Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Unix security wikipedia , lookup
Computer and network surveillance wikipedia , lookup
Security-focused operating system wikipedia , lookup
Wireless security wikipedia , lookup
Computer security wikipedia , lookup
Mobile security wikipedia , lookup
Distributed firewall wikipedia , lookup
Cracking of wireless networks wikipedia , lookup
Wide Area Network Approvals Memorandum of Understanding SIPRNET JSAC Dallas – Fort Worth 16 – 17 April 2008 JD Springer There are essentially two types of WAN connections Those where some other Agency is the DAA of the WAN. Such as: a contractor node certified and accredited by DSS connecting to a WAN which has been certified and accredited by another CSA such as DISA, Navy, Army etc. When DSS is not the DAA for the WAN, DSS will defer connection authority to the DAA of the WAN though the drafting and approval by all involved DAAs of a Memorandum or Agreement (MOA) or Memorandum of Understanding (MOU). The MOA or MOU must be completed prior to any connection to the non-DSS controlled WAN. Those where DSS is the DAA of the WAN. Example: a contractor node certified and accredited by DSS connecting to another contractor node also certified and accredited by DSS. Interim vs Approval IATO vs ATO Interim Approval to Operate (IATO) and Approval to Operate (ATO) IATOs and ATOs will only permit the operation of the system or LAN. They will not permit connection to a WAN where DSS is the DAA. • IATO - Some period of time - normally 180 days may be granted twice • SIPRNET does not receive an IATO IATC vs ATC Interim Approval to Connect (IATC) and Approval to Connect (ATC) Two additional documents have been created to support the WAN process. These documents are used when DSS is the CSA of the WAN. While many other government agencies employ similar documents, non-DSS DAAs for WANs will ultimately determine their own method of connection approval notification. IATC – Allows a temporary connection to a WAN for no longer than 180 days with the possibility of a single 180 day extension. IATC are issued when connection of a node with an IATO is approved or when the node has an ATO but the WAN has an IATO. ATC - Allows connection to a WAN for three years or less if a security relevant change is determined by the DAA to acquire reaccreditation. Given when connection of a node with an ATO is approved and when the WAN has an ATO. Wide Area Networks Government (controlled) Networks (SDREN or SIPRNET); Mixed (Contractor & Government); Contractor based (Contractor to Contractor); Depending on the type of network connection may help in deciding what kind of network: Unified or Interconnected. Unified A unified network is a connected collection of systems or networks that are accredited: (1) under a single SSP, (2) as a single entity, and (3) by a single CSA. Such a network can be as simple as a small stand-alone LAN operating at Protection Level 1, following a single security policy, accredited as a single entity, and administered by a single ISSO. Conversely, it can be as complex as a collection of hundreds of LANs separated over a wide area but still following a single security policy, accredited as a single entity by a single CSA. The perimeter of each network encompasses all its hardware, software, and attached devices. Its boundary extends to all of its users. Interconnected An interconnected network is comprised of two or more separately accredited systems and/or networks. Each separately accredited system or network maintains its own intra-system services and controls, protects its own resources, and retains its individual accreditation. Each participating system or network has its own ISSO. The interconnected network shall have a controlled interface capable of adjudicating the different security policy implementations of the participating systems or unified networks. An interconnected network also requires accreditation as a unit. NETWORK WORK SECURITY PLAN A Network Security Plan (NSP) should cover the following information for the WAN: 1. ODAA UID and IS name. 2. Facility address. 3. POC information. 4. Protection level and the highest classification of data with any caveats or formal access requirements identified. 5. Minimum clearance level of users. 6. Description with an accompanying diagram showing all connections. 7. Encryption method and devices in use. 8. Responsibilities. 9. Network connection rules. This should include a statement from the ISSM on whether or not full accreditation will be required for connection. 10. Signed and dated statement from the ISSM attesting that there are no additional connections to the WAN other than those identified in the NSP. 11. An ISSM signed network participation sheet for each node which includes requirements 1-8 above and a description of the node system. 12. For any node not given an ODAA UID an accreditation letter or a signed MOU/MOA included. If the node is under an MSSP, the protection profile associated with the node must also be identified. Network Security Plan (Contractor and Government Facilities Only) Date: Network ID # Contractor facility name: 1 Revision # 2 CAGE Code : Facility Address: Contact Information 3 CSA/DAA: Phone Number: Network Security Manager: Phone Number: Network Identification High-level description and usage of overall network: Contract Number(s): 4 Protection, Sensitivity Level, and User Information Network Protection Level: PL1 PL2 PL3 P L4 Highest classification level of data: CONFIDENTIAL SECRET TOP SECRET Category(s): NONE COMSEC RD FRD FGI Other: Non-SCI Formal access approvals: No Yes. If yes, indicate NATO CNWDI CRYPTO Minimum clearance level of user: CONFIDENTIAL SECRET TOP SECRET Interim SECRET Interim TOP SECRET 6 Network Type and Data Transmission Protections Network Type: Unified or Interconnected, Refer to Figure 1, Overall Network Diagram Encryption method: NSA/Type 1 5 7 Need-to-Know Methodology for Network 1. All users must have a minimum of an Interim / Final Secret clearance, a XXXX Program briefing, XXXX WAN SSP briefing and possess a need-to-know in order to be granted access to the XXXX WAN. NSM Responsibilities 8 1. Is the focal point for the network and the individual Information System Security Mangers (ISSMs). 2. Generate & achieve and maintain approval for the Network Security Plan. 3. Ensure all ISs on the network have an accredited System Security Plan (SSP) 4. Assure proper network security procedures are developed and implemented, and will monitor the Network Security Plan for compliance. 5. Evaluate the impact of IS and network changes and apply for re-approval of the Network Security Plan if necessary. 6. Must notify all parties and rescind the Network Security Plan whenever circumstances may impede the security of any network member. Notes: NOTE: Access to COMSEC, CNWDI, RD or FRD information require at a minimum: Final Secret. Access to NATO, CNWDI, COMSEC or CRYPTO require a: Formal Briefing Statement Overall Network Security Profile Contractor to Contractor Facilities Only Network Identifier: Network Host Facility: Network Connection Rules 9 1.The interconnection between remote ISs will be controlled by National Security Agency (NSA) endorsed Type 1 encryption devices. 2.Clearance levels, contractual relationship with need-to-know and Formal Access Approval determinations at all locations must be established prior to connecting to the wide area network. 3.All ISs on the network shall have an accredited System Security Plan (SSP) – Interim Approval of the remote SSP is the minimum necessary to connect to the WAN. 4.Passwords will be provided by a classification level appropriate secure means. 5.Users must be knowledgeable of the Network Security Plan requirements for which they are responsible. 6.Each connecting site's ISSM shall coordinate any changes to the network with the Network Security Officer/Network Security Manager and shall gain approval by the appropriate cognizant security officials in advance. 7.The NSO/NSM and connecting sites will report immediately any security-related incident to the appropriate local cognizant security official. Signature 10 By signing, I hereby certify that there are no additional connections to the wide area network other than those identified in this NSP. NSO/NSM Signature: Date: 11 IS # Network Participant Data Sheet Date: 1 Contractor facility name: 2 Facility Address: CAGE Code: IS Contact Information CSA/DAA: Phone Number: Network Security Manager: Phone Number: 3 ISSM: Phone Number: Contracts Supported: (Contract Numbers): Description of Network: The XXXX WAN will be used for used data manipulation, computation, sorting comparison, reduction, transfer and other data related operations in support of XXXX. IS Protection, Sensitivity Level, and User Information Accredited Protection Level: PL1 PL2 PL3 PL4 Highest classification level of IS data: CONFIDENTIAL SECRET TOP SECRET Category(s): None COMSEC RD FRD FGI Other: Formal access approvals: No Yes. 4 5 Minimum clearance level of user: CONFIDENTIAL SECRET TOP SECRET Interim SECRET Interim TOP SECRET 7 Need-to-Know Methodology for Network 1. The network encryption system will be a NSA Type One encryption device. (REMOVE) Suggest you DO NOT identify the type of encryption 2. Unclassified configuration disks will be utilized with groups and accounts set up on systems at each location. ISSM Responsibilities for Connection to WAN All remote participant sites will operate in the PL1 mode accredited by their local DSS office. 1.Notify the Network Security Manager (NSM) of any proposed external connections or system changes effecting security. 2.Notify NSM of any local SSP or protection profile changes effecting the security of the WAN. 3.Ensure no changes are made to the network without proper review and approval by the NSM and cognizant DAAs. 4.Notify NSM of IS reaccreditation. 5.Brief personnel on the use of the network. Users are not authorized to share User IDs or passwords. 6.Ensure audit trails associated with the network are reviewed on weekly basis. 7.Report any security incidents or violations to the NSM. 8.Provide Network Participant Datasheet and DSS signed Accreditation Letter to the NSM. Interim accreditation will be accepted as long as it does not affect the integrity and confidentiality of the XXXX WAN. 9.Back-sided connections will not be authorized without the approval of the NSM 8 ISSM Signature: Date: NETWORK SECURITY PLAN In addition to the Host and Node Network Participant Data Sheets you will need a: • Configuration diagram or Topology • IATO, ATO for each node or MOU (Government) Memorandum of Understanding Government - Contractor - Government Memorandum of Agreement (Not as simple as the name would imply) Government - Contractor - Government Memorandum of Agreement Government - Contractor - Government KEY POINTS When must you write a Network Security Plan? • When you are the Host. If you are not the Host, can your WAN be part of the Security Profile? • Yes, include it as an Enclosure or Attachment Can you approve a Node to connect to the WAN or the WAN NSP? • No According to DSS, WANs (Host or Node) must be inspected each year. SECRET Internet Protocol Router Network (SIPRNET) The attached documents comprise the documents needed in the DSS SIPRNET process. SECRET Internet Protocol Router Network (SIPRNET) The attached document is an example of the DISA request document. Ensure you send all the documents identified as Enclosures. Bonus Material