Protection of MAGTF information systems is essential and COMPUSEC is the means of pro- viding it. This protection includes knowledge of the threat and employing operating procedures, equipment, and personnel training to counter that threat. It also includes putting measures in place to detect intrusion early, plan for immediate action to counter attacks, and, if necessary, restore lost data and service.
Chief Information Security Officer Responsibilities
A command responsibility, COMPUSEC must be understood and practiced by all MAGTF infor- mation system users. However, overall network and information systems security responsibility belongs to the communications officer. Responsi- bilities include the following:
• Establish policy and procedures for LAN, WAN, and information systems management. Procedures include managing user iden- tification and assigning passwords.
• Maintain visibility and control of the operation and use of network services.
• Coordinate network management functions, including security, with the individual LAN managers and information systems coordinators. • Provide for training and education in threat capabilities and COMPUSEC procedures, with assistance from the unit security man- ager, G-2/S-2, and G-3/S-3 in coordination with all LAN managers and functional in- formation systems coordinators.
The communications officer provides overall COMPUSEC management through policies, directives, plans, and training. The communica- tions officer guides LAN managers, information systems coordinators, and information systems users in implementing procedures necessary to maintain reliable and secure information sys- tems. Much of the security for information sys- tems is provided at the individual workstation through operating systems and application-spe- cific access mechanisms. However, for net- worked applications and services, a well-devised network security plan is necessary to manage the various accesses and privileges that control read and write access to files and data. Monitoring the network is required to document activity and detect intruders. The COMPUSEC procedures must be integrated with and complement the overall communications information systems plan to ensure responsive service to authorized users while protecting against unauthorized access.
Implementation
The DODD 8500.01E, Information Assurance (IA), and DOD Instruction 8500.2, Information Assurance (IA) Implementation, establish and define mandatory, minimum standards for auto- mated information systems security. These docu- ments promote using computer-based security features that emphasize the personal responsibil- ity of system users. Current procedures rely on standalone workstations and system high net- works, which require dedicated routers and switches, making system security management
difficult. There are many ongoing programs to provide improved security services for individual workstations, LANs, and the overall defense infor- mation infrastructure. Multilevel Information Sys- tems Security Initiative (MISSI) products and services are being fielded incrementally as tech- nology matures. They include cryptographic cards, firewalls, high assurance guards, in-line network encryptors, and security management services.
Cryptographic Cards
Personal computer-configured cryptographic cards are gradually being introduced to provide different levels of INFOSEC protection, includ- ing confidentiality, data integrity, identification/ authentication, and nonrepudiation.
Firewalls
The Institute for Science and International Secu- rity defines a firewall as a system or group of sys- tems that enforce an access control policy between two networks.
There are many different firewall types, but the industry-accepted monikers for these are “packet filtering firewalls” and “proxying firewalls.” Packet filtering firewalls can be either static or dynamic in nature. Proxying firewalls can proxy traffic at the circuit level or application level and can provide “store and forward” type capabilities. Firewalls are one layer of defense used to pro- tect a network’s critical information, informa- tion systems, and applications. If used correctly, they can prevent unauthorized ingress and egress of the network and unauthorized disclosure of the network.
Current firewall technology can provide standard firewall capability sets, such as blocking and log- ging of nefarious traffic; anti-spam, URL [Uni- form Resource Locator] filtration, such as white listing and blacklisting; and antivirus functionality.
High Assurance Guards
High assurance guards, such as the secure net- work server with standard mail guard, are used to
protect against unauthorized release of classified information from a classified facility while allow- ing the release of unclassified information. High assurance means that the guard has been verified by the National Security Agency to be highly- resistant to penetration based on the application of rigorous security software engineering methods, extensive penetration testing, and security analy- sis during its development, production, and field- ing. The guard is required for information processing and exchange between facilities or sys- tems operating at different levels. The guard also ensures that external requests for access to the “guarded” higher security level locations are approved before allowing that access.
In-Line Network Encryptor
In-line network encryptors provide data confiden- tiality and integrity across LANs and WANs. They employ encryption and access control through cryptographic key management. Some in- line network encryptors can also provide traffic flow security services. In-line network encryptors operate with IP routers, packet switches, synchro- nous optical networks, and asynchronous transfer mode networks. Some of the in-line network encryptors offer combinations of these capabili- ties to allow for the future growth of networks based on synchronous optical network and asyn- chronous transfer mode technologies. A key fea- ture of in-line network encryptors is that they encrypt only the data, not the address information. This enables the transmission of classified data on unclassified networks or SCI data on secret net- works. In-line network encryptors, through soft- ware configuration and appropriate keying material, are used to link multiple sites.
Security Management Services
Security management services include security measures such as cryptographic keying, access control, authentication, and the use of pass- words. These services are needed to implement effective information systems security programs
within the MAGTF. Key security management services include—
• Local authority workstations that reside on the LAN and provide security capabilities such as digital signatures, cryptographic keys, and access control permissions.
• Rekey managers that work in conjunction with electronic key management systems to provide cryptographic rekey support for MISSI products.
• Audit managers that provide support for the collection and analysis of security-relevant
events that can be audited and are associated with MISSI products. Repeated failed user login is an example of a security-relevant event that can be audited.
• Directories that provide a repository for public security information essential for effective global message addressing. The public part of a user’s digital signature is an example of this type of public security information.
• Mail list agents that are used by messaging systems to add security for messages that are sent to many recipients.