HQ U.S. Air Force Academy
Integrity - Service - Excellence
Rich Mock
USAFA CIO
8 Apr 2008
Academic Freedom vs Network Security
or…
Can You Have Too Much Security?
Overview
AF Mission – Air Force Base
USAF Academy Mission
IT Environments
Conflict
Solutions
USAF vs Academy Approach
Issues
Examples
Conclusion
Air Force Mission
Deliver sovereign options for the defense of the United States of America and its global interests -- to fly and fight in Air, Space, and Cyberspace.
Vision: Global Vigilance, Reach and Power.
Fairchild AFB, Washington
Air Mobility Command
92nd Air Refueling Wing (35 KC-135s)
Operations Group
Maintenance Group
Medical Group
Mission Support Group
  Civil Engineer Squadron
  Communications Squadron
Park University, SIUC, Webster
USAF Academy Mission
To educate, train and inspire young men and women to become officers of character motivated to lead the United States Air Force in service to the nation.
Academics (4 year university)
Athletics (NCAA Div I)
Military (active duty USAF)
USAFA Organizations
President – Superintendent
Provost - Vice Superintendent
Student Body - Cadet Wing (4400)
Commandant of Cadets – military training
Dean of Faculty
Athletic Department
Prep School
Research Centers
Support Organizations
Medical + Hospital
Flying Training
AF Base IT Environment
Locked down desktop computers
Boundary protection
  Firewalls, proxy servers, anti-virus
Software Patches & Scans
Policies & Procedures
System Certification & Accreditation
Authentication (CAC and strong password)
No entertainment (work environment only)
Network Control: Base, Intermediate, AF
USAF Academy IT Environment
Students issued desktop PCs (1986)
High speed network installed, all academic buildings & dorms (1993)
Cadet notebooks (2001)
Wireless network (2002)
Tablet computers (2006)
No commercial ISP for cadets
Natural “Enemies”
Cops vs Robbers
Cobra vs Mongoose
Security vs Academics

Security            Academics
Stability           Innovation
Few changes         Experimental
Less access         More exchange of information
Proven solutions    Research new ideas
The Problem
MIL network has become too restrictive
Cadet computers are a security risk
Faculty – restrictions prevent doing job
Long software approval process
No access for cadets away from USAFA
DOD blocks ‘bad actor’ countries
Poor access for International researchers and cadets
AF prohibits commercial e-mail and IM
Cadets use computers for non-duty activities
Integrated NOSC removed local control
Specific Examples
“Green Banner”
Strong Passwords
Blocking unused ports
Patches
Wireless security
Proxy filter too restrictive
Long software approval process
No default HTML view in email
Standard Desktop Configuration (SDC)
AF.EDU
Air Education and Training Command
Establish and maintain one “af.edu” domain. … without exposing the af.mil network to security risks.
Members are students and faculty at the United States Air Force Academy, the Air Force Institute of Technology, and the Air University system.
AF.EDU Solution
The collaboration infrastructure:
  MS Office SharePoint Service 2007 Enterprise
  MS Live Communications Server
  MS Exchange 2007
20 TB 36 TB storage
Primary data location is in San Antonio, Texas
Backup data location is in Missouri
Multiple redundant backups
USAFA Approach
Use DREN as service provider for EDU
Request policy relief
  SDC exception
  Software approval process
  DREN firewall exceptions
  Collaborative tools
Separate EDU (DREN) & MIL (NIPRnet)
Before (1992-2006)
[Network diagram. Labels: Admin, Exchange, Domain Ctrls, File Servers; Faculty, Athletics, Cadets, Medical, Staff, Finance; USAFAnet; DREN, NIPRnet; Internet, .mil]
During (2006-2007)
[Network diagram. Labels: Admin, Exchange, Domain Ctrls, File Servers; Faculty, Athletics, Cadets, Medical, Staff, Finance; DREN, NIPRnet; Internet, .mil; USAFAnet]
After (July 2007)
[Network diagram. Labels: Faculty, Athletics, Cadets, Medical, Staff, Finance; DREN, NIPRnet; Internet, .mil; USAFA.EDU, USAFA.MIL; Exchange (twice), File Servers (twice), Domain Ctrls (twice), Admin]
The Good, Bad & Ugly
EDU is physically separate! (24 Jul 07)
AF is more secure
Teamwork -- One Team, One Fight!
Migration took 30+ minutes per user X 6000
Still many problems: Global Address List…
Kiosks as interim solution
AF Transformation reducing manning
External DoD changes
Password Progression
Username only
Simple passwords – user created
Weak password rules – e.g. 8 characters
Expiration times – e.g. 60 – 180 days
Computer generated
Strong passwords with symbol combinations
Time and place restrictions
Biometric or Smartcard
Smart Card Implementation
AF Common Access Cards (CAC) - PKI
Expense of cards ($ and manpower)
Certificate Authority
Implementation Problems:
  Bad cards
  Bad card readers
  Middleware
  Locked accounts
  Lost cards
Software Approval
Defense Information Assurance Certification & Accreditation Program (DIACAP)
  Designated Accreditation Authority
  Certification Authority
  Information Assurance Manager
  Information System Owner
  4-6 months
Collaborative Tools
AF Prohibition
  Instant Messaging
  VoIP (Skype)
  Desktop Video-conferencing
  Blogs and Chats
DoD Solution
  IBM Same Time
  Adobe Connect
Internet Blocking
MIL & EDU both block
  Porn, Gambling, Hate Crimes, Criminal Skills
MIL blocks, but EDU allows
  Chat, Games, Lifestyle, Mature, Medical, MP3
  IM, Facebook, YouTube
Problem areas
  Anonymizer, P2P, File Sharing, Games, Skype
  MySpace, YouTube – malware problems
Network Access Control
Comply & Connect at least a year away
Host Based Security System
SMS System Center Config Manager
National Institute of Standards and Technology Tools
Learn from civilian institutions
  Required antivirus
  Updated patches
Conclusion
Can you have too much security? YES!
How do you know when to stop?
  When the “pain exceeds the gain”
  Users work around it to get job done
Sell the change – communicate w/ users!
  Incremental changes are easier to sell
  Convey the threat and risk
If you can’t sell it, then drop it.
Questions