Security Services Appliance

Security Services Appliance Technical Overview

I‐Assure

8/31/2009

This document contains the design, architecture and components that comprise the Security Services Appliance (SSA). ©2009 ‐ I‐Assure, LLC. All Rights Reserved

Revision Record

VERSION DATE AUTHOR CHANGE DESCRIPTION

1.0 8/28/09 I‐Assure, LLC Initial Document

Table of Contents

3.0 Security Services Appliance .............................................................................................................. 4

3.1 Security Services Appliance Subsystems ....................................................................................... 6

3.1.1 Host Based Security System (HBSS) ...................................................................................... 6

3.1.1.1 McAfee® ePolicy Orchestrator (ePO) ............................................................................... 6

3.1.1.2 McAfee® Host Intrusion ................................................................................................... 7

3.1.1.3 IPS Features ...................................................................................................................... 7

3.1.1.3.1 Firewall Feature ............................................................................................................ 8

3.1.1.3.2 Application Blocking Feature ........................................................................................ 8

3.1.1.4 General Feature............................................................................................................... 8

3.1.1.5 McAfee® Rogue System Detection ................................................................................... 8

3.1.1.6 McAfee® Policy Auditor.................................................................................................... 9

3.1.1.7 Device Control Module .................................................................................................. 10

3.1.2 Secure Configuration Compliance Validation Initiative (SCCVI) ......................................... 11

3.1.2.1 eEye Digital Security’s Retina® Network Security Scanner ............................................ 12

3.1.2.2 Remote Enterprise Manager (REM) ............................................................................... 12

3.1.2.3 REM Update Server ........................................................................................................ 13

3.1.3 Secure Configuration Remediation Initiative (SCRI) ........................................................... 13

3.1.3.1 Hercules FlashBox ....................................................................................................... 14

3.1.3.2 Hercules Remediation Manager ..................................................................................... 14

3.1.3.3 Hercules Clients .............................................................................................................. 14

3.1.4 Windows Server Update Services (WSUS) .......................................................................... 14

3.1.5 Enterprise Antivirus and Antispyware ................................................................................ 15

3.1.5.1 Antivirus Enterprise ........................................................................................................ 15

3.1.5.2 AntiSpyware Enterprise .................................................................................................. 15

3.2 Ports, Protocols and Services ...................................................................................................... 16

3.3 Accreditation Boundary .............................................................................................................. 17

3.4 External Interfaces and Data Flow .............................................................................................. 17

3.5 Hardware List .............................................................................................................................. 18

3.6 Software List ............................................................................................................................... 18

3.0 Security Services Appliance The Security Services Appliance (SSA) is a pre‐configured hardware appliance based on the Dell R710 2U

rack mounted platform that provides compliance with the following DoD required Enterprise

Information Assurance (IA) Tools:

Host Based Security System (HBSS), Section 3.1

Secure Configuration Compliance Validation Initiative (SCCVI), Section 3.2

Secure Configuration Remediation Initiative (SCRI), Section 3.3

Additionally, the SAA incorporates the following IA functions:

Windows Server Update Services (WSUS), Section 3.4

Enterprise Antivirus and Antispyware, Section 3.5

Enterprise Audit, Section 3.6

The SSA hardware platform provides the following features to support availability:

Dual, redundant power supplies to support failover

Dual, quad network interface cards for network load balancing and failover

RAID 1 hard drive configuration for full mirroring

Dual, six core processors

Dual ranked memory

The SSA utilizes VMWare ESX 3.5i or VSphere 4i as the underlying hypervisor to establish “Guest” virtual

machines to support the above IA functions. Virtualization allows multiple virtual machines on a single

physical machine, sharing the resources of that single computer across multiple environments. Different

virtual machines can run different operating systems and multiple applications on the same physical

computer. The SSA is configured to support the following four virtual machines:

Virtual Machine #1 – support HBSS and Enterprise Antivirus/Antispyware

Virtual Machine #2 – support SCCVI

Virtual Machine #3 – support SCRI and WSUS

Virtual Machine #4 – support Enterprise Audit

The following diagram depicts the virtual machine distribution:

Security Services Appliance

HBSSAntiVirus

AntiSpyware

SCRIWSUS

SCCVI Audit

Virtual Machines

Each virtual machine utilizes Windows 2003 R2 Enterprise as the base operating system. The base

operating system has been configured in accordance with the DISA Windows STIG. All backend

databases that are required to support the IA functions utilize Microsoft SQL 2005 Express and have

been configured to comply with the DISA Database STIG. All frontend web servers that are required to

support the IA functions utilize Microsoft IIS or Apache and have been configured to comply with the

DISA Web STIG. The below diagram depicts the high‐level architecture of the SSA:

3.1 Security Services Appliance Subsystems

3.1.1 Host Based Security System (HBSS) Host Based Security System (HBSS) is one of the Department of Defense’s countermeasures against the many threats and malicious attacks targeted against our networks. Although HBSS is known to be a powerful countermeasure tool against known threats, it is important to remember that HBSS can only protect your network to the extent of its configuration. This HBSS deployment was configured per the Defense Information Systems Agency (DISA) Field Security Operations (FSO) team HBSS 3.0 Configuration Guide. Currently, HBSS is operated under a Type Accreditation issued by the DISA CIO under DITPR ID 8642, expiring 2 December 2009. Site accreditation responsibilities have been incorporated into this effort. HBSS is comprised of the subsystems listed and described in the following sections.

3.1.1.1 McAfee® ePolicy Orchestrator (ePO) McAfee® ePO allows IT administrators to centrally manage McAfee® products that make up the HBSS suite of components. ePO provides integration within and between endpoints, networks, data, and compliance solutions reduces security gaps and management complexity. Centralized visibility highlights:

Single point of reference for enterprise security enables you to quickly identify and understand relationships between security events throughout the accreditation boundary.

Web interface provides flexibility to manage security enterprise‐wide.

Customizable dashboards, using the DISA provided templates, and user interface provide personalized views of the security status and trends.

Automated reports and dashboards provide clear, current role‐based visibility into security status across the accreditation boundary.

Role‐based permissions ensure appropriate access and control for all administrators.

The below picture presents a basic overview of the ePO console:

3.1.1.2 McAfee® Host Intrusion McAfee® Host Intrusion Prevention is a host‐based intrusion detection and prevention system that protects system resources and applications from external and internal attacks. Host Intrusion Prevention protects against unauthorized viewing, copying, modifying, and deleting of information and the compromising of system and network resources and applications that store and deliver information. It accomplishes this through a combination of host intrusion prevention system signatures (HIPS), network intrusion prevention system signatures (NIPS), behavioral rules, and firewall rules. Signatures and rule sets are provided by DISA. Host Intrusion Prevention clients are deployed to servers and desktops and function as independent protective units. They report their activity to ePO and retrieve updates for new attack definitions through DISA. Host Intrusion Prevention is fully integrated with ePO and uses the ePO framework for delivering and enforcing policies. The division of Host Intrusion Prevention functionality into IPS, Firewall, Application Blocking, and General features provides greater control in delivering policy protections and protection levels to the users.

3.1.1.3 IPS Features The IPS (Intrusion Prevention System) feature monitors all system and API calls and blocks those that might result in malicious activity. Host Intrusion Prevention determines which process is using a call, the security context in which the process runs, and the resource being accessed. A kernel‐level driver, which receives redirected entries in the user‐mode system call table, monitors the system call chain. When

calls are made, the driver compares the call request against a database of combined signatures and behavioral rules to determine whether to allow, block, or log an action.

3.1.1.3.1 Firewall Feature The Host Intrusion Prevention Firewall feature acts as a filter between a computer and the network or Internet it is connected to. The Firewall Rules policy uses static packet filtering with top‐down rule matching. When a packet is analyzed and matched to a firewall rule, with criteria such as IP address, port number, and packet type, the packet is allowed or blocked. If no matching rule is found, the packet is dropped. The current version Firewall Rules policy uses both stateful packet filtering and stateful packet inspection.

3.1.1.3.2 Application Blocking Feature The Application Blocking feature monitors applications being used and either allows or blocks them. Host Intrusion Prevention offers two types of application blocking:

Application creation

Application hooking

When Host Intrusion Prevention monitors application creation, it looks for programs that are trying to run. In most cases, there is no problem; but, there are some viruses, for example, that try to run programs that harm a system. This is prevented by creating application rules, similar to firewall rules, which only allow programs to run that are permitted for a user. When Host Intrusion Prevention monitors application hooking, it looks for programs that are trying to bind or “hook” themselves to other applications. Sometimes, this behavior is harmless, but sometimes this is suspicious behavior that can indicate a virus or other attack on your system.

3.1.1.4 General Feature The Host Intrusion Prevention General feature provides access to policies that are general in nature and not specific to IPS, Firewall, or Application Blocking features. This includes:

Enabling or disabling the enforcement of all policies.

Determining how the client interface appears and is accessed.

Creating and editing trusted network addresses and subnets.

Creating and editing trusted applications to prevent triggering false positive events.

3.1.1.5 McAfee® Rogue System Detection Rogue systems are systems that access the accreditation boundary, but are not managed by the ePolicy

Orchestrator server. A rogue system can be any device on the network that has a network interface card

(NIC).

Rogue System Detection provides real‐time detection of rogue systems through use of Rogue System

Sensors installed throughout the network. These sensors listen to network broadcast messages and

DHCP responses to detect systems connected to the network. When the sensor detects a system on the

network, it sends a message to the ePolicy Orchestrator server. The server then checks whether the

system has an active agent installed and managed. If the system is unknown to the ePO server, Rogue

System Detection provides information to ePolicy Orchestrator to allow you to take remediation steps,

including alerting network and anti‐virus administrators or automatically deploying a McAfee® Agent to

the system. The system is currently configured to automatically deploy the McAfee® Agent and notify

the systems administrator that additional actions may need to be performed.

The below diagram presents a basic overview of the Rogue System Detection reporting mechanism:

3.1.1.6 McAfee® Policy Auditor McAfee® Policy Auditor maps IT controls against predefined policy content and automates manual

audit processes and to accurately report against internal and external policies. McAfee® Policy Auditor

has been configured to use a custom created audit policy to verify the DISA Windows STIG requirements

as the baseline audit content. McAfee® Policy Auditor is configured to perform weekly scans of

identified systems to ensure compliance. McAfee® Policy Auditor results are then imported into the

DISA SCRI product, McAfee® Remediation Manager, for automated remediation of non‐compliant

systems

Additionally, McAfee® Policy Auditor has been extended to include basic file integrity monitoring

capabilities, including detection of changes to file and directory permissions and content through

scheduled scans.

The below diagram presents a basic overview of the McAfee® Policy Auditor reporting mechanism:

3.1.1.7 Device Control Module McAfee® Device Control protects critical data from leaving the accreditation boundary through

removable media, such as USB drives, iPods, Bluetooth devices, recordable CDs and DVDs. McAfee®

Device Control provides extremely granular control over sensitive data. Policies have been implemented

that specify which devices can and cannot be used and defines what data can and cannot be copied

onto allowed devices. In accordance with current DoD policy, access to removable has been restricted

and is only available on a case‐by‐case basis. The following features are available within this product:

Regulate how users copy data to USB drives, iPods, recordable CDs and DVDs, floppies,

Bluetooth and IrDA devices, imaging devices, COM and LPT ports.

Protect all data, formats, and derivatives even when data is modified, copied, pasted,

compressed, or encrypted.

Prevent data loss wherever users go, without disrupting legitimate day‐to‐day activities

Centralized management through McAfee® ePO.

Quickly and easily configure, deploy, and update policies and agents throughout the

environment from a centralized management console.

Set device and data policies by user, group, or department

Specify which devices can and cannot be used by any Windows device parameter, including

product ID, vendor ID, serial numbers, device class, device name.

Specify what content can or cannot be copied onto devices that are allowed access.

Support auditing and compliance needs with detailed user‐ and device‐level logging.

Gather incident details such as device, time stamp, data evidence, and more for prompt and

proper response, investigation, and audit.

The below diagram presents a basic overview of the Device Control interaction:

3.1.2 Secure Configuration Compliance Validation Initiative (SCCVI) The DoD has selected and approved the installation and utilization of the SCCVI suite software to enhance the security posture of both unclassified and classified networks within the DOD community, which composes part of the Defense Information Infrastructure (DII). This product supplements and complements DISA’s “Defense‐in‐Depth” (DID) approach to protect, detect, react, and respond to possible intruder attacks against DISA assets worldwide. Currently, SCCVI is operated under a Type Accreditation issued by the DISA CIO under DITPR ID 5956, expiring 15 November 2011. Site accreditation responsibilities have been incorporated into this effort.

This SCCVI deployment was configured per the Defense Information Systems Agency (DISA) Field Security Operations (FSO) team SCCVI Configuration Guide. The SCCVI suite software provides network administrators and security personnel the capability of verifying vulnerability compliance. The SCCVI suite software is comprised of the following subsystems:

eEye Digital Security’s Retina® Network Security Scanner

Remote Enterprise Manager (REM)

REM Update Server

3.1.2.1 eEye Digital Security’s Retina® Network Security Scanner eEye Digital Security’s Retina® Network Security Scanner is a vulnerability management network scanner. It discovers assets and identifies known security vulnerabilities on a number of different platforms and technologies including servers, databases, switches, routers and wireless access points. Retina helps secure networks by:

Accurately discovering all the assets in the network infrastructure including operating system platforms, networked devices, databases and third party or custom applications. Retina also discovers wireless devices and their configurations, ensuring these connections can be audited for the appropriate security settings. Additionally, Retina scans active ports and confirms the services associated with those ports.

Implementing corporate policy driven scans to audit internal security guidelines and ensure that configuration requirements are enforced and comply with defined standards. Retina is configured using the “All Audits” policy.

Remotely identifying system level vulnerabilities to mimic an attacker’s point of view, providing information that an outsider would see about your network.

Providing a workflow approach to vulnerability management. Retina’s user interface allows for multiple views and reporting options with which to analyze assessment data.

3.1.2.2 Remote Enterprise Manager (REM) The Remote Enterprise Manager (REM) allows multiple scanners to be managed from one centralized

location. It also provides the ability for scanners to report their findings to on centralized location.

From here reports can be generated based on data collected from all of the scanners reporting to the

REM. The below diagram presents a basic overview of the REM console:

3.1.2.3 REM Update Server The REM Update Server allows administrators to manage all of their eEye Digital Security application

and data updates from a central location. The main screen in the REM Update Server allows

administrators to easily check if updates are available for their applications and data. If updates are

available, administrators are provided with the option of downloading the updates to an intermediate

repository. The stored updates can then be downloaded from the repository and distributed to the

client machines through the organization's network.

3.1.3 Secure Configuration Remediation Initiative (SCRI) The SCRI software provides an enterprise‐wide automated standardized tool to audit and remediate

emerging and known Information Assurance (IA) vulnerabilities at the asset level for the DoD. The SCRI

tool leverages the scanned data provided by SCCVI to apply patches, upgrades, fixes, or custom changes

to a specific system or group of systems impacted by IAVM information to facilitate the automatic

vulnerability remediation of devices on a network. The SCRI tool provides a sequence of automatically

executable remediation steps known as ‘remedies’ that will correct each recognized vulnerability.

Currently, SCRI is operated under a Type Accreditation issued by the DISA CIO under DITPR ID 5957, expiring 29 June 2012. Site accreditation responsibilities have been incorporated into this effort.

This SCCVI deployment was configured per the Defense Information Systems Agency (DISA) Field Security Operations (FSO) team SCCVI Configuration Guide. The SCCVI suite software is comprised of the following subsystems:

Hercules FlashBox

Hercules Administrator

Hercules Clients

3.1.3.1 Hercules FlashBox The Hercules FlashBox is owned and managed by DISA. The FlashBox service allows the local SCRI

installation to receive patches and policy updates from DISA. The system is set to retrieve updates

nightly. Once patches are retrieved, they can be “pushed” to Hercules clients.

3.1.3.2 Hercules Remediation Manager Hercules Remediation Manager is the front‐end console that Hercules Administrators utilize to configure

the application. Remediation Manager controls client deployments and provides instructions and

commands to clients for patch installation, check patch status and vulnerability status and remediation.

The Remediation Manager includes the Hercules Download Server, which facilitates the downloading of

required patches from DISA and the Hercules Channel Manager which keeps a status of patch download

locations.

3.1.3.3 Hercules Clients Hercules clients are installed on managed clients to facilitate the patch installation process. The Hercules

Clients are controlled by Hercules Remediation Manager and respond to commands and instructions.

Clients check in with Remediation Manager at specified intervals, or the Remediation Manager can

directly schedule tasks with the clients.

3.1.4 Windows Server Update Services (WSUS) Windows Server Update Services (WSUS) enables information technology administrators to deploy the

latest Microsoft product updates to computers that are running the Windows operating system. By

using WSUS, administrators can fully manage the distribution of updates that are released through

Microsoft Update to computers in their network. This installation of WSUS utilizes the DISA‐managed

WSUS server to synchronize and download updates. The WSUS installation was performed utilizing the

DISA provided guidance by establishing a new IIS website, locating all updates on a separate partition

and configuring the installation to DISA STIG standards. A Group Policy Object (GPO) can be utilized in an

Active Directory environment to “push” the local WSUS settings to client machines to direct them to the

local WSUS server installation for patches and updates. For non Active Directory environments, clients

can be manually configured to point to the local WSUS installation.

3.1.5 Enterprise Antivirus and Antispyware VirusScan Enterprise and Antispyware are integrated into the HBSS ePO console to provide centralized

deployment, policy configuration and enforcement, and detailed reporting. This enterprise deployment

is configured to support Windows, Linux, Solaris and Macintosh clients.

3.1.5.1 Antivirus Enterprise McAfee® VirusScan Enterprise proactively stops and removes threats, extends coverage for new security

risks, and reduces the cost of managing outbreak responses. Virus security products are only as good as

their most recent updates. VirusScan Enterprise has been configured for automatic daily updates from

the ePO console to ensure that desktops and servers are always up‐to‐date with the latest McAfee DAT

files and engines – the ePO console receives its updates from the DISA managed update server.

Additionally, the ePO console has been configured to apply the required Desktop STIG settings for

VirusScan Enterprise and perform daily virus scans.

The below picture presents a basic overview of the VirusScan Enterprise console:

3.1.5.2 AntiSpyware Enterprise McAfee® Antispyware Enterprise ensures that Potentially Unwanted Programs (PUP) can be detected

and removed. PUPs include adware, cookies, dialers, key loggers and remote administration tools.

McAfee® Antispyware Enterprise quickly identifies, blocks and eliminates PuPs before they can cause

any damage. On‐access scanning is performed to catch problems prior to installation. Additionally, the

ePO console has been configured to apply the required Desktop STIG settings for AntiSpyware.

3.2 Ports, Protocols and Services The following table lists the internal port and protocol flow. All communication is internal and does not

cross the outer firewall boundary.

External System Name

External System IP Address

Internal System Name

Data Classification

Protocol Direction Other

HBSS TBD Internal Clients

Sensitive TCP/80 HTTP

Outbound Agent / Server communication

HBSS TBD ePO

Admins Sensitive

TCP/443HTTPS

Outbound ePO Console web browser


Sensitive TCP/8081

Outbound

SuperAgent to Agent Wakeup

Call


Sensitive UDP/8081 Outbound

UDP for the SuperAgent broadcast for Global updating


Sensitive TCP/8082 Outbound SuperAgent Wakeup Call, uses SPIPE


Sensitive TCP/8080 Outbound Event Parser to

TOMCAT Service


Sensitive TCP/8444 HTTPS

Outbound Rogue system detection

sensor default


Sensitive TCP/8445HTTPS

Outbound Notifications

port


Sensitive TCP/8801 HTTP

Outbound Security Threats

communication

SCRI TBD Internal Clients

Sensitive TCP/8530HTTP

Outbound WSUS Clients

SCRI TBD SCRI

Admins Sensitive

TCP/443HTTPS

Outbound Hercules

Administrator


Sensitive TCP/445 Both

Remediate Windows operating systems


Sensitive TCP/22 Both Remediate

Unix operating systems

SCCVI TBD SCCVIAdmins

Sensitive TCP/443HTTPS

Outbound REM web access

AUDIT TBD Internal Clients

Sensitive UDP/514SYSLOG

Outbound Security events

3.3 Accreditation Boundary

3.4 External Interfaces and Data Flow

External System Name

External System IP Address

Internal System IP Address

Data Classification

Protocol Direction Other

ocsp.disa.mil 164.235.5.70 HBSSSCRI SCCVI

Sensitive HTTP Outbound Certificate verification

mainepo.csd.disa.mil 164.235.73.253 HBSSx.x.x.x

Sensitive HTTP Outbound HBSS

updates

dodwsus.csd.disa.mil 164.235.43.251 SCRIx.x.x.x

Sensitive HTTP Outbound Microsoft updates

mainflash.csd.disa.mil 152.229.146.49 SCRIx.x.x.x

Sensitive HTTP Outbound SCRI

updates

3.5 Hardware List

Reference Manufacturer IA Enabled (Yes/No)

CC Eval Status

Device Name Model Number

Firmware

Virtual Server host

Dell No N/A VM R710

Virtual Server Guest

Virtual No N/A HBSS Virtual


Virtual No N/A SCRI Virtual


Virtual No N/A SCCVI Virtual


Virtual No N/A AUDIT Virtual

3.6 Software List

Application Version DADMS # FAM Status Purpose IA Enabled (Yes/No)

CC Eval Status

ActivClient 6.1 48585 Approved CAC logon No N/A

Adobe Reader 9.1.3 57392 Approved PDF viewer No N/A

eEye Digital Security REM Events Manager

3.6.7.1429 57184 New Add Vulnerability Assessment

Yes EAL 2

eEye Digital Security REM Events Server

3.6.6.1412 57184 New Add Vulnerability Assessment

Yes EAL 2

eEye Digital Security Retina

5.10.14.1728 56860 AWR Vulnerability Assessment

Yes EAL 2

McAfee Hercules Remediation Manager

4.5.0 53595 Approved Vulnerability Remediation

Yes EAL 3

McAfee Hercules Remediation Client for Windows

4.5.0 48131 Approved Vulnerability Remediation

Yes EAL 3

J2SE Runtime Environment 5.0 Update 20

1.5.0.200 57456 Approved Runtime No N/A

Java(TM) 6 Update 15

6.0.150 57454 Approved Runtime No N/A

McAfee Agent 4.0.0.1421 N/A N/A

Agent for HBSS

No N/A

McAfee AntiSpyware

8.7.0.129 N/A N/A Spyware No N/A

Application Version DADMS # FAM Status Purpose IA Enabled (Yes/No)

CC Eval Status

Enterprise Module

McAfee DLP Management Tools

2.2.300.7 N/A N/A Data

protection No N/A

McAfee ePolicy Orchestrator

4.0.0 49977 Approved HBSS console Yes EAL 3

McAfee Policy Auditor Agent

5.1.0.183 N/A N/A Policy auditing No N/A

McAfee Policy Auditor Server

5.1.0.183 N/A N/A Policy auditing Yes EAL 3

McAfee Rogue System Detection Server

2.0.0 N/A N/A Detect

unwanted systems

No N/A

McAfee VirusScan Enterprise

8.7i 53916 AWR Antivirus Yes EAL 2

Microsoft .NET Framework

2.0 SP 2 44328 Approved Runtime No N/A


3.0 SP 2 48529 AWR Runtime No N/A


3.5 SP1 50204 AWR Runtime No N/A

Microsoft Office Word Viewer

2003 45819 Waiver View MS Word documents

No N/A

Microsoft SQL Server Express

2005 51811 AWR Database Yes Not

Evaluated

Microsoft SQL Server Management Studio Express

2005 57498 Approved Database

management No N/A

Microsoft Windows Server Update Services

3.0 SP1 48353 Approved Microsoft patches

No N/A

Windows Internet Explorer

8 56523 Approved Internet browsing

No N/A

Windows Server Enterprise

2003 R2 48800 Approved Operating system

Yes EAL 4+

VMWare ESXi/VSphere

3.5/5.0 54797 Approved Operating system

Yes In

evaluation for EAL 4+

Documents

Security Services Appliance