Tag Archive for: JRSS

JIE-READY STEP 4: Develop artifacts for IA and ATO

The design and implementation phases of JRSS and JIE will, very likely, receive a significant amount of scrutiny from Information Assurance (IA) to ensure that numerous standards and guidelines are followed. The goal of this scrutiny is to obtain an Authorization to Operate (ATO). There are many different components of the IA process and developing artifacts to support the ATO effort (unfinished sentence?). RedSeal will provide some unique analysis artifacts that without RedSeal would be extremely cumbersome and time-consuming to obtain. At a high level these items include STIG checking for devices, segment access validation, validation of configuration against standard or gold build, and logical zone compliance.

jiestep4RedSeal’s model of the network will allow for faster artifact development and the development of these artifacts BEFORE deployment. The RedSeal platform has the capability to combine any components of the model (hosts, devices, subnets, etc.) into logical groups. These are referred to as zones (sometimes also called segments or enclaves). Because RedSeal understands all the access in the network, the platform is capable of presenting and measuring all access into and out of the zone and between all other zones or the network at large. It is also possible to write business or policy decisions against those access paths and track those decisions for compliance purposes. This RedSeal use case will assist JRSS and JIE with meeting or exceeding the Department of Defense Ports, Protocols, and Services Management (PPSM) guidelines. These guidelines will be applied to the Joint Regional Security Stack (JRSS) and the components that comprise the stack.

Assessing network access by logically zoning or grouping is one piece of the puzzle. RedSeal will also be assessing the components of the JRSS for compliance with other standards of configuration as mentioned earlier, such as STIGs and gold builds. These device level checks are somewhat customizable as well. Certain components of STIGs require modification to meet the environment, and RedSeal allows for that customization within STIG specific checks. It also allows for full customization or creation of device-level checks in the event a new verification check is needed. Within the RedSeal platform, not only is the security of the network analyzed, the security of the component stack providing the security services is analyzed and verified as well.

The Department of Defense has already begun building JRSS and assessing legacy networks. Understanding that legacy infrastructure, ensuring it is effective and efficient, assessing security and meeting compliance during design and migration and beyond, are critical steps. Are you ready for JIE? RedSeal Networks is.

JIE-READY STEP 3: Visualize before migration

The phase between design and implementation for JRSS and JIE is critical. During this phase the most important thing is to have full visibility of the entire JIE infrastructure, even before it is migrated. RedSeal provides the bridge mechanism needed during this critical assessment phase.

Visualization can lead to deeper understanding of the current behavior of segmentation and the effectiveness of controlling access to these segments or enclaves, which in turn helps in reducing redundancy and increasing efficacy.

 

jiestep3

Visualization, identification and measurement allows you to identify and measure all the avenues of access, understanding them visually and through technical reports. RedSeal provides identification and measurement that are not restricted to live networks or devices. The model can be created using proposed configurations or design considerations and present what the network and controls will look like before deployment or in between deployment and cut over. This distinct capability will provide the bridge mechanism needed during critical assessment phases between design and implementation for JRSS and JIE.

Another benefit of the RedSeal network model is faster artifact development, as we will discuss in the next post.

JIE-READY STEP 2: Defense in depth

Defense in depth is a term and idea that is not new to the information technology world. A classic implementation at the network level of defense in depth is segmentation, or building enclaves. In certain cases, segmentation was taken to an extreme level, resulting in massive decentralization of computing environments. Unfortunately this decentralization does not remove the need for these segments or enclaves to communicate with other information assets. Thus the segments or enclaves are connected to the network from which they may have originally been divested. This does not mean that security controls restricting or monitoring access to these enclaves was removed. What it does mean is that there is a very high likelihood of major redundancy implemented while attempting to secure or control these segments.

jiestep2The RedSeal model can be leveraged to not only identify these redundancies visually, but to also identify the efficacy of these controls by measuring access across and through the entire network. Investigating one segment of the network and the control mechanisms related to the segment is not sufficient. The network must be measured as a whole operating entity or system to effectively identify all possible access and points of control. Through these means, RedSeal will be providing another unique benefit to JRSS and enhancing the preparedness for JIE.

Understanding the current behavior of segmentation and the effectiveness of controlling access to these segments or enclaves will assist with reducing redundancy in the current operational system while increasing efficacy. There may be too many rules in a firewall creating overly-restrictive access and operational bog to the system. There may be too many routers providing similar or identical access to systems, between systems, or across network boundaries. Perhaps there are too many layers of load balancing performing additional address translations and VIP presentations that are not only difficult to manage but not really providing any more security. RedSeal will identify and measure all the avenues of access and represent it visually and via a myriad of reporting techniques in technical depth.

Our next blog will discuss Step 3 – Visualization before Migration.

JIE-READY STEP 1: Know what you have

The first and arguably most critical step in any data center consolidation or migration is to first understand what you have. Most complex or large-scale networks have grown so rapidly over the years or decades that there is no clear picture of the functioning system. As the opportunity to refresh large-scale global infrastructure becomes available today, experts are building security in on the front end. The challenge is understanding what exists today, how it is (or isn’t) being secured, and then designing the security requirements in tandem with the new system/network. RedSeal Networks provides a unique perspective on what is happening today on the network, how the network is actually connected, and the efficacy of security controls deployed in the network.

jie-step-1RedSeal Networks can provide this unique perspective by aggregating the configurations of core components that comprise the network, more specifically routers, firewalls, load balancers and switches. The RedSeal platform then analyzes these configurations and creates a model of the network. This is a visual representation of the network itself, but it is also a full model of all possible access based on the devices and the configurations of those devices. This model is a critical first step in understanding the DoD infrastructure today and will be the foundation upon which RedSeal will continue to provide unique data for the success of JRSS and JIE.

The model of networked infrastructure that RedSeal is providing to the JRSS project will not only help understand access at a high level. This model allows the capability to drill down into specific access areas, enclaves, single path analysis, and even model access that doesn’t yet exist. It is this flexibility that will allow architects and design experts to understand, from a high level down to fine detail, what is working today and what is not, so the new infrastructure can be designed effectively and efficiently.

Our next blog post will address Step 2 – Defense in Depth.

JIE-READY: A roadmap

The United States Department of Defense Joint Information Environment (JIE) began to take shape in 2010, as part of efficiency initiatives to consolidate Defense IT infrastructure and generate savings, provide full situational awareness across all defense networks, and improve the Department’s ability to share information between the services and with its industry partners and other government agencies.  While full capabilities are not expected to be realized until the 2016-2020 timeframe, DoD is already hard at work with industry to procure and configure IT in a more secure fashion and the first demonstration of JIE will take place in Europe this year, hosted by the U.S. European Command. Many organizations are asking themselves if they are JIE-ready, yet what exactly does this mean?

jieintro1 RedSeal Networks is playing a key part in the security component of the JIE program. Part of the JIE program is to migrate to a Single Security Architecture (SSA). The deployment of this SSA will be realized through what is commonly referred to as Joint Regional Security Stacks (JRSS). Within these stacks are integrated technology components that will provide comprehensive security to the JIE environment. The development and deployment of JRSS along with the overall JIE program will take a significant effort of consolidation and migration to realize the financial and organizational benefits. RedSeal’s role in this effort is recognized through four key use cases of the RedSeal Networks platform.

The four key areas where the RedSeal platform will have impact with respect to JIE are aligned with the phases of JRSS development and can be seen as:

  • Model and visualize the current state of your complex legacy networks and security infrastructure including calculating every possible internal and external attack path
  • Ensure defense in depth with tiers/enclaves are efficient and effective
  • Visualize the completed JIE infrastructure before migration even begins
  • Create artifacts for JIE ATO and IA certifications

Our next blog post will discuss how to model and visualize legacy environments.