Trusted Internet Connections

Background Pervasive and sustained cyber attacks against the United States continue to pose a potentially devastating impact on federal systems and operations. Reports of widespread and coordinated attacks over the course of several days have targeted Web sites operated by major government agencies, including the Departments of Homeland Security and Defense, the Federal Aviation Administration, and the Federal Trade Commission. The Director of National Intelligence testified in February 2009 that foreign nations and criminals had targeted government and private-sector networks to gain a competitive advantage or potentially disrupt or destroy them, and that terrorist groups had expressed a desire to use cyber attacks as a means to target the United States.

Background Estimations of more than 8000 Internet connections –Every Internet Access Point is a potential open door for malicious activity –Levels of protection vary, e.g., Firewalls, Rule sets, Intrusion Detection –The entire set of Government Internet Access Points is not well defined and controlled In July 2009, GAO reported that almost all 24 major federal agencies had weaknesses in information security controls. No event correlation or monitoring across Internet connections. Distributed Attacks could go unnoticed for long periods of time. The current cyber threat is much more prevalent, persistent, and covert than previously considered and requires immediate action

The Solution – Trusted Internet Connections In November 2007, the Office of Management and Budget announced the Trusted Internet Connection (TIC) Initiative in Memorandum M Intended to improve the federal government’s security posture and incident response capability by: –reducing and consolidating external network connections to 100 total –centrally monitoring the traffic passing through Internet connections for potentially malicious activity. All federal agencies in the executive branch, except for the Department of Defense, are required to implement the initiative.

Trusted Internet Connections Similar to a Shared Service Provider 2 types of TICAPS –Single Service Provider –Multi Agency Service Provider

Example TIC Configuration

TIC Security and Configuration Impact All External Connections must be terminated in the TIC Internet and External facing hosts must be moved to a TIC VLANs can no longer be used as a security mechanism Mail and User Internet access must transverse a TIC Multiple levels of inspection required Continuous monitoring by Einstein and GSOC

What is an “External Connection?” A physical or logical connection between information systems, networks, or components of information systems & networks that are, respectively, inside and outside of specific Department or Agency’s (D/A) certification and accreditation (C&A) boundaries established by the D/A, for which: the D/A has no direct control over the application of required security controls or the assessment of security control effectiveness on the outside information system, network, or components of information systems & networks; or the D/A, notwithstanding any direct or indirect control over the application of required security controls or the assessment of security control effectiveness, has specific reason to believe that the external system1 has a substantially reduced set of security controls or an increased threat posture relative to the internal system. NIST SP

What is an “External Connection?” The following types of connections will be considered “external connections”: – Connections between a D/A information system, network, or components of information systems and networks and the globally- addressable internet. – Connections between a D/A information system, network, or components of information systems and networks and a remote information system, network, or components of information systems and networks located on foreign soil or where a foreign entity may have any level of physical or logical access to your internal systems.

TIC – A VLAN is not a Security Mechanism

What is Public Debt Doing? Completed request to become two of the four Treasury Trusted Internet Connection Access Providers. ( two of 17 government wide ) TIC equipment has been deployed at both Primary and Secondary datacenters. DHS has recently completed the Treasury TIC TVC with a 100% score Public Debt is currently migrating all external connectivity and hosts to the Public Debt TIC

Public Debt TIC Features Content Filtering Proxy Services IDS/IPS (multiple vendors) Firewalls (multiple vendors) Remote Access Layer 2 – 7 Inspection devices Virus Scanning Appliances Load Balancing Full Packet Capture

TNet Network and Security Devices TIC Bureau TIC Business Partner Treasury Application TIC Internet Bureau Network and Security Devices High Level TIC

Questions?

References: OMB Memo M-08-05, Implementing the Trusted Internet Connections (TIC) HSPD 23, Cybersecurity Policy NIST Special Publication , Managing Risk from Information Systems – An Organizational Perspective NIST Special Publication , Recommended Security Controls for Federal Information Systems FIPS Publication, Security Requirements for Cryptographic Modules OMB Memorandum M-08-05, November 2007 (Reduce total number of Government external internet connections to 50) TD P Appendix F, May 2008 ( Requirements for Creating Secure Internet Access Points ) TIC Connection Policy per OMB & OCIO