Security Services Appliance Technical Overview
I‐Assure
8/31/2009
This document contains the design, architecture and components that comprise the Security Services Appliance (SSA). ©2009 ‐ I‐Assure, LLC. All Rights Reserved
Revision Record
VERSION DATE AUTHOR CHANGE DESCRIPTION
1.0 8/28/09 I‐Assure, LLC Initial Document
Table of Contents
3.0 Security Services Appliance
  3.1 Security Services Appliance Subsystems
    3.1.1 Host Based Security System (HBSS)
      3.1.1.1 McAfee® ePolicy Orchestrator (ePO)
      3.1.1.2 McAfee® Host Intrusion Prevention
      3.1.1.3 IPS Features
        3.1.1.3.1 Firewall Feature
        3.1.1.3.2 Application Blocking Feature
      3.1.1.4 General Feature
      3.1.1.5 McAfee® Rogue System Detection
      3.1.1.6 McAfee® Policy Auditor
      3.1.1.7 Device Control Module
    3.1.2 Secure Configuration Compliance Validation Initiative (SCCVI)
      3.1.2.1 eEye Digital Security’s Retina® Network Security Scanner
      3.1.2.2 Remote Enterprise Manager (REM)
      3.1.2.3 REM Update Server
    3.1.3 Secure Configuration Remediation Initiative (SCRI)
      3.1.3.1 Hercules FlashBox
      3.1.3.2 Hercules Remediation Manager
      3.1.3.3 Hercules Clients
    3.1.4 Windows Server Update Services (WSUS)
    3.1.5 Enterprise Antivirus and Antispyware
      3.1.5.1 Antivirus Enterprise
      3.1.5.2 AntiSpyware Enterprise
  3.2 Ports, Protocols and Services
  3.3 Accreditation Boundary
  3.4 External Interfaces and Data Flow
  3.5 Hardware List
  3.6 Software List
3.0 Security Services Appliance
The Security Services Appliance (SSA) is a pre-configured hardware appliance based on the Dell R710 2U rack-mounted platform that provides compliance with the following DoD-required Enterprise Information Assurance (IA) Tools:
Host Based Security System (HBSS), Section 3.1.1
Secure Configuration Compliance Validation Initiative (SCCVI), Section 3.1.2
Secure Configuration Remediation Initiative (SCRI), Section 3.1.3
Additionally, the SSA incorporates the following IA functions:
Windows Server Update Services (WSUS), Section 3.1.4
Enterprise Antivirus and Antispyware, Section 3.1.5
Enterprise Audit (no dedicated subsection; its syslog flow is listed in Section 3.2 and its virtual machine in Section 3.5)
The SSA hardware platform provides the following features to support availability:
Dual redundant power supplies to support failover
Dual quad-port network interface cards for network load balancing and failover
RAID 1 hard drive configuration for full mirroring
Dual six-core processors
Dual-ranked memory
The SSA utilizes VMware ESXi 3.5 or vSphere 4 (ESXi 4) as the underlying hypervisor to establish "Guest" virtual machines that support the above IA functions. Virtualization allows multiple virtual machines to run on a single physical machine, sharing the resources of that one computer across multiple environments. Different virtual machines can run different operating systems and multiple applications on the same physical computer. The SSA is configured to support the following four virtual machines:
Virtual Machine #1 – support HBSS and Enterprise Antivirus/Antispyware
Virtual Machine #2 – support SCCVI
Virtual Machine #3 – support SCRI and WSUS
Virtual Machine #4 – support Enterprise Audit
The following diagram depicts the virtual machine distribution:
[Figure: virtual machine distribution on the Security Services Appliance. VM 1: HBSS, AntiVirus, AntiSpyware; VM 2: SCCVI; VM 3: SCRI, WSUS; VM 4: Audit.]
Each virtual machine utilizes Windows Server 2003 R2 Enterprise as the base operating system. The base operating system has been configured in accordance with the DISA Windows STIG. All backend databases that are required to support the IA functions utilize Microsoft SQL Server 2005 Express and have been configured to comply with the DISA Database STIG. All frontend web servers that are required to support the IA functions utilize Microsoft IIS or Apache and have been configured to comply with the DISA Web STIG. The below diagram depicts the high-level architecture of the SSA:
3.1 Security Services Appliance Subsystems
3.1.1 Host Based Security System (HBSS)
Host Based Security System (HBSS) is one of the Department of Defense’s countermeasures against the many threats and malicious attacks targeted against our networks. Although HBSS is known to be a powerful countermeasure tool against known threats, it is important to remember that HBSS can only protect your network to the extent of its configuration. This HBSS deployment was configured per the Defense Information Systems Agency (DISA) Field Security Operations (FSO) team HBSS 3.0 Configuration Guide. Currently, HBSS is operated under a Type Accreditation issued by the DISA CIO under DITPR ID 8642, expiring 2 December 2009. Site accreditation responsibilities have been incorporated into this effort. HBSS is comprised of the subsystems listed and described in the following sections.
3.1.1.1 McAfee® ePolicy Orchestrator (ePO)
McAfee® ePO allows IT administrators to centrally manage the McAfee® products that make up the HBSS suite of components. ePO provides integration within and between endpoints, networks, data, and compliance solutions, reducing security gaps and management complexity. Centralized visibility highlights:
A single point of reference for enterprise security enables you to quickly identify and understand relationships between security events throughout the accreditation boundary.
A web interface provides the flexibility to manage security enterprise-wide.
Customizable dashboards, using the DISA-provided templates, and user interface provide personalized views of security status and trends.
Automated reports and dashboards provide clear, current, role-based visibility into security status across the accreditation boundary.
Role-based permissions ensure appropriate access and control for all administrators.
The below picture presents a basic overview of the ePO console:
3.1.1.2 McAfee® Host Intrusion Prevention
McAfee® Host Intrusion Prevention is a host-based intrusion detection and prevention system that protects system resources and applications from external and internal attacks. Host Intrusion Prevention protects against unauthorized viewing, copying, modifying, and deleting of information and the compromising of system and network resources and applications that store and deliver information. It accomplishes this through a combination of host intrusion prevention system signatures (HIPS), network intrusion prevention system signatures (NIPS), behavioral rules, and firewall rules. Signatures and rule sets are provided by DISA. Host Intrusion Prevention clients are deployed to servers and desktops and function as independent protective units. They report their activity to ePO and retrieve updates for new attack definitions through DISA. Host Intrusion Prevention is fully integrated with ePO and uses the ePO framework for delivering and enforcing policies. The division of Host Intrusion Prevention functionality into IPS, Firewall, Application Blocking, and General features provides greater control in delivering policy protections and protection levels to the users.
3.1.1.3 IPS Features
The IPS (Intrusion Prevention System) feature monitors all system and API calls and blocks those that might result in malicious activity. Host Intrusion Prevention determines which process is using a call, the security context in which the process runs, and the resource being accessed. A kernel-level driver, which receives redirected entries in the user-mode system call table, monitors the system call chain. When calls are made, the driver compares the call request against a database of combined signatures and behavioral rules to determine whether to allow, block, or log an action.
3.1.1.3.1 Firewall Feature
The Host Intrusion Prevention Firewall feature acts as a filter between a computer and the network or Internet it is connected to. The Firewall Rules policy uses static packet filtering with top-down rule matching: when a packet is analyzed and matched to a firewall rule, using criteria such as IP address, port number, and packet type, the first matching rule decides whether the packet is allowed or blocked. If no matching rule is found, the packet is dropped. The current version of the Firewall Rules policy adds both stateful packet filtering and stateful packet inspection to this rule matching.
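The rule semantics described above (top-down evaluation, first match wins, implicit drop when nothing matches, and the stateful extension that lets replies of an allowed connection through without their own rule), as an added example that is not McAfee code. The Packet and Rule layouts, the addresses, and the client-side rule set modelled on the HBSS agent flows in Section 3.2 are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str         # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str     # "in" or "out", relative to the protected host
    syn: bool = False  # TCP SYN without ACK, i.e. a new connection attempt


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "block"
    proto: Optional[str] = None   # None matches any value
    direction: Optional[str] = None
    remote: Optional[str] = None  # CIDR for the remote end of the packet
    dport: Optional[int] = None   # destination port of the packet

    def matches(self, pkt: Packet) -> bool:
        if self.proto and self.proto != pkt.proto:
            return False
        if self.direction and self.direction != pkt.direction:
            return False
        if self.remote:
            remote_ip = pkt.src if pkt.direction == "in" else pkt.dst
            if ipaddress.ip_address(remote_ip) not in ipaddress.ip_network(self.remote):
                return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def static_filter(rules: List[Rule], pkt: Packet) -> str:
    """Static packet filtering: rules are tried top-down, the first match
    decides, and a packet matching no rule is dropped (implicit deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "block"


class StatefulFilter:
    """Stateful variant: once a connection has been allowed by a rule, later
    packets of the same flow (including replies in the opposite direction)
    pass without re-matching the rule table, and a TCP packet that is not a
    SYN and belongs to no known flow is dropped."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.flows: Set[Tuple] = set()

    @staticmethod
    def _flow_key(pkt: Packet) -> Tuple:
        ends = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
        return (pkt.proto, ends[0], ends[1])

    def decide(self, pkt: Packet) -> str:
        key = self._flow_key(pkt)
        if key in self.flows:
            return "allow"
        if pkt.proto == "tcp" and not pkt.syn:
            return "block"
        verdict = static_filter(self.rules, pkt)
        if verdict == "allow":
            self.flows.add(key)
        return verdict


# Assumed addresses and an assumed client-side rule set: agent to ePO on
# TCP/80 and SuperAgent wakeup on TCP/8081 as in the ports table, then a
# specific block placed before a general allow to show that order matters.
EPO = "10.0.0.5"
HOST = "10.0.1.20"
CLIENT_RULES = [
    Rule("allow", "tcp", "out", EPO + "/32", 80),      # McAfee Agent to ePO
    Rule("allow", "tcp", "in", EPO + "/32", 8081),     # SuperAgent wakeup call
    Rule("block", "tcp", "out", "10.0.0.0/8", 23),     # block telnet ...
    Rule("allow", "tcp", "out", "10.0.0.0/8", None),   # ... before allowing the rest
]


def demo() -> dict:
    sf = StatefulFilter(CLIENT_RULES)
    agent_syn = Packet("tcp", HOST, 49152, EPO, 80, "out", syn=True)
    epo_reply = Packet("tcp", EPO, 80, HOST, 49152, "in")
    stray_ack = Packet("tcp", "10.0.9.9", 4444, HOST, 135, "in")
    telnet = Packet("tcp", HOST, 49153, "10.0.2.2", 23, "out", syn=True)
    udp_noise = Packet("udp", "10.0.9.9", 53, HOST, 1025, "in")
    return {
        "agent_to_epo": sf.decide(agent_syn),    # allow: rule 1
        "epo_reply": sf.decide(epo_reply),       # allow: established flow, no inbound rule needed
        "stray_ack": sf.decide(stray_ack),       # block: non-SYN with no state
        "telnet": sf.decide(telnet),             # block: rule 3 matches before rule 4
        "udp_noise": sf.decide(udp_noise),       # block: no rule matches, implicit deny
        "reordered_telnet": static_filter(CLIENT_RULES[::-1], telnet),  # allow: order matters
    }
```

The reordered case is the point a rule author most often gets wrong: with the general allow above the specific block, the telnet session is permitted, and the static filter alone would also drop the ePO reply because no inbound rule covers it; only the flow state lets it through.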
3.1.1.3.2 Application Blocking Feature
The Application Blocking feature monitors applications being used and either allows or blocks them. Host Intrusion Prevention offers two types of application blocking:
Application creation
Application hooking
When Host Intrusion Prevention monitors application creation, it looks for programs that are trying to run. In most cases there is no problem, but some viruses, for example, try to run programs that harm a system. This is prevented by creating application rules, similar to firewall rules, which allow only the programs permitted for a user to run. When Host Intrusion Prevention monitors application hooking, it looks for programs that are trying to bind or "hook" themselves to other applications. Sometimes this behavior is harmless, but it can also be suspicious behavior that indicates a virus or other attack on your system.
3.1.1.4 General Feature
The Host Intrusion Prevention General feature provides access to policies that are general in nature and not specific to the IPS, Firewall, or Application Blocking features. This includes:
Enabling or disabling the enforcement of all policies.
Determining how the client interface appears and is accessed.
Creating and editing trusted network addresses and subnets.
Creating and editing trusted applications to prevent triggering false positive events.
3.1.1.5 McAfee® Rogue System Detection
Rogue systems are systems that access the accreditation boundary but are not managed by the ePolicy Orchestrator server. A rogue system can be any device on the network that has a network interface card (NIC).
Rogue System Detection provides real-time detection of rogue systems through the use of Rogue System Sensors installed throughout the network. These sensors listen to network broadcast messages and DHCP responses to detect systems connected to the network. When a sensor detects a system on the network, it sends a message to the ePolicy Orchestrator server. The server then checks whether the system has an active agent installed and is managed. If the system is unknown to the ePO server, Rogue System Detection provides information to ePolicy Orchestrator to allow you to take remediation steps, including alerting network and anti-virus administrators or automatically deploying a McAfee® Agent to the system. The system is currently configured to automatically deploy the McAfee® Agent and notify the systems administrator that additional actions may need to be performed.
The below diagram presents a basic overview of the Rogue System Detection reporting mechanism:
3.1.1.6 McAfee® Policy Auditor
McAfee® Policy Auditor maps IT controls against predefined policy content, automates manual audit processes, and accurately reports against internal and external policies. McAfee® Policy Auditor has been configured to use a custom audit policy that verifies the DISA Windows STIG requirements as the baseline audit content. McAfee® Policy Auditor is configured to perform weekly scans of identified systems to ensure compliance. McAfee® Policy Auditor results are then imported into the DISA SCRI product, McAfee® Hercules Remediation Manager, for automated remediation of non-compliant systems.
Additionally, McAfee® Policy Auditor has been extended to include basic file integrity monitoring capabilities, including detection of changes to file and directory permissions and content through scheduled scans.
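The scheduled-scan integrity check described above, as an added example that is not McAfee Policy Auditor code: it records the permission bits and a SHA-256 digest of every entry under a directory, then compares two snapshots to report content changes, permission changes, and added or removed entries. The directory layout, file names and the drift simulated in demo() are constructed for illustration; permission bits are compared as POSIX mode bits, so the permission finding only reflects Windows ACL changes where the platform maps them to those bits.

```python
import hashlib
import os
import shutil
import stat
import tempfile
from typing import Dict, List, Tuple

Snapshot = Dict[str, Tuple[str, str]]   # relative path -> (mode bits, digest)


def _digest(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> Snapshot:
    """Record mode bits and a content digest for every file and directory
    under root. Directories carry the placeholder digest 'dir' so that a
    permission change on a directory is still reported."""
    snap: Snapshot = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            mode = oct(stat.S_IMODE(st.st_mode))
            if stat.S_ISREG(st.st_mode):
                digest = _digest(full)
            elif stat.S_ISDIR(st.st_mode):
                digest = "dir"
            else:
                digest = "other"           # symlink, device, etc.
            snap[os.path.relpath(full, root).replace(os.sep, "/")] = (mode, digest)
    return snap


def compare(baseline: Snapshot, current: Snapshot) -> List[Tuple[str, str]]:
    """Return (path, finding) for every difference between two scans,
    sorted by path so that reports are stable between runs."""
    findings: List[Tuple[str, str]] = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            findings.append((path, "removed"))
        elif path not in baseline:
            findings.append((path, "added"))
        else:
            old_mode, old_digest = baseline[path]
            new_mode, new_digest = current[path]
            if old_mode != new_mode:
                findings.append((path, f"permissions {old_mode} -> {new_mode}"))
            if old_digest != new_digest:
                findings.append((path, "content changed"))
    return findings


def demo() -> List[Tuple[str, str]]:
    """Build a constructed tree, take a baseline, simulate drift between two
    scheduled scans, and return the findings of the second scan."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "conf"))
        cfg = os.path.join(root, "conf", "app.ini")
        keep = os.path.join(root, "conf", "keep.txt")
        gone = os.path.join(root, "old.log")
        for path, body in ((cfg, b"debug=0\n"), (keep, b"ok\n"), (gone, b"x\n")):
            with open(path, "wb") as f:
                f.write(body)
            os.chmod(path, 0o640)
        base = snapshot(root)

        with open(cfg, "wb") as f:
            f.write(b"debug=1\n")                     # content change
        os.chmod(keep, 0o666)                         # permissions loosened
        os.remove(gone)                               # file removed
        with open(os.path.join(root, "conf", "backdoor.dll"), "wb") as f:
            f.write(b"MZ")                            # file added
        return compare(base, snapshot(root))
    finally:
        shutil.rmtree(root)
```

A real deployment would store the baseline off the monitored host (otherwise an attacker who can alter the files can alter the baseline too) and exclude paths that legitimately churn, such as log directories, so that the weekly report stays readable.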
The below diagram presents a basic overview of the McAfee® Policy Auditor reporting mechanism:
3.1.1.7 Device Control Module
McAfee® Device Control protects critical data from leaving the accreditation boundary through removable media such as USB drives, iPods, Bluetooth devices, and recordable CDs and DVDs. McAfee® Device Control provides extremely granular control over sensitive data. Policies have been implemented that specify which devices can and cannot be used and define what data can and cannot be copied onto allowed devices. In accordance with current DoD policy, access to removable media has been restricted and is only available on a case-by-case basis. The following features are available within this product:
Regulate how users copy data to USB drives, iPods, recordable CDs and DVDs, floppies, Bluetooth and IrDA devices, imaging devices, and COM and LPT ports.
Protect all data, formats, and derivatives even when data is modified, copied, pasted, compressed, or encrypted.
Prevent data loss wherever users go, without disrupting legitimate day-to-day activities.
Centralized management through McAfee® ePO.
Quickly and easily configure, deploy, and update policies and agents throughout the environment from a centralized management console.
Set device and data policies by user, group, or department.
Specify which devices can and cannot be used by any Windows device parameter, including product ID, vendor ID, serial number, device class, and device name.
Specify what content can or cannot be copied onto devices that are allowed access.
Support auditing and compliance needs with detailed user- and device-level logging.
Gather incident details such as device, time stamp, data evidence, and more for prompt and proper response, investigation, and audit.
The below diagram presents a basic overview of the Device Control interaction:
3.1.2 Secure Configuration Compliance Validation Initiative (SCCVI)
The DoD has selected and approved the installation and utilization of the SCCVI suite software to enhance the security posture of both unclassified and classified networks within the DoD community, which compose part of the Defense Information Infrastructure (DII). This product supplements and complements DISA’s "Defense-in-Depth" (DID) approach to protect, detect, react, and respond to possible intruder attacks against DISA assets worldwide. Currently, SCCVI is operated under a Type Accreditation issued by the DISA CIO under DITPR ID 5956, expiring 15 November 2011. Site accreditation responsibilities have been incorporated into this effort.
This SCCVI deployment was configured per the Defense Information Systems Agency (DISA) Field Security Operations (FSO) team SCCVI Configuration Guide. The SCCVI suite software provides network administrators and security personnel the capability of verifying vulnerability compliance. The SCCVI suite software is comprised of the following subsystems:
eEye Digital Security’s Retina® Network Security Scanner
Remote Enterprise Manager (REM)
REM Update Server
3.1.2.1 eEye Digital Security’s Retina® Network Security Scanner
eEye Digital Security’s Retina® Network Security Scanner is a vulnerability management network scanner. It discovers assets and identifies known security vulnerabilities on a number of different platforms and technologies including servers, databases, switches, routers and wireless access points. Retina helps secure networks by:
Accurately discovering all the assets in the network infrastructure including operating system platforms, networked devices, databases and third party or custom applications. Retina also discovers wireless devices and their configurations, ensuring these connections can be audited for the appropriate security settings. Additionally, Retina scans active ports and confirms the services associated with those ports.
Implementing corporate policy driven scans to audit internal security guidelines and ensure that configuration requirements are enforced and comply with defined standards. Retina is configured using the “All Audits” policy.
Remotely identifying system level vulnerabilities to mimic an attacker’s point of view, providing information that an outsider would see about your network.
Providing a workflow approach to vulnerability management. Retina’s user interface allows for multiple views and reporting options with which to analyze assessment data.
3.1.2.2 Remote Enterprise Manager (REM)
The Remote Enterprise Manager (REM) allows multiple scanners to be managed from one centralized location. It also provides the ability for scanners to report their findings to one centralized location. From there, reports can be generated based on data collected from all of the scanners reporting to the REM. The below diagram presents a basic overview of the REM console:
3.1.2.3 REM Update Server
The REM Update Server allows administrators to manage all of their eEye Digital Security application and data updates from a central location. The main screen in the REM Update Server allows administrators to easily check if updates are available for their applications and data. If updates are available, administrators are provided with the option of downloading the updates to an intermediate repository. The stored updates can then be downloaded from the repository and distributed to the client machines through the organization's network.
3.1.3 Secure Configuration Remediation Initiative (SCRI)
The SCRI software provides an enterprise-wide, automated, standardized tool to audit and remediate emerging and known Information Assurance (IA) vulnerabilities at the asset level for the DoD. The SCRI tool leverages the scan data provided by SCCVI to apply patches, upgrades, fixes, or custom changes to a specific system or group of systems impacted by IAVM information, facilitating automatic vulnerability remediation of devices on a network. The SCRI tool provides a sequence of automatically executable remediation steps known as "remedies" that will correct each recognized vulnerability.
Currently, SCRI is operated under a Type Accreditation issued by the DISA CIO under DITPR ID 5957, expiring 29 June 2012. Site accreditation responsibilities have been incorporated into this effort.
This SCRI deployment was configured per the Defense Information Systems Agency (DISA) Field Security Operations (FSO) team SCRI Configuration Guide. The SCRI suite software is comprised of the following subsystems:
Hercules FlashBox
Hercules Remediation Manager
Hercules Clients
3.1.3.1 Hercules FlashBox
The Hercules FlashBox is owned and managed by DISA. The FlashBox service allows the local SCRI installation to receive patches and policy updates from DISA. The system is set to retrieve updates nightly. Once patches are retrieved, they can be "pushed" to Hercules clients.
3.1.3.2 Hercules Remediation Manager
Hercules Remediation Manager is the front-end console that Hercules Administrators utilize to configure the application. Remediation Manager controls client deployments and provides instructions and commands to clients for patch installation, patch status checks, and vulnerability status and remediation. The Remediation Manager includes the Hercules Download Server, which facilitates the downloading of required patches from DISA, and the Hercules Channel Manager, which keeps a status of patch download locations.
3.1.3.3 Hercules Clients
Hercules clients are installed on managed systems to facilitate the patch installation process. The Hercules Clients are controlled by Hercules Remediation Manager and respond to its commands and instructions. Clients check in with Remediation Manager at specified intervals, or the Remediation Manager can directly schedule tasks with the clients.
3.1.4 Windows Server Update Services (WSUS)
Windows Server Update Services (WSUS) enables information technology administrators to deploy the latest Microsoft product updates to computers that are running the Windows operating system. By using WSUS, administrators can fully manage the distribution of updates that are released through Microsoft Update to computers in their network. This installation of WSUS utilizes the DISA-managed WSUS server to synchronize and download updates. The WSUS installation was performed utilizing the DISA-provided guidance by establishing a new IIS website, locating all updates on a separate partition, and configuring the installation to DISA STIG standards. A Group Policy Object (GPO) can be utilized in an Active Directory environment to "push" the local WSUS settings to client machines and direct them to the local WSUS server installation for patches and updates. For non-Active Directory environments, clients can be manually configured to point to the local WSUS installation.
3.1.5 Enterprise Antivirus and Antispyware
VirusScan Enterprise and Antispyware are integrated into the HBSS ePO console to provide centralized deployment, policy configuration and enforcement, and detailed reporting. This enterprise deployment is configured to support Windows, Linux, Solaris and Macintosh clients.
3.1.5.1 Antivirus Enterprise
McAfee® VirusScan Enterprise proactively stops and removes threats, extends coverage for new security risks, and reduces the cost of managing outbreak responses. Virus security products are only as good as their most recent updates. VirusScan Enterprise has been configured for automatic daily updates from the ePO console to ensure that desktops and servers are always up to date with the latest McAfee DAT files and engines; the ePO console receives its updates from the DISA-managed update server. Additionally, the ePO console has been configured to apply the required Desktop STIG settings for VirusScan Enterprise and perform daily virus scans.
The below picture presents a basic overview of the VirusScan Enterprise console:
3.1.5.2 AntiSpyware Enterprise
McAfee® Antispyware Enterprise ensures that Potentially Unwanted Programs (PUPs) can be detected and removed. PUPs include adware, cookies, dialers, key loggers and remote administration tools. McAfee® Antispyware Enterprise quickly identifies, blocks and eliminates PUPs before they can cause any damage. On-access scanning is performed to catch problems prior to installation. Additionally, the ePO console has been configured to apply the required Desktop STIG settings for AntiSpyware.
3.2 Ports, Protocols and Services
The following table lists the internal port and protocol flow. All communication is internal and does not cross the outer firewall boundary.

External System Name | External System IP Address | Internal System Name | Data Classification | Protocol | Direction | Other
--- | --- | --- | --- | --- | --- | ---
HBSS | TBD | Internal Clients | Sensitive | TCP/80 (HTTP) | Outbound | Agent / Server communication
HBSS | TBD | ePO Admins | Sensitive | TCP/443 (HTTPS) | Outbound | ePO Console web browser
HBSS | TBD | Internal Clients | Sensitive | TCP/8081 | Outbound | SuperAgent to Agent Wakeup Call
HBSS | TBD | Internal Clients | Sensitive | UDP/8081 | Outbound | UDP for the SuperAgent broadcast for Global updating
HBSS | TBD | Internal Clients | Sensitive | TCP/8082 | Outbound | SuperAgent Wakeup Call, uses SPIPE
HBSS | TBD | Internal Clients | Sensitive | TCP/8080 | Outbound | Event Parser to TOMCAT Service
HBSS | TBD | Internal Clients | Sensitive | TCP/8444 (HTTPS) | Outbound | Rogue system detection sensor default
HBSS | TBD | Internal Clients | Sensitive | TCP/8445 (HTTPS) | Outbound | Notifications port
HBSS | TBD | Internal Clients | Sensitive | TCP/8801 (HTTP) | Outbound | Security Threats communication
SCRI | TBD | Internal Clients | Sensitive | TCP/8530 (HTTP) | Outbound | WSUS Clients
SCRI | TBD | SCRI Admins | Sensitive | TCP/443 (HTTPS) | Outbound | Hercules Administrator
SCRI | TBD | Internal Clients | Sensitive | TCP/445 | Both | Remediate Windows operating systems
SCRI | TBD | Internal Clients | Sensitive | TCP/22 | Both | Remediate Unix operating systems
SCCVI | TBD | SCCVI Admins | Sensitive | TCP/443 (HTTPS) | Outbound | REM web access
AUDIT | TBD | Internal Clients | Sensitive | UDP/514 (SYSLOG) | Outbound | Security events
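A practitioner check built on the register above, as an added example that is not part of the original document or of any DISA tool: it parses the rows into an allowed (protocol, port) set per subsystem and reports every listening socket on a VM that the register does not cover, which is how an unregistered service such as RDP or SNMP shows up before an accreditation review does. It treats each row as a permitted port on that subsystem's VM regardless of the Direction column (a simplification), the netstat -an output is constructed sample input, and the parser accepts both the Windows and the Linux netstat layouts, which goes beyond the Windows-only VMs in this document.

```python
import re
from typing import Dict, List, Set, Tuple

# Rows transcribed from the ports, protocols and services table above.
PPS_TABLE = """
HBSS  TCP/80   Agent / Server communication
HBSS  TCP/443  ePO Console web browser
HBSS  TCP/8081 SuperAgent to Agent Wakeup Call
HBSS  UDP/8081 SuperAgent broadcast for global updating
HBSS  TCP/8082 SuperAgent Wakeup Call, uses SPIPE
HBSS  TCP/8080 Event Parser to Tomcat service
HBSS  TCP/8444 Rogue system detection sensor default
HBSS  TCP/8445 Notifications port
HBSS  TCP/8801 Security Threats communication
SCRI  TCP/8530 WSUS clients
SCRI  TCP/443  Hercules Administrator
SCRI  TCP/445  Remediate Windows operating systems
SCRI  TCP/22   Remediate Unix operating systems
SCCVI TCP/443  REM web access
AUDIT UDP/514  Security events (syslog)
"""

ENTRY = re.compile(r"^(?P<vm>\w+)\s+(?P<proto>TCP|UDP)/(?P<port>\d+)\s+(?P<desc>.+)$")


def parse_register(text: str) -> Dict[str, Set[Tuple[str, int]]]:
    """Map each subsystem to the (protocol, port) pairs the register allows.
    A row that does not parse is an error, not a silently dropped entry."""
    allowed: Dict[str, Set[Tuple[str, int]]] = {}
    for line in text.strip().splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            raise ValueError(f"unparseable register entry: {line!r}")
        allowed.setdefault(m["vm"], set()).add((m["proto"], int(m["port"])))
    return allowed


def listening_sockets(netstat_output: str) -> Set[Tuple[str, int]]:
    """Extract (protocol, port) for every listening socket from 'netstat -an'
    output. TCP sockets count only in LISTENING (Windows) or LISTEN (Linux)
    state; a bound UDP socket is always a receiver, so every UDP line counts."""
    sockets: Set[Tuple[str, int]] = set()
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].upper() not in ("TCP", "UDP", "TCP6", "UDP6"):
            continue
        proto = parts[0].upper()[:3]
        local = next((p for p in parts[1:] if ":" in p), None)  # first address column
        if local is None:
            continue
        port = int(local.rsplit(":", 1)[1])                   # also handles [::]:80
        if proto == "TCP" and parts[-1].upper() not in ("LISTEN", "LISTENING"):
            continue
        sockets.add((proto, port))
    return sockets


def unauthorized(vm: str, netstat_output: str, register: str = PPS_TABLE) -> List[Tuple[str, int]]:
    """Listening sockets on the named VM that the register does not cover."""
    allowed = parse_register(register)
    if vm not in allowed:
        raise KeyError(f"{vm} has no entries in the PPS register")
    return sorted(listening_sockets(netstat_output) - allowed[vm])


# Constructed sample: Windows 'netstat -an' output as it might look on the HBSS VM.
HBSS_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8443           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:80            10.0.1.20:49152        ESTABLISHED
  UDP    0.0.0.0:8081           *:*
  UDP    0.0.0.0:161            *:*
"""

if __name__ == "__main__":
    for proto, port in unauthorized("HBSS", HBSS_NETSTAT):
        print(f"HBSS: {proto}/{port} is listening but not in the PPS register")
```

On the constructed input the check flags TCP/3389 (remote desktop), TCP/8443 (a port that is close to, but not the same as, the registered 8444) and UDP/161 (SNMP); the established connection on port 80 is ignored because it is not a listener.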
3.3 Accreditation Boundary
3.4 External Interfaces and Data Flow
External System Name | External System IP Address | Internal System IP Address | Data Classification | Protocol | Direction | Other
--- | --- | --- | --- | --- | --- | ---
ocsp.disa.mil | 164.235.5.70 | HBSS, SCRI, SCCVI | Sensitive | HTTP | Outbound | Certificate verification
mainepo.csd.disa.mil | 164.235.73.253 | HBSS (x.x.x.x) | Sensitive | HTTP | Outbound | HBSS updates
dodwsus.csd.disa.mil | 164.235.43.251 | SCRI (x.x.x.x) | Sensitive | HTTP | Outbound | Microsoft updates
mainflash.csd.disa.mil | 152.229.146.49 | SCRI (x.x.x.x) | Sensitive | HTTP | Outbound | SCRI updates
3.5 Hardware List
Reference | Manufacturer | IA Enabled (Yes/No) | CC Eval Status | Device Name | Model Number | Firmware
--- | --- | --- | --- | --- | --- | ---
Virtual Server host | Dell | No | N/A | VM | R710 | 
Virtual Server Guest | Virtual | No | N/A | HBSS | Virtual | 
Virtual Server Guest | Virtual | No | N/A | SCRI | Virtual | 
Virtual Server Guest | Virtual | No | N/A | SCCVI | Virtual | 
Virtual Server Guest | Virtual | No | N/A | AUDIT | Virtual | 
3.6 Software List
Application | Version | DADMS # | FAM Status | Purpose | IA Enabled (Yes/No) | CC Eval Status
--- | --- | --- | --- | --- | --- | ---
ActivClient | 6.1 | 48585 | Approved | CAC logon | No | N/A
Adobe Reader | 9.1.3 | 57392 | Approved | PDF viewer | No | N/A
eEye Digital Security REM Events Manager | 3.6.7.1429 | 57184 | New Add | Vulnerability Assessment | Yes | EAL 2
eEye Digital Security REM Events Server | 3.6.6.1412 | 57184 | New Add | Vulnerability Assessment | Yes | EAL 2
eEye Digital Security Retina | 5.10.14.1728 | 56860 | AWR | Vulnerability Assessment | Yes | EAL 2
McAfee Hercules Remediation Manager | 4.5.0 | 53595 | Approved | Vulnerability Remediation | Yes | EAL 3
McAfee Hercules Remediation Client for Windows | 4.5.0 | 48131 | Approved | Vulnerability Remediation | Yes | EAL 3
J2SE Runtime Environment 5.0 Update 20 | 1.5.0.200 | 57456 | Approved | Runtime | No | N/A
Java(TM) 6 Update 15 | 6.0.150 | 57454 | Approved | Runtime | No | N/A
McAfee Agent | 4.0.0.1421 | N/A | N/A | Agent for HBSS | No | N/A
McAfee AntiSpyware Enterprise Module | 8.7.0.129 | N/A | N/A | Spyware | No | N/A
McAfee DLP Management Tools | 2.2.300.7 | N/A | N/A | Data protection | No | N/A
McAfee ePolicy Orchestrator | 4.0.0 | 49977 | Approved | HBSS console | Yes | EAL 3
McAfee Policy Auditor Agent | 5.1.0.183 | N/A | N/A | Policy auditing | No | N/A
McAfee Policy Auditor Server | 5.1.0.183 | N/A | N/A | Policy auditing | Yes | EAL 3
McAfee Rogue System Detection Server | 2.0.0 | N/A | N/A | Detect unwanted systems | No | N/A
McAfee VirusScan Enterprise | 8.7i | 53916 | AWR | Antivirus | Yes | EAL 2
Microsoft .NET Framework | 2.0 SP 2 | 44328 | Approved | Runtime | No | N/A
Microsoft .NET Framework | 3.0 SP 2 | 48529 | AWR | Runtime | No | N/A
Microsoft .NET Framework | 3.5 SP1 | 50204 | AWR | Runtime | No | N/A
Microsoft Office Word Viewer | 2003 | 45819 | Waiver | View MS Word documents | No | N/A
Microsoft SQL Server Express | 2005 | 51811 | AWR | Database | Yes | Not Evaluated
Microsoft SQL Server Management Studio Express | 2005 | 57498 | Approved | Database management | No | N/A
Microsoft Windows Server Update Services | 3.0 SP1 | 48353 | Approved | Microsoft patches | No | N/A
Windows Internet Explorer | 8 | 56523 | Approved | Internet browsing | No | N/A
Windows Server Enterprise | 2003 R2 | 48800 | Approved | Operating system | Yes | EAL 4+
VMware ESXi/vSphere | 3.5/5.0 | 54797 | Approved | Operating system | Yes | In evaluation for EAL 4+