Building Secure Computers?

maotx asks: "Growing into the job of a system administrator, I've been tasked with something I'm not quite prepared for: purchase or build a computer that meets DoD compliance for classified 'Secret' information. Several vendors, including Dell our primary supplier, offers computers that will work, but being new to the criteria I want to make sure the right computer is purchased. The computer will be used to create secure CAD drawings (Solidworks, OrCAD, etc) and must have, from what I can tell, a removable hard drive and security stickers to prevent tampering. What is you're experience in setting up a secure computer and is it better to have a vendor do it, or yourself?"

Secures computers need Windowsz 95

So sayeth the editors of Slashdot.

Re:Secures computers need Windowsz 95

[jericho4.0]

"Ask Slashdot: Where New Tech Should Libraries Try Next?" posted by Cliff @ 4:30PM.

"Ask Slashdot: Building Secures Computers?" posted by Cliff @ 7:32PM.

He'll pass out by 10, I bet.

Re:Secures computers need Windowsz 95

[SYFer]

No no no. If you'd actually read TFA, you'd see that the building in question is contructed with windows and doors so small that a computer cannot be passed through them, ergo the building does indeed secure the computers. Now that IS news for nerds!

Re:Secures computers need Windowsz 95

[Baricom]

Tell me about it. Slashdot posts are the paragon of literacy, insight, and high social class. It would be utter disaster if the plebians that frequent digg were to soil the characteristic quality and originality found on Slashdot.

Don't ask Slashdot

[kevlar]

Ask the Dept of Defense. Asking Slashdot about DoD guidelines is like asking an elementary school for details about the space shuttle. No offense to /. community.

Re:Don't ask Slashdot

[maotx]

Our facility security officer has a stack of papers that I have been reading over but it is pretty slim in details when it comes to the specifics. Network is a definate no, floppies and CDs are ok, but what about USB harddrives? Etc.

The only reason I asked Slashdot was for a jump start. My manager says we need to have something, at least a plan, by next week.

Re:Don't ask Slashdot

[TripMaster+Monkey]

My suggestion would be to disable floppy as well as USB, and only allow transmission of information to and from this system via CD. USB is right out...don't let anyone try to convince you otherwise...it's an unacceptable security risk. Also, only allow data to be transferred to and from a protected 'sandbox' area on the system, and make certain that autorun of CD-ROMs is disabled in the registry. One more thing: keep the system in a locked room, and personally supervise, if not actually conduct, all data transfers.

Sure, it sounds paranoid...bit is it paranoid enough?

Re:Don't ask Slashdot

[Creepy+Crawler]

---My suggestion would be to disable floppy as well as USB, and only allow transmission of information to and from this system via CD.

And I'd have the CD drive read lines under a hardware lock (like the old machines used) and have it shut off unless required.

---USB is right out...don't let anyone try to convince you otherwise...it's an unacceptable security risk.

Agreed. Have only PS/2 mouse and keyboard available. Also make sure that Firewire, serial, paralell, audio jacks on CD-ROM and sound card, and all peripherial devices are GONE, removed or jacks destroyed by one incapicating method or another. Super-glue in serial ports make an awful mess to "recover".

I, a long time ago, made an attack in which I recorded audio on a cd player through the audio jack. I was able to reconstruct the data from the "static sound". I'd call that an attack as much as hooking up a data casette to a Commie 64.

---Also, only allow data to be transferred to and from a protected 'sandbox' area on the system,

I would call that "Printouts".

---and make certain that autorun of CD-ROMs is disabled in the registry.

You ASSume Windows. Nobody running a secure environment would use windows, unless it's just confidential.

---One more thing: keep the system in a locked room, and personally supervise, if not actually conduct, all data transfers.

Double-lock the room, use mag-locks to determine when door is opened. Record open-close actions.

Have 2 video cams that record on any motion to a remote system (just as secure, as it could record confidential data). Have each room record the others' cameras while NEVER under any circumstances allow anybody from one get into the other room.

Also have a 10 minute delay safe for open events to even get to the hard drive. Set up a hypergolic charge in the safe in case of tampering. Also have safe monitor open-close events.

I also have a few ideas on unbeatable object-detection schemes, but I believe they're actually used in real Secure environments. I will not mention them.

Still, the good ol standard of having 2 "Armed to the teeth" guards at the door always suffice as a first precaution. If you can afford this, you can have double-locking doors that 2 seperate entities must open.

Example: To get in, you flash badge to 2 officers. You enter 1'st set of doors. You then submit to scans/checks of whatever to open 2'nd doors. To get out, you walk out the 2'nd doors, and ONLY 2 guys can open 1'st doors from outside. Very secure.

---Sure, it sounds paranoid...bit is it paranoid enough?

Nope.

Re:Don't ask Slashdot

OK... here's the basics... Excuse the AC post, but the fewer people that know you have a security clearance, the better.

Yes, you can order from Dell, Gateway, HP, etc. The removable hard drive is employed so that when the computer is not in use the hard drive can be locked in a DoD approved container (a pretty heavy duty safe or filing cabinet, normally) that only authorized users can access. If you didn't have a removable hard drive, then the entire room the computer was housed in would need to be classified as a DoD secure space. As it is, while the computer is in use it will need to be out of sight of anyone not cleared to use it. Sometimes something as simple as a curtain is used, while others might keep the computer in a separate room or closet.

The stickers are not for tamper proofing. Rather, they are used to remind you that you are dealing with a classified system and should treat it as such. You can use them across seals, but they aren't required. At the least, they will need to be put on the hard drive, hard drive caddy, computer case, and monitor.

For the drives, it's probably a good idea to disable anything that you won't be using. You can leave floppy drives intact if you want, just be aware that as soon as a non-write-protected floppy goes in the drive, it is required to immediately be labeled as a classified disk and logged. You can take material from unclassified to classified systems, but not vice versa (duh, I know, but it needs to be said). Since this system will be stand-alone, you might consider disabling all the USB ports via the BIOS and just using PS2 for the mouse/keyboard. That will help prevent USB thumb drives from being used. Remember, if the system can write to it, then it has just become classified material. CDs are safe, but floppies, thumb drives, etc. are not unless they are in write-protect mode.

Hope that helps!

Re:Don't ask Slashdot

[nzkbuk]

You give that version of windows too much credit.
it wasn't "Windows NT" that got the rating (as much as M$ hyped it, and I don't remeber the exact spec, but the spec gave the EXACT make and model of computer (and hence hardware spec (that didn't include a network card)) as well as the exact patch level of NT and it specified the applications installed.

In short it wasn't generically Windows NT, or even Windows NT4 sp2. it was much better defined than that, but that being said, yes M$ has achieved a security rating, and I'd have to agree (unlike a bunch of the posts on this topic I've seen), the security model has to fit with the company. if they are asking as a DoD contractor, the question is in the wrong place. If the question is from a company that management feels they need to secure their computing enviroment, then it's all good.

Re:Don't ask Slashdot

[jcr]

the spec gave the EXACT make and model of computer (and hence hardware spec (that didn't include a network card)) as well as the exact patch level of NT and it specified the applications installed.

It also required that the entire IP stack be deleted. It was quite a joke in the computer security business at the time.

-jcr

Re:Don't ask Slashdot

[CyberSp00k]

You cannot use the machine in both a classified and a non-classified environment. You will get the machine certified for a specific level of classified processing and lock it into a room that is effectively a people-sized safe. Access to the room will be controlled and only cleared and authorized people will be permitted in. They will log their entrances and exits. Each project hard drive and associated backup media will be stored in a separate, individually lockable and differently keyed drawer of a safe certified for classified processing. Users will log every item in each safe drawer and will log every time they open or close any drawer of the safe. EVERY scrap of out put from the system (optical media, magnetic media, or hardcopy) will have to be logged and controlled at both creation and destruction - destruction requires special handling and facilities.

Issues of bootable CD-ROMS, USB data sticks, and product licensing are trivial housekeeping compared to the work you are going to have to undertake to create and maintain a secure processing facility. By the way, printers have memory and printer ribbons retain images - you have to address those items, too. Certified print required.

If you already have a secure processing facility, you also have a certified site security officer (SSO) who has been trained in the use and requirements of the NISPOM. You should be talking to this person, not us.

Re:Don't ask Slashdot

[HD+Webdev]

USB is still thrown up in the air. I'm very uncomfortable with it but our client uses it quite often to transfer data.

Lots of stuff WILL be thrown up in the air if someone connects a USB wireless adapter.

Re:Don't ask Slashdot

[CyberSp00k]

Sigh!

The link you refer to points to material that is up to two decades old. The assurance levels you refer to (A, B, and C) are from the Orange Book, the seminal work of the Rainbow Series of security development manuals produced for the U.S. DoD.

The Rainbow Series was superceded in 1996 by the Common Criteria, an international agreement about security functional requirements, assurance requirements, and the processes needed to evaluate the security characteristics of IT products. Products that have met the requirements and undergone the process are listed in an Evaluated Products List. Among operating systems that have met the Common Criteria requirements are Mac OS X, Red Hat Enterprise Linux AS/WS 3, Solaris 9, SuSE Linux Enteprise Server V8, and Windows 2000 Server. All of these must be run on specific hardware configurations and with specific software configurations to retain their certified status in an operational environment. A recent project I was working on needed an HTML-based interface - imagine creating that on a Linux box that could not run X or even activate the frame buffer!

Secure systems are not just platforms that resist the latest script kiddie 'sploit. A system includes people, processes, hardware, software, development methodologies, and the operational environment. This is what makes a secure, assured SYSTEM, not just an expensive doorstop.

Links of (possible) interest:

Orange Book
http://csrc.ncsl.nist.gov/secpubs/rainbow/std001.t xt

Rainbow Series
http://csrc.nist.gov/secpubs/rainbow/

Common Criteria
http://www.commoncriteriaportal.org/

U.S. "Scheme"
http://niap.nist.gov/cc-scheme/

Evaluated Products List (EPL)
http://niap.nist.gov/cc-scheme/vpl/vpl_type.html#o peratingsystem

A few too many 's'-es

[jrockway]

Buildings secure computers? Computers secure building? What?

Oh, you meant "building secure computers".

Re:A few too many 's'-es

[Basehart]

I was halfway through building a lego house next to my computer to make it more secure before I realized it was a typo.

Duh

I heard that...

[rbarreira]

I heard that the first step towards building secures computers is to be attentive to small details such as spelling and grammar.

Don't ask IANA...

"Asking Slashdot about DoD guidelines is like asking an elementary school for details about the space shuttle."

True. But we ARE good with law, business, and economics.

A building that secures computers, interesting.

[Agret]

How does this building secure the computers? Does it use laser cutty things like on Resident Evil?

Too strong a word.

[Dan+East]

Editor is too strong a word for what is done by Slashdot staff. Person who clicks button to approve story is far more accurate, although lacking a certain panache.

Dan East

Not rocket science, but pay attention to detail.

[jinx90277]

Most of what you need to know is contained on the Defense Security Services (DSS) Information Assurance website: http://www.dss.mil/infoas/ The guiding document for DoD contractors is the National Industrial Security Program Operating Manual (NISPOM). Classified systems have to go through a formal certification and accreditation process before they will be approved for classified processing. Since your ultimate goal is to satisfy the accreditor, you should contact him/her as soon as possible to have them explain what will be required and to hear their particular areas of concern so that you can address them early in your design. Security paperwork requires considerable time to fill out, and mistake can result in long delays in accreditation, or even the rejection of your system.

However, it isn't enough to just build a system with the proper hardware and software configuration -- you also have to make sure that the physical environment and users will meet the requirements of the NISPOM. If you don't already have a facility clearance, then you have a significant issue to tackle before you can even build your system. I'm hoping that you are simply building a new computer to add to an existing classified network or house in an existing DoD closed area -- if not, you may find this to be a very daunting task.

Re:You cannot do it most likely

[DaEMoN128]

No network is not a DoD requirement. Not being connected to an unencrypted netowk is. If you have an accredidted Secure Network.... you can network these. It is worth the extra money... trust me. I have been in your shoes. Contract writers like warrenties.

Re:You've already violated protocol...

[maotx]

First of all, soliciting advice on the construction of a computer that meets DoD compliance on Slashdot , of all places, is probably not the brightest of ideas...you might want to keep this from your employers if you are interested in keeping your job.

I don't see a problem with it. Information on how to classify a computer is not classified.

Second, security stickers on their own simply aren't adequate to the task at hand. Remember, you're looking for tamper-proof, not merely tamper-evident.

The stickers are DoD required to prove that the system has not been tampered with. They are not a means of securing the computer.

Drop the Bomb

[Doc+Ruby]

First, get your boss to sign a memo acknowledging that you're not qualified to certify computer systems as "DoD secure". Then, hire a security consultant from an insured firm which does sign a contract saying they are so qualified. Then do your best. Also, don't rely on Slashdotters' advice on how to tell if a system is "DoD secure". We're a bunch of kibbitzers on a huge website full of jokers, posers and saboteurs - indistinguishable from those with a clue.

If you think that advice means you'll get fired, resign. Better now, than after they blame you for the inevitable security breaches. That's probably their plan anyway, in whichever management layer thought that military security is just a buzzword to get an underqualified admin to comply with.

Two methods of doing this:

[toadlife]

First of all you'll need a server equipped with tiny C4 charges embedded in each of the hard drives. This is a handy way of deleting data on your hard drives very quickly. I hear HP can furnish these.

Second, you will need to hire a troupe of security guards to watch over the computer. Equip them with an M16's, and have them work in shifts, escorting users to and from the computers. If you can't afford a humans, several dozen trained monkeys will do the job. Just make sure and keep at least three extra monkeys on hand so you can replace the dead ones. You'll need at least two monkey handlers if you go the monkey route - one to watch over the monkeys and one to fill in when the first one gets shot.

For a bit of extra security, you can purchase an used electric chair from one of the states that have switched to lethal injection and use it as the chair for the workstation. One armed guard can stand holding the red button, ready to fry to operator in case (s)he mishandles any data, or looks at the guards funny, while another guard stands ready to kill the other in case they refuse to press the red button.

If you can't afford or find an electric chair on the retail market, submit an "ask slashdot" article and I'm sure you'll get plenty of tips on how to build one yourself.

Or if you want to save money you could just install the super secure Gentoo Linux operating system and set it to update itself via emerge automatically every hour.

It's your choice.

You won't like to hear this...

[Eil]

As a US Air Force member who handles information and uses computers classified as Secret, I can tell you that there's no physical difference between a Secret machine and an ordinary one. If vendors are telling you that they can build a DoD Secret classified computer, then they are simply blowing smoke up your ass.

DoD classifications are all about policy, paperwork, and regulations. Not fancy computers. Most people, when they hear of DoD classifications and security clearances, are quick to imagine black vans, polygraph tests, and high-tech datacenters protected better than Fort Knox. Honestly, that's all a bunch of nonsense. All of the classified systems that I've used were just ordinary computers from ordinary manufacturers.

In my current workplace, we have a standard Gateway PC with a removable hard disk and a few Panasonic Toughbooks. Nothing special at all. The only visible difference between these and the regular office PCs is that they have red stickers all over them that say "Secret" and the fact that we are not to process Secret data on the unclassified PCs and vice versa. The Gateway machine can only be connected to SIPRNET (google it) and the Toughbooks are never connected to any network. That's it. No crazy combination case locks, no biometric devices, no odd software. They all run Windows for crying out loud.

If it is your job to configure a computer to the equivalent of DoD's Secret classification (I know you don't work for DoD or you'd already have people showing you how), I'd recommend getting whatever kind of computer will fit your needs.

Then start looking at writing mountains of policies. The first thing you have to do is restrict physical access. This can be done by putting the machine in a locked room with no windows. A laptop would be even easier... just get a GSA-approved safe and keep it in there when it's not in use. Obviously, you would never, ever, ever connect it to any network, period. All the data going in and out should be on CDRs or USB keys and should be accountable somehow. Figure out who needs to have access to it and if they can be trusted. Be sure to emphasize that failure to follow proper security procedures is grounds for immediate termination, whether any information was compromised or not. Ensure that whenever the machine is used, there are never less than two people present. Create an emergency checklist of what to do if the building catches fire, for instance.

That's all I can think of off the top of my head, you'll probably be able to envision a lot more with some careful thought. Good luck.

Re:Secure computer

[Eric_Cartman_South_P]

Not if it's an Apple computer! Apple computers are not made, they are birthed from the vagina of a mystical creature who has nice tits.

!?!

Re:Don't ask Slashdot, ask an SSO/SSR/IAM/ISSO/IAS

[syousef]

I love that. Don't go to /. on military security, EMAIL me. He doesn't even KNOW you, so how are you going to become a trusted source.

This guys is a bonehead asking for advice on /. "Dear /., I want to make a secure boxen to do top secret security stuff on. How do I do it?" How about "don't tell the world you're setting up a secure box, and don't take advice from strangers. Talk to the DoD yourself!

And to you. Shame on you for replying on /. Personally if I were you I'd steer well clear so he doesn't take me down with him.

ATTN: Mods, this guy is a dimwit please mod down

[CHESTER+COPPERPOT]

Any of you /.'ers ever study art history? Here is a little lesson about fraud.

In the Art world when a piece of Art has a past where the time record has some glitches in it (Read: unaccountable) it is automatically considered a fraud. When things don't have a timeline, like this guys posting record here and the fact that his myspace profile says he is 19, you gotta know something is up.

Congratulations though /. mods. You just got social engineered.

MOD PARENT UP

[Adam9]

Taken from GP's Myspace profile:

thomas's Blurbs
About me:
if u really want to know just ask
Who I'd like to meet:
i would like to meet peopl from hawaii but i like meeting other people too.

thomas's Details
Status: Single
Here for: Dating, Serious Relationships, Friends
Orientation: Straight
Hometown: wipahu
Zodiac Sign: Capricorn
Smoke / Drink: No / Yes
Children: Someday
Education High school

Sample of data

[Alain+Williams]

Please send me a sample of the data that you are trying to keep secret - this will enable me to best work out how to keep it secure ....