End-Point Security Spreads Throughout Military

April 15, 2009
by Mike Gawlas

The U.S. Defense Department’s networks now are safer and more secure as the result of an upgrade that Defense Information Systems Agency (DISA) officials say promises superb end-point security. The department’s client-server Host-Based Security System (HBSS) attaches a management agent to each host—server, desktop or laptop—for end-point security across its enterprise. Local administrators manage the system, which is configured to block known bad traffic using an intrusion prevention approach and a host-level firewall.

The HBSS provides a framework that enables Defense Department components to integrate existing security products and eliminate redundant management processes. The system’s functions and capabilities comprise a centrally managed, host-based, enclave-level Tier 3 information assurance/computer network defense tool that includes an intrusion detection system. In addition, the HBSS features a robust white-list capability that allows use or execution of only authorized software and hardware, including peer-to-peer software, applications, USB devices and thumb drives. Other attributes of the system include automated support for information operations condition (INFOCON) baselining, robust buffer overflow protection and rogue system detection, that is, the ability to detect and report unauthorized computer systems on the network.
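As an added illustration, not HBSS or McAfee ePO code (which this article does not show), the following Python sketches the policy model the paragraph above describes: software and USB allow lists, plus rogue-host reporting against an asset inventory. All hashes, device IDs, MAC addresses and host records are constructed sample values.

```python
"""Allow-list enforcement and rogue-host reporting, in the style of the HBSS
capabilities described in the article. Illustrative code with constructed
data; it is not the HBSS/ePO implementation."""
import hashlib
from dataclasses import dataclass


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed allow lists. In practice the software list holds hashes of the
# approved builds, the USB list holds approved (vendor, product) ID pairs, and
# the inventory holds the hardware addresses of known enclave assets.
APPROVED_BINARIES = {"mail_client.exe": sha256(b"approved build 1.2")}
APPROVED_USB = {("0781", "5567")}
ASSET_INVENTORY = {"00:11:22:33:44:55", "00:11:22:33:44:66"}

# Constructed ARP/DHCP-style observations from a network sweep.
SAMPLE_HOSTS = [
    {"ip": "10.0.0.5", "mac": "00:11:22:33:44:55"},
    {"ip": "10.0.0.9", "mac": "AA:BB:CC:DD:EE:FF"},
]


@dataclass
class Verdict:
    allowed: bool
    reason: str


def check_execution(name: str, content: bytes) -> Verdict:
    """Allow a program only if its name is listed AND its hash matches."""
    expected = APPROVED_BINARIES.get(name)
    if expected is None:
        return Verdict(False, f"{name}: not on software allow list")
    if sha256(content) != expected:
        return Verdict(False, f"{name}: hash mismatch (modified or unapproved build)")
    return Verdict(True, f"{name}: approved build")


def check_usb(vendor_id: str, product_id: str) -> Verdict:
    """Allow a removable device only if its ID pair is on the hardware list."""
    if (vendor_id.lower(), product_id.lower()) in APPROVED_USB:
        return Verdict(True, f"usb {vendor_id}:{product_id}: approved device")
    return Verdict(False, f"usb {vendor_id}:{product_id}: blocked, not authorized")


def find_rogue_hosts(observed: list[dict]) -> list[str]:
    """Report MACs seen on the network that are absent from the inventory."""
    return sorted({r["mac"].lower() for r in observed
                   if r["mac"].lower() not in ASSET_INVENTORY})


if __name__ == "__main__":
    print(check_execution("mail_client.exe", b"approved build 1.2"))
    print(check_usb("dead", "beef"))
    print("rogue hosts:", find_rogue_hosts(SAMPLE_HOSTS))
```

The deny-by-default shape is the point: anything not explicitly listed is refused or reported, rather than only known-bad items being blocked.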

Development of the HBSS can be traced to 2003 with the formation and chartering of the Defense Department’s Enterprise-wide Information Assurance and Computer Network Defense Solutions Steering Group (ESSG). The purpose and mission of the group are to integrate, synchronize and rapidly field enterprisewide computer network defense solutions to support operational requirements. The ESSG is co-chaired by the U.S. Strategic Command (STRATCOM) and the Joint Task Force–Global Network Operations (JTF-GNO). Subordinate to STRATCOM, the JTF-GNO is responsible for conducting operations and defending the Defense Department’s Global Information Grid.

Because the ESSG highlighted comprehensive host-based security as a priority for the department, the group began gathering detailed requirements in the summer of 2005. In March 2006, the department awarded a contract to BAE Systems plc and McAfee Incorporated for an automated host-based security system solution. The goal was to provide network administrators and security personnel with mechanisms to prevent, detect, track, report and remediate malicious computer-related activities and incidents across all Defense Department networks and information systems. Piloting began at 22 sites a few months later, followed by testing, certification, accreditation and source code reviews. Separate contracts were put into place to acquire additional capability modules.

The deployment and installation of the HBSS became mandatory across the nonsecure Internet protocol router network (NIPRNET) in October 2007 through a JTF-GNO communications tasking order. This order required all Tier-3 enclave-level NIPRNET networks to have the HBSS installed by June 2008.

In February 2009, the JTF-GNO issued an additional order requiring immediate acceleration of HBSS deployment and installation on the secret Internet protocol router network (SIPRNET). DISA, working in concert with Defense Department agencies, the military services and the combatant commands, identified the required resources to meet implementation goals for the aggressive timeline. Agency planning also factored in additional teams to perform worldwide installations and in-person training classes as well as to create virtual training for system administrators.

The pilot phase of the HBSS life cycle captured valuable lessons, including that HBSS installation and deployment success most often occurred in organizations with strong network defense workflow processes, a full understanding of the local network infrastructure, and strong and enduring leadership support. As a result of the work, leaders and operators at all levels who are responsible for defending their portion of the network are becoming more aware that admitting one malicious information packet into the network can cause mission-impacting damage, DISA officials relate. Educating network users and deploying HBSS end-point security capabilities can mitigate the probability of a user’s activities endangering the network environment or putting other Defense Department networks at risk, they agree.

The HBSS is just a single tool in the Defense Department’s information assurance and computer network defense portfolio and is not a network security silver bullet, DISA officials emphasize. Multiple practices and toolsets achieve the required layers of defense. Leaders and resource managers should understand that the HBSS is not an autonomous system and requires dedicated, trained and conscientious administrators. However, once HBSS hardware and software are properly installed in a network enclave, configuration management becomes relatively straightforward, they state. As new modules become available, they can be added seamlessly to complement existing network and information system defense capabilities.

Additional information about the HBSS is available through DISA’s Information Assurance/NetOps Program Executive Office and at the Information Assurance Support Environment Web site as well as through the Defense Knowledge Online portal.


Mike Gawlas provides program support and information assurance/computer network defense subject matter expertise to the ESSG and JTF-GNO, part of a team from DELTA Resources Incorporated and Scitor Corporation. After graduating from the U.S. Naval Academy, he spent 10 years on active duty in the Navy, flying the S-3B Viking and working as an information assurance and information operations professional at the JTF-GNO. He serves as an officer in the Naval Reserve.