Building Secure Computers?
maotx asks: "Growing into the job of a system administrator, I've been tasked with something I'm not quite prepared for: purchase or build a computer that meets DoD compliance for classified 'Secret' information. Several vendors, including Dell, our primary supplier, offer computers that will work, but being new to the criteria I want to make sure the right computer is purchased. The computer will be used to create secure CAD drawings (Solidworks, OrCAD, etc.) and must have, from what I can tell, a removable hard drive and security stickers to prevent tampering. What is your experience in setting up a secure computer, and is it better to have a vendor do it, or yourself?"
So sayeth the editors of Slashdot.
Ask the Dept of Defense. Asking Slashdot about DoD guidelines is like asking an elementary school for details about the space shuttle. No offense to the /. community.
What is your experience in setting up a secure computer, and is it better to have a vendor do it, or yourself?
....but my gut says "vendor", if for no other reason than a little CYA.
Buildings secure computers? Computers secure building? What?
Oh, you meant "building secure computers".
My other car is first.
Build it yourself. I wouldn't rely on any manufacturer.
I heard that the first step towards building secures computers is to be attentive to small details such as spelling and grammar.
The AACS key is NOT 0xF606EEFD628B1CA427BEA93A9CA9773F
Wow...where to begin...
First of all, soliciting advice on the construction of a computer that meets DoD compliance on Slashdot, of all places, is probably not the brightest of ideas... you might want to keep this from your employers if you are interested in keeping your job.
Second, security stickers on their own simply aren't adequate to the task at hand. Remember, you're looking for tamper-proof, not merely tamper-evident...
____
~ |rip/\/\aster /\/\onkey
"Security stickers" don't prevent tampering, they only indicate possible tampering.
"Asking Slashdot about DoD guidelines is like asking an elementary school for details about the space shuttle."
True. But we ARE good with law, business, and economics.
How does this building secure the computers? Does it use laser cutty things like on Resident Evil?
If you have to set up a secured computer and your Facility Security Officer can't direct you how (roughly), then there's no way you'll get classified information on the system. It's not like you can set up a computer and all of a sudden the government will trust you to put secure information on it. You need to have a written, approved procedure for doing so. Your DIS rep has to authorize you to put stuff on the system.
At a place I used to work, we just bought Dells. (Heck, I think we even leased them!) When they were delivered, we'd put a standard image on them that did things like warn the users before they logged on, and turned on auditing on certain directories.
...I've been tasked with something I'm not quite prepared for...
...is it better to have a vendor do it, or yourself?
If you have to ask the question, I think you already know the answer. I'm sure there are tons of great DIY methods of securing a computer, but if you are new to it (and you are), leave it to someone who has done it before.
It would be great to get some first-hand, practical experience on the matter when you have a proper guinea pig, but a classified DoD computer is not said guinea pig.
Easy as that. If you don't know enough to lock down a computer from the ground up having a vendor supply the service is not going to do you any good because you won't know how it works and you will be at the mercy of Tech Support during a crisis. We have spent years building our own linux distro with what most might consider an over-kill in RBAC and other model implementation. When the latest greatest exploits/bugs/worms hit the scene we go right in and rip up the source and its fixed on the spot that morning, no questions asked. Try getting that out of a 1-800 service. The bottom line is security, not accountability. If you want to make things happen then make them happen, don't wait for someone else to do it. If the NSA thought Microsoft or any other MSO was a big prospect in the contract we wouldn't have SELinux. I could be wrong about trusting the security of my systems to other people, but I can't afford to take that risk, can I?
You are about to give someone a piece of your mind, something which you can ill afford...
There are various levels of Gov. approved hardware/software security. The specifications are public.. but it'd be a waste of your time to figure out how to comply on your own. Furthermore, for most interesting levels, you need to go through a few cycles with outside verification. I think you should start making phone calls.
I'm involved in IA (Information Assurance) on VA Class subs... for Voyage Management and Radar.
A sticker and removable hard drive complying with IA is like saying that a power cord is what's needed to make a computer.
At one point we had a meeting and reviewed the full blown DoD requirements for secure computing. Our estimation was that the resulting system would A) be unusable for anything due to the insane lockdown policies, and B) cost around $1 million to configure and test to their specs.
It's all about configuration.
Ok, on the non-sensational side... other computers where I work, for dealing with classified data, are to be located in a certified secure room (forget the name of the certifying authority), and yes there is a "class" / "unclass" sticker on the PC, and yes, the hard drive is removable, and yes it must be stored in an approved safe while not being used. And access to the room is by approval only, with both a horribly hard to use combo lock, and a cipher door lock on top of that. Oh yeah, connection to the house-net is verboten. Any-net for that matter.
And my facility is a low-brow Secret only site. Travel to certain DoD contractors with only a Secret clearance and you're treated like a second class citizen.
It's all about configuration. (repeated intentionally)
Be prepared for mind-numbing configuration, test and audit sessions.
I am light on details because I do my best to stay at arms-length from IA at work... it's teh suxor
/sad, but true.
Two words:
Duct Tape
add some plastic wrap, and it's Dept. Homeland Security Approved as well.
To clarify:
Our company is rated for 'secret' information. We currently have classified information, it is just paper right now. We have been requested to expand our capabilities so we may develop new products to meet the demands. We have a set of papers that are pretty light on the details of what is required for a computer to be certified for secret information, but it does not go into enough detail for us to have an open mind about it. If we want a secure computer, that's easy. Case sealed with stickers, operating system and software installed on removable hard drive, no network card, and a paper trail going all the way down to the details of the last person who sneezed on it.
What I was really trying to ask was, "In your experience, is the extra money going to a vendor worth it or, is it better just to buy a chassis and set up a machine yourself?"
I'm a virgo and on Slashdot. Coincidence? Yes.
Editor is too strong a word for what is done by Slashdot staff. Person who clicks button to approve story is far more accurate, although lacking a certain panache.
Dan East
Better known as 318230.
Most of what you need to know is contained on the Defense Security Services (DSS) Information Assurance website: http://www.dss.mil/infoas/ The guiding document for DoD contractors is the National Industrial Security Program Operating Manual (NISPOM). Classified systems have to go through a formal certification and accreditation process before they will be approved for classified processing. Since your ultimate goal is to satisfy the accreditor, you should contact him/her as soon as possible to have them explain what will be required and to hear their particular areas of concern so that you can address them early in your design. Security paperwork requires considerable time to fill out, and mistakes can result in long delays in accreditation, or even the rejection of your system.
However, it isn't enough to just build a system with the proper hardware and software configuration -- you also have to make sure that the physical environment and users will meet the requirements of the NISPOM. If you don't already have a facility clearance, then you have a significant issue to tackle before you can even build your system. I'm hoping that you are simply building a new computer to add to an existing classified network or house in an existing DoD closed area -- if not, you may find this to be a very daunting task.
"she says i'm lousy conversation. as if that's supposed to help."
No network is not a DoD requirement. Not being connected to an unencrypted network is. If you have an accredited Secure Network... you can network these. It is worth the extra money... trust me. I have been in your shoes. Contract writers like warranties.
Stop signs are only Suggestions
The general specifications for DoD computer systems are freely available to all: the NATIONAL INDUSTRIAL SECURITY PROGRAM OPERATING MANUAL. Specifically, see CHAPTER 8. AUTOMATED INFORMATION SYSTEM SECURITY.
... twice ... then you are on the right track.
The actual computer system is pretty trivial, the only difference may be, just as you identified, the removable hard drive. Just get any of the IDE or even SATA removable hard drive kits and you are set. This is definitely something you can do yourself.
You see, the security is in the whole system. DoD will be looking for security in layers, many layers. How is the building secured, who has access to the building, the same floor, the floor above & below, the room, etc.? What kind of security patrol, alarms, alarm response? What kind of physical security? What kind of walls, ceiling, floor, doors? What kind of electrical service, telecommunication service? The last layer will be the actual computer. What will be attached to the computer, a small LAN, a printer? Don't even think about wireless!
Now, I've said that setting up the computer is trivial, but the administration is NOT. The NISPOM specifies a lot of documentation. Something like writing down the serial number of every component, maybe keeping logs of certain types of activities (logging in, logging out, installing software, updating software, etc.). Checking the logs weekly for suspicious activity, etc. If you've heard the old adage that good system administrators write everything down, double it.
First of all, this may not be the best forum in the world to ask such a question (just read some of the other lame "funny" replies) but since you asked, I'm assuming you're looking for an answer from someone who actually works with these things on a daily basis and will be able to provide some insight.
The hardware on the computer does have to meet certain requirements but they're not really "set in stone". At my work, we typically use off-the-shelf Dell computers and then do some modifications to support removable hard drives on the systems. Additionally, you'll probably need to lock down all writeable removable media drives (think floppy and zip drive locks) as well as disabling USB and any built-in network interfaces, at least in the BIOS but possibly also with some stickers or physical locking devices. You'll have to work with your DIS person who approves the final system configuration to really hammer out the details and get it set the way he/she wants it to be set.
That being said, the only service I've seen Dell offer is their "Custom Factory Integration" program where they will install the removable hard drive chassis for you. Depending on the number of systems you need to support, it may be cheaper to have them do it at the factory than to do it yourself. One issue I had which caused us to do the removable drive install ourselves was the fact that we have multiple drives per system and needed extra drive trays but couldn't get information from Dell regarding the actual manufacturer of the trays nor pricing on additional units. It was just less hassle for us to purchase the removable kits ourselves.
As far as software, I believe another poster already mentioned some of the basic configuration requirements. Yes, you'll need to make sure you're pretty good on locking down Windows (I'm assuming you're running Windows since you mentioned SolidWorks - BTW, SW2006 sucks configuring it to run with a non-admin user account). Auditing on certain directories is most likely going to be a requirement as well as a documented review and archive process for the system event logs. Backups are another process that will need to be done on a regular basis. Be prepared for this to eat into a lot of your time since all these tasks pretty much have to be done manually since you can't have network connectivity.
If you've got any more questions, feel free to drop me an e-mail and I'll try to help you work through any issues. And don't mind any of the other sarcastic bastards posting here... I've seen the level of documentation the government gives for setting up secure systems and most of it is pretty f'ing obtuse. Best to get advice from someone who's done it before (and obviously double-check with your FSO and DIS officer).
Best of luck...
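The two posts above come down to the same administrative chore: keep a log of logins, logouts, software installs and the like on the stand-alone box, review it on a fixed schedule, and document the result. The following is an added example, not code from this thread or from any vendor: a small Python review pass over a constructed activity log that flags the things a weekly reviewer would want to see (repeated failed logins, logins outside working hours, an install by a non-administrator, anything attached to a USB port). The record format, event names, user lists and thresholds are all assumptions; on a real system the approved security plan defines them.

```python
"""Weekly review of a stand-alone workstation's activity log (added example)."""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log, not from any real system. Assumed record format:
#   <ISO timestamp> <EVENT> <user> <detail>
SAMPLE_LOG = """\
2007-05-14T08:02:11 LOGIN_OK jsmith console
2007-05-14T08:05:40 AUDIT_READ jsmith D:\\CAD\\proj1
2007-05-14T17:10:03 LOGOUT jsmith console
2007-05-14T23:41:52 LOGIN_FAIL jsmith console
2007-05-14T23:42:07 LOGIN_FAIL jsmith console
2007-05-14T23:42:21 LOGIN_FAIL jsmith console
2007-05-14T23:42:40 LOGIN_OK jsmith console
2007-05-15T09:15:00 SOFTWARE_INSTALL rjones SolidWorks-SP2
2007-05-15T12:00:00 USB_ATTACH rjones VID_0781 mass storage
"""

# Assumed local policy values; the real ones come from the approved security plan.
APPROVED_USERS = {"jsmith", "rjones"}
ADMINS = {"sysadmin"}                  # only these accounts may install software
WORK_START, WORK_END = time(7, 0), time(19, 0)
FAIL_THRESHOLD = 3                     # consecutive failures before a login is flagged


def parse(line):
    """Split one record into (timestamp, event, user, detail)."""
    ts, event, user, detail = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), event, user, detail


def review(log_text):
    """Return (rule, timestamp, user) findings for the reviewer to sign off on."""
    findings = []
    consecutive_fails = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, user, detail = parse(line)
        if user not in APPROVED_USERS | ADMINS:
            findings.append(("unknown-user", ts, user))
        if event == "LOGIN_FAIL":
            consecutive_fails[user] += 1
            if consecutive_fails[user] == FAIL_THRESHOLD:
                findings.append(("repeated-login-failure", ts, user))
        elif event == "LOGIN_OK":
            if not WORK_START <= ts.time() <= WORK_END:
                findings.append(("login-outside-hours", ts, user))
            consecutive_fails[user] = 0
        elif event == "SOFTWARE_INSTALL" and user not in ADMINS:
            findings.append(("unauthorized-install", ts, user))
        elif event == "USB_ATTACH":
            # Removable-media ports are supposed to be disabled on this machine,
            # so any attach event at all is worth a question.
            findings.append(("removable-media-attached", ts, user))
    return findings


if __name__ == "__main__":
    for rule, ts, user in review(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M}  {user:<10} {rule}")
```

The point of returning findings rather than just printing them is that the reviewer's sign-off sheet can record exactly which records were questioned and what the disposition was, which is the part the auditor actually reads.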
First, get your boss to sign a memo acknowledging that you're not qualified to certify computer systems as "DoD secure". Then, hire a security consultant from an insured firm which does sign a contract saying they are so qualified. Then do your best. Also, don't rely on Slashdotters' advice on how to tell if a system is "DoD secure". We're a bunch of kibbitzers on a huge website full of jokers, posers and saboteurs - indistinguishable from those with a clue.
If you think that advice means you'll get fired, resign. Better now, than after they blame you for the inevitable security breaches. That's probably their plan anyway, in whichever management layer thought that military security is just a buzzword to get an underqualified admin to comply with.
--
make install -not war
First of all you'll need a server equipped with tiny C4 charges embedded in each of the hard drives. This is a handy way of deleting data on your hard drives very quickly. I hear HP can furnish these.
Second, you will need to hire a troupe of security guards to watch over the computer. Equip them with M16s, and have them work in shifts, escorting users to and from the computers. If you can't afford humans, several dozen trained monkeys will do the job. Just make sure to keep at least three extra monkeys on hand so you can replace the dead ones. You'll need at least two monkey handlers if you go the monkey route - one to watch over the monkeys and one to fill in when the first one gets shot.
For a bit of extra security, you can purchase a used electric chair from one of the states that have switched to lethal injection and use it as the chair for the workstation. One armed guard can stand holding the red button, ready to fry the operator in case (s)he mishandles any data, or looks at the guards funny, while another guard stands ready to kill the other in case they refuse to press the red button.
If you can't afford or find an electric chair on the retail market, submit an "ask slashdot" article and I'm sure you'll get plenty of tips on how to build one yourself.
Or if you want to save money you could just install the super secure Gentoo Linux operating system and set it to update itself via emerge automatically every hour.
It's your choice.
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
There are 3 basic levels of security in the DOD:
- Sensitive: lists of SSNs, people's phone numbers, etc. Shred the paper, password protection, light building security.
- Secret: Reporting information, non-combat communication centers, etc. Shred paper, lock down computers and network but have external connection, no unauthorized location access.
- Top-Secret: Detailed reporting, strategic info, etc. Don't print if you don't need to, locked down PCs, locked down network, likely no external access/email/etc.
For secret info, I never saw anything too hard core. We had some great network techs in Quantico (just prior to the NMCI 4066/4067 consultant replacement), they had a well locked down network, but still allowed internet access and email. But they could, and did, track all of your online activities, read your emails, mirror your hard drive, and shut you down from across the globe. Any specific secret locations like com-vaults had key code or RFID doors.
(Anecdotal network security story from the military, optional reading:)
I had a network support buddy in Okinawa who used an external (geocities) site to hold links to internal files for updates and software. Worked well for his updating work at off site locations. One day his user account was locked, 3 gents from the MITNOC showed up with a copy of his hard drive and a log of his internet/email activity over the last 3 months. Turned out some script kiddies found his site and started hammering the firewalls trying to get the software. -Rick
"Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
You'd need to be prepared to deal with people hardwiring USB keyloggers to the motherboard or inserting one into the keyboard itself. Or inserting whatever into any other bits of the computer which are available. Add more when you might have to deal with actual professionals in the business of compromising such systems to get at their contents or install bugs for audio. Sounds like a really poor concept to try mixing use. But do ask the real experts, who I assume are your customers.
If you want some actual military assistance, respond to my email.
Does this offer only apply to the original poster? Because I require some military assistance as well. I have two areas of concern:
1. My neighbor keeps walking his dog in front of my house and it shits next to the sidewalk. He's supposed to clean it up, but he never does. I was hoping you could take the dog out for me.
2. Gas will probably reach $3/gallon before too long. I know you military types are experts at liberating people, and sometimes there's petroleum, you know, sort of left over. I was wondering if you could liberate the local Sunoco for me so I can get some gas for my car for free.
Thank you, and I eagerly await your email.
ps remember don't ask don't tell!
As a US Air Force member who handles information and uses computers classified as Secret, I can tell you that there's no physical difference between a Secret machine and an ordinary one. If vendors are telling you that they can build a DoD Secret classified computer, then they are simply blowing smoke up your ass.
DoD classifications are all about policy, paperwork, and regulations. Not fancy computers. Most people, when they hear of DoD classifications and security clearances, are quick to imagine black vans, polygraph tests, and high-tech datacenters protected better than Fort Knox. Honestly, that's all a bunch of nonsense. All of the classified systems that I've used were just ordinary computers from ordinary manufacturers.
In my current workplace, we have a standard Gateway PC with a removable hard disk and a few Panasonic Toughbooks. Nothing special at all. The only visible difference between these and the regular office PCs is that they have red stickers all over them that say "Secret" and the fact that we are not to process Secret data on the unclassified PCs and vice versa. The Gateway machine can only be connected to SIPRNET (google it) and the Toughbooks are never connected to any network. That's it. No crazy combination case locks, no biometric devices, no odd software. They all run Windows for crying out loud.
If it is your job to configure a computer to the equivalent of DoD's Secret classification (I know you don't work for DoD or you'd already have people showing you how), I'd recommend getting whatever kind of computer will fit your needs.
Then start looking at writing mountains of policies. The first thing you have to do is restrict physical access. This can be done by putting the machine in a locked room with no windows. A laptop would be even easier... just get a GSA-approved safe and keep it in there when it's not in use. Obviously, you would never, ever, ever connect it to any network, period. All the data going in and out should be on CDRs or USB keys and should be accountable somehow. Figure out who needs to have access to it and if they can be trusted. Be sure to emphasize that failure to follow proper security procedures is grounds for immediate termination, whether any information was compromised or not. Ensure that whenever the machine is used, there are never less than two people present. Create an emergency checklist of what to do if the building catches fire, for instance.
That's all I can think of off the top of my head, you'll probably be able to envision a lot more with some careful thought. Good luck.
You will probably find, after digging through reams of directives, instructions and memos, that there are about a million ways to do this. I work in a military command and hold a top secret (SCI) clearance. At our site, all our classified work is done on ordinary workstations and laptops. Most of the systems are Dells purchased off the shelf, and I've built at least one clone.
None of those systems have removable drives, though having them is a good idea. It makes securing them easier, something you must do in a government-approved container (i.e., a safe). The space in which the systems are located and used must be secure to the level of classified information (secret, in your case). At our site, this is a windowless room with a large vault-like steel door. The door can be secured with a combination lock and a push-button cipher lock, the latter of which is in use at all times (the combination lock is secured after hours). All classified material (papers, discs, etc.) must be stored when the space is unoccupied.
The system will probably need to meet DOD C2 requirements, which you'll likely read about. Windows NT was close to C2, and I believe Windows 2000 is as well. The system must have positive authentication for users, appropriate warnings that appear on login, an audit trail, and ways of neutralizing memory and swap space. Windows has a setting that clears the virtual memory/swap file on each reboot.
As for networking, if you want to network internally within your spaces, you can set up a normal LAN, but outside access will require using a secure network like the SIPRNET. You won't have access to the outside world (i.e., the Internet). Most DOD components contract for SIPR connectivity through DISA.
As you already know, labeling the CPU is important. You'll also need to label media, and keeping a log of all storage media in use is a pretty good idea to CYA. In fact, some places require it. You might also want to find out about the need for secondary storage off-site. If this is going to be a requirement, you'll need to find a similarly-classified place that you trust to stow your backup materials.
You will need to follow the DOD rules on destruction of drives and disks no longer in use...you just can't toss old floppies or hard drives onto the 20-year pile in your office. Research the destruction procedures, and learn to store unused material until you can have it destroyed.
You can buy shredders that will eat CDs and diskettes, but they have to be classified for the security level. Don't use the $29 Office Max shredder on sale for this.
The real key is getting users to follow the rules. Users, as you know, are the biggest pain in the ass, and you'll always be on top of them to keep the spaces sanitized. Remind them that once they save any classified material to removable storage, that storage is now classified and cannot be used outside of the environment.
Aren't you glad you have to do this?
Joe Dougherty, Florida, USA
The words I thought I brought, I left behind. So, never mind.
I'm unfamiliar with the DoD's standards, but I expect there are levels, like the NSA's Common Criteria EAL 1-7 security certifications. From here on I'll be rambling about things I have little or no experience with.
A password protected encrypted partition for sensitive info, like the user's home directory if you can get it working, no swap file/partition, no sort of CD or USB auto-run, password protected BIOS, and a password protected 1 minute screen saver seem like must-haves. SELinux can restrict permissions on a per-program basis if you're using Linux. Stickers like you mentioned that are damaged when removed are a good idea which I never would have thought of. A file integrity checker like samhain may also detect tampering, at a cost of performance if you have it check everything. Unless also encrypted, backups can pose a security risk, so you'll want a mirrored RAID. If you get two drives of the same model, from the same batch, you'll have a better than average chance of both failing the same day, the second while you're rebuilding the first.
Of course, if you've gotten this far, you should also worry about emissions. CRT emissions can be picked up and reconstructed from miles away with the right equipment. There's little use in all this other security when anyone with a disk, $100, and some spare time can just look at your screen. Then, someone could always sneak in and plug a key logger into the back of the system without you noticing, so you'll need some sort of physical security as well to prevent moving the system or accessing the back of the case, and a lock on the door to the room the system is housed in.
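The post above lists a file integrity checker like samhain among the must-haves, and the earlier replies about stickers made the same point: on a box with no network, the only way to notice that someone has swapped a binary or dropped something into the system directory is to compare against a known-good baseline. The following is an added example, not code from the thread or from the samhain project: a minimal baseline-and-verify checker in Python. It hashes every file under a tree, seals the baseline with an HMAC so that a baseline altered on the box is itself detected, and reports added, removed and modified files. The directory layout, file contents and key in `demo()` are constructed for illustration; a real key would be generated with `os.urandom` and, with the sealed baseline, kept on write-protected media in the safe rather than on the monitored system.

```python
"""Baseline-and-verify file integrity check (added example, samhain-style)."""
import hashlib
import hmac
import json
import os
import tempfile

CHUNK = 65536


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root (path relative to root, '/' separated)
    to its SHA-256, permission bits and size. Symlinks are skipped."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            st = os.stat(full)
            baseline[rel] = {
                "sha256": _sha256(full),
                "mode": oct(st.st_mode & 0o7777),
                "size": st.st_size,
            }
    return baseline


def seal(baseline, key):
    """Serialize the baseline and attach an HMAC-SHA256 tag computed with a key
    that does not live on the monitored machine."""
    body = json.dumps(baseline, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body, tag


def unseal(body, tag, key):
    """Reject a baseline whose tag no longer matches; otherwise return it."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("baseline HMAC mismatch: the baseline has been altered")
    return json.loads(body)


def verify(root, baseline):
    """Compare the tree as it is now against the baseline."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(current) & set(baseline)
                           if current[p] != baseline[p]),
    }


def demo():
    """Constructed scenario: baseline a small tree, tamper with it, re-check.
    Returns (report, baseline_tampering_rejected)."""
    key = b"example-key-kept-off-box"  # assumption; real key from os.urandom(32)
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        files = {"bin/cad.exe": b"MZ original build", "config.ini": b"audit=on\n"}
        for rel, data in files.items():
            with open(os.path.join(root, *rel.split("/")), "wb") as f:
                f.write(data)
        body, tag = seal(build_baseline(root), key)

        # Tampering: patch the binary, add an unexpected file, delete the config.
        with open(os.path.join(root, "bin", "cad.exe"), "ab") as f:
            f.write(b" + injected code")
        with open(os.path.join(root, "bin", "extra.dll"), "wb") as f:
            f.write(b"unexpected")
        os.remove(os.path.join(root, "config.ini"))

        report = verify(root, unseal(body, tag, key))

        # A baseline edited on the box (one key renamed) must be rejected.
        try:
            unseal(body.replace(b'"mode"', b'"m0de"', 1), tag, key)
            rejected = False
        except ValueError:
            rejected = True
    return report, rejected


if __name__ == "__main__":
    report, rejected = demo()
    print(json.dumps(report, indent=2))
    print("tampered baseline rejected:", rejected)
```

Two caveats a practitioner would add: a checker running on the same machine it watches can be defeated by whoever controls that machine, so run it from boot media or at least keep the key and baseline off the box; and hash comparison says nothing about a keylogger wired into the keyboard, which is why the physical controls above still matter.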
I love that. Don't go to /. on military security, EMAIL me. He doesn't even KNOW you, so how are you going to become a trusted source.
/. "Dear /., I want to make a secure boxen to do top secret security stuff on. How do I do it?" How about "don't tell the world you're setting up a secure box, and don't take advice from strangers. Talk to the DoD yourself!
/. Personally if I were you I'd steer well clear so he doesn't take me down with him.
This guys is a bonehead asking for advice on
And to you. Shame on you for replying on
These posts express my own personal views, not those of my employer
For the curious, here's the log of a chat with their support during the keyboard saga. (A few things have been slightly edited to either protect my client's identity and/or get past the /. lameness filter, otherwise it's verbatim.)
Keep in mind the following takes place over an hour after the initial call was placed and I've already been hung up on twice, once by the automated system and once during a transfer between operator and tech.
The session has been accepted.
NAZIM_KHAN 12:51:24 PM Thank you for contacting Dell Technical Chat Support for Notebooks. My name is Nazim Khan, May I have the initial shipping address and phone number so that I can pull up your account details ?
NAZIM_KHAN 12:52:10 PM Please let me know if you are receiving my message?
Not to rush you, are you still with me?
12:52:16 PM Name: E* S*
Contact Address:
Some Street
Small Town, NY 12345-
Phone: 123-456-7890
12:52:52 PM Name and address is for client who will be there until Monday. Can somebody get to her before then?
NAZIM_KHAN 12:53:56 PM I am afraid that we cannot proceed further without the initial verification, as the information you have given does not match with the records. Please provide with the telephone number and the address, as mentioned in the invoice (which you have used at the time of purchase).
12:54:54 PM Ah, sorry!
Address should be:
PO Box 123, Small Town, CA
Phone number I have no idea - that's her cell number.
I had initially given the current location of the client, who was travelling at the time
NAZIM_KHAN 12:55:38 PM E*, may be you have entered the wrong Service Tag, you have entered as AA0AA00
12:56:58 PM My name is actually M*. I provide IT services for them. E* gave me that as the tag over the phone and her laptop is indeed a 6000 series Inspiron. Additionally the purchase date is about when she got it, so I am fairly sure that's the correct tag...
12:57:53 PM Are we still connected?
NAZIM_KHAN 12:57:54 PM I understand your concern , This information is required for the security and privacy of your account. As the information given by you doesn't match with our records, I am unable to pull-out your account details. Hence, We can't proceed further with the chat. I would suggest you to contact Dell Customer Care at 800-624-9897, to get the system information.
NAZIM_KHAN 12:58:07 PM And feel free to contact us back, we would be more than happy to assist you. We assure you our best support all the time.
12:58:25 PM I've tried to call them twice and keep getting hung up on!
NAZIM_KHAN 12:59:51 PM I will suggest you to contact Dell Customer Care at 800-624-9897 and get the exact details and connect us back
1:01:13 PM Please read what I just typed.
NAZIM_KHAN 1:03:01 PM I have read it and had suggested you to do some thing ( to contact customer care ) , As the information given by you doesn't match with our records, I am unable to pull-out your account details. Hence, As This information is required for the security and privacy of your account.
1:03:48 PM How about if you guys call her?
NAZIM_KHAN 1:04:45 PM For that I will give you the number its 800-624-9896
1:05:43 PM Promise they won't hang up? This is getting VERY frustrating!
NAZIM_KHAN 1:06:10 PM I understand your concern Believe me things will be fine, We are always here to help our valuable customer and make them happy
1:09:57 PM And this !@# automated system doesn't help!!
I was back on the phone at this point and not terribly happy that the second number he gave me appeared to lead to the same automated system
NAZIM_KHAN 1:10:17 PM Feel free to contact us back, we would be more than happy to assist you. We assure you our best support all the time.
1:10:26 PM (I'm trying to get through it right now, what does it take to get a live person?!?!?!?!)
Any of you /.'ers ever study art history? Here is a little lesson about fraud.
/. mods. You just got social engineered.
In the Art world when a piece of Art has a past where the time record has some glitches in it (Read: unaccountable) it is automatically considered a fraud. When things don't have a timeline, like this guy's posting record here and the fact that his myspace profile says he is 19, you gotta know something is up.
Congratulations though
Taken from GP's Myspace profile:
thomas's Blurbs
About me:
if u really want to know just ask
Who I'd like to meet:
i would like to meet peopl from hawaii but i like meeting other people too.
thomas's Details
Status: Single
Here for: Dating, Serious Relationships, Friends
Orientation: Straight
Hometown: wipahu
Zodiac Sign: Capricorn
Smoke / Drink: No / Yes
Children: Someday
Education High school
If you're working for the DoD, you'll need a system that has been certified to handle classified material. The certification process means that it has undergone DITSCAP and meets certain criteria such as EMSEC. You really don't want to be homebrewing a machine that is going to be processing classified material, especially if it's not certified.
This may be obvious, but: 1. Don't network this computer. 2. Implement physical access controls. 3. Require strong passwords. 4. Isolate this computer from all other electronic and RF sources to comply with TEMPEST requirements. 5. Don't ask these sorts of questions on Slashdot. You have already compromised OPSEC.
how to make a really really secure system... write the whole operating system from scratch and make it so you and only you know what the hell is going on; that way you can consider it job security... if they downsize they have to keep at least you to run the server....
(yes i know i suck at spelling; feel free to correct my grammar and/or spelling, i don't care, i'm still not going to change)
For as expensive as any of the security implementations are going to be for anything that ANYONE has replied to for this question... If your boss trusts you enough to design, buy, and implement the system, why not just ask for a substantial raise (say twice your current salary to whatever the most expensive of these recommendations would run, whatever suits you) to cover the cost of you personally babysitting the machine while people use it? OK, your company would have to spend a small sum to make sure that the room the machine's in is inaccessible when you're not there. But otherwise, when you're on the clock, you're watching the thing like a hawk. Somebody tries something fishy, you ask them what the hell they're doing right then and there, and there's no risk. Think about it.
Isn't it interesting how you come to recognize posters based solely on their sigs???
For a DoD standard there is a governing instruction. It may reference other instructions. You need to have a copy of that and read. Read it again. Then take time to study it before you read it.
Your contracting officer can point you in the right direction and provide access to The Instruction
Once you have an idea of what your requirements are, draft a Project Plan, Statement of Work, Compliance Notice, whatever you call it, it details how your group will meet the standards specified in The Instruction. Get internal input and review.
Now that you have something on paper, talk to your manager and have the contracting officer or security authority review your plan. They will tell you you're unsafe to entrust classified material to. Then they will produce a checklist of potential violations you must clear. This is their job and what they live for; don't annoy these people, you want their input. Review this list and clear it.
You now have a plan which will satisfy The Instruction.
If it's not a conversation for the masses, why would you be willing to talk about it to some random dude from slashdot? I call bullshit.
As a practicing Information System Security Officer myself, there's two things you need to complete before you install anything:
Step 0:
You must get the proper briefings from your site's Information Systems Security Manager.
At a minimum, you will need to get a Software Validation briefing and possibly an ISSO briefing.
If you haven't completed an SV briefing, then you are not authorized to install ANY operating system on classified hardware.
You will need the ISSO briefing if you are responsible for creating user accounts or are responsible for maintaining the audit records for the system.
Step 1:
You must have a System Security Plan (SSP). This document tells you how your system must be configured, both in terms of physical security and system/network security.
Your SSP, and any systems created under it, need an Interim Approval To Operate (IATO) from the Defense Security Service before you can begin processing classified information.
If you have an existing (approved!) SSP, and your ISSM is authorized to self-certify the OS you are using, then things can happen relatively quickly.
If you do NOT have a pre-existing (approved!) SSP for this new system, then you could be looking at months before your new system is cleared for classified processing.
What you failed to mention in your plea for help is what the location of the system will be, and to what it will be connected. Other posters with similar experience to mine have said that they didn't use anything special... but that they were on a military base, etc.
The certification process is all about controlling access to the data and verifying that access was controlled (and knowing who to arrest if it wasn't). People in a well-secured site that may only be accessed by persons with the same or higher clearance as the classification of the data being processed can just about get by with a sticker and be done: the facility is handling all of the physical and electronic access control, the unit will never be allowed to leave its room, and so the work is easy. If you are building this for an office where somebody just needs to "do some classified stuff", you have all that other stuff to handle.
In that situation, for example, you need removable hard drives, which will indeed be removed (all of them) between uses, and stored in a container like a safe that is certified for that kind of storage. You may need to make sure that there is no way to write data to a medium other than the hard disk or approved local printer, so you may need to remove or permanently disable the floppy drive, CD burner, and so on. And the machine cannot be on your LAN while it is being used for classified work. Even so, you'll need to pay attention to the selection of OS and turn on all of the auditing features. There will be a lot of process and procedures, check-lists that will need to be followed for each use.
Where you get your hardware is the least of your worries. Buy whatever you want that meets spec, and then expect to do substantial mods to the h/w, OS, etc. If the vendor is willing to remove stuff and do OS mods for you, less work for you.
Good luck. I've heard of groups taking over a year to get a machine certified for processing on their first time out.
Please send me a sample of the data that you are trying to keep secret - this will enable me to best work out how to keep it secure ....
There is a strong difference between .mil addresses. Personally, I have a .mil address like every military person in the world, but I'm a spouse and it's easy to tell it's an AKO account...
There are verification channels for all this to go through and the volunteer can just point the parent to specific documents relating to what they're doing.
There are ways - there are many ways.
The post was in relation to the timeline. Thanks for the slippery slope argument however. The poster has just popped out of nowhere. He stated on another post "I've spent a number of years now building/accrediting/auditing intelligence processing systems (READ: secure computers) and you silly little Slashdot geeks have NO idea what you're talking about when it comes to DoD red-tape."
So he's spent a number of years building these systems at the age of 19? Not only that but he would have got his first TS clearance in his mid-teens. Ridiculous. I personally think he's either:
1. A troll or;
2. An actual serving member who's getting a bit too big for his britches.
3. Some guy social engineering people.
That's my opinion, so feel free to believe whatever you like.
It's scary to see how bad these answers are. I've been securing computers for the DoD and other agencies for 5 years. The short answer is that you don't need to do much. It depends on how many people need access, is it just for one project, how is the equipment secured when not in use, etc.
If you're doing CAD work, get a Dell Precision. If you buy the laptop version just stick the whole thing in a GSA secret approved safe when you're not using it. Otherwise with the desktop you'll need a removable hard drive. All the comments about turning off floppies and USB are stupid. You can have all of that stuff enabled...IF YOU NEED IT. When you fill in your security and IS plans you need to be able to justify what you've done.
As a starting point to securing the OS...wipe the drive, do a clean install NOT using those Dell restore disks (they put on a 32 MB FAT partition at the beginning of the HD that is insecure), format using NTFS, install drivers, apply SP2 plus all patches, install anti-virus, disable the NIC, turn off all unneeded services, install the DoD banner (your gov't rep should give this to you). Document EVERYTHING. Anytime you even login...keep track of who, when, and that all security precautions were taken. Logging needs to be enabled on the OS.
Also, I hope you have a clearance, otherwise you're never going to use this computer again.
Here are some links that will get you started.
Defense Security Service (DSS)
http://www.dss.mil/infoas/index.htm
National Institute of Standards and Technology
http://csrc.nist.gov/
If you need more...email me (god help me for putting this on /. ...)
rjhedgehog@gmail.com
Good Luck!
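The two posts above (the one about removable drives, disabled floppy/CD burners and auditing, and this one's clean-install checklist) describe the same baseline: NTFS only, NIC disabled, unneeded services off, DoD logon banner installed, auditing on, removable media justified or disabled, and every session documented. The script below is an added example, not something from the thread or from any of the posters: a read-only check that reports where a Windows workstation deviates from that baseline and appends a dated record of who ran it. It assumes PowerShell 5.1 or later on Windows 8/Server 2012 or newer (for Get-Volume and Get-NetAdapter); the service list and the log path are placeholders that a real site's SSP would replace.

```powershell
# Added example (not from the thread): read-only baseline check for a
# stand-alone classified Windows workstation. Run from an elevated prompt.
# Assumes PowerShell 5.1+ on Windows 8 / Server 2012 or newer.
# It reports findings; it changes nothing.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Every mounted volume must be NTFS. A FAT partition (the restore
#    partition mentioned in the thread) carries no ACLs at all.
Get-Volume | Where-Object { $_.DriveLetter } | ForEach-Object {
    if ($_.FileSystem -ne 'NTFS') {
        $findings.Add("Volume $($_.DriveLetter): is $($_.FileSystem), not NTFS")
    }
}

# 2. No network adapter may be up on an isolated classified box.
Get-NetAdapter | Where-Object { $_.Status -eq 'Up' } | ForEach-Object {
    $findings.Add("Network adapter '$($_.Name)' is up; expected disabled")
}

# 3. The logon banner must be configured (caption and text).
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy = Get-ItemProperty -Path $policyKey
if ([string]::IsNullOrWhiteSpace($policy.LegalNoticeCaption) -or
    [string]::IsNullOrWhiteSpace($policy.LegalNoticeText)) {
    $findings.Add('Logon banner (LegalNoticeCaption/LegalNoticeText) not configured')
}

# 4. Audit policy: logon and object-access subcategories must be on.
#    auditpol output is parsed as text; English subcategory names assumed.
$audit = auditpol /get /category:* 2>$null
foreach ($sub in @('Logon', 'Logoff', 'File System', 'Removable Storage')) {
    $line = $audit | Where-Object { $_ -match "^\s+$sub\s{2,}" }
    if (-not $line -or $line -match 'No Auditing') {
        $findings.Add("Audit subcategory '$sub' is not enabled")
    }
}

# 5. Services with no business on an isolated CAD box. Placeholder list;
#    the authoritative list comes from the site's SSP.
$unneeded = @('RemoteRegistry', 'TermService', 'SSDPSRV', 'upnphost')
foreach ($name in $unneeded) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc -and $svc.StartType -ne 'Disabled') {
        $findings.Add("Service $name is $($svc.StartType); expected Disabled")
    }
}

# 6. Removable media: USB mass storage driver (Start=4 means disabled)
#    and any optical drive must be justified in the SSP or disabled.
$usbstor = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' `
    -ErrorAction SilentlyContinue
if ($usbstor -and $usbstor.Start -ne 4) {
    $findings.Add('USBSTOR driver is not disabled (Start != 4)')
}
Get-CimInstance Win32_CDROMDrive -ErrorAction SilentlyContinue | ForEach-Object {
    $findings.Add("Optical drive present: $($_.Caption)")
}

# 7. "Document EVERYTHING": append who ran the check, when, and the count.
$stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
$who   = "$env:USERDOMAIN\$env:USERNAME"
$log   = Join-Path $env:ProgramData 'baseline-check.log'   # placeholder path
Add-Content -Path $log -Value "$stamp $who findings=$($findings.Count)"

if ($findings.Count -eq 0) {
    Write-Output 'No deviations from the baseline found.'
} else {
    Write-Output "$($findings.Count) deviation(s):"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

The point of keeping it read-only is the one the post makes about justification: a finding such as an enabled optical drive is not automatically wrong, it is something the IS plan must either justify or remove, so the script surfaces it and leaves the decision (and the paperwork) to the ISSO.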
Don't forget. Over 80% of that £0.91 is tax, collected by our thieving incompetent Government. It would be nice if we knew where this money is going to because it is definitely not being invested in our country!!!
Parent is right on almost all these points:
CDs: Pressed Media is OK, but once it enters a classified computer it becomes classified and can not be used in an unclassified system.
CDs: Burned Media is a NONO. A disk must be upgraded to secure, virus scanned, then moved across into the new system. That disk must be destroyed via (No idea, I take them down to the security office first) and can not be placed in any other computer.
Typically we have our CDs disabled (snipped cable) and the microphone plugs on the sound card plugged with epoxy to prevent some really creative hacking attempts.
It's not hard to be compliant with the rules, I just think unless you have the infrastructure to protect that computer you are asking for trouble. Remember- this is now a SECRET system, and as such you will have many problems with the federal government should you inadvertently disclose (via theft) said computer.
You'll also need a virus scanner and a firewall on the system, even if it's stand alone. If memory serves.
Most computer manufacturers have contracts in place to sell certified hardware.
Oh yeah- no open source software if it's not approved by your DoD security officer and no foreign owned, controlled, contributed, or looked at, code can run on it. Your situation might be different so TALK TO YOUR DOD SECURITY OFFICER.
I mean, it's only jail time for you if you screw up.
Done, secure computer. Well of course you need to not plug it in inside a bank vault as well. Then it's secure, well unless the earth parts so don't use a Bank in California. Then there is the sun expansion that will cover the earth, so you can only set up a secure computer agreement/expectation for a few hundred million years. By then there may be more portable solutions.
First off, do you have a secure facility that you will work in? If so, you likely have security staff who have the specific requirements for your site. Make sure to speak with those who handle the AIS systems rather than physical security and personnel security. As for asking on /., could you really rely on the information obtained here? Even if it is correct, you have to treat any information based on the source, and trusting a post without knowing the source is unreliable. If you find that the DoD person you are in contact with does not have the answer, ask to speak with someone who does.
I'm asking /. the pros and cons of vendors vs. building it yourself. I'm asking /. what unexpected challenges they may have come across in setting up the machine.
Standardized equipment has become pretty commonplace for secure deployments. Essentially your customer security representative should provide requirements for securing AIS systems as these differ from customer to customer and project to project. Generally though, this involves disabling some physical devices (external drives and ports), disabling/securing services, detailed logging, etc.... Certainly if you are required to secure the hard disk, I'd recommend an enclosure that allows easy access for that, but you may not find that option in standard equipment. This may not be the case in all environments, especially if operated 24/7, but each customer may have their own requirements that you'll have to follow.
I guess the overall message is that you really need to work with your customer rather than any public forum for the general information. My thought on the specific question for vendor vs. custom systems is that approval will likely be easier for a vendor built system but certainly a custom system can be approved for use, you may just have more security work on your hands.