TRANSCRIPT
Cryptologic and Cyber Systems Division
Providing the Warfighter’s Edge
AFLCMC… Providing the Warfighter’s Edge
Rogue Devices: OMG! What Are All These Rogue Devices on My Network?
Arlyne Shelton
AFLCMC/HNCDI
UNCLASSIFIED
OVERALL BRIEFING IS UNCLASSIFIED
Distro A: for Public Release
Overview
• Rogue Devices
• Rogue Devices Effects and Solutions
• DOD PKI as a Solution
• DoD NPE Portal
• Path Forward
• Summary
• Next Steps
• Questions
Rogue Devices
• Department of Homeland Security Strategy, 16 May 18
  – Current cyber threat: increased more than ten-fold in the last 5 years
  – Cyber security strategy: 60% focused on reducing or mitigating vulnerabilities
• What are rogue devices?
  – Unidentified access point
  – Unauthenticated computer equipment
Rogue Device Effects and Solutions
• Rogue device effects
  – Cyber attacks on government agencies
    • Equifax and Anthem breaches
    • AFCEA, The Cyber Edge, 20 Sept 2017
  – Federal cybersecurity survey
    • July 2017, Market Connections, Inc. and SolarWinds Worldwide, LLC
    • 30% increase in external hacking and denial of service
    • 60% of respondents felt confident
• What solutions can be used to prevent them?
  – Shared secret, port security, Internet Protocol Security (IPsec), Domain Name System Security Extensions (DNSSEC)
  – Public Key Infrastructure (PKI)
DOD PKI as a Solution
• What is an NPE certificate?
  – Credential granted to an authorized device
  – Ensures ownership and use in accordance with guidance and directives
• DOD PKI not more widely used due to
  – Lack of awareness
  – Degrades the user experience
  – Familiarity with legacy processes
  – Current PKI issuance method is a manual process
• DOD PKI benefits
  – Facilitates integrity of data transfer
  – Eliminates simple passwords for authentication
• Legacy certificate issuance (manual process)
  – Not responsive to the needs of the customer
  – Requires several out-of-band steps
• Is there a more streamlined method?
DoD NPE Portal
• DoD NPE Portal (Next Gen)
  – Replacing the manual process
  – Expands issuance methods
  – Trusted roles
• DoD NPE is an automated enterprise capability
  – SIPRNet and NIPRNet
  – Available for devices not connected to Active Directory
• Issuance methods
  – Web enrollment: automates device certificate issuance
  – Bulk enrollment: no daily limit for requesting and issuing device certificates
  – Device enrollment via Enrollment over Secure Transport (EST) and Simple Certificate Enrollment Protocol (SCEP)
    • Edge router, DMZ, etc.
    • Protocols support auto-enrollment
    • Reduced validity period on issued certificates
DoD NPE Capability Comparison
LEGACY                                       | NEXT Generation
100% manual process                          | Automatic issuance portal
Submit DD Form 2842-2 (<10)                  | Unlimited number of certificate requests
AF RA approval required                      | AF RA approval not required
Must monitor and renew prior to expiration   | Automatic renewal of certificates (EST)
Could take 1-5 days for certificate approval | Approval in seconds
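The EST/SCEP auto-enrollment and reduced-validity bullets on the issuance slide, and the "Automatic renewal of certificates (EST)" row in the comparison above, come down to two checks that a network peer and an enrollment client make on a device certificate: does it chain to the enterprise CA, and is it close enough to expiry to re-enroll. The shell script below is an added example, not code from the briefing or from the DoD NPE Portal. It uses a constructed throwaway CA in place of the DoD PKI, a hypothetical router name (edge-rtr01.example.mil), a 30-day validity period, and openssl's -checkend option to decide renewal. It also shows why subject name alone is not trust: a rogue device presenting a self-signed certificate with the very same CN is rejected.

```shell
#!/bin/sh
# Added example (not from the briefing). Simulates the NPE device-certificate
# lifecycle with a constructed, throwaway CA standing in for the DoD PKI:
#   1. a device enrolls with a PKCS#10 CSR and receives a short-lived cert,
#   2. the network accepts the device only if its cert chains to the trusted
#      CA (a rogue device with a self-signed cert is rejected),
#   3. a renewal check mirrors what EST auto-renewal does on a short
#      validity period, so certificates never silently lapse.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed "enterprise" CA (assumption: stands in for the DoD NPE CA).
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/O=Example NPE CA/CN=Example NPE Issuing CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# Device enrollment: key pair and CSR are generated on the device itself;
# the CN is a hypothetical router name.
openssl req -new -newkey rsa:2048 -nodes \
  -subj "/CN=edge-rtr01.example.mil" \
  -keyout "$WORK/device.key" -out "$WORK/device.csr" 2>/dev/null

# Issuance with a reduced validity period (30 days rather than years).
openssl x509 -req -days 30 -in "$WORK/device.csr" \
  -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
  -out "$WORK/device.pem" 2>/dev/null

# A rogue device: same claimed name, but self-signed and unknown to the CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -subj "/CN=edge-rtr01.example.mil" \
  -keyout "$WORK/rogue.key" -out "$WORK/rogue.pem" 2>/dev/null

# verify_device CA_PEM DEVICE_PEM -> prints "accept" or "reject".
# This is the check an 802.1X or TLS peer makes: the identity is trusted
# only if the certificate chains to the enterprise CA, whatever the
# subject claims.
verify_device() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo accept
  else
    echo reject
  fi
}

# needs_renewal DEVICE_PEM WINDOW_SECONDS -> prints "renew" if the cert
# expires within the window, "keep" otherwise. An EST client polling on a
# schedule would re-enroll as soon as this says "renew".
needs_renewal() {
  if openssl x509 -noout -checkend "$2" -in "$1" >/dev/null 2>&1; then
    echo keep
  else
    echo renew
  fi
}

echo "enrolled device:      $(verify_device "$WORK/ca.pem" "$WORK/device.pem")"
echo "rogue device:         $(verify_device "$WORK/ca.pem" "$WORK/rogue.pem")"
echo "renew within 15 days? $(needs_renewal "$WORK/device.pem" $((15*86400)))"
echo "renew within 45 days? $(needs_renewal "$WORK/device.pem" $((45*86400)))"
```

Run it with sh on a host that has openssl. The renewal window is the knob that matters once validity periods shrink: a window shorter than the enrollment client's polling interval will let certificates expire between polls.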
DoD NPE Portal Roles
PKI Sponsor                           | Capability           | Approval  | Functionality
Unregistered Sponsor (any CAC holder) | Web, Bulk            | RA        | Same as Legacy
Registered Sponsor                    | Web, Bulk, SCEP, EST | Automatic | Next Generation
Administrator                         | Web, Bulk, SCEP, EST | Automatic | Next Generation
DoD NPE Path Forward
• Current projections
  – Operational Assessment: Fall 2018
    • AF participating
    • Sufficient participation sites for Web & Bulk
    • Need Cisco & Juniper devices for EST & SCEP
  – FOT&E: Spring 2019
    • AF participating
    • More sites and devices will be needed
  – Full Deployment Decision: Spring 2019
Summary
• Rogue devices
  – Risk to the network
  – PKI as a solution
• Legacy NPE vs. NPE Portal
  – Manual process
    • Several out-of-band steps
    • Approval in days
  – Automated process
    • Streamlined and scalable
    • Approval in seconds
• NPE path forward
  – Current schedule projections
  – Requirement for more participation
Next Steps for YOU
• Assess your environment
– How are your devices authenticating?
– Verify need for NPE certificates
– Identify devices eligible for auto-enrollment with EST/SCEP
• Complete the NPE Portal Training (https://powhatan.iiie.disa.mil/pki-pke/training/NPE/FOUO_index.html)
• Verify you can reach the portal (https://npe-portal.csd.disa.mil/NPEPortal)
• Identify and request roles for your personnel
• Request being part of Operational Assessment
– Visit the AF PKI SPO booth for more info
– Contact AF RA org box ([email protected])
AF PKI SPO POCs
• AF PKI [email protected]
• AF PKI Registration Authority [email protected]
Questions