as they will have already designed a methodology to review the break-in/tampering to determine the amount of data lost. If the company doesn't have that, don't use them.
Editor is too strong a word for what is done by Slashdot staff. Person who clicks button to approve story is far more accurate, although lacking a certain panache.
Dan East
Better known as 318230.
First, get your boss to sign a memo acknowledging that you're not qualified to certify computer systems as "DoD secure". Then, hire a security consultant from an insured firm which does sign a contract saying they are so qualified. Then do your best. Also, don't rely on Slashdotters' advice on how to tell if a system is "DoD secure". We're a bunch of kibitzers on a huge website full of jokers, posers and saboteurs - indistinguishable from those with a clue.
If you think that advice means you'll get fired, resign. Better now, than after they blame you for the inevitable security breaches. That's probably their plan anyway, in whichever management layer thought that military security is just a buzzword to get an underqualified admin to comply with.
--
make install -not war
You will probably find, after digging through reams of directives, instructions and memos, that there are about a million ways to do this. I work in a military command and hold a top secret (SCI) clearance. At our site, all our classified work is done on ordinary workstations and laptops. Most of the systems are Dells purchased off the shelf, and I've built at least one clone.
None of those systems have removable drives, though having them is a good idea. It makes securing them easier, something you must do in a government-approved container (i.e., a safe). The space in which the systems are located and used must be secure to the level of classified information (secret, in your case). At our site, this is a windowless room with a large vault-like steel door. The door can be secured with a combination lock and a push-button cypher lock, the latter of which is in use at all times (the combination lock is secured after hours). All classified material (papers, discs, etc.) must be stored when the space is unoccupied.
The system will probably need to meet DOD C2 requirements, which you'll likely read about. Windows NT was close to C2, and I believe Windows 2000 is as well. The system must have positive authentication for users, appropriate warnings that appear on login, an audit trail, and ways of neutralizing memory and swap space. Windows has a setting that clears the virtual memory/swap file on each reboot.
As for networking, if you want to network internally within your spaces, you can set up a normal LAN, but outside access will require using a secure network like the SIPRNET. You won't have access to the outside world (i.e., the Internet). Most DOD components contract for SIPR connectivity through DISA.
As you already know, labeling the CPU is important. You'll also need to label media, and keeping a log of all storage media in use is a pretty good idea to CYA. In fact, some places require it. You might also want to find out about the need for secondary storage off-site. If this is going to be a requirement, you'll need to find a similarly-classified place that you trust to stow your backup materials.
You will need to follow the DOD rules on destruction of drives and disks no longer in use...you just can't toss old floppies or hard drives onto the 20-year pile in your office. Research the destruction procedures, and learn to store unused material until you can have it destroyed.
You can buy shredders that will eat CDs and diskettes, but they have to be classified for the security level. Don't use the $29 Office Max shredder on sale for this.
The real key is getting users to follow the rules. Users, as you know, are the biggest pain in the ass, and you'll always be on top of them to keep the spaces sanitized. Remind them that once they save any classified material to removable storage, that storage is now classified and cannot be used outside of the environment.
Aren't you glad you have to do this?
Joe Dougherty, Florida, USA
The words I thought I brought, I left behind. So, never mind.
I love that. Don't go to /. on military security, EMAIL me. He doesn't even KNOW you, so how are you going to become a trusted source?
/. "Dear /., I want to make a secure boxen to do top secret security stuff on. How do I do it?" How about "don't tell the world you're setting up a secure box, and don't take advice from strangers. Talk to the DoD yourself!"
/. Personally if I were you I'd steer well clear so he doesn't take me down with him.
This guy is a bonehead asking for advice on
And to you. Shame on you for replying on
These posts express my own personal views, not those of my employer
As a practicing Information System Security Officer myself, there are two things you need to complete before you install anything:
Step 0:
You must get the proper briefings from your site's Information Systems Security Manager.
At a minimum, you will need to get a Software Validation briefing and possibly an ISSO briefing.
If you haven't completed an SV briefing, then you are not authorized to install ANY operating system on classified hardware.
You will need the ISSO briefing if you are responsible for creating user accounts or are responsible for maintaining the audit records for the system.
Step 1:
You must have a System Security Plan (SSP). This document tells you how your system must be configured, both in terms of physical security and system/network security.
Your SSP, and any systems created under it, need an Interim Approval To Operate (IATO) from the Defense Security Service before you can begin processing classified information.
If you have an existing (approved!) SSP, and your ISSM is authorized to self-certify the OS you are using, then things can happen relatively quickly.
If you do NOT have a pre-existing (approved!) SSP for this new system, then you could be looking at months before your new system is cleared for classified processing.
Yes but there is more.
Let a Brit teach you Yanks how to make a secure WS.
OK, dropping the gump, I work for the British MoD and my job is exactly yours, except that I oversee (and do) the making of all WS (Work Stations) within the Defence Procurement Agency of the MoD.
When I started making WS for the DPA they were a little less secure than the ones that Eil is suggesting. However, I soon made one improvement, the introduction of a "Magic Card", a device which returns the HDD (boot sector, FAT (and no, I don't mean NTFS, as I'm talking about the actual F System), etc.) to a predefined image each time the WS reboots. A reboot is demanded by the system each time a user logs off. This ensures that when an idiot user saves data to the HDD it is deleted. This also ensures that any temp files (intRAnet or otherwise) are deleted.
Otherwise we use a basic Nakard-Dell (Packard) machine, no outside LAN, but access to the Defence Secured EVA System. Data is imported on a removable drive via a second machine, which need not be classified (it is, as the AV software is, but that doesn't matter). The second machine simply boots to CD and runs a full virus sweep of the removable drive, then shuts down. It has no HDD of its own, so it cannot actually access the classified data. When not in use this removable HDD is kept in a SecNoFoN safe (Secret No Foreign Nationals). Oh, and to ensure a VScan has been run, the second machine sets a flag at the end of the storage drive; when the main PC boots it checks for this flag, and if it is not present it demands a VScan and shuts down (if it is present, it is deleted, and the machine boots).
As for entry into the room, it is controlled by an RFID card (swipe will serve for you), which all members of the base hold (their ID Cards), and only the authorised RFID cards are granted entry to the room. The room contains a shredder and nothing more.
I hope that this has been of some use!
Damingo C
p.s. The machines run a modded version of Win 2k (I have the source, woot woot)/.
PAKA will take over the world one
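The scan-flag handshake described in the post above (scan station marks the end of the removable drive, main workstation consumes the flag on boot), as an added example that is not code from the original post or from the MoD. It models the drive as a constructed byte buffer and, as an assumed extension beyond the plain flag the post describes, binds the flag to the scanned contents with an HMAC under a key provisioned only to the two machines, so a flag that was not written by the scan station, or a drive edited after the scan, is rejected.

```python
import hashlib
import hmac

# Constructed sample: a tiny "removable drive" as a bytearray. The last
# TRAILER_LEN bytes are the spare region at the end of the drive where the
# scan station leaves its flag (mirrors the post's "flag at the end").
SECTOR = 512
TRAILER_LEN = SECTOR
MAGIC = b"VSCAN-OK"
TAG_LEN = 32
# Assumed: a key provisioned only to the scan station and the main workstation.
# Constructed demo value; a real deployment would keep this out of source.
SCAN_KEY = b"constructed-demo-key-not-for-production"


def make_drive(size_sectors: int = 8) -> bytearray:
    """Constructed blank removable drive image (all zero sectors)."""
    return bytearray(size_sectors * SECTOR)


def _tag(drive: bytearray) -> bytes:
    # HMAC over the data area (everything except the trailer) so the flag is
    # bound to exactly the bytes the AV sweep looked at.
    data = bytes(drive[:-TRAILER_LEN])
    return hmac.new(SCAN_KEY, MAGIC + hashlib.sha256(data).digest(), "sha256").digest()


def scan_station_mark(drive: bytearray, scan_clean: bool) -> None:
    """Second (CD-booted, diskless) machine: after the AV sweep, write the flag.
    A dirty scan leaves the trailer blank, so the main PC will refuse to boot."""
    trailer = bytearray(TRAILER_LEN)
    if scan_clean:
        trailer[: len(MAGIC)] = MAGIC
        trailer[len(MAGIC) : len(MAGIC) + TAG_LEN] = _tag(drive)
    drive[-TRAILER_LEN:] = trailer


def main_pc_boot_check(drive: bytearray) -> bool:
    """Main workstation at boot: True only if a valid scan flag is present.
    The flag is cleared either way, so every boot needs a fresh scan."""
    trailer = bytes(drive[-TRAILER_LEN:])
    present = trailer[: len(MAGIC)] == MAGIC
    tag = trailer[len(MAGIC) : len(MAGIC) + TAG_LEN]
    valid = present and hmac.compare_digest(tag, _tag(drive))
    drive[-TRAILER_LEN:] = bytes(TRAILER_LEN)  # one-shot flag: consumed on read
    return valid
```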