Slashdot Mirror


Building Secure Computers?

maotx asks: "Growing into the job of a system administrator, I've been tasked with something I'm not quite prepared for: purchase or build a computer that meets DoD compliance for classified 'Secret' information. Several vendors, including Dell, our primary supplier, offer computers that will work, but being new to the criteria I want to make sure the right computer is purchased. The computer will be used to create secure CAD drawings (Solidworks, OrCAD, etc) and must have, from what I can tell, a removable hard drive and security stickers to prevent tampering. What is your experience in setting up a secure computer and is it better to have a vendor do it, or yourself?"

46 of 628 comments

  1. Secures computers need Windowsz 95 by Anonymous Coward · · Score: 5, Funny

    So sayeth the editors of Slashdot.

    1. Re:Secures computers need Windowsz 95 by jericho4.0 · · Score: 4, Funny
      "Ask Slashdot: Where New Tech Should Libraries Try Next?" posted by Cliff @ 4:30PM.

      "Ask Slashdot: Building Secures Computers?" posted by Cliff @ 7:32PM.

      He'll pass out by 10, I bet.

      --
      "A language that doesn't affect the way you think about programming, is not worth knowing" - Alan Perlis
    2. Re:Secures computers need Windowsz 95 by SYFer · · Score: 5, Funny

      No no no. If you'd actually read TFA, you'd see that the building in question is constructed with windows and doors so small that a computer cannot be passed through them, ergo the building does indeed secure the computers. Now that IS news for nerds!

      --
      "...all the labours of the ages, all the devotion, all the inspiration, all the noonday brightness..." yada yada
    3. Re:Secures computers need Windowsz 95 by Baricom · · Score: 4, Funny

      Tell me about it. Slashdot posts are the paragon of literacy, insight, and high social class. It would be utter disaster if the plebeians that frequent digg were to soil the characteristic quality and originality found on Slashdot.

  2. Don't ask Slashdot by kevlar · · Score: 5, Interesting

    Ask the Dept of Defense. Asking Slashdot about DoD guidelines is like asking an elementary school for details about the space shuttle. No offense to /. community.

    1. Re:Don't ask Slashdot by maotx · · Score: 4, Insightful

      Our facility security officer has a stack of papers that I have been reading over but it is pretty slim in details when it comes to the specifics. Network is a definite no, floppies and CDs are ok, but what about USB hard drives? Etc.

      The only reason I asked Slashdot was for a jump start. My manager says we need to have something, at least a plan, by next week.

      --
      I'm a virgo and on Slashdot. Coincidence? Yes.
    2. Re:Don't ask Slashdot by TripMaster Monkey · · Score: 4, Informative


      My suggestion would be to disable floppy as well as USB, and only allow transmission of information to and from this system via CD. USB is right out...don't let anyone try to convince you otherwise...it's an unacceptable security risk. Also, only allow data to be transferred to and from a protected 'sandbox' area on the system, and make certain that autorun of CD-ROMs is disabled in the registry. One more thing: keep the system in a locked room, and personally supervise, if not actually conduct, all data transfers.

      Sure, it sounds paranoid...but is it paranoid enough?

      --
      ____

      ~ |rip/\/\aster /\/\onkey

    3. Re:Don't ask Slashdot by Creepy Crawler · · Score: 4, Informative

      ---My suggestion would be to disable floppy as well as USB, and only allow transmission of information to and from this system via CD.

      And I'd have the CD drive read lines under a hardware lock (like the old machines used) and have it shut off unless required.

      ---USB is right out...don't let anyone try to convince you otherwise...it's an unacceptable security risk.

      Agreed. Have only PS/2 mouse and keyboard available. Also make sure that Firewire, serial, parallel, audio jacks on CD-ROM and sound card, and all peripheral devices are GONE, removed or jacks destroyed by one incapacitating method or another. Super-glue in serial ports makes an awful mess to "recover".

      I, a long time ago, made an attack in which I recorded audio on a cd player through the audio jack. I was able to reconstruct the data from the "static sound". I'd call that an attack as much as hooking up a data cassette to a Commie 64.

      ---Also, only allow data to be transferred to and from a protected 'sandbox' area on the system,

      I would call that "Printouts".

      ---and make certain that autorun of CD-ROMs is disabled in the registry.

      You ASSume Windows. Nobody running a secure environment would use windows, unless it's just confidential.

      ---One more thing: keep the system in a locked room, and personally supervise, if not actually conduct, all data transfers.

      Double-lock the room, use mag-locks to determine when door is opened. Record open-close actions.

      Have 2 video cams that record on any motion to a remote system (just as secure, as it could record confidential data). Have each room record the others' cameras while NEVER under any circumstances allow anybody from one get into the other room.

      Also have a 10 minute delay safe for open events to even get to the hard drive. Set up a hypergolic charge in the safe in case of tampering. Also have safe monitor open-close events.

      I also have a few ideas on unbeatable object-detection schemes, but I believe they're actually used in real Secure environments. I will not mention them.

      Still, the good ol standard of having 2 "Armed to the teeth" guards at the door always suffice as a first precaution. If you can afford this, you can have double-locking doors that 2 separate entities must open.

      Example: To get in, you flash badge to 2 officers. You enter 1'st set of doors. You then submit to scans/checks of whatever to open 2'nd doors. To get out, you walk out the 2'nd doors, and ONLY 2 guys can open 1'st doors from outside. Very secure.

      ---Sure, it sounds paranoid...but is it paranoid enough?

      Nope.

    4. Re:Don't ask Slashdot by Anonymous Coward · · Score: 5, Informative

      OK... here's the basics... Excuse the AC post, but the fewer people that know you have a security clearance, the better.

      Yes, you can order from Dell, Gateway, HP, etc. The removable hard drive is employed so that when the computer is not in use the hard drive can be locked in a DoD approved container (a pretty heavy duty safe or filing cabinet, normally) that only authorized users can access. If you didn't have a removable hard drive, then the entire room the computer was housed in would need to be classified as a DoD secure space. As it is, while the computer is in use it will need to be out of sight of anyone not cleared to use it. Sometimes something as simple as a curtain is used, while others might keep the computer in a separate room or closet.

      The stickers are not for tamper proofing. Rather, they are used to remind you that you are dealing with a classified system and should treat it as such. You can use them across seals, but they aren't required. At the least, they will need to be put on the hard drive, hard drive caddy, computer case, and monitor.

      For the drives, it's probably a good idea to disable anything that you won't be using. You can leave floppy drives intact if you want, just be aware that as soon as a non-write-protected floppy goes in the drive, it is required to immediately be labeled as a classified disk and logged. You can take material from unclassified to classified systems, but not vice versa (duh, I know, but it needs to be said). Since this system will be stand-alone, you might consider disabling all the USB ports via the BIOS and just using PS2 for the mouse/keyboard. That will help prevent USB thumb drives from being used. Remember, if the system can write to it, then it has just become classified material. CDs are safe, but floppies, thumb drives, etc. are not unless they are in write-protect mode.

      Hope that helps!

    5. Re:Don't ask Slashdot by nzkbuk · · Score: 4, Interesting

      You give that version of windows too much credit.
      It wasn't "Windows NT" that got the rating (as much as M$ hyped it), and I don't remember the exact spec, but the spec gave the EXACT make and model of computer (and hence hardware spec (that didn't include a network card)) as well as the exact patch level of NT and it specified the applications installed.

      In short it wasn't generically Windows NT, or even Windows NT4 sp2. It was much better defined than that, but that being said, yes M$ has achieved a security rating, and I'd have to agree (unlike a bunch of the posts on this topic I've seen), the security model has to fit with the company. If they are asking as a DoD contractor, the question is in the wrong place. If the question is from a company that management feels they need to secure their computing environment, then it's all good.

    6. Re:Don't ask Slashdot by jcr · · Score: 4, Interesting

      the spec gave the EXACT make and model of computer (and hence hardware spec (that didn't include a network card)) as well as the exact patch level of NT and it specified the applications installed.

      It also required that the entire IP stack be deleted. It was quite a joke in the computer security business at the time.

      -jcr

      --
      The only title of honor that a tyrant can grant is "Enemy of the State."
    7. Re:Don't ask Slashdot by CyberSp00k · · Score: 5, Informative

      You cannot use the machine in both a classified and a non-classified environment. You will get the machine certified for a specific level of classified processing and lock it into a room that is effectively a people-sized safe. Access to the room will be controlled and only cleared and authorized people will be permitted in. They will log their entrances and exits. Each project hard drive and associated backup media will be stored in a separate, individually lockable and differently keyed drawer of a safe certified for classified processing. Users will log every item in each safe drawer and will log every time they open or close any drawer of the safe. EVERY scrap of output from the system (optical media, magnetic media, or hardcopy) will have to be logged and controlled at both creation and destruction - destruction requires special handling and facilities.

      Issues of bootable CD-ROMS, USB data sticks, and product licensing are trivial housekeeping compared to the work you are going to have to undertake to create and maintain a secure processing facility. By the way, printers have memory and printer ribbons retain images - you have to address those items, too. Certified print required.

      If you already have a secure processing facility, you also have a certified site security officer (SSO) who has been trained in the use and requirements of the NISPOM. You should be talking to this person, not us.

      --
      Spiritus ex Machina
      "The universe is not only stranger than we imagine, it's stranger than we CAN imagine."
    8. Re:Don't ask Slashdot by HD Webdev · · Score: 4, Funny

      USB is still thrown up in the air. I'm very uncomfortable with it but our client uses it quite often to transfer data.

      Lots of stuff WILL be thrown up in the air if someone connects a USB wireless adapter.

      --
      This is not a dream, not a dream...we are transmitting from the year 1-9-9-9.
    9. Re:Don't ask Slashdot by Anonymous Coward · · Score: 3, Informative
      You ASSume Windows. Nobody running a secure environment would use windows, unless it's just confidential.

      Rubbish. Why wouldn't you use windows in a secure environment? Windows is no less secure than any other item of equipment in those situations. Ok, it may get a viral infection which hoses the system, or it may crash more frequently. Other than that nothing is likely to be a problem.

      ---One more thing: keep the system in a locked room, and personally supervise, if not actually conduct, all data transfers.
      Double-lock the room, use mag-locks to determine when door is opened. Record open-close actions.

      Have you seriously worked in a secure environment or are you making up a load of crap again? You have a code lock and some sort of ID card swipe, so you can identify who has opened the door. People have to swipe out too.

      Have 2 video cams that record on any motion to a remote system (just as secure, as it could record confidential data). Have each room record the others' cameras while NEVER under any circumstances allow anybody from one get into the other room.

      No, you do not have a remote video system anywhere near a secure computer. How secure is the wiring, how secure is the recording device?

      Also have a 10 minute delay safe for open events to even get to the hard drive. Set up a hypergolic charge in the safe in case of tampering. Also have safe monitor open-close events.

      Why? You're hardly going to be asked to open the safe at gunpoint, which is the point of time delayed safe locks.

      Still, the good ol standard of having 2 "Armed to the teeth" guards at the door always suffice as a first precaution. If you can afford this, you can have double-locking doors that 2 separate entities must open.

      Why, again? They themselves are more a security threat.

      ---Sure, it sounds paranoid...but is it paranoid enough?

      It addresses virtually none of the concerns that need to be addressed when dealing with Secret or Top Secret documentation.

      My recommendations are:
      1. No other electrical equipment within a 2 metre radius of the computer, this includes telephones, desk lamps, etc
      2. Computer is not in a room with windows
      3. Computer is enclosed in a faraday cage.
      4. Computer is on a desk with no "modesty panel"
      5. Door to room where computer is is code lock and id card protected.
      6. An independent log is kept of who uses the computer when.
      7. Computer is powered on before use and off after use.
      8. Hard drive is removed when not in use and kept in a secure safe with a code lock.
      9. All staff who have access to the door to the room it is kept have security clearance. (yes, this includes the cleaners)
      10. All staff who have access to the door are well paid.
      11. The AC inlet to the computer is shielded from other AC cables and is separated by at least a metre airspace from other cables.

      The weakest link in all security is people - keep strict control on those who have access and when, this includes security staff.

    10. Re:Don't ask Slashdot by CyberSp00k · · Score: 4, Informative

      Sigh!

      The link you refer to points to material that is up to two decades old. The assurance levels you refer to (A, B, and C) are from the Orange Book, the seminal work of the Rainbow Series of security development manuals produced for the U.S. DoD.

      The Rainbow Series was superseded in 1996 by the Common Criteria, an international agreement about security functional requirements, assurance requirements, and the processes needed to evaluate the security characteristics of IT products. Products that have met the requirements and undergone the process are listed in an Evaluated Products List. Among operating systems that have met the Common Criteria requirements are Mac OS X, Red Hat Enterprise Linux AS/WS 3, Solaris 9, SuSE Linux Enterprise Server V8, and Windows 2000 Server. All of these must be run on specific hardware configurations and with specific software configurations to retain their certified status in an operational environment. A recent project I was working on needed an HTML-based interface - imagine creating that on a Linux box that could not run X or even activate the frame buffer!

      Secure systems are not just platforms that resist the latest script kiddie 'sploit. A system includes people, processes, hardware, software, development methodologies, and the operational environment. This is what makes a secure, assured SYSTEM, not just an expensive doorstop.

      Links of (possible) interest:

      Orange Book
      http://csrc.ncsl.nist.gov/secpubs/rainbow/std001.txt

      Rainbow Series
      http://csrc.nist.gov/secpubs/rainbow/

      Common Criteria
      http://www.commoncriteriaportal.org/

      U.S. "Scheme"
      http://niap.nist.gov/cc-scheme/

      Evaluated Products List (EPL)
      http://niap.nist.gov/cc-scheme/vpl/vpl_type.html#operatingsystem

      --
      Spiritus ex Machina
      "The universe is not only stranger than we imagine, it's stranger than we CAN imagine."
  3. A few too many 's'-es by jrockway · · Score: 5, Funny

    Buildings secure computers? Computers secure building? What?

    Oh, you meant "building secure computers".

    --
    My other car is first.
    1. Re:A few too many 's'-es by Basehart · · Score: 4, Funny

      I was halfway through building a lego house next to my computer to make it more secure before I realized it was a typo.

      Duh

  4. Secure computer by AVazquezR · · Score: 3, Insightful

    Build it yourself. I wouldn't rely on any manufacturer.

    1. Re:Secure computer by Eric_Cartman_South_P · · Score: 4, Funny

      Not if it's an Apple computer! Apple computers are not made, they are birthed from the vagina of a mystical creature who has nice tits.

      !?!

  5. I heard that... by rbarreira · · Score: 5, Funny

    I heard that the first step towards building secures computers is to be attentive to small details such as spelling and grammar.

    --

    The AACS key is NOT 0xF606EEFD628B1CA427BEA93A9CA9773F
    1. Re:I heard that... by Mazem · · Score: 3, Funny

      That grammar is so bad it has to be intentional. I just don't get the reference.

      Ask Slashdot: Building Secures Computers?
      Security
      Posted by Cliff on Wednesday August 24, @07:32PM
      from the even-keyboard-adccess-won't-make-it-easy dept.
      maotx asks: "Growing into the job of a system administrator, I've been tasked with something I'm not quite prepared for: purchase or build a computer that meets DoD compliance for classified 'Secret' information. Several vendors, including Dell our primary supplier, offers computers that will work, but being new to the criteria I want to make sure the right computer is purchased. The computer will be used to create secure CAD drawings (Solidworks, OrCAD, etc) and must have, from what I can tell, a removable hard drive and security stickers to prevent tampering. What is you're experience in setting up a secure computer and is it better to have a vendor do it, or yourself?"

  6. You've already violated protocol... by TripMaster Monkey · · Score: 3, Interesting


    Wow...where to begin...

    First of all, soliciting advice on the construction of a computer that meets DoD compliance on Slashdot, of all places, is probably not the brightest of ideas...you might want to keep this from your employers if you are interested in keeping your job.

    Second, security stickers on their own simply aren't adequate to the task at hand. Remember, you're looking for tamper-proof, not merely tamper-evident...

    --
    ____

    ~ |rip/\/\aster /\/\onkey

    1. Re:You've already violated protocol... by maotx · · Score: 4, Informative

      First of all, soliciting advice on the construction of a computer that meets DoD compliance on Slashdot, of all places, is probably not the brightest of ideas...you might want to keep this from your employers if you are interested in keeping your job.

      I don't see a problem with it. Information on how to classify a computer is not classified.

      Second, security stickers on their own simply aren't adequate to the task at hand. Remember, you're looking for tamper-proof, not merely tamper-evident.

      The stickers are DoD required to prove that the system has not been tampered with. They are not a means of securing the computer.

      --
      I'm a virgo and on Slashdot. Coincidence? Yes.
  7. Don't ask IANA... by Anonymous Coward · · Score: 5, Funny

    "Asking Slashdot about DoD guidelines is like asking an elementary school for details about the space shuttle."

    True. But we ARE good with law, business, and economics.

    1. Re:Don't ask IANA... by utnow · · Score: 3, Funny

      You know the line about how if you put a bunch of monkeys in a room with a typewriter long enough they'll produce Shakespeare? Except the Shakespeare is Mad© Magazine... and the monkeys... Yeah... that's Slashdot.

  8. A building that secures computers, interesting. by Agret · · Score: 4, Funny

    How does this building secure the computers? Does it use laser cutty things like on Resident Evil?

    --
    Have you metaroderated recently?
  9. Talk to your FSO by ostrich2 · · Score: 3, Informative

    If you have to set up a secured computer and your Facility Security Officer can't direct you how (roughly), then there's no way you'll get classified information on the system. It's not like you can set up a computer and all of a sudden the government will trust you to put secure information on it. You need to have a written, approved procedure for doing so. Your DIS rep has to authorize you to put stuff on the system.

    At a place I used to work, we just bought Dells. (Heck, I think we even leased them!) When they were delivered, we'd put a standard image on them that did things like warn the users before they logged on, and turned on auditing on certain directories.

  10. Re:I've never had to worry about this... by some2 · · Score: 3, Insightful

    CYA is exactly why you'd want a vendor to do the build. They have E&O insurance to cover their asses if they screwed something up -- you just lose your job. Also much less work & worry for you if someone does tamper with the equipment as they will have already designed a methodology to review the break-in/tampering to determine the amount of data lost. If the company doesn't have that, don't use them.

  11. It's not about the hardware by Anonymous Coward · · Score: 3, Informative

    I'm involved in IA (Information Assurance) on VA Class subs... for Voyage Management and Radar.

    A sticker and removable hard drive complying with IA is like saying that a power cord is what's needed to make a computer.

    At one point we had a meeting and reviewed the full blown DoD requirements for secure computing. Our estimation was that the resulting system would A) be unusable for anything due to the insane lockdown policies, and B) cost around a $million to configure and test to their specs.

    It's all about configuration.

    Ok, on the non-sensational side... other computers where I work, for dealing with classified data, are to be located in a certified secure room (forget the name of the certifying authority), and yes there is a "class" / "unclass" sticker on the PC, and yes, the hard-drive is removable, and yes must be stored in an approved safe while not being used. And access to the room is by approval only, with both a horribly hard to use combo lock, and a cipher door lock on top of that. Oh yeah, connection to the house-net is verboten. Any-net for that matter.

    And my facility is a low-brow Secret only site. Travel to certain DoD contractors with only a Secret clearance and you're treated like a second class citizen.

    It's all about configuration. (repeated intentionally)

    Be prepared for mind-numbing configuration, test and audit sessions.

    I am light on details because I do my best to stay at arms-length from IA at work... it's teh suxor

    w

  12. Re:You cannot do it most likely by maotx · · Score: 3, Informative

    To clarify:

    Our company is rated for 'secret' information. We currently have classified information, it is just paper right now. We have been requested to expand our capabilities so we may develop new products to meet the demands. We have a set of papers that are pretty light on the details of what is required for a computer to be certified for secret information, but it does not go into enough details for us to have an open mind about it. If we want a secure computer, that's easy. Case sealed with stickers, operating system and software installed on removable hard drive, no network card, and a paper trail going all the way down to the details of the last person who sneezed on it.

    What I was really trying to ask was, "In your experience, is the extra money going into a vendor worth it or, is it better just to buy a chassis and set up a machine yourself?"

    --
    I'm a virgo and on Slashdot. Coincidence? Yes.
  13. Too strong a word. by Dan East · · Score: 4, Insightful

    Editor is too strong a word for what is done by Slashdot staff. Person who clicks button to approve story is far more accurate, although lacking a certain panache.

    Dan East

    --
    Better known as 318230.
  14. Not rocket science, but pay attention to detail. by jinx90277 · · Score: 5, Informative

    Most of what you need to know is contained on the Defense Security Services (DSS) Information Assurance website: http://www.dss.mil/infoas/ The guiding document for DoD contractors is the National Industrial Security Program Operating Manual (NISPOM). Classified systems have to go through a formal certification and accreditation process before they will be approved for classified processing. Since your ultimate goal is to satisfy the accreditor, you should contact him/her as soon as possible to have them explain what will be required and to hear their particular areas of concern so that you can address them early in your design. Security paperwork requires considerable time to fill out, and mistakes can result in long delays in accreditation, or even the rejection of your system.

    However, it isn't enough to just build a system with the proper hardware and software configuration -- you also have to make sure that the physical environment and users will meet the requirements of the NISPOM. If you don't already have a facility clearance, then you have a significant issue to tackle before you can even build your system. I'm hoping that you are simply building a new computer to add to an existing classified network or house in an existing DoD closed area -- if not, you may find this to be a very daunting task.

    --
    "she says i'm lousy conversation. as if that's supposed to help."
  15. Re:You cannot do it most likely by DaEMoN128 · · Score: 4, Interesting

    No network is not a DoD requirement. Not being connected to an unencrypted network is. If you have an accredited Secure Network.... you can network these. It is worth the extra money... trust me. I have been in your shoes. Contract writers like warranties.

    --
    Stop signs are only Suggestions
  16. Drop the Bomb by Doc Ruby · · Score: 4, Insightful

    First, get your boss to sign a memo acknowledging that you're not qualified to certify computer systems as "DoD secure". Then, hire a security consultant from an insured firm which does sign a contract saying they are so qualified. Then do your best. Also, don't rely on Slashdotters' advice on how to tell if a system is "DoD secure". We're a bunch of kibitzers on a huge website full of jokers, posers and saboteurs - indistinguishable from those with a clue.

    If you think that advice means you'll get fired, resign. Better now, than after they blame you for the inevitable security breaches. That's probably their plan anyway, in whichever management layer thought that military security is just a buzzword to get an underqualified admin to comply with.

    --
    make install -not war

  17. Two methods of doing this: by toadlife · · Score: 5, Funny

    First of all you'll need a server equipped with tiny C4 charges embedded in each of the hard drives. This is a handy way of deleting data on your hard drives very quickly. I hear HP can furnish these.

    Second, you will need to hire a troupe of security guards to watch over the computer. Equip them with M16s, and have them work in shifts, escorting users to and from the computers. If you can't afford humans, several dozen trained monkeys will do the job. Just make sure and keep at least three extra monkeys on hand so you can replace the dead ones. You'll need at least two monkey handlers if you go the monkey route - one to watch over the monkeys and one to fill in when the first one gets shot.

    For a bit of extra security, you can purchase a used electric chair from one of the states that have switched to lethal injection and use it as the chair for the workstation. One armed guard can stand holding the red button, ready to fry the operator in case (s)he mishandles any data, or looks at the guards funny, while another guard stands ready to kill the other in case they refuse to press the red button.

    If you can't afford or find an electric chair on the retail market, submit an "ask slashdot" article and I'm sure you'll get plenty of tips on how to build one yourself.

    Or if you want to save money you could just install the super secure Gentoo Linux operating system and set it to update itself via emerge automatically every hour.

    It's your choice.

    --
    I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
  18. Re:Nonclassified? by Jamesday · · Score: 3, Informative

    You'd need to be prepared to deal with people hardwiring USB keyloggers to the motherboard or inserting into keyboard itself. Or inserting whatever into any other bits of the computer which are available. Add more when you might have to deal with actual professionals in the business of compromising such systems to get at their contents or install bugs for audio. Sounds like a really poor concept to try mixing use. But do ask the real experts, who I assume are your customers.

  19. Re:Don't ask Slashdot, ask an SSO/SSR/IAM/ISSO/IAS by Anonymous Coward · · Score: 3, Funny

    If you want some actual military assistance, respond to my email.

    Does this offer only apply to the original poster? Because I require some military assistance as well. I have two areas of concern:

    1. My neighbor keeps walking his dog in front of my house and it shits next to the sidewalk. He's supposed to clean it up, but he never does. I was hoping you could take the dog out for me.

    2. Gas will probably reach $3/gallon before too long. I know you military types are experts at liberating people, and sometimes there's petroleum, you know, sort of left over. I was wondering if you could liberate the local Sunoco for me so I can get some gas for my car for free.

    Thank you, and I eagerly await your email.





    ps remember don't ask don't tell!

  20. You won't like to hear this... by Eil · · Score: 5, Informative

    As a US Air Force member who handles information and uses computers classified as Secret, I can tell you that there's no physical difference between a Secret machine and an ordinary one. If vendors are telling you that they can build a DoD Secret classified computer, then they are simply blowing smoke up your ass.

    DoD classifications are all about policy, paperwork, and regulations. Not fancy computers. Most people, when they hear of DoD classifications and security clearances, are quick to imagine black vans, polygraph tests, and high-tech datacenters protected better than Fort Knox. Honestly, that's all a bunch of nonsense. All of the classified systems that I've used were just ordinary computers from ordinary manufacturers.

    In my current workplace, we have a standard Gateway PC with a removable hard disk and a few Panasonic Toughbooks. Nothing special at all. The only visible difference between these and the regular office PCs is that they have red stickers all over them that say "Secret" and the fact that we are not to process Secret data on the unclassified PCs and vice versa. The Gateway machine can only be connected to SIPRNET (google it) and the Toughbooks are never connected to any network. That's it. No crazy combination case locks, no biometric devices, no odd software. They all run Windows for crying out loud.

    If it is your job to configure a computer to the equivalent of DoD's Secret classification (I know you don't work for DoD or you'd already have people showing you how), I'd recommend getting whatever kind of computer will fit your needs.

    Then start looking at writing mountains of policies. The first thing you have to do is restrict physical access. This can be done by putting the machine in a locked room with no windows. A laptop would be even easier... just get a GSA-approved safe and keep it in there when it's not in use. Obviously, you would never, ever, ever connect it to any network, period. All the data going in and out should be on CDRs or USB keys and should be accountable somehow. Figure out who needs to have access to it and if they can be trusted. Be sure to emphasize that failure to follow proper security procedures is grounds for immediate termination, whether any information was compromised or not. Ensure that whenever the machine is used, there are never less than two people present. Create an emergency checklist of what to do if the building catches fire, for instance.

    That's all I can think of off the top of my head, you'll probably be able to envision a lot more with some careful thought. Good luck.

    1. Re:You won't like to hear this... by Damingo · · Score: 3, Insightful

      Yes but there is more.

      Let a brit teach you yanks how to make a secure WS.
      Ok dropping the gump, I work for the British MoD and my job is exactly yours, apart from I oversee (and do) the making of all WS (Work Stations) within the Defence Procurement Agency of the MoD.

      When I started making WS for the DPA they were a little less secure than the ones that Eil is suggesting. However I soon made one improvement, the introduction of a "Magic Card", a device which returns the HDD (boot sector, fat (and no I don't mean NTFS as I'm talking about the actual F System), etc) to a predefined image each time the WS reboots. A reboot is demanded by the system each time a user logs off. This ensures that when an idiot user saves data to the HDD it is deleted. This also ensures that any Temp Files (intRAnet or otherwise) are deleted.

      Otherwise we use a basic Nakard-Dell (Packard) machine, no outside lan, but access to the Defence Secured EVA System. Data is imported on a removable drive via a second machine, which need not be classified (it is as the av software is, but that doesn't matter). The second machine simply boots to CD and runs a full virus sweep of the removable drive, then shuts down. It has no HDD of its own, so can not actually access the classified data. When not in use this removable HDD is kept in a SecNoFoN safe (Secret No Foreign Nationals). Oh and to ensure a VScan has been run, the second machine sets a flag at the end of the storage drive; when the main pc boots it checks for this flag, and if it is not present it demands a VScan and shuts down (if it is present it is deleted, and the machine boots).

      As for entry into the room, it is controlled by an RFID card (swipe will serve for you), which all members of the base hold (their ID Cards) and only the authorised RFID cards are granted entry to the room. The room contains a shredder and nothing more.

      I hope that this has been of some use!

      Damingo C

      p.s. The machines run a modded version of Win 2k (I have the source woot woot)/.

      --
      PAKA will take over the world one /. at a time. With the help of me his evil R'n'D guy
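
The scan-flag handshake described in the comment above (the scan station writes a flag at the end of the removable drive; the workstation checks for it at boot and deletes it), as an added example that is not part of the original comment or of any MoD system. The marker value, key, sector layout and the HMAC that ties the flag to the drive contents are assumptions added here; the comment describes only a presence flag, and this sketch goes one step further so that a drive changed after its scan is also refused.

```python
import hashlib
import hmac

SECTOR = 512
MAGIC = b"VSCAN-OK"            # hypothetical marker value
KEY = b"constructed-demo-key"  # hypothetical secret provisioned on both machines


def _tag(drive: bytearray) -> bytes:
    """HMAC over the data area (everything except the final flag sector)."""
    return hmac.new(KEY, bytes(drive[:-SECTOR]), hashlib.sha256).digest()


def scanner_set_flag(drive: bytearray, scan_clean: bool) -> None:
    """Scan station: write the flag into the last sector only after a clean sweep."""
    if scan_clean:
        record = MAGIC + _tag(drive)
        drive[-SECTOR:] = record.ljust(SECTOR, b"\x00")


def workstation_boot_check(drive: bytearray) -> str:
    """Workstation: consume the flag, or refuse and demand a scan."""
    flag = bytes(drive[-SECTOR:])
    drive[-SECTOR:] = bytes(SECTOR)  # single-use: the flag is always cleared
    if not flag.startswith(MAGIC):
        return "no flag: demand scan and shut down"
    stored = flag[len(MAGIC):len(MAGIC) + hashlib.sha256().digest_size]
    if not hmac.compare_digest(stored, _tag(drive)):
        return "flag does not match contents: demand scan and shut down"
    return "flag valid: boot"


def demo() -> list:
    # Constructed drive image: four data sectors plus one flag sector.
    data = b"constructed CAD import data".ljust(4 * SECTOR, b"\x00")
    drive = bytearray(data) + bytearray(SECTOR)
    results = [workstation_boot_check(drive)]      # never scanned
    scanner_set_flag(drive, scan_clean=True)
    results.append(workstation_boot_check(drive))  # scanned and untouched
    results.append(workstation_boot_check(drive))  # flag already consumed
    scanner_set_flag(drive, scan_clean=True)
    drive[0:4] = b"XXXX"                           # contents changed after the scan
    results.append(workstation_boot_check(drive))
    return results
```

Calling `demo()` walks the four cases in order: unscanned drive, freshly scanned drive, reuse without a rescan, and a drive modified between scan and boot.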
  21. Environment is more important than hardware. by joedoc · · Score: 3, Insightful

    You will probably find, after digging through reams of directives, instructions and memos, that there are about a million ways to do this. I work in a military command and hold a top secret (SCI) clearance. At our site, all our classified work is done on ordinary workstations and laptops. Most of the systems are Dells purchased off the shelf, and I've built at least one clone.

    None of those systems have removable drives, though having them is a good idea. It makes securing them easier, something you must do in a government-approved container (i.e., a safe). The space in which the systems are located and used must be secure to the level of classified information (secret, in your case). At our site, this is a window-less room with a large vault-like steel door. The door can be secured with a combination lock and a push-button cypher lock, the latter of which is in use at all times (the combination lock is secured after hours). All classified material (papers, discs, etc.) must be stored when the space is unoccupied.

    The system will probably need to meet DOD C2 requirements, which you'll likely read about. Windows NT was close to C2, and I believe Windows 2000 is as well. The system must have positive authentication for users, appropriate warnings that appear on login, an audit trail, and ways of neutralizing memory and swap space. Windows has a setting that clears the virtual memory/swap file on each reboot.

    As for networking, if you want to network internally within your spaces, you can set up a normal LAN, but outside access will require using a secure network like the SIPRNET. You won't have access to the outside world (i.e., the Internet). Most DOD components contract for SIPR connectivity through DISA.

    As you already know, labeling the CPU is important. You'll also need to label media, and keeping a log of all storage media in use is a pretty good idea to CYA. In fact, some places require it. You might also want to find out about the need for secondary storage off-site. If this is going to be a requirement, you'll need to find a similarly-classified place that you trust to stow your backup materials.

    You will need to follow the DOD rules on destruction of drives and disks no longer in use...you just can't toss old floppies or hard drives onto the 20-year pile in your office. Research the destruction procedures, and learn to store unused material until you can have it destroyed.

    You can buy shredders that will eat CDs and diskettes, but they have to be classified for the security level. Don't use the $29 Office Max shredder on sale for this.

    The real key is getting users to follow the rules. Users, as you know, are the biggest pain in the ass, and you'll always be on top of them to keep the spaces sanitized. Remind them that once they save any classified material to removable storage, that storage is now classified and cannot be used outside of the environment.

    Aren't you glad you have to do this?

    --
    Joe Dougherty, Florida, USA
    The words I thought I brought, I left behind. So, never mind.
  22. Re:Don't ask Slashdot, ask an SSO/SSR/IAM/ISSO/IAS by syousef · · Score: 4, Insightful

    I love that. Don't go to /. on military security, EMAIL me. He doesn't even KNOW you, so how are you going to become a trusted source?

    This guy is a bonehead asking for advice on /. "Dear /., I want to make a secure boxen to do top secret security stuff on. How do I do it?" How about "don't tell the world you're setting up a secure box, and don't take advice from strangers. Talk to the DoD yourself!"

    And to you. Shame on you for replying on /. Personally if I were you I'd steer well clear so he doesn't take me down with him.

    --
    These posts express my own personal views, not those of my employer
  23. ATTN: Mods, this guy is a dimwit please mod down by CHESTER+COPPERPOT · · Score: 5, Informative

    Any of you /.'ers ever study art history? Here is a little lesson about fraud.

    In the Art world when a piece of Art has a past where the time record has some glitches in it (Read: unaccountable) it is automatically considered a fraud. When things don't have a timeline, like this guy's posting record here and the fact that his myspace profile says he is 19, you gotta know something is up.

    Congratulations though /. mods. You just got social engineered.

  24. MOD PARENT UP by Adam9 · · Score: 4, Informative

    Taken from GP's Myspace profile:

    thomas's Blurbs
    About me:
    if u really want to know just ask
    Who I'd like to meet:
    i would like to meet peopl from hawaii but i like meeting other people too.


    thomas's Details
    Status: Single
    Here for: Dating, Serious Relationships, Friends
    Orientation: Straight
    Hometown: wipahu
    Zodiac Sign: Capricorn
    Smoke / Drink: No / Yes
    Children: Someday
    Education High school

  25. Seriously by TheCabal · · Score: 3, Informative

    If you're working for the DoD, you'll need a system that has been certified to handle classified material. The certification process means that it has undergone DITSCAP and meets certain criteria such as EMSEC. You really don't want to be homebrewing a machine that is going to be processing classified material, especially if it's not certified.

  26. The Zeroth and First Steps... by harmless_mammal · · Score: 3, Insightful

    As a practicing Information System Security Officer myself, there are two things you need to complete before you install anything:

    Step 0:

    You must get the proper briefings from your site's Information Systems Security Manager.

    At a minimum, you will need to get a Software Validation briefing and possibly an ISSO briefing.

    If you haven't completed an SV briefing, then you are not authorized to install ANY operating system on classified hardware.

    You will need the ISSO briefing if you are responsible for creating user accounts or are responsible for maintaining the audit records for the system.

    Step 1:

    You must have a System Security Plan (SSP). This document tells you how your system must be configured, both in terms of physical security and system/network security.

    Your SSP, and any systems created under it, need an Interim Approval To Operate (IATO) from the Defense Security Service before you can begin processing classified information.

    If you have an existing (approved!) SSP, and your ISSM is authorized to self-certify the OS you are using, then things can happen relatively quickly.

    If you do NOT have a pre-existing (approved!) SSP for this new system, then you could be looking at months before your new system is cleared for classified processing.

  27. Sample of data by Alain+Williams · · Score: 4, Funny

    Please send me a sample of the data that you are trying to keep secret - this will enable me to best work out how to keep it secure ....