Post on 30-May-2018
Copyright © 2015 Raytheon Company. All rights reserved.
Cross Domain Guards to Support All Missions
Jason Ostermann
Chief Engineer, Transfer Solutions
No export controlled data - IIS2015-536
Cross Domain and Need To Share
Cross Domain Solutions provide secure mechanisms to transmit data across security boundaries
– Between networks at different classifications, compartments, or under different authorities
Many missions are now dependent on using data from across a boundary and/or providing data across a boundary
– Stove-pipes are no longer effective
The need to share must be balanced against the need to protect
– What risk does the connection introduce to the environment?
– How is that risk captured and monitored?
11/11/2015 2
Cross Domain Trends
Increasing Connectivity
More Dangerous Threat Landscape
Evolving Requirements
Dissolving Security Perimeter
Evolving Security Controls
Advancements in Data Driven Attacks
More Advanced Integrations
Mobility and Cloud Computing
Increasing Data Mobility
Increasing Data Volume
Persistent Adversaries
Increasing Data Complexity
From Machine-to-Machine
– Fully automated, predictable interactions
To person-to-machine
– Typically complex unstructured data, on-demand processing
To person-to-person
– Immediate collaboration, complex data sharing
From well structured messages
– Simple formats posing little risk
To semi-structured files
– More opportunities for data hiding
To highly complex data
– Difficult to evaluate in an automated fashion
Breadth of Cross Domain Missions
Cross Domain Requirements Take Many Forms
Traditional guidance: use multiple solutions, each targeted at one requirement
Increasing Cross Domain Complexity
Ever increasing capabilities exert pressure on cross domain systems
Once upon a time, basic file transfers were sufficient
– Timelines were flexible, data was relatively basic
Modern systems require more advanced interfaces
– Enterprise integrations, real time messaging systems, strict latency requirements, standards based interfaces
Adapting enterprise systems to accommodate the CDS is no longer acceptable
Raytheon|Websense at a Glance
Locations: San Antonio, Garland, San Francisco, Salt Lake City, American Fork, Champaign, Dayton, Herndon, Annapolis Junction, Frederick, Boston, New York/New Jersey
Overview
Recent integration between Raytheon Cyber Products and Websense
400 employees focused on Government and advanced Commercial products
Headquarters: Austin, Texas and Herndon, Virginia
Broad portfolio of Commercial and Government security products
Enterprise Experience
Government Product Portfolio
Cross Domain Products
Government Market Focused
Trusted Thin Client®
Trusted Access Mobile
High Speed Guard™
Small Format Guard™
Trusted Gateway System™
Trusted Print Delivery™
Trusted Mail System™
WebShield
SimShield™
Commercial Product Portfolio
SureView® and TRITON® Products
Enterprise Market Focused
SureView® Analytics
SureView® Threat Protection
SureView® Insider Threat
SureView® Memory Integrity
TRITON APX
AP-WEB
AP-DATA
AP-EMAIL
SureView® Family of Products
Provides end-to-end visibility, context, and protection across enterprise
SureView Threat Protection: Detects zero-day attacks across web, email, and endpoints
SureView Insider Threat: Complete visibility into and context around end user activity and behavior
SureView Memory Integrity: Detect live malware on Linux
SureView Analytics: Rapid search, analysis, and visualization
Cross Domain Product Line
Access and Transfer Solutions
Trusted Thin Client® (ACCESS): Access to multiple networks at multiple levels from a single workstation
High Speed Guard™ (TRANSFER): Highly flexible automated machine-to-machine transfer system for structured data. “Back office”
Trusted Gateway System™ (TRANSFER): Manual inspection for sensitive high to low transfer of unstructured data. “Front office”
Small Format Guard™ (TRANSFER): Tactical/embedded systems with little to no administration
WebShield (TRANSFER): Web browsing of lower trust networks from higher trust networks. “Browse down”
SimShield™ (TRANSFER): Live/Virtual/Constructive training and simulation low latency messaging
Trusted Print Delivery™ (TRANSFER): Cross domain printing to consolidate and simplify print resources
Trusted Mail System™ (TRANSFER): Cross domain email for collaboration
High Speed Guard™
Secure transfer of real-time and bandwidth intensive information such as data feeds, live video streams, network monitoring and data ingest
Extensive support for highly complex automated transfer requirements of big data between multiple sensitive networks or clouds
Fully end-user maintainable
Sustains the industry’s fastest bi-directional transfer rates: 9Gb/s on a 2 CPU platform
Flexible data inspection engine for a wide variety of data formats and security requirements
Multiple application protocols, adaptable to custom interfaces for file transfer, messaging
Flexibility for real-world requirements
High Speed Guard Total Economic Impact Study (TEI)
Full report available @ raytheoncyber.com/resources
Small Format Guard™
Tactical, mobile missions (air, ground, sea) involving ongoing data collection (manned / unmanned)
Messaging, file transfer, video streaming in one system
Pre-configured mission profiles for rapid mission adaptation
Simplified operations and maintenance procedures
Custom hardware integration for mission-specific requirements
High Speed Guard™ reuse for A&A experience
Flexible data inspection engine
Enterprise-grade CDS for Tactical systems
Transfer Mechanisms
Flexible integration for how to move data
File Drop Boxes – Automated Secure Transfer
• Easy to integrate Secure Copy/SSH based transfers
Cross Domain SNMP – Scorpion
• Consolidated network management and operations for enterprise operations centers
Ultra High Data Rate UDP – Banshee
• Performance oriented capability for UDP messaging
Web Services, HTTP – Hunchback
• Flexible support for SOAP and REST over HTTP(S) and other HTTP services
Streaming Video – Hydra
• Live MPEG Transport Streams
High Performance File Transfer – JAS/DTP
• Unique protocol specifically to maximize system performance
Lightweight Adaptable Messaging – Gargoyle
• Support for custom TCP and UDP messaging protocols
Security Policies and Data Inspections
HSG/SFG focus on inspection policy rather than data types
Each deployment utilizes an inspection policy tailored to its requirements and risks
Data inspection policy language can evaluate almost any data type
– Capabilities within rule language and plugins determine level of effort to support
Operational systems inspect imagery (multiple formats), XML (multiple formats), DEM, imagery support files, inter-system messaging, GMTI, MPEG video, multiple proprietary formats
– Instantiations perform both low to high and high to low
Demonstrated capability for Cursor On Target, OTH-Gold, USMTF
Flexible inspections of what data to move
Rule Engine
Data inspections are executed by the rule engine
Same engine for all transfer methods
– Rules written in a plain-text command file
– Engine uses its own language with support for flow control, sequencing, native data types, comparisons, text evaluations and basic math statements
– Plugins available for enhanced data evaluations
– Provides detailed audit logging
– Training provided for the maintenance and update of rule sets
– Several deployments utilize over 50,000 logical lines of code
Rule language is similar to C
– Very easy learning curve for Unix system administrators
Highly adaptable to automate high to low policies
Flexible and extendable for emerging requirements
XML Support
XML parsing plugin provides native support for XML payloads
– Utilizes Xerces (C++) to provide a full complement of XML support
Rule engine supports partial-XML payloads
– i.e., XML header on large binary data files
Also supports extracting/parsing embedded XML
– i.e., dreaded CDATA escapes
Standard rule features support correlating disparate parts of the XML stream for complicated policies
Full support for XML namespaces
Operationally support excessively complicated XML schema sets
– Example: 200+ schemas required to define a service, with 40+ schemas required for each message
Raytheon|Websense can assist with evaluating and hardening XML schemas
Comprehensive support for all features of XML
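Added example, not Raytheon code and not the HSG rule language: a Python sketch of two inspections this slide names, re-parsing XML embedded in a CDATA section under its own policy and correlating a header field with the embedded payload. The namespace, element names, label value and policy tables are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = "urn:example:guard-demo"  # constructed namespace, not a real schema
# Policy: element tag -> regex its text must match; attributes are never allowed.
OUTER = {f"{{{NS}}}{k}": v for k, v in {"msg": "", "header": "", "label": "LOW",
         "count": "[0-9]{1,4}", "body": "(?s).+"}.items()}
INNER = {"tracks": "", "track": "[0-9]{1,6}"}  # embedded payload, no namespace

class Rejected(Exception):
    """Reason a payload failed inspection; the guard fails closed."""

def parse_strict(raw: bytes, policy: dict) -> ET.Element:
    try:
        text = raw.decode("utf-8")  # the only accepted encoding
        if "<!DOCTYPE" in text or "<!ENTITY" in text:
            raise Rejected("DTD or entity declaration present")
        root = ET.fromstring(text)
    except (UnicodeDecodeError, ET.ParseError) as exc:
        raise Rejected(f"unparseable payload: {exc}") from None
    for el in root.iter():
        rule = policy.get(el.tag)
        if (rule is None or el.attrib or (el.tail or "").strip()
                or not re.fullmatch(rule, (el.text or "").strip())):
            raise Rejected(f"policy violation at element {el.tag}")
    return root

def inspect(raw: bytes) -> ET.Element:
    """Return the embedded payload if the whole message passes policy."""
    msg = parse_strict(raw, OUTER)
    # Exact shape msg > (header > (label, count), body): nothing repeated or nested.
    if [e.tag for e in msg.iter()] != list(OUTER) or len(msg) != 2 or len(msg[0]) != 2:
        raise Rejected("unexpected message structure")
    # CDATA content reaches us as plain text: parse it again under its own policy.
    inner = parse_strict(msg[1].text.encode("utf-8"), INNER)
    # Correlate the count declared in the header with what the payload holds.
    n = int(msg[0][1].text)
    if [e.tag for e in inner.iter()] != ["tracks"] + ["track"] * n or len(inner) != n:
        raise Rejected("header count does not match embedded payload")
    return inner

def verdict(raw: bytes) -> str:
    try:
        return f"PASS: {len(inspect(raw))} tracks"
    except Rejected as why:
        return f"REJECT: {why}"

def sample(count: str, inner: str) -> bytes:  # builds constructed test messages
    return (f'<msg xmlns="{NS}"><header><label>LOW</label><count>{count}</count>'
            f'</header><body><![CDATA[{inner}]]></body></msg>').encode()
```

Calling `verdict(sample("2", "<tracks><track>1</track><track>2</track></tracks>"))` passes; changing the declared count, adding an element outside the inner policy, or appending a second `body` element is rejected.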
HSG Consolidated Enterprise Administration
Physically separates graphical administration tasks from operational data flows
– Further reduces guard software size
Single admin supports ten or more guards, depending on log volume
Multiple guards administered by consolidated admin system
– Configuration Management
– Audit Log Reduction
– Real Time Alerting
– Backups
– Restoration
– Administrator Accounts
SFG Operations and Maintenance
Tactical deployments typically cannot support traditional CDS O&M requirements
– Distinct lack of specialized UNIX® administrators, monitoring
Simplified depot workstation applications perform day-to-day maintenance
SFG adopts the “mission profile” construct
– A mission profile is selected before the mission that defines data flows, policies and configurations
– Profile is loaded onto the SFG during platform initialization
– Audit data is extracted from SFG post-mission or in-mission as appropriate
Mission Profiles are evaluated as part of the A&A process
– Minimizes anti-tamper and handling restrictions
Designed for tactical environments
Audit Monitoring with ALERT
Audit Log Examination and Reduction Tool (ALERT), deployed since 2002
Provides a simple operator interface for reviewing significant events, plotting occurrences and reviewing raw logs
Enterprise-capable audit tool
Automated log parsing/reduction
Immediate notification via SNMP
Multi-platform
– Windows, Solaris, Red Hat Enterprise Linux
Assessment & Authorization (A&A)
Our experts ensure that the assessment and authorization of the system proceeds smoothly
A&A Professional Services
Professional Services Offerings
A&A Processes & Facilitation
• Guidance on best practices for each community and process
Tailored A&A Documents
• Deployment-specific documentation with reuse from common body of evidence
Assessment support
• Test plan/procedure development, dry run and formal execution
Authorization support
• Briefings to authorizing official(s), generation of Plan Of Action and Milestones (POAMs)
Trusted Agent
• Certifying Authority Services on behalf of Government customers
Testing Standards
NIST 800-37 (RMF) Based processes
• Selection and tailoring of NIST 800-53 controls and overlays
• Tailoring of System Security Plan (SSP) and related documentation
• Formal test event execution
Legacy Secret And Below Interoperability process
• Development of Cross Domain Appendix
• Support community briefings
• Deliver, train and support certification testing
• Support site test and evaluation including final reports
Community-specific processes
• Experience with wide variety of more unique processes utilized in specific scenarios
International authorization processes
• Facilitate information sharing between U.S. and partner nations
Summary
Performance – From high throughput dissemination to low latency messaging
– Large data transfers - up to 9Gb/s sustained throughput
– Small message transfers – operational @ 96,000 messages/sec
– < 10ms messaging latency
– Over 50 simultaneous HD video streams
– File transfers from 600 GB/day to 97TB/day
Interface – One solution for many requirements
– Web services, JMS messaging, streaming video, SNMP, custom protocols, file drop box, and file streaming protocols
Management – Comprehensive control and awareness
– Maintain operational relevancy without re-engineering
– Administer multiple enterprise units from a single point – dramatically reduced TCO
– Tailored to operate in a tactical environment
HSG and SFG provide unmatched flexibility
Questions?
Thank you for your time!
Jason Ostermann
Chief Engineer, Transfer Solutions
josterm@raytheon.com
+1-972-205-5332
Jamie Hall
Director, International Sales
jamie.hall@raytheon.com
+1-703-615-7071