Assured Session I
From AFCEAWiki
Session I: Protecting the Core Networks
Abstract
How do we protect core networks while enabling collaboration with key partners? An industry/government panel reviews the refined architecture coming out of NITT and Initiative 7.
Moderator
- Dr. Dan Wiener, Vice President and Chief Technology Officer, BAE Systems
Panel
- Mr. Bob Gleichauf, VP/CTO Enterprise Services & Security, Cisco
- Col. Barry Hensley, Director AGNOSC
- Maj. David Partridge, JTF-GNO, J35, USA
- Mr. Marcus Sachs, Executive Director of Government Affairs for National Security Policy, Verizon
Col. Hensley:
- What is the core network? "It depends on where you sit."
- How reliant are you on that network?
- What is it worth to keep that network operational?
- DoD's right to hold NGO/industrial partners to the same level as internal requirements.
- Most important piece is the confidence of key partners/end users in the operators'/defenders' ability.
Marcus Sachs:
- Core networks to the communications sector are many things: high-speed internet, satcom, mobile/cellular, etc. (key infrastructures).
- Most communications infrastructure was designed in the 1950s, hardened to survive nuclear attack.
- Need to maintain that mindset for network resiliency.
Maj. Partridge:
- JTF-GNO is 'pushing' IA at the application layer.
- Application layer security needs to work in concert with the network layer.
Bob Gleichauf:
- Difficulty in defining where something starts/ends (network boundaries, controlled segments, server infrastructure, etc.).
- Legacy was threat defense (keep bad things out); now the challenge is keeping good things in. "The former is a PhD problem, the latter is a Nobel Laureate problem."
- "Security is the availability of the transaction."
Interactive Session:
- ~89% of DoD networks run on commercial fiber (lightwave level).
- Not sufficient to have a tech plan if that plan can't be sustained.
- Defining the core is similar to delineating strategic versus tactical.
- User and administrator have different perspectives. To the user, it doesn't matter. To the administrator, security is about predictive operation. Must have visibility.
- Lots of money spent on hardening, while the hacker spends little on finding a penetration.
Question from Audience:
- How do we have a common trust engineering methodology? Who is going to do it, lead it?
- PKI is part of it, but the core of networks assumed no machine trust (IP). Today the network is trusted but humans are not, yet the protocol (IP) is unchanged. Need leadership in strategic thinking. (Marc Sachs)
- No single protocol will address it all. Need to intermix (IPsec, PKI, etc.). Someone needs to package and define it at the data layer, contextually. (Maj. Partridge)
- Trust is dictated by policy. Whose policy?
- The Chinese are going to show us how, if we don't get in front of the problem!!! (Marc Sachs)
- No policy or governance for authorization. Mr. Wennergren issued a memo to address the issue.
- Balkanization of networks. Trust, IP address issuance. Governments want proprietary ciphers; no trust of vendor chipsets. Interoperability nightmare.
- The number of devices that can send "headerless" packets is growing. Need new trust models. 802.1AE (look it up), the new MACsec standard that builds trust into every NIC. Hardware-based trusts.
- What happens once access is granted? Trust but verify?
- Need a mechanism for audit and review of audit logs (that is the verify).
- Will fewer internet connections for the DoD network lower the resource requirements?
- Bandwidth won't change, just fewer pipes for the same/more flow.
- What percent is 'official' traffic? Can't take the Humvee to the store, so why is the network used for 'casual' use? Weed out the noise to assist in protecting what is critical. Will we impose policies on the use of NIPR?
- Mr. Gleichauf asked about using poor performance to demotivate the use of unknown, unnecessary purposes/recreational use (P2P, video, etc.).
- Child's IM buddy list: they grasp the "white list" paradigm.
- Community of interest trusts based on transactional audit. Situation visibility tied to such COI/mesh.
- COTS product trusts.
- Look at equipment: how do you know that the fan/memory, etc. is a genuine Brand X? Assured supply chain.
- Even with contractual compliance mandates, outsourced manufacturing can only allow for so much assurance.
- Markings are good, as they are not permanent and can be revised and/or turned off. Unlike MPLS, which is like paving a road: you are stuck.
- Situational-based audit tools are working better (heuristic-based).
- Web content filtering: no single solution. DISA is looking at it as part of the DMZ project.
