Building Secure Computers?

maotx asks: "Growing into the job of a system administrator, I've been tasked with something I'm not quite prepared for: purchase or build a computer that meets DoD compliance for classified 'Secret' information. Several vendors, including Dell, our primary supplier, offer computers that will work, but being new to the criteria I want to make sure the right computer is purchased. The computer will be used to create secure CAD drawings (SolidWorks, OrCAD, etc.) and must have, from what I can tell, a removable hard drive and security stickers to prevent tampering. What is your experience in setting up a secure computer, and is it better to have a vendor do it, or yourself?"

  • by jayhawk88 ( 160512 ) <jayhawk88@gmail.com> on Wednesday August 24, 2005 @10:34PM (#13394642)
    What is your experience in setting up a secure computer, and is it better to have a vendor do it, or yourself?

    ...but my gut says "vendor", if for no other reason than a little CYA.
  • Secure computer (Score:3, Insightful)

    by AVazquezR ( 906094 ) on Wednesday August 24, 2005 @10:35PM (#13394646)
    Build it yourself. I wouldn't rely on any manufacturer.
  • by josecanuc ( 91 ) * on Wednesday August 24, 2005 @10:37PM (#13394664) Homepage Journal
    "Security stickers" don't prevent tampering, they only indicate possible tampering.
  • by maotx ( 765127 ) <{maotx} {at} {yahoo.com}> on Wednesday August 24, 2005 @10:40PM (#13394687)
    Our facility security officer has a stack of papers that I have been reading over, but it is pretty slim on details when it comes to the specifics. Network is a definite no, floppies and CDs are OK, but what about USB hard drives? Etc.

    The only reason I asked Slashdot was for a jump start. My manager says we need to have something, at least a plan, by next week.
  • by some2 ( 563218 ) on Wednesday August 24, 2005 @10:41PM (#13394698)
    CYA is exactly why you'd want a vendor to do the build. They have E&O insurance to cover their asses if they screwed something up -- you just lose your job. Also much less work & worry for you if someone does tamper with the equipment as they will have already designed a methodology to review the break-in/tampering to determine the amount of data lost. If the company doesn't have that, don't use them.
  • by xenomouse ( 904937 ) on Wednesday August 24, 2005 @10:41PM (#13394699)
    ...I've been tasked with something I'm not quite prepared for...

    ...is it better to have a vendor do it, or yourself?

    If you have to ask the question, I think you already know the answer. I'm sure there are tons of great DIY methods of securing a computer, but if you are new to it (and you are), leave it to someone who has done it before.

    It would be great to get some first-hand, practical experience on the matter when you have a proper guinea pig, but a classified DoD computer is not said guinea pig.
  • BYO (Score:2, Insightful)

    by unixbugs ( 654234 ) on Wednesday August 24, 2005 @10:42PM (#13394706)
    Easy as that. If you don't know enough to lock down a computer from the ground up, having a vendor supply the service is not going to do you any good, because you won't know how it works and you will be at the mercy of Tech Support during a crisis. We have spent years building our own Linux distro with what most might consider overkill in RBAC and other model implementations. When the latest greatest exploits/bugs/worms hit the scene we go right in and rip up the source, and it's fixed on the spot that morning, no questions asked. Try getting that out of a 1-800 service. The bottom line is security, not accountability. If you want to make things happen then make them happen; don't wait for someone else to do it. If the NSA thought Microsoft or any other MSO was a big prospect in the contract we wouldn't have SELinux. I could be wrong about trusting the security of my systems to other people, but I can't afford to take that risk, can I?
  • Re:Secure computer (Score:3, Insightful)

    by Jeff DeMaagd ( 2015 ) on Wednesday August 24, 2005 @10:45PM (#13394720) Homepage Journal
    Build it yourself. I wouldn't rely on any manufacturer.

    It still has to be made of parts, and generally those parts are made by manufacturers...
  • by timmarhy ( 659436 ) on Wednesday August 24, 2005 @10:48PM (#13394748)
    Any employer that is backward-thinking enough to consider asking for advice from the wider community a bad thing, well, I sure wouldn't care to work for them. Next thing you will be suggesting posting to a mailing list should get you fired.
  • by Tackhead ( 54550 ) on Wednesday August 24, 2005 @10:49PM (#13394752)
    > Buildings secure computers? Computers secure building? What?
    >
    > Oh, you meant "building secure computers".

    In Soviet Russia, security clearance loses you!

    Seriously. To the original poster, you are probably asking the wrong audience, and you are definitely risking your clearance by doing so.

    Find the guidelines. Read the guidelines. Learn the guidelines. Think of things you would do in order to circumvent those guidelines.

    And then, even if it's possible to do it yourself, do not do it yourself, but have a vendor do it. When you find a vendor that offers something that neither you, nor your fellow (cleared :) geeks can come up with a decent means of circumventing, you're probably on track to finding the right vendor.

    Security is a process (umm, a process which you've probably broken by bringing this up here :), not a product. Avoid any vendor who appears to be in denial on this point.

    As for you asking this in the wrong place, the only hint I can offer is to read the responses at "0" (or even -1). If there are vendors worth avoiding, some Anonymous Coward will probably be around help (or hinder :) you. Some folks with moderator points may choose to help you, but the people most qualified to help you with mod points may very well choose not to help you, if you catch my drift.

    Good luck. Because if you're asking here, you'll need it. :)

  • Too strong a word. (Score:5, Insightful)

    by Dan East ( 318230 ) on Wednesday August 24, 2005 @10:55PM (#13394797) Journal
    Editor is too strong a word for what is done by Slashdot staff. Person who clicks button to approve story is far more accurate, although lacking a certain panache.

    Dan East
  • by Anonymous Coward on Wednesday August 24, 2005 @11:32PM (#13395020)
    This is a no-brainer. If you are a company it is not worth your time or effort to assemble a bunch of custom-built machines. That's why the overwhelming majority of companies buy pre-built machines. When you toss in the risk that your custom-built equipment doesn't meet guidelines, the choice is obvious.

    When you purchase the pre-built equipment, you are purchasing a service--a service which you most likely could not perform at the same price.

  • Drop the Bomb (Score:5, Insightful)

    by Doc Ruby ( 173196 ) on Wednesday August 24, 2005 @11:35PM (#13395037) Homepage Journal
    First, get your boss to sign a memo acknowledging that you're not qualified to certify computer systems as "DoD secure". Then, hire a security consultant from an insured firm which does sign a contract saying they are so qualified. Then do your best. Also, don't rely on Slashdotters' advice on how to tell if a system is "DoD secure". We're a bunch of kibitzers on a huge website full of jokers, posers and saboteurs, indistinguishable from those with a clue.

    If you think that advice means you'll get fired, resign. Better now, than after they blame you for the inevitable security breaches. That's probably their plan anyway, in whichever management layer thought that military security is just a buzzword to get an underqualified admin to comply with.
  • dod sec (Score:1, Insightful)

    by Anonymous Coward on Wednesday August 24, 2005 @11:48PM (#13395109)
    I have done that before and I suggest getting the PC from Dell because of the warranty.
  • by joedoc ( 441972 ) on Thursday August 25, 2005 @12:10AM (#13395223) Homepage
    You will probably find, after digging through reams of directives, instructions and memos, that there are about a million ways to do this. I work in a military command and hold a top secret (SCI) clearance. At our site, all our classified work is done on ordinary workstations and laptops. Most of the systems are Dells purchased off the shelf, and I've built at least one clone.

    None of those systems have removable drives, though having them is a good idea. It makes securing them easier, something you must do in a government-approved container (i.e., a safe). The space in which the systems are located and used must be secure to the level of classified information (secret, in your case). At our site, this is a windowless room with a large vault-like steel door. The door can be secured with a combination lock and a push-button cypher lock, the latter of which is in use at all times (the combination lock is secured after hours). All classified material (papers, discs, etc.) must be stored when the space is unoccupied.

    The system will probably need to meet DOD C2 requirements, which you'll likely read about. Windows NT was close to C2, and I believe Windows 2000 is as well. The system must have positive authentication for users, appropriate warnings that appear on login, an audit trail, and ways of neutralizing memory and swap space. Windows has a setting that clears the virtual memory/swap file on each reboot.

    As for networking, if you want to network internally within your spaces, you can set up a normal LAN, but outside access will require using a secure network like the SIPRNET. You won't have access to the outside world (i.e., the Internet). Most DOD components contract for SIPR connectivity through DISA.

    As you already know, labeling the CPU is important. You'll also need to label media, and keeping a log of all storage media in use is a pretty good idea to CYA. In fact, some places require it. You might also want to find out about the need for secondary storage off-site. If this is going to be a requirement, you'll need to find a similarly-classified place that you trust to stow your backup materials.

    You will need to follow the DOD rules on destruction of drives and disks no longer in use...you just can't toss old floppies or hard drives onto the 20-year pile in your office. Research the destruction procedures, and learn to store unused material until you can have it destroyed.

    You can buy shredders that will eat CDs and diskettes, but they have to be classified for the security level. Don't use the $29 Office Max shredder on sale for this.

    The real key is getting users to follow the rules. Users, as you know, are the biggest pain in the ass, and you'll always be on top of them to keep the spaces sanitized. Remind them that once they save any classified material to removable storage, that storage is now classified and cannot be used outside of the environment.

    Aren't you glad you have to do this?
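    A checker for the settings joedoc lists, as an added example (not code from the thread or from any DoD tool): it parses an exported Windows security template, the text file that `secedit /export /cfg` writes, and reports which C2-style items are missing: password policy (positive authentication), the pre-login warning banner, audit of logon and policy-change events, pagefile clearing at shutdown, and the USB storage driver being disabled. The INF layout and key names are recalled from the Windows 2000/XP tool and the two sample exports are constructed, so treat both, and the thresholds the checker applies, as assumptions to be replaced by what your System Security Plan actually requires.

```python
# Checker for an exported Windows security template (secedit /export /cfg).
# Added example, not code from the thread. The section and key names and the
# "type,value" encoding of [Registry Values] (1 = REG_SZ, 4 = REG_DWORD,
# 7 = REG_MULTI_SZ) are recalled from Windows 2000/XP and are assumptions,
# as are the thresholds (password length, lockout range) applied below.

# Constructed sample export from a workstation that has not been hardened.
UNHARDENED_INF = r"""[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 0
AuditPolicyChange = 1
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption=1,""
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=7,
MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,0
MACHINE\System\CurrentControlSet\Services\USBSTOR\Start=4,3
"""

# Constructed export of the same machine after the template was corrected.
HARDENED_INF = r"""[System Access]
MinimumPasswordLength = 12
PasswordComplexity = 1
LockoutBadCount = 3
[Event Audit]
AuditLogonEvents = 3
AuditPolicyChange = 3
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption=1,"WARNING"
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=7,US Government system.,Use is monitored and audited.
MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,1
MACHINE\System\CurrentControlSet\Services\USBSTOR\Start=4,4
"""

POLICIES = r"MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System"
MEMMGMT = r"MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management"
USBSTOR = r"MACHINE\System\CurrentControlSet\Services\USBSTOR\Start"

# Audit values: 0 none, 1 success, 2 failure, 3 success and failure.
REQUIRED_AUDIT = {"AuditLogonEvents": 3, "AuditPolicyChange": 3}
# REG_DWORDs that must hold: pagefile wiped at shutdown, USB storage driver disabled (Start=4).
REQUIRED_DWORDS = {MEMMGMT + r"\ClearPageFileAtShutdown": 1, USBSTOR: 4}
# Strings that must be non-empty: the warning shown before login.
REQUIRED_TEXT = [POLICIES + r"\LegalNoticeCaption", POLICIES + r"\LegalNoticeText"]


def parse_template(text):
    """INI-style parse into {section: {key: raw value}}; values stay strings."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def reg_value(registry, path):
    """Decode a 'type,value' registry entry into (type, value); (None, '') if absent."""
    raw = registry.get(path, "")
    if "," not in raw:
        return None, ""
    typ, value = raw.split(",", 1)
    return int(typ), value.strip().strip('"')


def check_template(text):
    """Return the list of findings; an empty list means the template passes."""
    cfg = parse_template(text)
    findings = []
    access = cfg.get("System Access", {})
    if int(access.get("MinimumPasswordLength", 0)) < 8:
        findings.append("MinimumPasswordLength below 8")
    if access.get("PasswordComplexity") != "1":
        findings.append("PasswordComplexity not enforced")
    if not 1 <= int(access.get("LockoutBadCount", 0)) <= 5:
        findings.append("LockoutBadCount not in 1..5 (no lockout, or too lenient)")
    audit = cfg.get("Event Audit", {})
    for key, want in REQUIRED_AUDIT.items():
        if int(audit.get(key, 0)) != want:
            findings.append(f"{key} is {audit.get(key, 'unset')}, need {want} (success and failure)")
    registry = cfg.get("Registry Values", {})
    for path, want in REQUIRED_DWORDS.items():
        name = path.rsplit("\\", 1)[-1]
        typ, value = reg_value(registry, path)
        if typ != 4 or value != str(want):
            findings.append(f"{name} is {value or 'unset'}, need DWORD {want}")
    for path in REQUIRED_TEXT:
        name = path.rsplit("\\", 1)[-1]
        typ, value = reg_value(registry, path)
        if typ not in (1, 7) or not value:
            findings.append(f"{name}: login warning banner is empty")
    return findings


if __name__ == "__main__":
    for label, inf in (("unhardened", UNHARDENED_INF), ("hardened", HARDENED_INF)):
        problems = check_template(inf)
        print(f"{label}: {len(problems)} finding(s)")
        for problem in problems:
            print("  -", problem)
```

    Run it against a real export (`secedit /export /cfg C:\ws.inf`, then `check_template(open("ws.inf").read())`) after the template has been applied, not before: the point is to verify what the box actually enforces, which is what the auditor will ask for.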
  • by syousef ( 465911 ) on Thursday August 25, 2005 @12:26AM (#13395281) Journal
    I love that. Don't go to /. on military security, EMAIL me. He doesn't even KNOW you, so how are you going to become a trusted source.

    This guy is a bonehead asking for advice on /. "Dear /., I want to make a secure boxen to do top secret security stuff on. How do I do it?" How about "Don't tell the world you're setting up a secure box, and don't take advice from strangers. Talk to the DoD yourself!"

    And to you. Shame on you for replying on /. Personally if I were you I'd steer well clear so he doesn't take me down with him.
  • Re:Not from dell (Score:3, Insightful)

    by itwerx ( 165526 ) on Thursday August 25, 2005 @12:36AM (#13395326) Homepage
    For the curious, here's the log of a chat with their support during the keyboard saga.
    (A few things have been slightly edited to either protect my client's identity and/or get past the /. lameness filter, otherwise it's verbatim).

    Keep in mind the following takes place over an hour after the initial call was placed and I've already been hung up on twice, once by the automated system and once during a transfer between operator and tech.


    The session has been accepted.

    NAZIM_KHAN 12:51:24 PM Thank you for contacting Dell Technical Chat Support for Notebooks. My name is Nazim Khan, May I have the initial shipping address and phone number so that I can pull up your account details ?

    NAZIM_KHAN 12:52:10 PM Please let me know if you are receiving my message?
    Not to rush you, are you still with me?

    12:52:16 PM Name: E* S*
    Contact Address:
    Some Street
    Small Town, NY 12345-
    Phone: 123-456-7890

    12:52:52 PM Name and address is for client who will be there until Monday. Can somebody get to her before then?

    NAZIM_KHAN 12:53:56 PM I am afraid that we cannot proceed further without the initial verification, as the information you have given does not match with the records. Please provide with the telephone number and the address, as mentioned in the invoice (which you have used at the time of purchase).

    12:54:54 PM Ah, sorry!
    Address should be:
    PO Box 123, Small Town, CA

    Phone number I have no idea - that's her cell number.
    I had initially given the current location of the client, who was travelling at the time

    NAZIM_KHAN 12:55:38 PM E*, may be you have entered the wrong Service Tag, you have entered as AA0AA00

    12:56:58 PM My name is actually M*. I provide IT services for them. E* gave me that as the tag over the phone and her laptop is indeed a 6000 series Inspiron. Additionally the purchase date is about when she got it, so I am fairly sure that's the correct tag...

    12:57:53 PM Are we still connected?

    NAZIM_KHAN 12:57:54 PM I understand your concern, This information is required for the security and privacy of your account. As the information given by you doesn't match with our records, I am unable to pull-out your account details. Hence, We can't proceed further with the chat. I would suggest you to contact Dell Customer Care at 800-624-9897, to get the system information.

    NAZIM_KHAN 12:58:07 PM And feel free to contact us back, we would be more than happy to assist you. We assure you our best support all the time.

    12:58:25 PM I've tried to call them twice and keep getting hung up on!

    NAZIM_KHAN 12:59:51 PM I will suggest you to contact Dell Customer Care at 800-624-9897 and get the exact details and connect us back ,

    1:01:13 PM Please read what I just typed.

    NAZIM_KHAN 1:03:01 PM I have read it and had suggested you to do some thing ( to contact customer care ) , As the information given by you doesn't match with our records, I am unable to pull-out your account details. Hence, As This information is required for the security and privacy of your account.

    1:03:48 PM How about if you guys call her?

    NAZIM_KHAN 1:04:45 PM For that I will give you the number its 800-624-9896

    1:05:43 PM Promise they won't hang up? This is getting VERY frustrating!

    NAZIM_KHAN 1:06:10 PM I understand your concern Believe me things will be fine, We are always here to help our valuable customer and make them happy .

    1:09:57 PM And this !@# automated system doesn't help!!
    I was back on the phone at this point and not terribly happy that the second number he gave me appeared to lead to the same automated system

    NAZIM_KHAN 1:10:17 PM Feel free to contact us back, we would be more than happy to assist you. We assure you our best support all the time.

    1:10:26 PM (I'm trying to get through it right now, what does it take to get a live person?!?!?!?!)
  • by InvalidError ( 771317 ) on Thursday August 25, 2005 @12:42AM (#13395351)
    There is a simple fix for CDROM&all lock-out: lock the computers away in a secure room and use a KVM extender. With no physical access, there are far fewer things to worry about and makes centralized control of data transfers that much more convenient.
  • by CyberSp00k ( 137333 ) on Thursday August 25, 2005 @12:49AM (#13395384)
    Rubbish. Those are useful tips for securing the public computers in the local public library, not for building a system for use in a classified processing environment.

    Classified processing is more than just securing a box against the latest IE sploit. It's processes, policies, procedures, training, and a particular mindset, not the too-casually tossed-about 'paranoia'.

    Google NISPOM and do some reading.
  • RTFI (Score:2, Insightful)

    by tengu1sd ( 797240 ) on Thursday August 25, 2005 @01:40AM (#13395553)
    Find The Instruction

    For a DoD standard there is a governing instruction. It may reference other instructions. You need to have a copy of that and read. Read it again. Then take time to study it before you read it.

    Your contracting officer can point you in the right direction and provide access to The Instruction

    Once you have an idea of what your requirements are, draft a Project Plan, Statement of Work, Compliance Notice, whatever you call it, it details how your group will meet the standards specified in The Instruction. Get internal input and review.

    Now that you have something on paper, talk to your manager and have the contracting officer or security authority review your plan. They will tell you you're unsafe to entrust classified material to. Then they will produce a checklist of potential violations you must clear. This is their job and what they live for; don't annoy these people, you want their input. Review this list and clear it.

    You now have a plan which will satisfy The Instruction.

  • by BravoVictor ( 670890 ) on Thursday August 25, 2005 @01:59AM (#13395600) Journal
    Yeah, Secret level really doesn't require any special hardware at all; we just use standard Dell workstations. The whole bit about the removable HDDs is that you can store the data in a safe if you're not in a SCIF, and quickly pull it out and hit it with a sledge in the case of an attack.

    Make sure to look into EMSEC (emissions security) for power, and if you need networking, go with fibre. To transfer data, floppy disks are best because when you are done, you pull out the "floppy" part and throw it through a GSA-approved Secret shredder.

    SIPRNET (Secret-level Internet Protocol Network) style would probably be overkill for y'all, but I don't know what I can say regarding it.

    Just think of Secret data as a virus (bio or tech) just don't do anything that could let it out of that machine or network.

    Well, I don't want to say too much, so ganbatte.
  • by Anonymous Coward on Thursday August 25, 2005 @02:12AM (#13395626)
    ...seen anything like this. This is one question that I would never ask on /. There are many smart people who comment on here from time to time, but I would ask for assistance from some other military command if you don't have the knowledge available at your current workplace. Also, some other guy posted on here about using normal computers; this could be true. I have always seen computers purchased from normal vendors, even the ones connected to SIPR and NIPR networks, and I'm no expert on this, but it IS all about policy.

  • by harmless_mammal ( 543804 ) <jrzagar@ya h o o . com> on Thursday August 25, 2005 @02:20AM (#13395648)
    As a practicing Information System Security Officer myself, there's two things you need to complete before you install anything:

    Step 0:

    You must get the proper briefings from your site's Information Systems Security Manager.

    At a minimum, you will need to get a Software Validation briefing and possibly an ISSO briefing.

    If you haven't completed an SV briefing, then you are not authorized to install ANY operating system on classified hardware.

    You will need the ISSO briefing if you are responsible for creating user accounts or are responsible for maintaining the audit records for the system.

    Step 1:

    You must have a System Security Plan (SSP). This document tells you how your system must be configured, both in terms of physical security and system/network security.

    Your SSP, and any systems created under it, need an Interim Approval To Operate (IATO) from the Defense Security Service before you can begin processing classified information.

    If you have an existing (approved!) SSP, and your ISSM is authorized to self-certify the OS you are using, then things can happen relatively quickly.

    If you do NOT have a pre-existing (approved!) SSP for this new system, then you could be looking at months before your new system is cleared for classified processing.

  • by RaymondRuptime ( 596393 ) <raymond @ r u p t i m e .com> on Thursday August 25, 2005 @02:34AM (#13395685) Homepage
    What you failed to mention in your plea for help is what the location of the system will be, and to what it will be connected. Other posters with similar experience to mine have said that they didn't use anything special... but that they were on a military base, etc.

    The certification process is all about controlling access to the data and verifying that access was controlled (and knowing who to arrest if it wasn't). People in a well-secured site that may only be accessed by persons with the same or higher clearance as the classification of the data being processed can just about get by with a sticker and be done: the facility is handling all of the physical and electronic access control, the unit will never be allowed to leave its room, and so the work is easy. If you are building this for an office where somebody just needs to "do some classified stuff", you have all that other stuff to handle.

    In that situation, for example, you need removable hard drives, which will indeed be removed (all of them) between uses, and stored in a container like a safe that is certified for that kind of storage. You may need to make sure that there is no way to write data to a medium other than the hard disk or approved local printer, so you may need to remove or permanently disable the floppy drive, CD burner, and so on. And the machine cannot be on your LAN while it is being used for classified work. Even so, you'll need to pay attention to the selection of OS, turn on all of the auditing features. There will be a lot of process and procedures, check-lists that will need to be followed for each use.

    Where you get your hardware is the least of your worries. Buy whatever you want that meets spec, and then expect to do substantial mods to the h/w, OS, etc. If the vendor is willing to remove stuff and do OS mods for you, less work for you.

    Good luck. I've heard of groups taking over a year to get a machine certified for processing on their first time out.
  • Qualifications (Score:1, Insightful)

    by Anonymous Coward on Thursday August 25, 2005 @04:18AM (#13395906)
    Since you had to post this question on /., it says a lot about your qualifications to perform such a task. But since I'm partially sympathetic to your cause I'll give you a clue or two.
    First of all, it depends on your budget. That will be your first constraint in designing and acquiring a system. If there is a large enough budget, go with a DoD contracting company that does it for a living. If not, go ahead and give a whirl at building your own.
    Second, technical expertise. If you are not very technical (since you mentioned that you've been pushed towards being an administrator - probably because you know what an OS is), then you should highly consider a DoD contracting company that will provide technical assistance to you with the system. Take into consideration operational needs (24x7, etc).
    Third, since you probably belong to a contracting company to a DoD agency, contact them for assistance. Their security personnel will give you guidance since you will be processing classified information related to them.
    Fourth, take some IT classes and get your company to pay for them. It can only help you out since you have been "growing into the job of a system administrator". Consider getting a degree.
    Fifth, don't be a moron and tell the whole world how inept you are at your job and maybe get fired because someone from your company or your corresponding DoD agency reads your post and figures out who you are.
    Sixth, don't tell everyone in the world that you are building a classified network (especially the level of classification - definitely not what anyone else outside of your company needs to know) when what you really want to know is pros and cons of using a system vendor versus building your own and giving away unclassified but sensitive information that an opponent of the U.S. can use against you.

    Hope that helps you out.
  • by Damingo ( 803966 ) <hexpassed@mor e ... v i c a r.co.uk> on Thursday August 25, 2005 @04:39AM (#13395944) Homepage
    Yes but there is more.

    Let a brit teach you yanks how to make a secure WS.
    OK, dropping the gump, I work for the British MoD and my job is exactly yours, apart from I oversee (and do) the making of all WS (Work Stations) within the Defence Procurement Agency of the MoD.

    When I started making WS for the DPA they were a little less secure than the ones that Eil is suggesting. However I soon made one improvement, the introduction of a "Magic Card", a device which returns the HDD (boot sector, FAT (and no, I don't mean NTFS, as I'm talking about the actual file system), etc.) to a predefined image each time the WS reboots. A reboot is demanded by the system each time a user logs off. This ensures that when an idiot user saves data to the HDD it is deleted. This also ensures that any temp files (intranet or otherwise) are deleted.

    Otherwise we use a basic Nakard-Dell (Packard) machine, no outside LAN, but access to the Defence Secured EVA System. Data is imported on a removable drive via a second machine, which need not be classified (it is, as the AV software is, but that doesn't matter). The second machine simply boots to CD and runs a full virus sweep of the removable drive, then shuts down. It has no HDD of its own, so cannot actually access the classified data. When not in use this removable HDD is kept in a SecNoFoN safe (Secret No Foreign Nationals). Oh, and to ensure a VScan has been run, the second machine sets a flag at the end of the storage drive; when the main PC boots it checks for this flag, and if it is not present it demands a VScan and shuts down (if it is present it is deleted, and the machine boots).

    As for entry into the room, it is controlled by an RFID card (swipe will serve for you), which all members of the base hold (their ID cards), and only the authorised RFID cards are granted entry to the room. The room contains a shredder and nothing more.

    I hope that this has been of some use!

    Damingo C

    p.s. The machines run a modded version of Win 2k (I have the source, woot woot).
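    The scan-flag handshake Damingo describes, as an added Python example that is not the MoD's code: a diskless scan station stamps the removable drive after a clean sweep, and the classified workstation consumes the stamp before it will boot, so the drive has to be re-scanned before its next import. It goes one step beyond the post, where the flag is a bare presence check: here the stamp is an HMAC over a digest of the drive's contents, so a stamp copied from another drive, or a drive altered after it was scanned, is rejected as well as a missing one. The sector layout, the shared key, the EICAR-based toy scanner and the file-backed "drive" are all assumptions made for the example.

```python
# Scan-station flag handshake for a removable drive. Added example, modelled on
# the two-machine arrangement in the post; everything here (sector layout, shared
# key, toy scanner, file-backed drive image) is an assumption, not MoD code.
import hashlib
import hmac
import os
import struct
import tempfile
import time

SECTOR = 512
MAGIC = b"SCANOK01"          # record type marker in the drive's last sector
# EICAR test string stands in for "something the AV sweep would flag".
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def make_image(payload, sectors=64):
    """Constructed removable-drive image: payload at offset 0, all-zero tail sector."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as fh:
        fh.write(payload.ljust(sectors * SECTOR, b"\0"))
    return path


def _data_digest(fh, size):
    """SHA-256 over everything except the last sector, which holds the flag."""
    fh.seek(0)
    h = hashlib.sha256()
    remaining = size - SECTOR
    while remaining > 0:
        chunk = fh.read(min(65536, remaining))
        if not chunk:
            break
        h.update(chunk)
        remaining -= len(chunk)
    return h.digest()


def write_scan_flag(path, key):
    """Scan station: stamp the drive. Record = MAGIC | time | digest | HMAC(key, body)."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        body = MAGIC + struct.pack(">Q", int(time.time())) + _data_digest(fh, size)
        tag = hmac.new(key, body, hashlib.sha256).digest()
        fh.seek(size - SECTOR)
        fh.write((body + tag).ljust(SECTOR, b"\0"))


def consume_scan_flag(path, key):
    """Workstation boot check: True only if a valid, current stamp is present.
    The flag sector is zeroed either way, so a drive is never trusted twice."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        fh.seek(size - SECTOR)
        record = fh.read(SECTOR)
        body, tag = record[:48], record[48:80]
        expected = hmac.new(key, body, hashlib.sha256).digest()
        ok = (body[:8] == MAGIC
              and hmac.compare_digest(expected, tag)                 # stamp is genuine
              and hmac.compare_digest(body[16:48], _data_digest(fh, size)))  # contents unchanged
        fh.seek(size - SECTOR)
        fh.write(b"\0" * SECTOR)
    return ok


def toy_scanner(path):
    """Stand-in for the AV sweep: 'clean' unless the EICAR string is on the drive."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        return EICAR not in fh.read(size - SECTOR)


def scan_station(path, key, scanner=toy_scanner):
    """Diskless scan box: sweep the drive and stamp it only on a clean result."""
    if not scanner(path):
        return False
    write_scan_flag(path, key)
    return True


if __name__ == "__main__":
    key = b"shared-secret-provisioned-out-of-band"   # assumption: held by both machines
    drive = make_image(b"CAD drawing export, constructed sample")
    print("scan clean:  ", scan_station(drive, key))        # True
    print("boot allowed:", consume_scan_flag(drive, key))   # True
    print("boot again:  ", consume_scan_flag(drive, key))   # False: flag was consumed
    os.remove(drive)
```

    The check that the contents digest still matches is what turns "a flag is present" into "this exact drive image was scanned and nothing has been written since"; without it, anyone able to write the last sector (or to copy it from a stamped drive) could skip the sweep.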
  • by Anonymous Coward on Thursday August 25, 2005 @09:58AM (#13396974)
    WTF are you talking about? He was dead right about OPSEC. You wouldn't believe how much information I've gathered from this thread. Follow the links to peoples' websites, read their previous posts... Easy to find out where a lot of these people work. And they're posting their fucking security procedures! Now I know some of the security procedures for quite a few different companies, can narrow down the others to a few different companies.

    Hell, just the fact that his particular company just got a contract on a project like this tells me a lot. It can definitely tie into OPSEC, but basically it's a blatant security violation at the least. Not that I'm complaining, I'm eating this up.

    You have to love that engineers (techies, geeks, nerds, etc.), who just love to share information about their implementation of technology, are simultaneously one's biggest adversary and one's easiest source of information for defeating them.

    The original poster skirted an OPSEC violation, depending on how much information I can get about identifying his company or the kind of work they do, but the comments combined built quite an interesting picture.

    Anyways, back to work. Just wanted to let you know.
  • by Jim_Maryland ( 718224 ) on Thursday August 25, 2005 @12:44PM (#13398546)
    First off, do you have a secure facility that you will work in? If so, you likely have security staff who have the specific requirements for your site. Make sure to speak with those who handle the AIS systems rather than physical security and personnel security. As for asking on /., could you really rely on the information obtained here? Even if it is correct, you have to treat any information based on the source, and trusting a post without knowing the source is unreliable. If you find that the DoD person you are in contact with does not have the answer, ask to speak with someone who does.

    I'm asking /. the pros and cons of vendors vs. building it yourself. I'm asking /. what unexpected challenges they may have come across in setting up the machine.

    Standardized equipment has become pretty commonplace for secure deployments. Essentially your customer security representative should provide requirements for securing AIS systems, as these differ from customer to customer and project to project. Generally though, this involves disabling some physical devices (external drives and ports), disabling/securing services, detailed logging, etc. Certainly if you are required to secure the hard disk, I'd recommend an enclosure that allows easy access for that, but you may not find that option in standard equipment. This may not be the case in all environments, especially if operated 24/7, but each customer may have their own requirements that you'll have to follow.

    I guess the overall message is that you really need to work with your customer rather than any public forum for the general information. My thought on the specific question for vendor vs. custom systems is that approval will likely be easier for a vendor built system but certainly a custom system can be approved for use, you may just have more security work on your hands.
