HQ U.S. Air Force Academy
Integrity - Service - Excellence

Academic Freedom vs Network Security
Rich Mock, USAFA CIO
8 Apr 2008

or... Can You Have Too Much Security?

Overview
- AF Mission – Air Force Base
- USAF Academy Mission
- IT Environments
- Conflict
- Solutions
- USAF vs Academy Approach
- Issues
- Examples
- Conclusion

Air Force Mission
- Deliver sovereign options for the defense of the United States of America and its global interests -- to fly and fight in Air, Space, and Cyberspace.
- Vision: Global Vigilance, Reach and Power.

Fairchild AFB, Washington
- Air Mobility Command
- 92nd Air Refueling Wing (35 KC-135s)
- Operations Group
- Maintenance Group
- Medical Group
- Mission Support Group
  - Civil Engineer Squadron
  - Communications Squadron
- Park University, SIUC, Webster

USAF Academy Mission
- To educate, train and inspire young men and women to become officers of character motivated to lead the United States Air Force in service to the nation.
- Academics (4 year university)
- Athletics (NCAA Div I)
- Military (active duty USAF)

USAFA Organizations
- President – Superintendent
- Provost – Vice Superintendent
- Student Body – Cadet Wing (4400)
- Commandant of Cadets – military training
- Dean of Faculty
- Athletic Department
- Prep School
- Research Centers
- Support Organizations
- Medical + Hospital
- Flying Training

AF Base IT Environment
- Locked down desktop computers
- Boundary protection
- Firewalls, proxy servers, anti-virus
- Software Patches & Scans
- Policies & Procedures
- System Certification & Accreditation
- Authentication (CAC and strong password)
- No entertainment (work environment only)
- Network Control: Base, Intermediate, AF

USAF Academy IT Environment
- Students issued desktop PCs (1986)
- High speed network installed, all academic buildings & dorms (1993)
- Cadet notebooks (2001)
- Wireless network (2002)
- Tablet computers (2006)
- No commercial ISP for cadets

Natural "Enemies"
  Cops      vs  Robbers
  Cobra     vs  Mongoose
  Security  vs  Academics

  Security side: Stability; Few changes; Less access; Proven solutions
  Academics side: Innovation; Experimental; More exchange of information; Research new ideas

The Problem
- MIL network has become too restrictive
- Cadet computers are a security risk
- Faculty – restrictions prevent doing job
- Long software approval process
- No access for cadets away from USAFA
- DOD blocks 'bad actor' countries
- Poor access for international researchers and cadets
- AF prohibits commercial e-mail and IM
- Cadets use computers for non-duty activities
- Integrated NOSC removed local control

Specific Examples
- "Green Banner"
- Strong Passwords
- Blocking unused ports
- Patches
- Wireless security
- Proxy filter too restrictive
- Long software approval process
- No default HTML view in email
- Standard Desktop Configuration (SDC)

AF.EDU
- Air Education and Training Command
- Establish and maintain one "af.edu" domain. … without exposing the af.mil network to security risks.
- Members are students and faculty at the United States Air Force Academy, the Air Force Institute of Technology, and the Air University system.

AF.EDU Solution
- The collaboration infrastructure:
  - MS Office SharePoint Server 2007 Enterprise
  - MS Live Communications Server
  - MS Exchange 2007
  - 20 TB 36 TB storage
- Primary data location is in San Antonio, Texas
- Backup data location is in Missouri
- Multiple redundant backups

USAFA Approach
- Use DREN as service provider for EDU
- Request policy relief
  - SDC exception
  - Software approval process
  - DREN firewall exceptions
  - Collaborative tools
- Separate EDU (DREN) & MIL (NIPRnet)

Before (1992-2006) [network diagram]: one USAFAnet serving Admin, Faculty, Cadets, Staff, Athletics, Medical and Finance, with shared Domain Ctrls, File Servers and Exchange, connected to DREN/Internet and to NIPRnet (.mil)

During (2006-2007) [network diagram]: USAFAnet (Admin, Faculty, Cadets, Staff, Athletics, Medical, Finance; Domain Ctrls, File Servers, Exchange) still connected to both DREN/Internet and NIPRnet (.mil)

After (July 2007) [network diagram]: USAFA.MIL (Admin, Medical, Finance; own Domain Ctrls, File Servers, Exchange) on NIPRnet (.mil), physically separate from USAFA.EDU (Faculty, Cadets, Staff, Athletics; own Domain Ctrls, File Servers, Exchange) on DREN/Internet

The Good, Bad & Ugly
- EDU is physically separate! (24 Jul 07)
- AF is more secure
- Teamwork -- One Team, One Fight!
- Migration took 30+ minutes per user x 6000
- Still many problems: Global Address List…
- Kiosks as interim solution
- AF Transformation reducing manning
- External DoD changes
Password Progression
- Username only
- Simple passwords – user created
- Weak password rules – e.g. 8 characters
- Expiration times – e.g. 60 – 180 days
- Computer generated
- Strong passwords with symbol combinations
- Time and place restrictions
- Biometric or Smartcard
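As an added illustration (not from the slides), the following Python classifies a password against the password-only stages of the progression above and checks the expiration window; the concrete rule attached to each stage, the entropy estimate and the sample passwords are assumptions, since the slide only names the stages.

```python
import math
import string
from datetime import date

# Stages from the "Password Progression" slide, weakest first. The min length
# and class-count thresholds are assumptions for this example.
STAGES = {
    "simple": {"min_len": 1, "min_classes": 1},  # user created, no rules
    "weak8":  {"min_len": 8, "min_classes": 1},  # "e.g. 8 characters"
    "strong": {"min_len": 8, "min_classes": 3},  # symbol combinations
}

CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def classes_used(password):
    """Return the names of the character classes present in the password."""
    return {n for n, chars in CLASSES.items() if any(c in chars for c in password)}


def entropy_bits(password):
    """Search-space estimate in bits, assuming the password is uniformly random
    over the classes it actually uses (an upper bound for user-chosen words)."""
    pool = sum(len(CLASSES[n]) for n in classes_used(password))
    return len(password) * math.log2(pool) if pool else 0.0


def meets_stage(password, stage):
    """True if the password satisfies the length and class rules of a stage."""
    rule = STAGES[stage]
    return (len(password) >= rule["min_len"]
            and len(classes_used(password)) >= rule["min_classes"])


def highest_stage(password):
    """Name the strictest stage the password satisfies, or None."""
    passed = [s for s in STAGES if meets_stage(password, s)]
    return passed[-1] if passed else None


def days_until_expiry(set_on, today, max_age_days):
    """Expiration rule (60-180 days on the slide); negative means expired."""
    age = (date.fromisoformat(today) - date.fromisoformat(set_on)).days
    return max_age_days - age


if __name__ == "__main__":
    for pw in ("pass", "password", "Tr0ub4d0r&3"):  # constructed samples
        print(pw, highest_stage(pw), round(entropy_bits(pw), 1))
    print(days_until_expiry("2008-01-01", "2008-04-08", 60))
```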
Smart Card Implementation
- AF Common Access Cards (CAC) – PKI
- Expense of cards ($ and manpower)
- Certificate Authority
- Implementation Problems:
  - Bad cards
  - Bad card readers
  - Middleware
  - Locked accounts
  - Lost cards

Software Approval
- Defense Information Assurance Certification & Accreditation Program (DIACAP)
- Designated Accreditation Authority
- Certification Authority
- Information Assurance Manager
- Information System Owner
- 4-6 months

Collaborative Tools
- AF Prohibition
  - Instant Messaging
  - VoIP (Skype)
  - Desktop Video-conferencing
  - Blogs and Chats
- DoD Solution
  - IBM Sametime
  - Adobe Connect

Internet Blocking
- MIL & EDU both block
  - Porn, Gambling, Hate Crimes, Criminal Skills
- MIL blocks, but EDU allows
  - Chat, Games, Lifestyle, Mature, Medical, MP3
  - IM, Facebook, YouTube
- Problem areas
  - Anonymizer, P2P, File Sharing, Games, Skype
  - MySpace, YouTube – malware problems

Network Access Control
- Comply & Connect at least a year away
- Host Based Security System
- SMS System Center Config Manager
- National Institute of Standards and Technology Tools
- Learn from civilian institutions
- Required antivirus
- Updated patches

Conclusion
- Can you have too much security?
- YES!
- How do you know when to stop?
- When the "pain exceeds the gain"
- Users work around it to get the job done
- Sell the change – communicate w/ users!
- Incremental changes are easier to sell
- Convey the threat and risk
- If you can't sell it, then drop it.

Questions