Trusted Internet Connections


Background

• Pervasive and sustained cyber attacks against the United States continue to pose a potentially devastating impact on federal systems and operations.

• Reports of widespread and coordinated attacks over the course of several days have targeted Web sites operated by major government agencies, including the Departments of Homeland Security and Defense, the Federal Aviation Administration, and the Federal Trade Commission.

• The Director of National Intelligence testified in February 2009 that foreign nations and criminals had targeted government and private-sector networks to gain a competitive advantage or potentially disrupt or destroy them, and that terrorist groups had expressed a desire to use cyber attacks as a means to target the United States.


Background

• Estimates of more than 8000 Internet connections

– Every Internet Access Point is a potential open door for malicious activity

– Levels of protection vary, e.g., Firewalls, Rule sets, Intrusion Detection

– The entire set of Government Internet Access Points is not well defined and controlled

• In July 2009, GAO reported that almost all 24 major federal agencies had weaknesses in information security controls.

• No event correlation or monitoring across Internet connections. Distributed Attacks could go unnoticed for long periods of time.

• The current cyber threat is much more prevalent, persistent, and covert than previously considered and requires immediate action


The Solution – Trusted Internet Connections

• In November 2007, the Office of Management and Budget announced the Trusted Internet Connection (TIC) Initiative in Memorandum M-08-05.

• Intended to improve the federal government’s security posture and incident response capability by:

– reducing and consolidating external network connections to 100 total

– centrally monitoring the traffic passing through Internet connections for potentially malicious activity.

• All federal agencies in the executive branch, except for the Department of Defense, are required to implement the initiative.


Trusted Internet Connections

• Similar to a Shared Service Provider

• 2 types of TICAPS

– Single Service Provider

– Multi Agency Service Provider


Example TIC Configuration


TIC Security and Configuration Impact

• All External Connections must be terminated in the TIC

• Internet and External facing hosts must be moved to a TIC

• VLANs can no longer be used as a security mechanism

• Mail and User Internet access must traverse a TIC

• Multiple levels of inspection required

• Continuous monitoring by Einstein and GSOC


What is an “External Connection?”

A physical or logical connection between information systems, networks, or components of information systems & networks that are, respectively, inside and outside of specific Department or Agency’s (D/A) certification and accreditation (C&A) boundaries established by the D/A, for which:

• 3.1.1. the D/A has no direct control over the application of required security controls or the assessment of security control effectiveness on the outside information system, network, or components of information systems & networks; or

• 3.1.2. the D/A, notwithstanding any direct or indirect control over the application of required security controls or the assessment of security control effectiveness, has specific reason to believe that the external system has a substantially reduced set of security controls or an increased threat posture relative to the internal system.

NIST SP 800-39


What is an “External Connection?”

The following types of connections will be considered “external connections”:

– 4.1.1. Connections between a D/A information system, network, or components of information systems and networks and the globally-addressable internet.

– 4.1.2. Connections between a D/A information system, network, or components of information systems and networks and a remote information system, network, or components of information systems and networks located on foreign soil or where a foreign entity may have any level of physical or logical access to your internal systems.


TIC – A VLAN is not a Security Mechanism


What is Public Debt Doing?

• Completed request to become two of the four Treasury Trusted Internet Connection Access Providers (two of 17 government wide).

• TIC equipment has been deployed at both Primary and Secondary datacenters.

• DHS has recently completed the Treasury TIC TVC with a 100% score

• Public Debt is currently migrating all external connectivity and hosts to the Public Debt TIC


Public Debt TIC Features

• Content Filtering

• Proxy Services

• IDS/IPS (multiple vendors)

• Firewalls (multiple vendors)

• Remote Access

• Layer 2 – 7 Inspection devices

• Virus Scanning Appliances

• Load Balancing

• Full Packet Capture


High Level TIC

(Diagram; labels: TNet, Network and Security Devices, TIC, Bureau, Business Partner, Treasury, Application, Internet)


Questions?


References:

OMB Memo M-08-05, Implementing the Trusted Internet Connections (TIC)

HSPD 23, Cybersecurity Policy

NIST Special Publication 800-39, Managing Risk from Information Systems – An Organizational Perspective

NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems

FIPS 140-2 Publication, Security Requirements for Cryptographic Modules

OMB Memorandum M-08-05, November 2007 (Reduce total number of Government external internet connections to 50)

TD P 85 01 Appendix F, May 2008 (Requirements for Creating Secure Internet Access Points)

TIC Connection Policy per OMB & OCIO