Academic Freedom vs Network Security
Rich Mock, USAFA CIO, HQ U.S. Air Force Academy, 8 Apr 2008
Page 1:

HQ U.S. Air Force Academy
Integrity - Service - Excellence

Rich Mock
USAFA CIO
8 Apr 2008

Academic Freedom vs
Network Security

Page 2:

or…

Can You Have Too Much Security?

Page 3:

Overview

AF Mission – Air Force Base
USAF Academy Mission
IT Environments
Conflict
Solutions
USAF vs Academy Approach
Issues
Examples
Conclusion

Page 4:

Air Force Mission

Deliver sovereign options for the defense of the United States of America and its global interests -- to fly and fight in Air, Space, and Cyberspace. 

Vision: Global Vigilance, Reach and Power.

Page 5:

Fairchild AFB, Washington

Air Mobility Command
92nd Air Refueling Wing (35 KC-135s)
Operations Group
Maintenance Group
Medical Group
Mission Support Group
Civil Engineer Squadron
Communications Squadron

On-base education: Park University, SIUC, Webster

Page 6:

USAF Academy Mission

To educate, train and inspire young men and women to become officers of character motivated to lead the United States Air Force in service to the nation.

Academics (4 year university)
Athletics (NCAA Div I)
Military (active duty USAF)

Page 7:

USAFA Organizations

President – Superintendent
Provost – Vice Superintendent
Student Body – Cadet Wing (4400)
Commandant of Cadets – military training
Dean of Faculty
Athletic Department
Prep School
Research Centers
Support Organizations
Medical + Hospital
Flying Training

Page 8:

AF Base IT Environment

Locked down desktop computers
Boundary protection: firewalls, proxy servers, anti-virus
Software patches & scans
Policies & procedures
System Certification & Accreditation
Authentication (CAC and strong password)
No entertainment (work environment only)
Network control: Base, Intermediate, AF

Page 9:

USAF Academy IT Environment

Students issued desktop PCs (1986)
High speed network installed in all academic buildings & dorms (1993)
Cadet notebooks (2001)
Wireless network (2002)
Tablet computers (2006)
No commercial ISP for cadets

Page 10:

Natural “Enemies”

Cops vs Robbers
Cobra vs Mongoose
Security vs Academics

Security              Academics
Stability             Innovation
Few changes           Experimental
Less access           More exchange of information
Proven solutions      Research new ideas

Page 11:

The Problem

MIL network has become too restrictive
Cadet computers are a security risk
Faculty – restrictions prevent doing their job
Long software approval process
No access for cadets away from USAFA
DOD blocks ‘bad actor’ countries
Poor access for international researchers and cadets
AF prohibits commercial e-mail and IM
Cadets use computers for non-duty activities
Integrated NOSC removed local control

Page 12:

Specific Examples

“Green Banner”
Strong passwords
Blocking unused ports
Patches
Wireless security
Proxy filter too restrictive
Long software approval process
No default HTML view in email
Standard Desktop Configuration (SDC)

Page 13:

AF.EDU

Air Education and Training Command
Establish and maintain one “af.edu” domain … without exposing the af.mil network to security risks.

Members are students and faculty at the United States Air Force Academy, the Air Force Institute of Technology, and the Air University system.

Page 14:

AF.EDU Solution

The collaboration infrastructure:
MS Office SharePoint Server 2007 Enterprise
MS Live Communications Server
MS Exchange 2007
20 TB 36 TB storage
Primary data location is in San Antonio, Texas
Backup data location is in Missouri
Multiple redundant backups

Page 15:

USAFA Approach

Use DREN as service provider for EDU
Request policy relief:
SDC exception
Software approval process
DREN firewall exceptions
Collaborative tools
Separate EDU (DREN) & MIL (NIPRnet)

Page 16:

Before (1992-2006)

[Network diagram: one network, USAFAnet, serving Faculty, Athletics, Cadets, Medical, Staff and Finance from a single shared Admin, Exchange, Domain Controller and File Server infrastructure; USAFAnet has uplinks to both DREN (Internet) and NIPRnet (.mil)]

Page 17:

During (2006-2007)

[Network diagram: the same user groups (Faculty, Athletics, Cadets, Medical, Staff, Finance) and the shared Admin, Exchange, Domain Controller and File Server infrastructure still on USAFAnet, with uplinks to both DREN (Internet) and NIPRnet (.mil), while the split is under way]

Page 18:

After (July 2007)

[Network diagram: two separate networks. USAFA.EDU, with its own Exchange, File Servers and Domain Controllers, connects to DREN (Internet); USAFA.MIL, with Admin, Exchange, File Servers and Domain Controllers, connects to NIPRnet (.mil). User groups shown: Faculty, Athletics, Cadets, Medical, Staff, Finance]

Page 19:

The Good, Bad & Ugly

EDU is physically separate! (24 Jul 07)
AF is more secure
Teamwork -- One Team, One Fight!
Migration took 30+ minutes per user x 6000 users
Still many problems: Global Address List…
Kiosks as interim solution
AF Transformation reducing manning
External DoD changes

Page 20:

Password Progression

Username only
Simple passwords – user created
Weak password rules – e.g. 8 characters
Expiration times – e.g. 60 – 180 days
Computer generated
Strong passwords with symbol combinations
Time and place restrictions
Biometric or Smartcard
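The progression above runs from no password rule at all to strong, expiring passwords. As an added illustration (not from the briefing and not USAFA's actual rules), the following Python checker encodes several of those stages as policies and evaluates a password, and its age, against each one, along with a rough brute-force search-space estimate that shows why each stage tightened. The policy thresholds, the 32-symbol alphabet and the sample passwords are assumptions.

```python
import math
import string
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PasswordPolicy:
    """One stage of the progression: length, character-class mix and expiration."""
    name: str
    min_length: int
    min_classes: int             # of the four classes: lower, upper, digit, symbol
    max_age_days: Optional[int]  # None means the password never expires


# Assumed thresholds standing in for the slide's stages (not USAFA's actual rules).
WEAK_USER_CREATED = PasswordPolicy("simple user-created password", 1, 1, None)
EIGHT_CHAR_RULE = PasswordPolicy("weak rule: 8 characters", 8, 1, None)
EXPIRING = PasswordPolicy("8 characters, expires every 90 days", 8, 2, 90)
STRONG = PasswordPolicy("strong: 15 chars, all four classes, 60-day expiry", 15, 4, 60)

PROGRESSION = [WEAK_USER_CREATED, EIGHT_CHAR_RULE, EXPIRING, STRONG]


def char_classes(password: str) -> set:
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def search_space_bits(password: str) -> float:
    """Upper bound on brute-force effort: log2(alphabet ** length), where the
    alphabet is the union of the classes actually used (32 printable symbols assumed)."""
    if not password:
        return 0.0
    sizes = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}
    alphabet = sum(sizes[c] for c in char_classes(password))
    return len(password) * math.log2(alphabet)


def check_password(password: str, policy: PasswordPolicy,
                   last_set: Optional[date] = None,
                   today: Optional[date] = None) -> Tuple[bool, List[str]]:
    """Evaluate a password (and optionally its age) against one policy.
    Returns (compliant, reasons); reasons lists every rule that failed."""
    reasons = []
    if len(password) < policy.min_length:
        reasons.append(f"shorter than {policy.min_length} characters")
    if len(char_classes(password)) < policy.min_classes:
        reasons.append(f"fewer than {policy.min_classes} character classes")
    if policy.max_age_days is not None and last_set is not None:
        today = today or date.today()
        if (today - last_set).days > policy.max_age_days:
            reasons.append(f"older than {policy.max_age_days} days")
    return (not reasons, reasons)


def walk_progression(password: str, last_set: date, today: date) -> dict:
    """Show where along the progression a given password stops being acceptable."""
    return {p.name: check_password(password, p, last_set, today)[0] for p in PROGRESSION}


if __name__ == "__main__":
    briefing_day = date(2008, 4, 8)  # date of the briefing, used as 'now'
    for pw in ("falcon", "falcon08", "C0rrect-H0rse-Battery!"):  # constructed samples
        print(f"{pw!r}: ~{search_space_bits(pw):.0f} bits, "
              f"{walk_progression(pw, date(2008, 1, 1), briefing_day)}")
```

The age check is what turns a one-time rule into an ongoing one: a password that satisfied the 8-character rule in January fails the expiring policy by April even though its characters never changed.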

Page 21:

Smart Card Implementation

AF Common Access Cards (CAC) – PKI
Expense of cards ($ and manpower)
Certificate Authority
Implementation problems:
Bad cards
Bad card readers
Middleware
Locked accounts
Lost cards

Page 22:

Software Approval

Defense Information Assurance Certification & Accreditation Program (DIACAP)
Designated Accreditation Authority
Certification Authority
Information Assurance Manager
Information System Owner
4-6 months

Page 23:

Collaborative Tools

AF prohibition:
Instant Messaging
VoIP (Skype)
Desktop video-conferencing
Blogs and chats

DoD solution:
IBM Sametime
Adobe Connect

Page 24:

Internet Blocking

MIL & EDU both block: Porn, Gambling, Hate Crimes, Criminal Skills

MIL blocks, but EDU allows: Chat, Games, Lifestyle, Mature, Medical, MP3, IM, Facebook, YouTube

Problem areas: Anonymizer, P2P, File Sharing, Games, Skype; MySpace, YouTube – malware problems
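To make the two-profile filtering concrete, here is an added Python example (not the briefing's own configuration and not a real proxy) that evaluates a web request against a block list shared by both enclaves, a MIL-only block list, and an EDU watch list for the slide's problem areas, deciding by which enclave the client address belongs to. The host-to-category map, the enclave address ranges (RFC 5737 documentation prefixes), the fail-closed rule for unknown sources and the allow-by-default for uncategorized sites are all assumptions.

```python
import ipaddress
from collections import namedtuple
from urllib.parse import urlsplit

Decision = namedtuple("Decision", "action enclave category reason")

# Constructed host-to-category map standing in for a proxy vendor's category database.
CATEGORY_OF_HOST = {
    "www.facebook.com": "social",
    "www.youtube.com": "video",
    "chat.example.net": "chat",
    "games.example.org": "games",
    "health.example.org": "medical",
    "anon.example.com": "anonymizer",
    "tracker.example.org": "p2p",
    "bets.example.com": "gambling",
    "www.af.mil": "government",
}

# Categories the slide says both MIL and EDU block.
BLOCKED_EVERYWHERE = {"porn", "gambling", "hate_crimes", "criminal_skills"}
# Categories MIL blocks but EDU allows.
MIL_ONLY_BLOCK = {"chat", "games", "lifestyle", "mature", "medical", "mp3", "im", "social", "video"}
# The slide's "problem areas": allowed on EDU, but logged because of malware and evasion.
EDU_WATCHLIST = {"anonymizer", "p2p", "file_sharing", "games", "skype", "social", "video"}

# Assumed enclave address ranges (RFC 5737 documentation prefixes, not real addressing).
ENCLAVES = {
    "MIL": ipaddress.ip_network("192.0.2.0/24"),
    "EDU": ipaddress.ip_network("198.51.100.0/24"),
}


def enclave_of(src_ip: str):
    """Map a client address to its enclave, or None if it is in neither."""
    addr = ipaddress.ip_address(src_ip)
    for name, net in ENCLAVES.items():
        if addr in net:
            return name
    return None


def categorize(url: str) -> str:
    """Look the request's host up in the category map; unknown hosts are 'uncategorized'."""
    host = (urlsplit(url).hostname or "").lower()
    return CATEGORY_OF_HOST.get(host, "uncategorized")


def decide(src_ip: str, url: str) -> Decision:
    """Apply the shared, MIL-only and EDU-watchlist rules in that order."""
    enclave = enclave_of(src_ip)
    category = categorize(url)
    if enclave is None:
        # Fail closed: a client outside both enclaves gets no web access at all.
        return Decision("BLOCK", None, category, "source not in a known enclave")
    if category in BLOCKED_EVERYWHERE:
        return Decision("BLOCK", enclave, category, "blocked on MIL and EDU")
    if enclave == "MIL" and category in MIL_ONLY_BLOCK:
        return Decision("BLOCK", enclave, category, "blocked on MIL (work environment only)")
    if enclave == "EDU" and category in EDU_WATCHLIST:
        return Decision("ALLOW_LOG", enclave, category, "EDU problem area: allowed but logged")
    return Decision("ALLOW", enclave, category, "permitted")


def filter_log(requests):
    """Apply the policy to (src_ip, url) pairs and return proxy-style log lines."""
    lines = []
    for src, url in requests:
        d = decide(src, url)
        lines.append(f"{src} {d.enclave or '-'} {d.category} {url} -> {d.action} ({d.reason})")
    return lines


if __name__ == "__main__":
    # Constructed sample traffic: the same site from a MIL host and from an EDU host.
    for line in filter_log([("192.0.2.10", "http://www.facebook.com/home"),
                            ("198.51.100.5", "http://www.facebook.com/home"),
                            ("198.51.100.5", "http://anon.example.com/"),
                            ("203.0.113.9", "http://www.af.mil/")]):
        print(line)
```

The ordering of the rules is the policy: the shared block list is checked before any enclave-specific rule, so relaxing the EDU profile can never reopen a category that both networks must block.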

Page 25:

Network Access Control

Comply & Connect at least a year away
Host Based Security System (HBSS)
SMS / System Center Configuration Manager
National Institute of Standards and Technology tools
Learn from civilian institutions
Required antivirus
Updated patches
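Comply & Connect admits a host to the network only after it proves it meets the baseline: antivirus present and current, patches applied, management agent reporting. The Python posture check below is an added example, not a Comply & Connect, HBSS or SCCM implementation; the thresholds, the constructed patch identifiers, the rule that an HBSS agent is required only on MIL hosts, and the three sample reports are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class HostPosture:
    """Posture report an endpoint agent (HBSS/SCCM-style) sends at connection time."""
    hostname: str
    enclave: str                          # "MIL" or "EDU"
    av_installed: bool
    av_signature_date: Optional[datetime]
    installed_patches: List[str]
    hbss_agent_present: bool
    reported_at: Optional[datetime]       # when the agent produced this report


# Assumed thresholds; a real Comply & Connect deployment would set these centrally.
MAX_SIGNATURE_AGE = timedelta(days=3)
MAX_REPORT_AGE = timedelta(minutes=15)
BASELINE_PATCHES = ["patch-2008-03-A", "patch-2008-04-B"]  # constructed identifiers


def missing_from_baseline(installed: List[str]) -> List[str]:
    return [p for p in BASELINE_PATCHES if p not in installed]


def assess(posture: HostPosture, now: datetime) -> Tuple[str, List[str]]:
    """Return ("ADMIT" or "QUARANTINE", failures); every failed check is listed."""
    failures = []
    if posture.reported_at is None or now - posture.reported_at > MAX_REPORT_AGE:
        # An old or missing report could be replayed from a host that has since changed.
        failures.append("posture report missing or stale")
    if not posture.av_installed:
        failures.append("required antivirus not installed")
    elif posture.av_signature_date is None or now - posture.av_signature_date > MAX_SIGNATURE_AGE:
        failures.append("antivirus signatures out of date")
    missing = missing_from_baseline(posture.installed_patches)
    if missing:
        failures.append("missing patches: " + ", ".join(missing))
    if posture.enclave == "MIL" and not posture.hbss_agent_present:
        failures.append("HBSS agent not reporting (required on MIL)")
    return ("QUARANTINE" if failures else "ADMIT", failures)


def sample_reports(now: datetime) -> List[HostPosture]:
    """Constructed posture reports for three hosts (not real data)."""
    return [
        HostPosture("mil-ws-01", "MIL", True, now - timedelta(hours=6),
                    list(BASELINE_PATCHES), True, now - timedelta(minutes=1)),
        HostPosture("edu-tablet-17", "EDU", True, now - timedelta(days=9),
                    BASELINE_PATCHES[:1], False, now - timedelta(minutes=2)),
        HostPosture("mil-ws-02", "MIL", True, now - timedelta(hours=1),
                    list(BASELINE_PATCHES), False, now - timedelta(hours=3)),
    ]


def triage(now: datetime) -> dict:
    """Admission decision per host for the sample reports."""
    return {p.hostname: assess(p, now)[0] for p in sample_reports(now)}


if __name__ == "__main__":
    now = datetime(2008, 4, 8, 9, 0)
    for p in sample_reports(now):
        decision, why = assess(p, now)
        print(f"{p.hostname}: {decision} {why}")
```

The report-age check is the detail most often skipped: a host that passed last week must not be admitted on the strength of that old report, so a stale report is itself a failure, independent of what it says.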

Page 26:

Conclusion

Can you have too much security? YES!

How do you know when to stop?
When the “pain exceeds the gain”
Users work around it to get the job done

Sell the change – communicate w/ users!
Incremental changes are easier to sell
Convey the threat and risk

If you can’t sell it, then drop it.

Page 27:

Questions