NETWORK DEFENSE: DEFENSE IN DEPTH 1
Network Defense: Defense in Depth as it
Relates to the US Army Enterprise in Southwest Asia
Alen S. Schulze - G00027048
Grantham University
March 15, 2011
Author Note
Correspondence concerning this article should be addressed to MSG Alen S. Schulze,
United States Army, Headquarters and Headquarters Company, 160th
Signal Brigade, Southwest
Asia Theater Network Operations and Security Center, APO AE 09366
Contact: alen.schulze@us.army.mil
Table of Contents
Table of Figures----------------------------------------------------------------------------------------------4
Introduction --------------------------------------------------------------------------------------------------6
Research Questions to Consider ---------------------------------------------------------------------------7
Research Plan ------------------------------------------------------------------------------------------------9
Abstract -----------------------------------------------------------------------------------------------------10
Network Architecture and Design -----------------------------------------------------------------------11
Threats to the Enterprise ----------------------------------------------------------------------------------14
Unauthorized Access -----------------------------------------------------------------------------15
Unauthorized Probe-------------------------------------------------------------------------------16
Denial of Service----------------------------------------------------------------------------------19
Malicious Logic-----------------------------------------------------------------------------------22
Insider Threat--------------------------------------------------------------------------------------25
Vulnerabilities-------------------------------------------------------------------------------------27
Enterprise Defense in Depth
Tier 0 - Tools, Techniques and Processes-----------------------------------------------------29
CENTAUR-------------------------------------------------------------------------------30
IPSonar®---------------------------------------------------------------------------------31
Deep Packet Inspection-----------------------------------------------------------------32
Tier 1 - Tools, Techniques and Processes-----------------------------------------------------33
Aggregate Security Router-------------------------------------------------------------33
Access Control Lists/DAPE------------------------------------------------------------33
Cisco Secure Intrusion Detection System (CSIDS) --------------------------------34
Stateful Firewalls------------------------------------------------------------------------35
Network Address Translation (NAT) ------------------------------------------------35
Tier 2 - Tools, Techniques and Processes-----------------------------------------------------37
ArcSight ESM --------------------------------------------------------------------------38
Intrusion Prevention System ----------------------------------------------------------38
BlueCoat Proxy Server ----------------------------------------------------------------40
Brightmail--------------------------------------------------------------------------------41
Host Based Security System -----------------------------------------------------------41
System Center Configuration Manager ----------------------------------------------43
Tier 3 - Tools, Techniques and Processes-----------------------------------------------------44
Public Key Infrastructure (PKI) -------------------------------------------------------44
Information Assurance Vulnerability Management Program ---------------------45
Information Assurance and Computer Network Defense --------------------------46
Conclusion--------------------------------------------------------------------------------------------------47
Table of Figures
Figure 1, Tiered Enterprise Architecture ---------------------------------------------------------12
Figure 2, Example of relationship between Tier 3 and network defense programs--------13
Figure 3, Nmap scan results -----------------------------------------------------------------------18
Table 1, Common Denial of Service Attacks ---------------------------------------------------20
Figure 4, Distributed Denial of Service Attack -------------------------------------------------21
Figure 5, Number of Vulnerabilities in Network, OS and Applications --------------------28
Figure 6, Tier 0 Defense ---------------------------------------------------------------------------24
Figure 7, Tier 1 Defense ---------------------------------------------------------------------------34
Figure 8, How NAT works ------------------------------------------------------------------------36
Figure 9, Tier 2 Defense ---------------------------------------------------------------------------37
Figure 10, BlueCoat Proxy Server ----------------------------------------------------------------40
Figure 11, HBSS Configuration -------------------------------------------------------------------42
Introduction
This project will describe the architecture of the US Army Enterprise Network and the
threats that the enterprise encounters daily. The research will identify numerous tools and
programs that the Army Enterprise uses to mitigate these threats or to slow the threat so the
administrators can respond in an organized manner. Today in our Military, there is an ever
growing dependency on computer networks. This topic was chosen because I currently work as
an Incident Manager and Project Manager for the Army Enterprise that is providing support to
over 300,000 War fighters, Peacekeepers and Contractors throughout Southwest Asia. I feel
comfortable with the subject and have extensive knowledge of the tools, programs and have
reference materials for the items the research will identify. My course of study has been in
Information Management Technologies; the tools I will describe are management tools for
Information Technologies so the subject of this project and degree program has a direct
correlation. Further, I have a great professional interest in Network Engineering and Information
Assurance/Computer Network Defense; the research will also show that the tools and programs
that the Army Enterprise uses are the same systems and tools that can and are used in large
Corporate Enterprise Networks. The decision was made to create a project about the Army
Enterprise instead of a Corporate Enterprise due to my familiarity with the structure and protective
measures in use by the Army Enterprise and Department of Defense.
This project is dedicated to my beautiful and loving wife Melissa Jimenez Schulze. You
are the most amazing woman in the world, and I am the luckiest man in the world to have you in
my life.
Research Questions to Consider
1. How do I discuss the tiered structure of the Enterprise and the equipment that resides at
each tier?
a. Explain the tiered structure (Tier 1, Tier 2, Tier 3 down to the hosts connected to
the LAN) and accompany that discussion with a diagram that shows the different
Tiers and tools in each.
2. What are the major threats to the Enterprise Network that are going to be addressed in the
research?
a. These threats will be discussed in depth: Unauthorized Access, Denial of Service,
Data Compromise, Unauthorized Probe, Malicious Logic, Explained Anomaly and
Insider Threat.
3. What are the vulnerabilities that would allow the threats to be successful in an attack in
each of the tiers?
a. Systems not being properly patched, firewalls not being properly configured, lack
of authentication (i.e. Exchange, SharePoint, and Network Access Control).
4. What are the tools, equipment and programs that address these issues?
a. The following systems will be discussed: Sensor Network/Grid, ArcSight ESM,
ArcSight Logger, Bluecoat Proxy, BrightMail, Host Based Security System (Device
Control Module (DCM)), Common Access Cards/Public Key Infrastructure, Intrusion
Prevention System (with IDS on board) and Cisco Secure Intrusion Detection System
(CSIDS).
5. What are the Processes that are used to take a proactive approach to network defense?
a. The following processes will be discussed: Router Access Control Lists, IP
Blocks, Domain Name poisoning or black-holing, Deep Packet Inspection, scripts
that are programmed into Blue Coat proxies, and Policies such as Authorized
Software Lists and Acceptable Use Agreements.
Research Plan and Assets
I currently have a handicap in regards to research and key sources of information due to
my location in Afghanistan. I am limited to the internet and some military publications although
the products, programs and tools that will be described and discussed in the project are used
across the world and for many Fortune 500 companies as well as the Army. There are many
white papers and technical documents on the manufacturers’ web sites that I will use as
references, so there is definitely no shortage of reference material. I have also referred to the
National Security Agency (NSA) web page which discusses the concept of Defense in Depth
which was conceived by the NSA as a comprehensive approach to information and electronic
security. I will utilize some open source military doctrine to assist in describing the Enterprise
Architecture. In this project I may be required to frame some of the discussion to more of a
business setting due to the classification of some of the details in regards to the security
procedures the administrators use. This project will be required to undergo numerous reviews by
my Security Operations team to ensure I am not crossing the line and the project remains devoid
of any classified information. I have acquired some books to utilize for this project, Parker, Donn
B. (1998), Fighting Computer Crime, and Bosworth, Seymour and Kabay, M. E., The Computer
Security Handbook, which will assist in my research and discussion about Information Assurance
Vulnerabilities.
Abstract
Defense in Depth is a practical strategy for achieving Information Assurance in today’s
highly networked environments. It is a “best practices” strategy in that it relies on the intelligent
application of techniques and technologies that exist today. The strategy recommends a balance
between the protection capability and cost, performance, and operational considerations (Defense
in Depth, 2010). This project provides an overview of the major elements of the strategy. To
effectively resist attacks against its information and information systems, an organization needs
to characterize its adversaries, their potential motivations, and their classes of attack. It is
imperative that the administrators and users protect our networks and the information stored on
them from these threats. The defense in depth strategy is the Department of Defense’s “best
business practices” and is a military strategy that was conceived by the National Security
Agency. The strategy seeks to delay the advance of an attacker, buying time and causing
additional casualties by yielding space. Rather than defeating an attacker with a single, strong
defensive line, defense in depth relies on the tendency of an attack to lose momentum over a
period of time or as it covers a larger area (www.nsa.gov). The idea of defense in depth is now
widely used to describe non-military strategies and is commonly used to defend, protect and
secure Corporate Enterprises of many Fortune 500 Companies and Corporations worldwide.
Managers must be vigilant and understand all the possible threats to these networks due to the
relatively free flow of information and availability in these networks and the sensitivity of the
information within. Knowing which portion of the Enterprise is the most vulnerable or
susceptible to attacks is definitely useful, but having a defense in depth to either stop the attack,
or at a minimum slow the attack, is paramount.
Network Architecture and Design
The US Army Enterprise Network that is supporting the War fighters, Peacekeepers and
Contractors that are engaged in combat and peacekeeping operations in Afghanistan, Iraq and
numerous other countries in Southwest Asia was designed and built with a Tiered Structure in
mind to facilitate the ability to follow the National Security Agency’s best business practices to
defend in depth. The Tiered Network design also facilitates the redundancy of communications
links that are providing services to the Force. The interpretations of the tiers in the Enterprise
Network vary depending on the organization and their role in the administration of the Enterprise
Network. In the broadest terms, the Enterprise consists of Tier 0 through Tier 3.
Tier 0 includes all strategic links, fiber optic links and Satellite links that connect the
Enterprise Network to the Global Information Grid (GIG). These links serve as the high speed
transport for all Enterprise traffic to flow out to the internet, make phone calls worldwide and
connect to Department of Defense Information Systems in the Continental United States or
various other locations throughout the world. Due to the fact that the Enterprise Network
connects to the Global Information Grid and traffic can flow out, it is imperative that the
administrators and users defend, protect and secure the Enterprise Network from intrusions.
Tier 1 links are much like the Tier 0 links in that they are predominately fiber optic,
satellite and Microwave Line of Sight (MLoS) links. The Tier 1 links interconnect the locations
throughout the theater of operation so they can communicate and share information. Tier 1
circuits also provide the bandwidth and redundancy that the Enterprise Network requires to
support the customers. They act much like the Tier 0 links but instead of connecting directly to
the Global Information Grid, the Tier 1 circuits transport the services from the Global
Information Grid to different regions that are being supported by the Enterprise.
As discussed previously, Tiers 0 and 1 are mostly transport circuits that provide the
customers' connectivity to the GIG. Tier 2 of the network is where most of the services
are provided to the customer. There are numerous servers, programs and processes that reside at
Tier 2. Some of the services provided at this level are Active Directory and Exchange for
e-mail services, shared drives and SharePoint® servers, as well as the Switched Local Area Network
(LAN). The research for this project will show that the majority of the services and security will
be provided at the Tier 2 level as illustrated in Figure 1.
Figure 1, Tiered Enterprise Architecture
Tier 3 is where the end user physically connects to the Tier 2 hub or switch,
essentially connecting their workstation to the Enterprise, which provides all the Enterprise
services required to Command, Control, Communicate, share data via connected Computers, use
Combat Systems, gather Intelligence, and conduct Surveillance and Reconnaissance. In the Army,
leaders refer to these capabilities as C5ISR (www.kratosdefense.com). There are many programs
that are used to defend and secure the Enterprise that reside on hosts or workstations that are
connected to Tier 3, as we will see later in the project; this is also illustrated in Figure 2.
Figure 2, Example of the relationship between Tier 3 and network defense programs and equipment
Threats to the Enterprise
Today, there is an ever growing dependency on computer networks for business
transactions, military support and various government agencies just to name a few. With the free
flow of information and the high availability of many resources, Enterprise Managers and
Administrators must understand the possible threats to their networks (Cisco Systems, 2005).
They also need to know the ramifications if a vulnerability is found and exploited by the threat.
Defending the Enterprise is a very challenging task: Network Managers need to be successful in
defending the network 100% of the time; the people trying to get into the Enterprise only need to
be successful once. These threats take many forms, but all of them will result in the loss of
privacy to some degree or the malicious destruction of information or resources that will
inevitably lead to the loss of money, information or competitive edge; in terms of the Army, it
could lead to the spillage of classified information which can and will cost lives.
Knowing what areas of the Enterprise are more susceptible to network intruders and who
is a common attacker is helpful but these days, not very effective. The past trend was to trust
internal users and to distrust external connections by using Virtual Private Networks. In the
Army Enterprise, keeping with the defense in depth strategy, the network engineers use firewalls
as well as Virtual Private Networks. It is important to be able to trust users that are internal to the
network; it is also important to trust users that are using the resources of the internal network
from outside of the Enterprise. However, the trust must be weighed with reality and the risk must
be assessed. According to a survey conducted by CSO Magazine with help from the U.S. Secret
Service, Carnegie Mellon Software Engineering Institute (CERT) and Deloitte’s Center for
Security and Privacy Solutions (Shead, 2010), 60 percent or more of attacks are perpetrated by
insiders, and there is an increasing trend to deny all access and permit by exception as well as
other more strict security measures.
Not all threats are meant to be malicious, but they can exhibit the same behavior and
cause just as much harm whether they are intended or not (Cisco Systems, 2005). The Army
Enterprise has to constantly battle the increasing issue of viruses and malware that can be found
on compromised computer systems and servers and pose an unintentional security threat from
unsuspecting users. Many times, this happens from transferring data from unsecure and dirty
home systems to the Army Enterprise without conducting a thorough virus and malware scan.
This makes it even more important to have measures and policies in place to prevent this threat
and to have hosts on the network patched and updated for any known vulnerabilities. Next the
research will discuss some of the known threats that the Army Enterprise faces daily; these are
the same threats that any corporate enterprise faces and the same threats that users face on their
home networks.
Unauthorized Access
Unauthorized access is when an unauthorized actor gains access to an asset, whether it is
a server that hosts SharePoint, Exchange, Active Directory, a network drive or a host itself. If
unauthorized access is gained it is usually the result of intercepting some information over an
insecure channel or exploiting a weakness in the enterprise, equipment or software
(http://www.deepnines.com, 2010). This makes the practice of using defense in depth important
to slow the actor before damage can be done. Unauthorized access generally requires
reconnaissance, usually conducted from the internet, by wiretapping or through a wireless network.
Another common component to reconnaissance is social engineering. Social engineering
threatens every user, whether it is a phishing e-mail or a phone call pretending to be from your
local help desk or IT Department. If the supposed help desk or IT person asks an unwary user for their
username and password over the phone, the impersonator can now access possibly confidential
information or steal credentials (Pearson Education, 2005). That being said, it is important to
have policies in place and educate users to prevent this type of incident.
With regards to the Army Enterprise supporting operations in Southwest Asia, if an
intruder is going to gain unauthorized access to the Enterprise, it will need to be done from the
internet. The actor will be required to conduct a lot of research and information gathering to first
find out what networks or network resources are susceptible to vulnerabilities. Some of the more
common techniques for this are reachability checks or port scanning. A reachability check uses
tools to verify that a network or device exists and is reachable. A Domain Name Service query is
a good way to verify who owns a particular domain and what addresses are assigned to that
domain; this can be followed by the ping command to verify that the target is reachable. Some of
the more common methods for obtaining unauthorized access are establishing a false identity with
false credentials, physical access to network devices, eavesdropping on shared media networks
and reachability checks. Other commands and tools are Telnet and NSLOOKUP (Teo, 2000).
Unauthorized Probe
Port scanning is an example of an Unauthorized Probe and is likely the most popular
network probe. Essentially, an unauthorized probe is scanning an IP range looking for
vulnerabilities such as open ports or other services that are available for exploitation (Cisco
Systems, 2005). A port scan is a method used by intruders to discover the services running on a
target machine. The intruder can then plan an attack on any vulnerable service that they find. For
example, if the intruder finds that port 143, which is known to be the IMAP port, is open, they
may proceed to find out what version of IMAP is running on the target machine. If the version is
vulnerable, they may be able to gain “super user” access to the machine using an “exploit” (a
program that exploits a security hole) (Teo, 2000). An example of a service that is exploitable is
a program we all know and love, Skype. Because all Skype users are logged into the same
“cloud,” any Skype user can usually discover if any other Skype user is logged on at a given
instant. It appears that Skype attempts to send packets directly over the Internet between
participants in a conversation, but if a direct path is not possible, Skype will instead send the
packets through other computers running Skype. These intermediate computers are called “super
nodes.” This is an issue because Skype uses any available port to communicate, so the use of a
port scan can identify these vulnerable ports and can lead to exploitation (Garfinkel, 2005). A
port scan is actually very simple to perform. All the hacker has to do is attempt to connect to a
series of ports on the machine and find out which ports respond and which don't. A simple port
scanner can be written in under 15 minutes by a good programmer in a language such as Java or
Perl. However, this kind of port scan is easily detectable by the operating system of the target
machine and therefore most intruders will not run this kind of port scan against a machine these
days. Nevertheless, the Enterprise needs to be protected against this action whether it occurs
often or not. The Army Enterprise in Southwest Asia is probed tens of thousands of times per
day. Some of these probes are malicious, some are network mapping tools or authorized scans by
tools on the network.
Another kind of port scan is called the “half-open” SYN scan. In this scan, the port
scanner connects to the port but shuts down the connection right before a full connection occurs
(hence the name “half-open”). Since a full connection never happens, the operating system of the
target machine usually does not log the scan. This concept will be clearer if you're familiar with
the inner workings of TCP/IP. In a normal TCP/IP connection, two devices need to complete a
three-way handshake before initiating transmission. In a “half-open” SYN scan, the three-way
handshake is never completed; the port scanner judges whether the port is open by the response
given by the target machine (Teo, 2000). Now that the research has covered the basic concepts of
port scanning, let's talk about the most popular and powerful network probing tool available
today, Nmap (Network Mapper). Nmap is capable of conducting both types of port scans that the
research has shown so far. Figure 3 shows a typical Nmap scan against a machine.
Figure 3, Nmap scan results
Nmap is a free and open source utility for network exploration or security auditing. Many
systems and network administrators also find it useful for tasks such as network inventory,
managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP
packets in new and different ways to determine what hosts are available on the network, what
services (application name and version) those hosts are offering, what version of
operating systems they are running, what type of packet filters/firewalls are in use, and dozens of
other characteristics. It was designed to rapidly scan large networks, but works fine against
single hosts. As you can see from the scan results in Figure 3, it is relatively easy to find open
ports on a system to exploit.
Denial of Service
A denial of service (DoS) attack is exactly that, an interruption of service either because a
system is destroyed or because it is temporarily unavailable (Cisco Systems, 2005). Some ways
to conduct a denial of service attack are by destroying the system hard drive, severing the
physical infrastructure, or using all of the available memory of a system or server to a point
where it cannot process any more commands or processes. In this day and age, corporations are
heavily dependent on information systems, and time is money, so the loss of the ability to
network can mean the loss of money, command and control or the effectiveness of the civil
services. Many common DoS attacks originate from network protocols such as Internet Protocol
(IP). Some DoS attacks can be prevented by ensuring systems are patched with vendor provided
patches and security updates for affected software; some DoS attacks cannot be stopped but they
can be constrained to minimize the affected IP scope. Some common denial of service attacks are
the TCP Synch Attack, Ping of Death, Land.c Attack, Teardrop.c Attack, Smurf Attack and Fraggle
Attack; see Table 1.
Name of DoS Attack   | Vulnerability Exploited
TCP Synch Attack     | Memory is allocated for TCP connections such that not enough memory is left for other functions
Ping of Death Attack | Fragmentation implementation of IP whereby large packets are reassembled and can cause machines to crash
Land.c Attack        | Transmission Control Protocol (TCP) connection established
Teardrop.c Attack    | Fragmentation implementation of IP whereby reassembly problems can cause machines to crash
Smurf Attack         | Flooding networks with broadcast traffic (Internet Control Message Protocol (ICMP) echo requests) such that the network is congested
Fraggle Attack       | Flooding networks with broadcast traffic (User Datagram Protocol (UDP) echo requests) such that the network is congested
Table 1, Common Denial of Service Attacks. Note: reprinted from “Threats in an Enterprise Network,” Pearson
Education, Inc., page 253, copyright 2005 by Pearson Education.
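The “half-open” SYN scan described under Unauthorized Probe and the TCP Synch Attack in Table 1 leave the same trace on the wire: TCP handshakes that are started and never completed. As an added example (not from the paper), the following Python sketch shows how a network sensor could flag both from one connection log; the log format, thresholds, addresses and the traffic itself are constructed for this example.

```python
"""Flag half-open port scans and TCP SYN floods in a TCP segment log.

Added example, not from the original paper. Assumed log format (one
client-to-server segment per line, as a border sensor might export it):
    <epoch_seconds> <src_ip> <src_port> <dst_ip> <dst_port> <flags>
with flags such as "S" (SYN), "A" (ACK) or "R" (RST).
"""
from collections import defaultdict

SCAN_PORTS = 10   # distinct ports on one host probed from one source ...
FLOOD_SYNS = 20   # never-completed SYNs to one host:port ...
WINDOW = 10.0     # ... within this many seconds


def parse_flows(log_text):
    """Group segments into connection attempts keyed by the TCP 4-tuple.

    'done' means the client sent an ACK after its SYN (handshake finished);
    a "half-open" SYN scan and a SYN flood never do this.
    """
    flows = {}  # (src, sport, dst, dport) -> {"t": first SYN time, "done": bool}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # blank or malformed line
        t, src, sport, dst, dport, flags = parts
        key = (src, int(sport), dst, int(dport))
        if flags == "S" and key not in flows:
            flows[key] = {"t": float(t), "done": False}
        elif "A" in flags and key in flows:
            flows[key]["done"] = True
    return flows


def max_in_window(times, window):
    """Largest number of timestamps inside any span of `window` seconds."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def detect(log_text):
    """Return {"scans": [...], "floods": [...]} for the given log text."""
    flows = parse_flows(log_text)
    first_syn = defaultdict(dict)   # (src, dst) -> {dport: first SYN time}
    completed = defaultdict(int)    # (src, dst) -> finished handshakes
    half_open = defaultdict(dict)   # (dst, dport) -> {(src, sport): SYN time}
    for (src, sport, dst, dport), fl in flows.items():
        first_syn[(src, dst)].setdefault(dport, fl["t"])
        if fl["done"]:
            completed[(src, dst)] += 1
        else:
            half_open[(dst, dport)][(src, sport)] = fl["t"]
    scans = []
    for (src, dst), ports in first_syn.items():
        if max_in_window(ports.values(), WINDOW) >= SCAN_PORTS:
            # The target OS logs little about a SYN scan because no connection
            # is ever established; a sensor in the path sees the pattern anyway.
            kind = "connect scan" if completed[(src, dst)] else "half-open SYN scan"
            scans.append({"src": src, "dst": dst, "ports": len(ports), "kind": kind})

    floods = []
    for (dst, dport), attempts in half_open.items():
        if max_in_window(attempts.values(), WINDOW) >= FLOOD_SYNS:
            # Half-open attempts tie up the listener's connection memory (Table 1);
            # sources are usually spoofed, so count per target, not per source.
            floods.append({"dst": dst, "dport": dport, "half_open": len(attempts),
                           "sources": len({src for src, _ in attempts})})
    return {"scans": scans, "floods": floods}


def build_sample_log():
    """Constructed traffic: a normal client, a half-open scanner, a SYN flood."""
    lines = []
    # 10.0.0.5 completes handshakes to two services: legitimate use.
    for i, dport in enumerate((443, 445)):
        t, sport = 1000.0 + i, 50000 + i
        lines += [f"{t} 10.0.0.5 {sport} 10.0.0.20 {dport} S",
                  f"{t + 0.05} 10.0.0.5 {sport} 10.0.0.20 {dport} A"]
    # 203.0.113.7 sends bare SYNs to ports 20-34 and resets each: half-open scan.
    for i, dport in enumerate(range(20, 35)):
        t, sport = 1010.0 + i * 0.1, 40000 + i
        lines += [f"{t} 203.0.113.7 {sport} 10.0.0.20 {dport} S",
                  f"{t + 0.02} 203.0.113.7 {sport} 10.0.0.20 {dport} R"]
    # 25 SYNs to 10.0.0.20:80 from spoofed 198.51.100.x sources, never completed.
    for i in range(25):
        lines.append(f"{1020.0 + i * 0.2} 198.51.100.{i + 1} {30000 + i} 10.0.0.20 80 S")
    return "\n".join(lines)


if __name__ == "__main__":
    print(detect(build_sample_log()))
```

Against the constructed log the scanner is reported as a half-open SYN scan of 15 ports and port 80 as a flood of 25 half-open attempts from 25 sources, while the legitimate client produces no finding.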
In recent years, a variant of a DoS attack has caused even more problems. Distributed
Denial of Service (DDoS) attacks consist of multiple computers on a network that are used to
launch a Denial of Service attack. The DDoS client is used by the person who coordinates the
attack as the initial starting point (DDoS Attacker). The handler is a compromised host with a
special program running on it. Each handler is capable of controlling multiple agents. An agent is
another compromised host that also has special software running on it; each agent is responsible
for generating streams of packets that are directed toward the intended victim. See Figure 4.
Figure 4, Distributed Denial of Service Attack
Other modes of attack are possible, but increasingly, most DDoS attacks have one thing
in common: the rise of botnets. In this context, a botnet is a collection of computers that can be
remotely controlled by an attacker, whether directly or via peer-to-peer connections. Typically
this control is accomplished through the use of malware installed on each individual machine.
The individual computers are sometimes called "zombies" because they can be controlled
remotely without the knowledge of their owners (Department of Homeland Security, 2011). Such
computers are often used to send spam. It's estimated that the majority of spam originates from
compromised zombie machines. A recent example of a botnet was the collection of computers
compromised by the Conficker worm, first detected in 2008. The estimated number of infected
computers varied widely, but was as high as 15 million at one point. Such a collection of
machines could be used to instigate a DDoS attack. In fact, some hackers even "rent out" botnets,
offering them for use by others for a fee per machine (Webbmedia Group, LLC, 2009).
Malicious Logic
Malicious logic is a very broad term that can include viruses, logic bombs, worms, and
Trojan horses just to name a few. With research, one could write a 100 page project about the
various types of malicious logic, but for the sake of this project I am going to research and
explain the aforementioned types of malicious logic. According to the Institute for
Telecommunications Science (Institute for Telecommunications Science, 2010), malicious logic
is defined as: 1. A program implemented in hardware, firmware, or software, and whose purpose
is to perform some unauthorized or harmful action; 2. Hardware, software, or firmware capable
of performing an unauthorized function on an information system.
Viruses show us how vulnerable our networks are -- a properly engineered virus can have
a devastating effect, disrupting productivity and doing billions of dollars in damages. On the
other hand, they show us how sophisticated and interconnected human beings have become. For
example, experts estimate that the Mydoom worm infected approximately a quarter-million
computers in a single day in January 2004. The Melissa virus was so powerful that it forced
Microsoft and a number of large corporations to shut down their Enterprise e-mail services until
the virus could be contained; this occurred in January of 1999. Technology has come a long way
in terms of computing and programming since then, so you can imagine the havoc a virus can
cause now. Experts believed up to 50 million computers were infected by a worm called Storm
in October 2007 (www.howstuffworks.com, 2011). That is very impressive if you take into
account that a virus is very simple and can be created by a novice programmer with little
research. A virus is nothing more than a small piece of software that piggybacks on real programs.
A virus might attach itself to a program like PowerPoint; when the PowerPoint presentation
runs, the virus runs too, at which time it is likely to reproduce and attach itself to other programs
or e-mail and wreak havoc. E-mail viruses are extremely dangerous because they attach the
virus to e-mail messages, which can cause a lot of problems when you take into account that a lot of
Enterprises use distribution lists that can include dozens or hundreds of users.
The Trojan horse is a very tricky type of virus, named after the mythological Trojan
horse from the tale of the Trojan War as told in Virgil's Latin epic poem The Aeneid. The Trojan
horse is a computer program that appears to be useful software until it is executed, which is why
it is referred to as a Trojan horse: unsuspecting users think it is a legitimate program from a
legitimate source until the program is executed. The Trojan horse can cause much damage,
including the destruction of the hard drive of a system. Fortunately, the Trojan horse does not have
the capability to replicate or transmit itself to other systems. Trojans are also known to create a
backdoor on your computer that gives malicious users access to your system, possibly allowing
confidential or personal information to be compromised (www.symantec.com/security_response,
2011).
A worm is a small piece of software that uses computer networks and security holes to
replicate itself. A copy of the worm scans the network for another machine with a specific
security hole, copies itself to that machine through the hole, and begins replicating from there as
well. A worm is similar to a virus by design and is often treated as a sub-class of virus, but unlike
a virus it spreads from computer to computer without any human action, taking advantage of file
or information transport features on the system to travel unaided. The greatest danger is the rate
of replication: instead of sending out a single copy, an infected computer can send out hundreds
or thousands, with a devastating effect. One technique is for the worm to mail a copy of itself to
everyone in the user's e-mail address book; each recipient's copy then does the same, and the
chain continues. Because of this copying behaviour and its ability to travel across networks, the
usual result is that the worm consumes so much system memory or network bandwidth that web
servers, network servers and individual computers stop responding (http://www.symantec.com,
2011). Recent worms such as the widely reported Blaster worm were designed to tunnel into the
system and let malicious users control the computer remotely; the result can be a distributed denial
of service attack originating from your computer, with the legal ramifications that follow.
A logic bomb is a piece of software that sits dormant until a predetermined event occurs,
such as the execution of a certain program. The most common trigger is a date and/or time,
because it can be planned for a definite moment. The most dangerous trigger is the absence of an
event. For example, a network or system administrator sets a logic bomb to fire if he or she has
not logged on for 30 days; the assumption is that after 30 days the administrator has been fired,
and the bomb then wipes everything on a server, shared drive or system (http://www.tech-
faq.com). Such an act by a disgruntled former employee can cost a corporation millions of dollars
or its competitive edge; in the Army Enterprise it could cost lives and critical classified
information. The defence against this class of threat is as much procedural as technical: privileged
accounts are disabled the day access ends, scheduled jobs owned by departed administrators are
reviewed, and backups are kept offline so that a wipe can be reversed. In March 2002 a logic
bomb deleted 10 billion files in the computer systems of an international financial services
company, affecting over 1,300 of the company's servers throughout the United States. The
company sustained losses of approximately $3 million, the amount required to repair the damage
and reconstruct the deleted files. Investigation by law enforcement and computer forensic
professionals revealed that the logic bomb had been planted by a disgruntled employee who had
recently quit the company because of a dispute over the amount of his annual bonus (U.S. Secret
Service and CERT Coordination Center/SEI, 2004). This case is also an outstanding example of
the next subject, the insider threat.
Insider Threat
It is my opinion that this is the greatest threat to an organizational Enterprise, which
makes it exceptionally difficult to trust the users and exceedingly important to have policies and
processes in place to protect the Enterprise. There is no way to tell in advance who will become
an insider threat, according to the study Insider Threat Study: Illicit Cyber Activity in the Banking
and Finance Sector conducted by the U.S. Secret Service and the CERT Coordination Center/SEI
(2004). The study's demographics show that a wide variety of individuals perpetrated insider
incidents. Most of the insiders did not hold a technical position within their organization, had no
history of technical attacks or "hacking," and were not necessarily perceived as problem
employees. Insiders ranged from 18 to 59 years of age; 42% were female. They came from a
variety of racial and ethnic backgrounds and family situations, with 54% single and 31% married,
and held a variety of positions: service 31%, administrative/clerical 23%, professional 19% and
technical 23% (U.S. Secret Service and CERT Coordination Center/SEI, 2004).
The insider threat is not limited to disgruntled employees who want to harm the
Enterprise. Just as many incidents are caused by employees or users who are perfectly content in
their jobs and simply make honest mistakes that put the Enterprise or corporation at risk. The
Army Enterprise is a perfect example. It provides three separate networks to war fighters,
peacekeepers, contractors and coalition partners: the Secret Internet Protocol Router Network
(SIPRNet), the Non-classified Internet Protocol Router Network (NIPRNet) and the Combined
Enterprise Regional Information Exchange System (CENTRIXS) (USCENTCOM, 2001).
CENTRIXS comes in two forms: CENTRIXS-ISAF, which supports coalition partners in the
International Security Assistance Force in Afghanistan, and CENTRIXS-GCTF (Global Counter-
Terrorism Force), used predominantly to support operations in Iraq. These networks matter here
because of their different classifications: SIPRNet is Secret, NIPRNet is Unclassified, and
CENTRIXS is classified but releasable to coalition partners. The networks are physically separate
and do not communicate with each other. Even so, it is a common occurrence for a war fighter to
take material from a SIPRNet computer and send it digitally to an unclassified system or a
CENTRIXS account, whether intentionally or not. This is referred to as spillage or Negligent
Discharge of Classified Information (NDCI); it is punishable under the Uniform Code of Military
Justice and can result in revoked network privileges, and for a contractor it can mean immediate
termination. This is an example of the insider threat the Army Enterprise faces daily. If that
classified information reaches the enemy, they can learn troop movements and details of
operations, at the cost of the lives of Soldiers, Sailors, Airmen, Marines and coalition partners.
The insider threat also covers more than the loss or mishandling of classified material; it
includes the introduction of viruses into the Enterprise. This happens when Service members take
unclassified work home to finish after hours on their personal computers. The home computer is
rarely the best-secured machine, and in a combat zone it is harder still to keep its antivirus (AV)
software up to date and its operating system patched, which leaves it vulnerable to viruses and
other malicious logic. The work is then burned to a CD or copied to a thumb drive and carried
onto the Army Enterprise, infecting the enterprise.
Vulnerabilities
There are many different types of vulnerabilities, stemming from the network
architecture, the operating system's transport layer, operating system libraries and applications.
Enterprise network vulnerabilities are caused by loose security at the Aggregate or Army Security
Routers (ASR) or firewalls. The ASR is the initial entry point into the enterprise and the final exit
point out of it. It is imperative that this router be secured with Access Control Lists (ACLs); an
ACL helps protect against known threats. Firewalls are the next line of defense, and it is good
practice to use the DAPE security model, Deny All, Permit by Exception: DAPE protects the
Enterprise not only from known threats but also from future ones, because anything not explicitly
permitted is dropped. The most common vulnerabilities, as depicted in Figure 5, are application
vulnerabilities, and the most susceptible applications are client-side software. Many common
applications are exploited daily, which is why it is so important to keep applications patched with
vendor-provided patches. Many actors direct targeted e-mail attacks, often called spear phishing,
that exploit client-side vulnerabilities in commonly used programs such as Adobe Reader,
QuickTime, Adobe Flash and Microsoft Office. This is the initial infection vector used to
compromise computers that have Internet access, and the same client-side vulnerabilities are
exploited when users visit infected web sites (The SANS Institute, 2010). Attacks against web
applications constitute more than 60% of the total attack attempts observed on the Internet (The
SANS Institute, 2010), and these vulnerabilities are being exploited widely to turn trusted web
sites into malicious ones serving content that contains client-side exploits. The operating system
has become less of a concern, with the exception of Conficker (also known as Downadup); apart
from that worm, no new major operating system worms were seen in the wild during the last year.
According to the SysAdmin, Audit, Network, Security (SANS) Institute, the number of attacks
against buffer overflow vulnerabilities in Windows tripled over the last year and constituted over
90% of attacks seen against the Windows operating system (The SANS Institute, 2010).
Enterprise Defense in Depth
Tier 0 - Tools, Techniques and Processes
The Enterprise Defense in Depth begins before traffic even enters the enterprise, at
Tier 0, where the Enterprise connects to the Global Information Grid. Several programs and
processes are used at this level, beginning with threat analysis and incident handling.
Figure 6, Tier 0 Defense
Tier 0 is provided by the Defense Information Systems Agency (DISA) with assistance
from United States Cyber Command (USCYBERCOM) and the National Security Agency (NSA).
The agencies collaborate to share intelligence and threat information. As discussed earlier in the
project, knowing what threats are out there lets administrators defend the Enterprise proactively.
Through this sharing of intelligence, processes can be implemented that safeguard the Enterprise
from threats such as malicious domains. For example, when a Service member or coalition partner
receives an e-mail with a hyperlink to a known malicious domain and clicks on it, the name will
not resolve. This technique is DNS sinkholing, also called DNS black holing: the enterprise
resolver is deliberately configured to answer for the bad domain itself, which is the defensive
counterpart of the cache poisoning an attacker performs against a resolver. This is one of the
benefits of sharing intelligence. There are also several tools such as CENTAUR, a DISA-funded
program that began in 2000; because of the program's sensitivity there is little to no public
knowledge about it.
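The sinkhole lookup described above, written out as an added example (this is not code from the paper, from DISA or from any vendor): it normalizes the queried name, matches it against a block list that may carry wildcard entries, answers with a sinkhole address, and records which client asked. The block list, the sinkhole address 192.0.2.1 and the stub upstream resolver are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Assumed sinkhole address (documentation range); a real deployment points
# blocked names at an internal host that logs every connection attempt.
SINKHOLE_ADDRESS = "192.0.2.1"

# Constructed block list. A "*." prefix covers every subdomain of the name.
BLOCKED_DOMAINS = {
    "bad-example.test",
    "*.malware-drop.example",
}


def normalize(name: str) -> str:
    """Canonical form for matching: lowercase, no root dot, IDNA-encoded."""
    name = name.strip().rstrip(".").lower()
    return name.encode("idna").decode("ascii")


@dataclass
class Sinkhole:
    blocklist: set
    sink_ip: str = SINKHOLE_ADDRESS
    hits: list = field(default_factory=list)  # (client_ip, qname, rule)

    def match(self, qname: str):
        """Return the block-list rule that covers qname, or None."""
        q = normalize(qname)
        if q in self.blocklist:
            return q
        labels = q.split(".")
        # Walk up the tree: a.b.c.example -> *.b.c.example, *.c.example, ...
        for i in range(1, len(labels)):
            rule = "*." + ".".join(labels[i:])
            if rule in self.blocklist:
                return rule
        return None

    def resolve(self, client_ip: str, qname: str, upstream) -> str:
        """Answer a query: sinkhole on a hit (and log it), else ask upstream."""
        rule = self.match(qname)
        if rule is not None:
            self.hits.append((client_ip, normalize(qname), rule))
            return self.sink_ip
        return upstream(qname)


def stub_upstream(qname: str) -> str:
    """Stand-in for the real recursive resolver (an assumption, not DNS)."""
    return "198.51.100.7"


if __name__ == "__main__":
    sh = Sinkhole(set(BLOCKED_DOMAINS))
    for q in ("BAD-Example.test.", "c2.malware-drop.example", "www.example.org"):
        print(q, "->", sh.resolve("10.0.0.5", q, stub_upstream))
    print("hits:", sh.hits)
```

Two details worth noticing: the wildcard entry does not cover the apex name itself (malware-drop.example is only blocked if it is listed on its own, the same way a DNS wildcard record behaves), and every hit records the client address, which is the reason to do this at the resolver rather than only at the firewall: the resolver tells you which host followed the link.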
CENTAUR/Honeynets
CENTAUR is a data-mining and pattern-discovery program that identifies attack trends,
scopes and methods used against DISA networks. It automatically correlates the location of
sophisticated network attacks, determines the scope and scale of intrusions, and coordinates
response actions; this is part of the threat analysis just discussed. The technique also collects
intelligence by steering known attackers into a fielded diversion network of honeynets, keeping
intruders away from operational networks (Defense Information Systems Agency, 2011). An
intruder who enters a honeynet believes it is an actual Department of Defense network, while the
network defense team identifies the source IP addresses and correlates them with their country of
origin. This lets the team judge whether the attackers are nation-state actors, other countries trying
to collect intelligence on the United States, or a kid horsing around in his basement; the findings
run from one extreme to the other. Source-address geolocation is only a first clue, since attackers
routinely route through compromised hosts in third countries, so it is combined with the tools and
techniques observed in the honeynet before any attribution is made.
IPsonar ®
IPsonar is another tool that allows DISA to manage and secure Tier 0; as the research has
shown, it is designed to run on a three-tier network such as the Army Enterprise. IPsonar provides
global network visibility and measures risk from a network perspective. It maps every asset on a
network, including assets not currently under management, and visually analyzes the connectivity
between assets and networks, uncovering risk patterns and policy weaknesses. Policy here does not
mean the memorandum-style policies issued by management; it means the policies applied to
routers, firewalls, smart switches and network defense tools. Risk patterns and policy weaknesses
are uncovered by an IPsonar feature called "leak discovery." Leaks are devices with unauthorized
inbound or outbound connectivity to the Internet or to sub-networks (e.g., unsecured routers
exposed to the Internet), and the more complex a network, the more likely it is that leaks exist.
IPsonar is crucial in the proactive fight against leaks, revealing all unauthorized connections and
identifying whether the access is outbound, inbound, or both (www.lumeta.com/ipsonar, 2011).
IPsonar's multi-tier architecture lets users run multiple simultaneous scans across a complex
network. Portable entry points, known as IPsonar sensors, can be deployed flexibly at various
points on the network to facilitate efficient discovery. The sensors forward network information to
IPsonar scan servers, which synthesize the distributed scan data for reporting, and the IPsonar
report server correlates the scan data for presentation to the end user in a graphical user interface
(GUI) (www.lumeta.com/ipsonar, 2011).
Deep Packet Inspection
Deep Packet Inspection (DPI) hardware is used for traffic analysis; it examines headers
and protocol structures as well as the actual payload of a message. This is a major advance in
defending the Enterprise, because analysis of the packets can determine whether traffic is
malicious, for instance part of a DoS or brute force attack. In the past the one solid way to defend
the enterprise was a stateful firewall, a perimeter discipline. DPI combines the capabilities of a
stateful firewall with those of an Intrusion Detection System (IDS) and an Intrusion Prevention
System (IPS), and it analyzes layers 2 through 7 of the OSI model. Using DPI to analyze traffic
allows traffic to be classified and then redirected; marked or tagged to set its Quality of Service
(QoS); blocked; rate limited; and reported to a reporting agent on the network such as ArcSight.
In this way HTTP errors of different classes can be identified and forwarded for analysis. One
limit worth keeping in mind is that DPI only sees what travels in the clear: encrypted traffic is
either terminated and re-encrypted at an inspection point, as the BlueCoat proxy does for SSL at
Tier 2, or classified on headers alone. Telecommunication service providers are estimated to
spend $1.5 billion on DPI between now and 2015, primarily to keep users from bogging down
cellular networks with unwanted peer-to-peer traffic (Anderson, 2010). United States Government
spending on DPI is projected to grow to $1.8 billion per year by 2015, driven by the expectation
that U.S. government-related IP traffic will quintuple from 2010 to 2015. US-China cyber
confrontation is nothing new, but Chinese hacking attacks and the Obama administration's harder
line with China are not going away any time soon and will add to the intensity of the cyber war.
According to the same market research, DPI is the only currently available technology able to
secure IP traffic at ever-growing rates while offering inherent traffic management capabilities, and
massive growth in data processing power together with new cyber threats has spurred its
deployment in U.S. Government agencies (http://www.marketresearchmedia.com, 2011). As this
research shows, multiple processes and programs operate at Tier 0 before traffic even enters the
Army Enterprise; this is only the first level of the three-tiered defense in depth strategy.
Tier 1 - Tools, Techniques and Processes
As the research discussed previously, Tier 1 is mostly transport but does not lack
defensive measures. The top of the Tier 1 hierarchy is a Cisco router, the Aggregate or Army
Security Router (ASR), which sits at Tier 1.1. Tier 1 is broken into sub-tiers because, as Figure 7
shows, there are two routers in Tier 1, and it is imperative to keep them distinct for ease of
reference and configuration.
Figure 7, Tier 1 Defense
This router has purposes besides routing traffic. The ASR is configured with two Access
Control Lists (ACLs). An ACL filters the traffic that is allowed into or out of the ASR. Access
lists should be used on ASRs, which are often positioned between the internal network and an
external network such as the Internet; they can also be used on a router positioned between two
parts of the network, to control traffic entering or exiting a specific part of the internal network.
To get the security benefits of access lists, at a minimum configure them on border routers, the
routers at the edges of the network. This provides a basic buffer between the outside network, or
a less controlled area of your own network, and a more sensitive area. On these routers, configure
access lists for each network protocol configured on the router interfaces; inbound traffic,
outbound traffic, or both can be filtered on an interface (Cisco Systems Inc, 2011). It is Army
Enterprise policy that all security routers and firewalls use DAPE, Deny All, Permit by Exception.
In practice this means the permit statements in the ACL describe exactly what the router should
ALLOW, and the list ends with an explicit deny-all statement that blocks everything else. A Cisco
ACL already carries an implicit deny at its end, but writing the deny out explicitly, with logging,
makes the policy visible in the configuration and records what was dropped. Because an ACL is
evaluated top to bottom and the first matching line wins, the order of the entries is part of the
policy: an anti-spoofing deny placed after a broad permit never fires.
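A first-match access-list evaluator that models the DAPE behaviour just described, as an added example (not the paper's configuration and not Cisco IOS; the rule syntax is simplified to CIDR prefixes rather than IOS wildcard masks, and the addresses and sample packets are constructed):

```python
import ipaddress
from typing import NamedTuple, Optional


class Rule(NamedTuple):
    action: str                    # "permit" or "deny"
    proto: str                     # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]           # None means any destination port


def parse_acl(text: str) -> list:
    """Parse lines of the form: permit tcp 0.0.0.0/0 203.0.113.10/32 443"""
    rules = []
    for line in text.strip().splitlines():
        line = line.split("!")[0].strip()      # "!" starts a comment, IOS style
        if not line:
            continue
        parts = line.split()
        action, proto, src, dst = parts[:4]
        dport = int(parts[4]) if len(parts) > 4 else None
        rules.append(Rule(action, proto, ipaddress.ip_network(src),
                          ipaddress.ip_network(dst), dport))
    return rules


def evaluate(rules, proto, src_ip, dst_ip, dport=None):
    """Return (action, rule_index). Index None means the implicit deny fired."""
    s = ipaddress.ip_address(src_ip)
    d = ipaddress.ip_address(dst_ip)
    for i, r in enumerate(rules):            # first match wins, top to bottom
        if r.proto != "ip" and r.proto != proto:
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, i
    return "deny", None                      # DAPE: nothing permitted is dropped


# Constructed inbound ACL for the ASR: drop packets claiming an internal
# source, permit exactly the exposed services, then an explicit deny so the
# drops are visible in the logs instead of relying on the implicit deny.
INBOUND_ACL = parse_acl("""
    deny   ip  10.0.0.0/8   0.0.0.0/0           ! anti-spoofing, must come first
    permit tcp 0.0.0.0/0    203.0.113.10/32 443 ! public web service
    permit udp 0.0.0.0/0    203.0.113.53/32 53  ! authoritative DNS
    deny   ip  0.0.0.0/0    0.0.0.0/0           ! DAPE: explicit, logged deny
""")


if __name__ == "__main__":
    for pkt in (("tcp", "198.51.100.4", "203.0.113.10", 443),
                ("tcp", "198.51.100.4", "203.0.113.10", 22),
                ("tcp", "10.1.2.3", "203.0.113.10", 443)):
        print(pkt, "->", evaluate(INBOUND_ACL, *pkt))
```

Evaluating the same packets against INBOUND_ACL with the last line removed shows the difference between the two deny styles: the result is still deny, but the index is None, meaning nothing in the configuration matched and nothing would have been logged.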
Cisco Secure Intrusion Detection System
The next piece of equipment sits between Tier 1.1 and Tier 1.2 (see Figure 7): the Cisco
Secure Intrusion Detection System (CSIDS). CSIDS is a proprietary Cisco product but not much
different from other intrusion detection systems or sensors. It is not managed by the Army; it is
managed by U.S. Air Forces Central Command, so its configuration differs slightly from Army
policy. This is a good thing, because it adds integrity to the Enterprise and ensures that no single
administrator can be an inside threat. CSIDS is not just a detection device; it has a built-in
management station. The IDS monitors the network traffic passing through it for malicious
activity or policy violations and alerts the management station. The disadvantage of an IDS is
that it requires administrative intervention: the administrator has to take the action. The
administrator correlates the alert information and uses it to implement IP blocks or DNS
sinkholes (black holing). IP blocks can be implemented on all routers and firewalls (in the ACLs)
and also on the proxy server, which is covered later.
Stateful Firewall
At Tier 1.2 there is another Cisco router, discussed previously; recall that access lists can
also be used on a router between two parts of the network to control traffic entering or exiting a
specific part of the internal network, and that is this router's sole purpose. Just beneath it are the
stateful firewalls. In the configuration depicted in Figure 7 there are two, a primary and a failover.
The firewall templates include "enable 1" accounts, which are used to keep the configurations of
the two firewalls identical. If the primary firewall goes down, the configurations must not differ:
otherwise some users will be cut off from services they need, and others, including hackers, will
have access to resources they should not. Keeping the pair in lockstep is the best practice when
firewalls are deployed this way on the Army Enterprise. As with the ASR, the firewall also has
ACLs, and policy requires that it be programmed with DAPE.
Network Address Translation
When the Internet Protocol (IP) first came out, there were so many public IP addresses
that no one thought they would all be used. IPv4, across all its classes, has 4,294,967,296 unique
addresses; that is not enough when the Internet is doubling in size every year. To conserve
addresses, Network Address Translation (NAT), which Cisco helped popularize, was developed
for use on firewalls, routers or computers that sit between an internal network and the rest of the
world. NAT has many forms and can work in several ways, but basically it allows a single device,
such as a router, to act as an agent between a public network and a local or private network. This
means that a single unique public IP address can represent an entire group of computers to
everything outside their network.
Figure 8, How NAT works
Implementing dynamic NAT essentially creates a firewall between the internal network
and outside networks or the Internet, see Figure 8. Dynamic NAT only allows connections that
originate inside the stub domain: a computer on an external network cannot connect to an internal
computer unless that internal computer initiated the contact. So you can browse the Internet,
connect to a site, even download a file, but somebody else cannot simply latch onto your IP
address and use it to connect to a port on your computer (www.cisco.com, 2011).
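The behaviour described above, as an added example (not code from the paper or from Cisco): a toy port-based dynamic NAT whose translation table records the remote endpoint as well as the inside host, so that an inbound packet is only translated when an inside host opened that exact conversation. The addresses, the public port range and the session flow are constructed.

```python
from dataclasses import dataclass, field
from itertools import count


@dataclass
class NatGateway:
    """Port-based dynamic NAT holding the state a stateful firewall would keep."""
    public_ip: str
    first_port: int = 40000          # assumed start of the translated port pool
    # (inside_ip, inside_port, remote_ip, remote_port) -> public_port
    table: dict = field(default_factory=dict)
    # public_port -> (inside_ip, inside_port, remote_ip, remote_port)
    reverse: dict = field(default_factory=dict)
    _ports: object = field(default=None, repr=False)

    def __post_init__(self):
        self._ports = count(self.first_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Packet leaving the stub domain: allocate (or reuse) a public port."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.table:
            pub = next(self._ports)
            self.table[key] = pub
            self.reverse[pub] = key
        return (self.public_ip, self.table[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Packet arriving from outside: translate it back to the inside host
        if an inside host started this conversation, otherwise drop (None)."""
        entry = self.reverse.get(dst_port) if dst_ip == self.public_ip else None
        if entry is None:
            return None                      # nobody inside asked for this
        in_ip, in_port, remote_ip, remote_port = entry
        if (src_ip, src_port) != (remote_ip, remote_port):
            return None                      # right port, wrong remote host
        return (src_ip, src_port, in_ip, in_port)


if __name__ == "__main__":
    gw = NatGateway("203.0.113.1")
    print("out:", gw.outbound("10.0.0.5", 51000, "198.51.100.7", 80))
    print("reply:", gw.inbound("198.51.100.7", 80, "203.0.113.1", 40000))
    print("unsolicited:", gw.inbound("192.0.2.99", 4444, "203.0.113.1", 22))
    print("hijack attempt:", gw.inbound("192.0.2.99", 4444, "203.0.113.1", 40000))
```

The last two calls are the point of the passage: a packet to a port nobody inside has mapped is dropped, and so is a packet to a live mapping from a host other than the one the inside computer is talking to. A plain NAT that keyed only on the public port would accept the second case; the remote-endpoint check is what the stateful firewall adds.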
Tier 2 - Tools, Techniques and Processes
There are many tools, techniques and processes that reside on Tier 2, and many that span
Tiers 2 and 3; for the sake of this discussion, the research will cover the network tools on Tier 2
and the host or workstation defenses on Tier 3.
Figure 9, Tier 2 Defense
ArcSight Enterprise Security Manager
Connected to the Tier 2 switch are Intrusion Detection Systems that also serve as
sensors, see Figure 9. The Snort sensor is an IDS running the Snort® software; it feeds traffic
information into ArcSight Enterprise Security Manager (ESM). ArcSight is a security event
manager that analyzes and correlates every event that occurs across Tier 2 of the Enterprise: every
login, logoff, file access, database query and all data traffic. It delivers a prioritized view of
security risks and compliance violations. Its correlation engine sifts through millions of log
records to find the critical incidents that matter, and presents them through real-time dashboards,
notifications or reports, giving the security administrator a common operating picture (COP) of
events. The ArcSight dashboard displays source and destination IP addresses, so the information
can be used to defend the network with IP blocks or DNS sinkholes, and to identify malicious
logic, port scans or brute force attacks. ArcSight can be paired with the Logger appliance, which
unifies searching, reporting, alerting and analysis across any type of enterprise log data and can
collect, analyze and store the massive amounts of data the Enterprise generates
(www.arcsight.com, 2011).
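The correlation step that both the CSIDS passage under Tier 1 and this ArcSight passage describe, as one added example (not the paper's code and not ArcSight's or Snort's): it parses Snort "fast" alert lines, groups them by source address, decides whether a source looks like a port scan or a brute force attempt, and renders the proposed IP blocks in the ACL form used on the security routers. The alert lines, the signature IDs and the thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# Snort "fast" alert layout, one line per alert:
# 03/15-10:00:00.000000  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {PROTO} src:sport -> dst:dport
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"\s+\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Constructed sample: one host sweeping ten ports, one hammering SSH,
# one single low-priority alert, and one line that is not an alert at all.
SCAN_PORTS = [21, 22, 23, 25, 80, 110, 143, 443, 445, 3389]
SAMPLE_ALERTS = [
    f"03/15-10:0{i}:00.000000  [**] [1:2002910:3] ET SCAN Potential scan [**] "
    f"[Classification: Attempted Information Leak] [Priority: 2] {{TCP}} "
    f"203.0.113.5:4{i}000 -> 10.0.0.7:{p}"
    for i, p in enumerate(SCAN_PORTS)
] + [
    f"03/15-10:2{i}:00.000000  [**] [1:2001219:20] ET SCAN SSH brute force [**] "
    f"[Classification: Misc activity] [Priority: 2] {{TCP}} 198.51.100.9:5000{i} -> 10.0.0.7:22"
    for i in range(5)
] + [
    "03/15-10:30:00.000000  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 3] {TCP} 192.0.2.77:80 -> 10.0.0.21:51234",
    "this line is not an alert and is skipped",
]


def parse_alert(line):
    """Return a dict of alert fields, or None for lines that are not alerts."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("sid", "prio", "sport", "dport"):
        d[k] = int(d[k]) if d[k] is not None else None
    return d


def correlate(lines, scan_ports=10, brute_hits=5):
    """Group alerts by source and assign a verdict per source address."""
    per_src = defaultdict(lambda: {"alerts": 0, "targets": set(), "ports": set(), "max_prio": 9})
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        rec = per_src[a["src"]]
        rec["alerts"] += 1
        rec["targets"].add(a["dst"])
        if a["dport"] is not None:
            rec["ports"].add(a["dport"])
        rec["max_prio"] = min(rec["max_prio"], a["prio"])   # Snort: 1 is most severe
    findings = {}
    for src, rec in per_src.items():
        if len(rec["ports"]) >= scan_ports:
            verdict = "port scan"               # many distinct ports from one source
        elif rec["alerts"] >= brute_hits and len(rec["ports"]) == 1:
            verdict = "brute force"             # many alerts against a single service
        elif rec["max_prio"] == 1:
            verdict = "high priority"
        else:
            verdict = "review"                  # leave for the analyst
        findings[src] = {"verdict": verdict, "alerts": rec["alerts"],
                         "targets": sorted(rec["targets"]), "ports": sorted(rec["ports"])}
    return findings


def block_lines(findings):
    """Render proposed ACL entries for every source that earned a block."""
    return [f"deny ip host {src} any  ! {f['verdict']}, {f['alerts']} alerts"
            for src, f in sorted(findings.items()) if f["verdict"] != "review"]


if __name__ == "__main__":
    findings = correlate(SAMPLE_ALERTS)
    for src, f in sorted(findings.items()):
        print(src, f)
    print("\n".join(block_lines(findings)))
```

The verdicts here are deliberately coarse; the value of a correlation engine is that the thresholds, the time window and the asset context (is 10.0.0.7 a honeypot or a domain controller?) are tunable, while the output feeds the same IP-block and ACL workflow the administrator performs by hand with an IDS alone.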
Intrusion Prevention System
The next security system is the McAfee Intrusion Prevention System (IPS). The McAfee
IPS is much like an IDS on steroids: it uses a sensor that monitors traffic crossing Tier 2, just as
the IDS does, but where the IDS hands information to an administrator to take defensive action,
the IPS can act automatically according to the presets the administrator programs into it. The IPS
has long eclipsed the detect-only capabilities of the IDS, which is now more commonly used to
feed data to a correlation program. The network IPS operates in line at wire speed, allowing
automatic blocking and mitigation of attacks. A newer feature is that the IPS adds "block attacks,
let everything else through" enforcement alongside "deny everything that is not specifically
allowed"; the latter is the same idea as the DAPE programmed on firewalls, routers and switches.
The IPS can be installed out of the box with nothing more than an IP address in the network
range. Run that way, without any tuning, it provides a blocking mode called "prepatched shield"
that blocks all activity McAfee knows to be malicious (Young G, 2010). Administrators can
instead configure the IPS to conduct deep inspection of traffic based on vendor-provided
signatures, custom signatures, policies and rules. In the Army Enterprise these IPS are tuned as
tightly as possible with numerous signatures. The tighter the IPS is tuned, the more false positives
are received; a false positive is a detection and block of a perceived threat that turns out not to be
one after investigation. Since the Army Enterprise handles classified information, and even its
sensitive unclassified information can be used against the force, the administrators and network
defense team would rather investigate a false positive than allow an unknown threat into the
Enterprise.
BlueCoat Proxy Server
BlueCoat Proxy provides web traffic filtering for the Enterprise and gives administrators
complete control over web traffic through stronger user authentication, web filtering, deep
inspection of content to prevent data loss, security checks, prevention of spyware and other
malicious mobile code, virus scanning, inspection of encrypted SSL traffic, and control of IM,
VoIP, P2P and streaming traffic (BlueCoat, 2011).
Figure 10, BlueCoat Proxy Server
The BlueCoat lets administrators limit which web sites users may access, much like
Websense but with more options. With the proxy you can block domain names or anything that
contains a keyword or offensive word; the most common blocking feature information assurance
uses on the enterprise is the web site category. BlueCoat also blocks all instant messenger and
peer-to-peer traffic, because these open vulnerabilities that can be exploited; it does this by
stripping and replacing web content, and its P2P file-sharing controls allow logging and blocking
of P2P traffic such as BitTorrent, eDonkey, Gnutella and FastTrack, which are known for
carrying malicious logic.
Brightmail
Brightmail is an e-mail filtering and scanning tool that is instrumental in the constant
battle against spam. Brightmail is owned by Symantec, one of the leading malware protection
companies. It scans e-mail for spam and malware with no operator intervention, using over 20
spam filtering and protection technologies that are continuously updated via the Symantec Global
Intelligence Network to protect against the latest emerging threats (www.symantec.com, 2011).
Brightmail offers both inbound and outbound protection: inbound protection defends against
zero-day exploits using Symantec's Bloodhound heuristics, and outbound protection guards
against data loss. In the Army Enterprise, Brightmail helps contain Negligent Discharge of
Classified Information by scanning all e-mail traffic by subject, attachment and sender, correlating
this data, and automatically stripping all content out of a matching message except a notice that
refers to the policy violation. This is instrumental in protecting a reputation or competitive
advantage.
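The outbound strip-and-replace step just described, as an added example (not the paper's code and not Brightmail's): it scans the subject, sender and attachments of an outgoing message for classification markings and, on a hit, delivers only a policy notice in place of the original content. The marking list, the notice text and the two sample messages are constructed assumptions; a real rule set would come from the information assurance office.

```python
import re
from email import policy
from email.message import EmailMessage

# Assumed markings that must never leave the unclassified network.
MARKING_RE = re.compile(r"\b(TOP SECRET|SECRET|NOFORN|SIPRNET)\b", re.IGNORECASE)

POLICY_NOTICE = ("This message was stopped by the enterprise mail filter because it "
                 "matched a classified-marking rule. Contact the information assurance office.")


def find_markings(msg: EmailMessage) -> list:
    """Return (where, marking) pairs found in the subject, sender and attachments."""
    hits = []
    for header in ("Subject", "From"):
        for m in MARKING_RE.findall(msg.get(header, "")):
            hits.append((header.lower(), m.upper()))
    for part in msg.iter_attachments():
        for m in MARKING_RE.findall(part.get_filename() or ""):
            hits.append(("attachment-name", m.upper()))
        if part.get_content_type().startswith("text/"):
            for m in MARKING_RE.findall(part.get_content()):
                hits.append(("attachment-body", m.upper()))
    return hits


def filter_outbound(msg: EmailMessage):
    """Deliver the message untouched, or replace its entire content with a notice."""
    hits = find_markings(msg)
    if not hits:
        return msg, hits
    notice = EmailMessage(policy=policy.default)
    for header in ("From", "To", "Date", "Message-ID"):   # routing headers survive
        if msg.get(header):
            notice[header] = str(msg[header])
    notice["Subject"] = "[POLICY VIOLATION] message content removed"
    # Report only where the match was, never the matched text, so the
    # notice itself cannot carry the marked content out of the network.
    notice.set_content(POLICY_NOTICE + "\nMatched in: "
                       + ", ".join(sorted({where for where, _ in hits})))
    return notice, hits


def sample_message() -> EmailMessage:
    """Constructed outbound message whose attachment carries a marking."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "soldier@example.mil"
    msg["To"] = "contractor@example.com"
    msg["Subject"] = "FW: movement schedule"
    msg.set_content("See attached.")
    msg.add_attachment("SECRET//REL TO USA, ISAF\nConvoy departs at 0400.\n",
                       filename="opord.txt")
    return msg


def benign_message() -> EmailMessage:
    """Constructed message with no markings; it must pass through unchanged."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "soldier@example.mil"
    msg["To"] = "buddy@example.mil"
    msg["Subject"] = "lunch"
    msg.set_content("Noon at the DFAC?")
    return msg


if __name__ == "__main__":
    delivered, hits = filter_outbound(sample_message())
    print("hits:", hits)
    print(delivered.as_string())
```

The filter only reads text attachments; binary formats (Office documents, PDFs) need the content extracted first, which is the part a commercial product adds. The notice is rebuilt from scratch rather than edited in place, so no part of the original body or attachments survives into what is delivered.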
Host Based Security System
The Host Based Security System (HBSS) is a flexible, commercial-off-the-shelf (COTS)
application. It monitors, detects, and counters against known cyber-threats to the Army
Enterprise. HBSS is attached to each host (server, desktop, and laptop) in the Army Enterprise
and is being implemented in all DoD Enterprise Networks. The system is managed by local
NETWORK DEFENSE: DEFENSE IN DEPTH 42
administrators and configured to identify known exploit traffic using an Intrusion Prevention
System (IPS) and host firewall. HBSS is a software based program that is installed on a host (on
the Tier 3); the host interfaces with an ePolicy Orchestrator (ePO) Server which resides on the
Tier 2. The ePO server interfaces with a download server, patch repository and a super-agent
distribution repository to provide four main functions, Policy Auditor, Malware Protection,
Antivirus, Host Intrusion Prevention, see Figure 11.
The Policy Auditor validates the integrity of a system by scanning its configuration settings
and options against policy. The malware protection provides real-time protection against the
installation of malicious software on host workstations. The antivirus detects, prevents and removes
any computer virus, worm or Trojan horse, no differently than any other antivirus suite
(www.intelink.gov, 2010). The Host Intrusion Prevention System (HIPS) is an IPS that monitors the
host's activities for malicious behaviour. The main functions of a host intrusion prevention system
are to identify malicious activity, log information about the activity, attempt to block or stop the
activity, and report it.
Figure 11, HBSS Configuration
One more major HBSS capability protects the Army Enterprise: the Device Control Module
(DCM). The DCM allows the creation of security groups that prevent access to predetermined
peripherals. This capability was mandated by the Chairman of the Joint Chiefs of Staff as a result of
the case of Private First Class Bradley Manning, who is accused of the largest spillage of classified
information in the history of the United States. He allegedly leaked over 380,000 records pertaining
to Iraq and 90,000 pertaining to Afghanistan, all of them SECRET documents and videos, to the
website WikiLeaks. He was arrested on May 26, 2010 and subsequently charged; immediately after
his arrest the DoD began implementing DCM to prevent any SIPRNet, NIPRNet or CENTRIXS
computer from writing to any removable media (thumb drive, CD/DVD, external drive, SD card,
etc.) unless an exemption is granted by the first Colonel (O6) Designated Approving Authority
(DAA) or Brigadier General (O7) DAA in the chain of command. This minimizes the chance of
another insider incident of this kind. Additionally, personnel who are granted an exception are
required to maintain two-person integrity when writing to removable media, and the removable
media must be cataloged and properly stored.
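The program below is a Go illustration added to this edition; it is not HBSS or ePO code, and the event format, host and user names, hash values and the "execution from a user-writable path" HIPS rule are constructed assumptions. It shows the four HIPS functions on a handful of constructed events: each event is identified against the policy, blocked or allowed, and logged into a report line, with the DCM rule refusing removable-media writes unless a DAA exemption exists and a second person is present.

```go
package main

import (
	"fmt"
	"strings"
)

// Event is a constructed host event in the shape an HBSS agent would observe.
// Kind is "exec" (process start) or "write" (file write).
type Event struct {
	Host, User, Kind, Path string
	Removable              bool   // for "write": the target is removable media
	Witness                string // for "write": second person present (two-person integrity)
	SHA256                 string // for "exec": hash of the executable
}

// Verdict carries the HIPS outcomes named in the text: the activity is
// identified (Rule), blocked or allowed (Action), and logged by Report.
type Verdict struct {
	Action string // "allow", "block" or "allow+log"
	Rule   string // rule that fired; empty when nothing matched
}

// Policy is a hypothetical ePO policy pushed to the agent. Assumption: real
// HBSS policy is far richer; these two rule sets are for illustration only.
type Policy struct {
	KnownBad   map[string]string // AV signatures: hash -> threat name
	Exemptions map[string]bool   // users holding a DAA-granted removable-media exemption
}

// Evaluate applies the DCM, AV and HIPS rules to a single event.
func (p Policy) Evaluate(e Event) Verdict {
	switch e.Kind {
	case "write":
		if !e.Removable {
			return Verdict{"allow", ""}
		}
		// DCM: deny removable-media writes unless the user holds an exemption,
		// and even then require a second person to be present.
		if !p.Exemptions[e.User] {
			return Verdict{"block", "DCM: removable media write denied, no DAA exemption"}
		}
		if e.Witness == "" || e.Witness == e.User {
			return Verdict{"block", "DCM: exempted write requires two-person integrity"}
		}
		return Verdict{"allow+log", "DCM: exempted write, record for the media catalog"}
	case "exec":
		if name, ok := p.KnownBad[e.SHA256]; ok {
			return Verdict{"block", "AV: known malware " + name}
		}
		// HIPS (assumed rule): block execution from user-writable locations.
		lower := strings.ToLower(e.Path)
		if strings.Contains(lower, `\appdata\local\temp\`) || strings.HasPrefix(lower, `c:\users\public\`) {
			return Verdict{"block", "HIPS: execution from user-writable path"}
		}
	}
	return Verdict{"allow", ""}
}

// Report produces one log line per event, the record the agent would send to ePO.
func Report(p Policy, events []Event) []string {
	var lines []string
	for _, e := range events {
		v := p.Evaluate(e)
		lines = append(lines, fmt.Sprintf("%s user=%s %s %s action=%s rule=%q",
			e.Host, e.User, e.Kind, e.Path, v.Action, v.Rule))
	}
	return lines
}

// SamplePolicy and SampleEvents are constructed data: the hashes, users and
// hosts are placeholders, not real signatures or accounts.
func SamplePolicy() Policy {
	return Policy{
		KnownBad:   map[string]string{"constructed-hash-1": "Trojan.Example"},
		Exemptions: map[string]bool{"j.doe": true},
	}
}

func SampleEvents() []Event {
	return []Event{
		{Host: "WS01", User: "a.smith", Kind: "write", Path: `E:\dump.zip`, Removable: true},
		{Host: "WS02", User: "j.doe", Kind: "write", Path: `E:\orders.pdf`, Removable: true},
		{Host: "WS02", User: "j.doe", Kind: "write", Path: `E:\orders.pdf`, Removable: true, Witness: "r.lee"},
		{Host: "WS03", User: "a.smith", Kind: "exec", Path: `C:\Users\a.smith\AppData\Local\Temp\setup.exe`, SHA256: "constructed-hash-2"},
		{Host: "WS03", User: "a.smith", Kind: "exec", Path: `C:\Program Files\App\app.exe`, SHA256: "constructed-hash-1"},
		{Host: "WS04", User: "a.smith", Kind: "write", Path: `C:\Users\a.smith\notes.txt`},
	}
}

func main() {
	for _, line := range Report(SamplePolicy(), SampleEvents()) {
		fmt.Println(line)
	}
}
```

The exempted user's first write is still blocked because no witness is recorded; only the second attempt, with a different person named as witness, is allowed and logged for the media catalog, which is the two-person integrity requirement in practice.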
System Center Configuration Manager
System Center Configuration Manager (SCCM), formerly known as Systems Management
Server (SMS), is the successor to SMS and integrates Windows Server Update Services (WSUS) for
its software update function. SCCM comprehensively assesses, deploys, and updates enterprise
servers, clients, and devices across physical, virtual, distributed, and mobile environments
(www.microsoft.com, 2011); it is an integral part of our Enterprise security and management. The
Army Enterprise uses SCCM for several primary functions: Asset Intelligence, Software Update
Management, Configuration Management, Software Distribution and Operating System
Deployment. Asset Intelligence gives administrators better control over the IT infrastructure and
assets through continuous visibility into what hardware and software assets they have, who is using
them, and where they are, by providing software and hardware inventory. Configuration
Management helps administrators ensure that IT systems comply with Enterprise configuration
policy to improve availability, security, and performance network-wide. The Software Distribution
and Software Update Management functions are very important because they allow remote
patching; this complements our Information Assurance Vulnerability Management program (see
Tier 3 Tools, Techniques and Processes).
Tier 3 Tools, Techniques and Processes
Public Key Infrastructure
Public key infrastructure (PKI) enables users of an inherently insecure public network such
as the Internet, or of a more secure network like the Army Enterprise, to authenticate each other
and exchange data privately through the use of a public and private cryptographic key pair that is
obtained and shared through a trusted authority. The PKI provides digital certificates that identify
an individual or an organization, and directory services that store the certificates and, when
necessary, revoke them. PKI assumes the use of public key cryptography, which is the most
common method on the Internet, and on more secure networks like the Army Enterprise, for
authenticating and signing or encrypting a message. Traditional cryptography has involved the
creation and sharing of a single secret key used for both encryption and decryption of messages.
This secret-key system has the significant weakness that the key must be distributed to every party
in advance, and if it is discovered or intercepted by someone else, messages can easily be decrypted
or forged; with a key pair, the private key never leaves its owner and only the public key is
distributed. For this reason, public key cryptography and the public key infrastructure is the
preferred approach. For PKI to work there are four major entities: a certificate authority (CA) that
issues and verifies digital certificates (a certificate includes the public key or information about the
public key); a registration authority (RA) that acts as the verifier for the certificate authority before
a digital certificate is issued to a requestor; one or more directories where the certificates (with
their public keys) are held; and a certificate management system. VeriSign® is the world's
leading certificate authority (www.verisign.com, 2011).
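As an added illustration, not part of the original paper and not any DoD or vendor PKI code, the Go program below models the four entities in miniature with the standard library's crypto/x509: the RA is a roster of vetted identities, the CA signs leaf certificates, the directory holds issued certificates and a CA-signed certificate revocation list (CRL), and Verify builds the chain to the root and then consults the CRL. The CA name, the identities and the validity periods are constructed, and the whole thing lives in memory rather than in a real directory service.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PKI is a hypothetical in-memory stand-in for the four entities in the text:
// RA (roster), CA (caKey, caCert), directory (dir plus the current CRL), verifier.
type PKI struct {
	caKey   *ecdsa.PrivateKey
	caCert  *x509.Certificate
	roster  map[string]bool
	dir     map[string]*x509.Certificate
	revoked []pkix.RevokedCertificate
	crlDER  []byte
}

// sign has priv sign tmpl under parent and returns the parsed certificate.
func sign(tmpl, parent *x509.Certificate, pub, priv any) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

// NewPKI creates a self-signed root CA, seeds the RA roster and publishes an empty CRL.
func NewPKI(vetted []string) (*PKI, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	cert, err := sign(tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	p := &PKI{caKey: key, caCert: cert, roster: map[string]bool{}, dir: map[string]*x509.Certificate{}}
	for _, cn := range vetted {
		p.roster[cn] = true
	}
	return p, p.Revoke(nil)
}

// Issue: the RA refuses identities it has not vetted; the CA signs the rest
// and the directory stores the result. Returns the leaf and its private key.
func (p *PKI) Issue(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	if !p.roster[cn] { return nil, nil, fmt.Errorf("RA: identity %q not vetted", cn) }
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(int64(len(p.dir) + 2)), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(12 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	cert, err := sign(tmpl, p.caCert, &key.PublicKey, p.caKey)
	if err != nil { return nil, nil, err }
	p.dir[cert.SerialNumber.String()] = cert
	return cert, key, nil
}

// Revoke appends the serial (nil appends nothing) and republishes the CA-signed CRL.
func (p *PKI) Revoke(serial *big.Int) error {
	if serial != nil {
		p.revoked = append(p.revoked, pkix.RevokedCertificate{SerialNumber: serial, RevocationTime: time.Now()})
	}
	tmpl := &x509.RevocationList{
		Number: big.NewInt(int64(len(p.revoked) + 1)), RevokedCertificates: p.revoked,
		ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(time.Hour),
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, p.caCert, p.caKey)
	p.crlDER = der
	return err
}

// Verify builds the chain to the CA, then checks the CA-signed CRL for the serial.
func (p *PKI) Verify(cert *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(p.caCert)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil { return err }
	crl, err := x509.ParseRevocationList(p.crlDER)
	if err != nil { return err }
	if err := crl.CheckSignatureFrom(p.caCert); err != nil { return err }
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("serial %s is revoked", cert.SerialNumber)
		}
	}
	return nil
}

func main() {
	p, _ := NewPKI([]string{"alice"})
	cert, _, _ := p.Issue("alice")
	fmt.Println("alice verifies:", p.Verify(cert))
	fmt.Println("revoke:", p.Revoke(cert.SerialNumber), "then verifies:", p.Verify(cert))
}
```

Two points the paragraph does not spell out show up here: the CRL is itself signed by the CA, so a verifier checks its signature before trusting it, and chain validation alone says nothing about revocation, which is why Verify does both steps.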
Information Assurance Vulnerability Management Program
The Information Assurance Vulnerability Management (IAVM) program employs
positive control mechanisms to mitigate potentially critical software vulnerabilities through the
rapid development and dissemination of actions to all Department of Defense Enterprises. The
IAVM program establishes positive control of the DoD Information Assurance Vulnerability Alert
(IAVA) system: it provides access to vulnerability notifications that require action, requires
acknowledgement of action messages, requires compliance and status reporting, tracks compliance
and reporting, and conducts random compliance checks and vulnerability scans. The IAVM
program is managed jointly by United States Cyber Command (USCYBERCOM) and the Defense
Information Systems Agency (DISA). Both agencies publish alert messages identifying software
with vulnerabilities that can be exploited, and they provide the patch repository mentioned in the
SCCM section. SCCM pushes the software package updates provided by that repository to ensure
that all software and systems are properly patched to remediate any potential vulnerability. To
ensure compliance across the Army Enterprise we conduct Information Assurance Vulnerability
scans using REM/Retina. Retina is a vulnerability management and compliance solution designed
specifically for Government agencies (eEye Digital Security, 2011). Retina.GOV is an integrated
end-to-end vulnerability management and compliance solution designed to help Government
departments and agencies with protection and compliance by defining and monitoring relevant IT
controls. Retina Enterprise Manager (REM) is the console through which the Retina vulnerability
scans are run.
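The following Go program is an illustration added to this edition rather than taken from the paper, DISA or the SCCM and Retina products. It shows the positive-control loop that the SCCM and IAVM sections above describe: constructed IAVA action messages are assessed against a constructed SCCM software inventory, each host is marked compliant, open or not applicable per alert, and the tracking summary singles out open findings on hosts that never acknowledged the message. The alert identifiers, products, versions and host names are placeholders.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// IAVA is a constructed alert in the shape of an IAVM action message: the
// product it covers, the first version that remediates it, and which hosts
// have acknowledged the message (the positive-control step in the text).
type IAVA struct {
	ID, Product, FixedIn string
	Acknowledged         map[string]bool // host name -> acknowledged
}

// Host is one record from the SCCM Asset Intelligence software inventory.
type Host struct {
	Name     string
	Software map[string]string // product -> installed version
}

// Finding is one row of the compliance report.
type Finding struct {
	Host, IAVA, Status string // Status: "compliant", "open" or "n/a"
	Acknowledged       bool
}

// versionLess compares dotted numeric versions, so "9.10" sorts after "9.9".
func versionLess(a, b string) bool {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		var x, y int
		if i < len(as) {
			x, _ = strconv.Atoi(as[i])
		}
		if i < len(bs) {
			y, _ = strconv.Atoi(bs[i])
		}
		if x != y {
			return x < y
		}
	}
	return false
}

// Assess is the compliance check a scan performs: every host is measured against
// every alert; an alert is "open" when the installed version predates the fix.
func Assess(alerts []IAVA, hosts []Host) []Finding {
	var findings []Finding
	for _, h := range hosts {
		for _, a := range alerts {
			f := Finding{Host: h.Name, IAVA: a.ID, Status: "n/a", Acknowledged: a.Acknowledged[h.Name]}
			if v, installed := h.Software[a.Product]; installed {
				f.Status = "compliant"
				if versionLess(v, a.FixedIn) {
					f.Status = "open"
				}
			}
			findings = append(findings, f)
		}
	}
	return findings
}

// Summary gives the tracking numbers: open findings, and open findings on hosts
// that never acknowledged the alert, which is where follow-up starts.
func Summary(findings []Finding) (open, openUnacked int) {
	for _, f := range findings {
		if f.Status == "open" {
			open++
			if !f.Acknowledged {
				openUnacked++
			}
		}
	}
	return open, openUnacked
}

// SampleAlerts and SampleHosts are constructed data; the IDs, products and
// versions are placeholders, not real IAVAs or real inventory.
func SampleAlerts() []IAVA {
	return []IAVA{
		{ID: "2011-A-0001", Product: "Adobe Reader", FixedIn: "9.4.2", Acknowledged: map[string]bool{"WS01": true, "WS02": true}},
		{ID: "2011-B-0010", Product: "Java JRE", FixedIn: "6.0.24", Acknowledged: map[string]bool{"WS03": true}},
	}
}

func SampleHosts() []Host {
	return []Host{
		{Name: "WS01", Software: map[string]string{"Adobe Reader": "9.4.2", "Java JRE": "6.0.23"}},
		{Name: "WS02", Software: map[string]string{"Adobe Reader": "9.3.4"}},
		{Name: "WS03", Software: map[string]string{"Java JRE": "6.0.24"}},
	}
}

func main() {
	findings := Assess(SampleAlerts(), SampleHosts())
	for _, f := range findings {
		fmt.Printf("%-5s %-12s %-10s acknowledged=%v\n", f.Host, f.IAVA, f.Status, f.Acknowledged)
	}
	open, unacked := Summary(findings)
	fmt.Printf("open=%d open-and-unacknowledged=%d\n", open, unacked)
}
```

Note that a host with the vulnerable product absent is reported as not applicable rather than compliant, so the report distinguishes "patched" from "never exposed", and that acknowledgement is tracked separately from remediation, since an acknowledged alert can still be open.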
Information Assurance and Computer Network Defense (IA/CND)
IA/CND is the process we use to remediate IA issues within the Enterprise. We use the
BMC Remedy ticketing system to manage our incident handling program; it allows us to create,
route and track any IA event throughout the Army Enterprise and to ensure compliance with the
resulting actions.
Conclusion
The research has described the Army Enterprise architecture and the tools, techniques and
processes used at each Tier of the Enterprise. The Enterprise's Defense in Depth strategy is sound,
but there is always room for improvement. As technologies evolve, so do the threats from attackers,
viruses, malware and other malicious activity, and it is imperative that administrators stay vigilant
and maintain situational awareness. The Tiers within the defense in depth concept are managed by
different administrators; this requires thorough Network Operations processes across the
community as well as a sound Change Management program. Without these processes, the multiple
systems and tiers in the Enterprise will inevitably prevent users from communicating. As the
research shows, there are numerous pieces of equipment blocking access within the Enterprise, and
a single firewall modification can prevent General Officers from commanding and controlling their
combat forces.
Works Cited
U.S. Central Command (USCENTCOM). (2001). CENTRIXS for Multinational Operations, Concept of Operations.
http://www.deepnines.com. (2010). Retrieved March 6, 2011, from http://www.deepnines.com/secure-web-gateway/definition-of-network-security
Institute for Telecommunications Science. (2010, January). Retrieved March 6, 2011, from http://www.its.bldrdoc.gov/projects/devglossary/_malicious_logic.html
www.intelink.gov. (2010). Retrieved March 10, 2011, from www.intelink.gov/hbss
Defense Information Systems Agency. (2011). Retrieved March 8, 2011, from www.disa.mil
http://www.marketresearchmedia.com. (2011). Retrieved March 8, 2011, from http://www.marketresearchmedia.com/2010/02/17/deep-packet-inspection-market/
http://www.symantec.com. (2011, January 1). Retrieved March 7, 2011, from http://searchg.symantec.com/search?q=worm&charset=utf-8&proxystylesheet=symc_en_US&client=symc_en_US&hitsceil=100&site=symc_en_US&output=xml_no_dtd&context=ent&x=9&y=12
www.arcsight.com. (2011). Retrieved March 9, 2011, from www.arcsight.com
www.cisco.com. (2011). Retrieved March 9, 2011, from http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094831.shtml
www.howstuffworks.com. (2011, January 1). Retrieved March 7, 2011, from http://www.howstuffworks.com/virus.htm
www.lumeta.com/ipsonar. (2011). Retrieved March 8, 2011, from www.lumeta.com/ipsonar
www.microsoft.com. (2011). Retrieved March 10, 2011, from http://www.microsoft.com/systemcenter/en/us/configuration-manager/cm-overview.aspx
www.symantec.com. (2011). Retrieved March 10, 2011, from http://www.symantec.com/business/products/family.jsp?familyid=brightmail
www.symantec.com/security_response. (2011, January 1). Retrieved March 7, 2011, from http://www.symantec.com/security_response/writeup.jsp?docid=2004-021914-2822-99
www.verisign.com. (2011). Retrieved March 11, 2011, from https://www.verisign.com/ts-sem-page/?sl=t11990306090000002&gclid=CKDh4v-3xKcCFUtSHAodclBgDA
Anderson, N. (2010, June 10). http://arstechnica.com. Retrieved March 8, 2011, from http://arstechnica.com/tech-policy/news/2010/06/deep-packet-inspection-soon-to-be-15-billion-business.ars
BlueCoat. (2011). www.BlueCoat.com. Retrieved March 10, 2011, from http://www.bluecoat.com/products/proxyclient
Cisco Systems. (2005). Designing Network Security. Indianapolis, IN: Pearson Education, Inc.
Cisco Systems Inc. (2011). Access Control Lists. San Jose, CA, US. Retrieved from http://www.cisco.com/en/US/docs/ios/11_3/security/configuration/guide/scacls.html#wp3696
Defense in Depth. (n.d.). Retrieved March 4, 2011, from www.nsa.gov: http://www.nsa.gov/ia/_files/support/defenseindepth.pdf
Department of Homeland Security. (2011). www.us-cert.gov. Retrieved March 6, 2011, from United States Computer Emergency Readiness Team: www.us-cert.gov
eEye Digital Security. (2011). www.eeye.com/gov. Retrieved from www.eeye.com/gov
Garfinkel, S. L. (2005, January 26). http://skypetips.internetvisitation.org. Retrieved March 6, 2011, from http://skypetips.internetvisitation.org/files/VoIP%20and%20Skype.pdf
http://www.tech-faq.com. (n.d.). Retrieved March 7, 2011, from http://www.tech-faq.com/logic-bomb.html
Pearson Education. (2005). Threats to an Enterprise Network. Pearson Education.
Shead, S. (2010, January 25). Steve Shead Dot Net. Retrieved March 5, 2011, from An Information Security Blog: http://www.steve-shead.net/tag/
Teo, L. (2000, December 1). Network probes Explained. Retrieved March 6, 2011, from http://www.linuxjournal.com/article/4234
The SANS Institute. (2010, December 4). http://www.sans.org. Retrieved March 7, 2011, from http://www.sans.org/top-cyber-security-risks/summary.php
U.S. Secret Service and CERT Coordination Center/SEI. (2004). Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector.
Webbmedia Group, LLC. (2009, August 31). DDoS explained. Baltimore, MD.
www.kratosdefense.com. (n.d.). Retrieved March 4, 2011, from http://www.kratosdefense.com/c5isr.htm
www.nsa.gov. (n.d.). Retrieved March 4, 2011, from http://www.nsa.gov/ia/programs/global_industry_grid/index.shtml
Young G, P. J. (2010, December 6). www.gartner.com. Retrieved March 9, 2011, from www.mcafee.com/us/.../rp-gartner-magic-quadrant-network-ips.pdf

More Related Content

Similar to Network Defense Strategies

Csec 610 Your world/newtonhelp.com
Csec 610 Your world/newtonhelp.comCsec 610 Your world/newtonhelp.com
Csec 610 Your world/newtonhelp.comamaranthbeg92
 
Csec 610 Extraordinary Success/newtonhelp.com
Csec 610 Extraordinary Success/newtonhelp.comCsec 610 Extraordinary Success/newtonhelp.com
Csec 610 Extraordinary Success/newtonhelp.comamaranthbeg112
 
Object Oriented Secure Modeling using SELinux Trusted Operating System
Object Oriented Secure Modeling using SELinux Trusted Operating SystemObject Oriented Secure Modeling using SELinux Trusted Operating System
Object Oriented Secure Modeling using SELinux Trusted Operating SystemEswar Publications
 
Cst 610 Your world/newtonhelp.com
Cst 610 Your world/newtonhelp.comCst 610 Your world/newtonhelp.com
Cst 610 Your world/newtonhelp.comamaranthbeg93
 
Cst 610 Education is Power/newtonhelp.com
Cst 610 Education is Power/newtonhelp.comCst 610 Education is Power/newtonhelp.com
Cst 610 Education is Power/newtonhelp.comamaranthbeg73
 
Cst 610 Motivated Minds/newtonhelp.com
Cst 610 Motivated Minds/newtonhelp.comCst 610 Motivated Minds/newtonhelp.com
Cst 610 Motivated Minds/newtonhelp.comamaranthbeg53
 
J An Gutierrez Credentials
J An Gutierrez CredentialsJ An Gutierrez Credentials
J An Gutierrez CredentialsJ. An Gutierrez
 
Ebook: Splunk SANS - CIS Top 20 Critical Security Controls
Ebook: Splunk SANS - CIS Top 20 Critical Security ControlsEbook: Splunk SANS - CIS Top 20 Critical Security Controls
Ebook: Splunk SANS - CIS Top 20 Critical Security ControlsDominique Dessy
 
Sec 572 Effective Communication / snaptutorial.com
Sec 572  Effective Communication / snaptutorial.comSec 572  Effective Communication / snaptutorial.com
Sec 572 Effective Communication / snaptutorial.comBaileyabl
 
Replication of attacks in a wireless sensor network using ns2
Replication of attacks in a wireless sensor network using ns2Replication of attacks in a wireless sensor network using ns2
Replication of attacks in a wireless sensor network using ns2eSAT Journals
 
IRJET- Ideal Security Preserving Probabilistic Direction Finding for Wireless...
IRJET- Ideal Security Preserving Probabilistic Direction Finding for Wireless...IRJET- Ideal Security Preserving Probabilistic Direction Finding for Wireless...
IRJET- Ideal Security Preserving Probabilistic Direction Finding for Wireless...IRJET Journal
 
Sec 572 Education Specialist-snaptutorial.com
Sec 572 Education Specialist-snaptutorial.comSec 572 Education Specialist-snaptutorial.com
Sec 572 Education Specialist-snaptutorial.comrobertlesew79
 
Sec 572 Education Organization / snaptutorial.com
Sec 572  Education Organization / snaptutorial.comSec 572  Education Organization / snaptutorial.com
Sec 572 Education Organization / snaptutorial.comBaileya109
 
Security Theatre - Benelux
Security Theatre - BeneluxSecurity Theatre - Benelux
Security Theatre - Beneluxxsist10
 
Refining data security in infrastructurenetworks support of multipath routing
Refining data security in infrastructurenetworks support of multipath routingRefining data security in infrastructurenetworks support of multipath routing
Refining data security in infrastructurenetworks support of multipath routingeSAT Journals
 
Cst 630 Extraordinary Success/newtonhelp.com
Cst 630 Extraordinary Success/newtonhelp.comCst 630 Extraordinary Success/newtonhelp.com
Cst 630 Extraordinary Success/newtonhelp.comamaranthbeg113
 
Cst 630 Motivated Minds/newtonhelp.com
Cst 630 Motivated Minds/newtonhelp.comCst 630 Motivated Minds/newtonhelp.com
Cst 630 Motivated Minds/newtonhelp.comamaranthbeg53
 
Cst 630 Education is Power/newtonhelp.com
Cst 630 Education is Power/newtonhelp.comCst 630 Education is Power/newtonhelp.com
Cst 630 Education is Power/newtonhelp.comamaranthbeg73
 
Sec 572 Enhance teaching / snaptutorial.com
Sec 572  Enhance teaching / snaptutorial.comSec 572  Enhance teaching / snaptutorial.com
Sec 572 Enhance teaching / snaptutorial.comHarrisGeorg69
 
Security Theatre (PHP Leuven)
Security Theatre (PHP Leuven)Security Theatre (PHP Leuven)
Security Theatre (PHP Leuven)xsist10
 

Similar to Network Defense Strategies (20)

Csec 610 Your world/newtonhelp.com
Csec 610 Your world/newtonhelp.comCsec 610 Your world/newtonhelp.com
Csec 610 Your world/newtonhelp.com
 
Csec 610 Extraordinary Success/newtonhelp.com
Csec 610 Extraordinary Success/newtonhelp.comCsec 610 Extraordinary Success/newtonhelp.com
Csec 610 Extraordinary Success/newtonhelp.com
 
Object Oriented Secure Modeling using SELinux Trusted Operating System
Object Oriented Secure Modeling using SELinux Trusted Operating SystemObject Oriented Secure Modeling using SELinux Trusted Operating System
Object Oriented Secure Modeling using SELinux Trusted Operating System
 
Cst 610 Your world/newtonhelp.com
Cst 610 Your world/newtonhelp.comCst 610 Your world/newtonhelp.com
Cst 610 Your world/newtonhelp.com
 
Cst 610 Education is Power/newtonhelp.com
Cst 610 Education is Power/newtonhelp.comCst 610 Education is Power/newtonhelp.com
Cst 610 Education is Power/newtonhelp.com
 
Cst 610 Motivated Minds/newtonhelp.com
Cst 610 Motivated Minds/newtonhelp.comCst 610 Motivated Minds/newtonhelp.com
Cst 610 Motivated Minds/newtonhelp.com
 
J An Gutierrez Credentials
J An Gutierrez CredentialsJ An Gutierrez Credentials
J An Gutierrez Credentials
 
Ebook: Splunk SANS - CIS Top 20 Critical Security Controls
Ebook: Splunk SANS - CIS Top 20 Critical Security ControlsEbook: Splunk SANS - CIS Top 20 Critical Security Controls
Ebook: Splunk SANS - CIS Top 20 Critical Security Controls
 
Sec 572 Effective Communication / snaptutorial.com
Sec 572  Effective Communication / snaptutorial.comSec 572  Effective Communication / snaptutorial.com
Sec 572 Effective Communication / snaptutorial.com
 
Replication of attacks in a wireless sensor network using ns2
Replication of attacks in a wireless sensor network using ns2Replication of attacks in a wireless sensor network using ns2
Replication of attacks in a wireless sensor network using ns2
 
IRJET- Ideal Security Preserving Probabilistic Direction Finding for Wireless...
IRJET- Ideal Security Preserving Probabilistic Direction Finding for Wireless...IRJET- Ideal Security Preserving Probabilistic Direction Finding for Wireless...
IRJET- Ideal Security Preserving Probabilistic Direction Finding for Wireless...
 
Sec 572 Education Specialist-snaptutorial.com
Sec 572 Education Specialist-snaptutorial.comSec 572 Education Specialist-snaptutorial.com
Sec 572 Education Specialist-snaptutorial.com
 
Sec 572 Education Organization / snaptutorial.com
Sec 572  Education Organization / snaptutorial.comSec 572  Education Organization / snaptutorial.com
Sec 572 Education Organization / snaptutorial.com
 
Security Theatre - Benelux
Security Theatre - BeneluxSecurity Theatre - Benelux
Security Theatre - Benelux
 
Refining data security in infrastructurenetworks support of multipath routing
Refining data security in infrastructurenetworks support of multipath routingRefining data security in infrastructurenetworks support of multipath routing
Refining data security in infrastructurenetworks support of multipath routing
 
Cst 630 Extraordinary Success/newtonhelp.com
Cst 630 Extraordinary Success/newtonhelp.comCst 630 Extraordinary Success/newtonhelp.com
Cst 630 Extraordinary Success/newtonhelp.com
 
Cst 630 Motivated Minds/newtonhelp.com
Cst 630 Motivated Minds/newtonhelp.comCst 630 Motivated Minds/newtonhelp.com
Cst 630 Motivated Minds/newtonhelp.com
 
Cst 630 Education is Power/newtonhelp.com
Cst 630 Education is Power/newtonhelp.comCst 630 Education is Power/newtonhelp.com
Cst 630 Education is Power/newtonhelp.com
 
Sec 572 Enhance teaching / snaptutorial.com
Sec 572  Enhance teaching / snaptutorial.comSec 572  Enhance teaching / snaptutorial.com
Sec 572 Enhance teaching / snaptutorial.com
 
Security Theatre (PHP Leuven)
Security Theatre (PHP Leuven)Security Theatre (PHP Leuven)
Security Theatre (PHP Leuven)
 

Network Defense Strategies

  • 1. NETWORK DEFENSE: DEFENSE IN DEPTH 1 Network Defense: Defense in Depth as it Relates to the US Army Enterprise in Southwest Asia Alen S. Schulze - G00027048 Grantham University March 15, 2011 Author Note Correspondence concerning this article should be addressed to MSG Alen S. Schulze, United States Army, Headquarters and Headquarters Company, 160th Signal Brigade, Southwest Asia Theater Network Operations and Security Center, APO AE 09366 Contact: alen.schulze@us.army.mil
  • 2. NETWORK DEFENSE: DEFENSE IN DEPTH 2 Table of Contents Table of Figures----------------------------------------------------------------------------------------------4 Introduction --------------------------------------------------------------------------------------------------6 Research Questions to Consider ---------------------------------------------------------------------------7 Research Plan ------------------------------------------------------------------------------------------------9 Abstract -----------------------------------------------------------------------------------------------------10 Network Architecture and Design -----------------------------------------------------------------------11 Threats to the Enterprise ----------------------------------------------------------------------------------14 Unauthorized Access -----------------------------------------------------------------------------15 Unauthorized Probe-------------------------------------------------------------------------------16 Denial of Service----------------------------------------------------------------------------------19 Malicious Logic-----------------------------------------------------------------------------------22 Insider Threat--------------------------------------------------------------------------------------25 Vulnerabilities-------------------------------------------------------------------------------------27 Enterprise Defense in Depth Tier 0 - Tools, Techniques and Processes-----------------------------------------------------29 CENTAUR-------------------------------------------------------------------------------30 IPSonar®---------------------------------------------------------------------------------31 Deep Packet Inspection-----------------------------------------------------------------32 Tier 1 - Tools, Techniques and Processes-----------------------------------------------------33 Aggregate Security 
Router-------------------------------------------------------------33 Access Control Lists/DAPE------------------------------------------------------------33 Cisco Secure Intrusion Detection System (CSIDS) --------------------------------34 Stateful Firewalls------------------------------------------------------------------------35 Network Address Translation (NAT) ------------------------------------------------35 Tier 2 - Tools, Techniques and Processes-----------------------------------------------------37 ArcSight ESM --------------------------------------------------------------------------38 Intrusion Prevention System ----------------------------------------------------------38 BlueCoat Proxy Server ----------------------------------------------------------------40 Brightmail--------------------------------------------------------------------------------41
  • 3. NETWORK DEFENSE: DEFENSE IN DEPTH 3 Host Based Security System -----------------------------------------------------------41 System Center Configuration Manager ----------------------------------------------43 Tier 3 Tools, Techniques and Processes-------------------------------------------------------44 Public Key Infrastructure (PKI) -------------------------------------------------------44 Information Assurance Vulnerability Management Program ---------------------45 Information Assurance and Computer Network Defense --------------------------46 Conclusion--------------------------------------------------------------------------------------------------47
  • 4. NETWORK DEFENSE: DEFENSE IN DEPTH 4 Table of Figures Figure 1, Tiered Enterprise Architecture ---------------------------------------------------------12 Figure 2, Example of relationship between Tier 3 and network defense programs--------13 Figure 3, Nmap scan results -----------------------------------------------------------------------18 Table 1, Common Denial of Service Attacks ---------------------------------------------------20 Figure 4, Distributed Denial of Service Attack -------------------------------------------------21 Figure 5, Number of Vulnerabilities in Network, OS and Applications --------------------28 Figure 6, Tier 0 Defense ---------------------------------------------------------------------------24 Figure 7, Tier 1 Defense ---------------------------------------------------------------------------34 Figure 8, How NAT works ------------------------------------------------------------------------36 Figure 9, Tier 2 Defense ---------------------------------------------------------------------------37 Figure 10, BlueCoat Proxy Server ----------------------------------------------------------------40 Figure 11, HBSS Configuration -------------------------------------------------------------------42
  • 5. NETWORK DEFENSE: DEFENSE IN DEPTH 5 THIS PAGE INTENTIONALLY LEFT BLANK
  • 6. NETWORK DEFENSE: DEFENSE IN DEPTH 6 Introduction This project will describe the architecture of the US Army Enterprise Network and the threats that the enterprise encounters daily. The research will indentify numerous tools and programs that the Army Enterprise uses to mitigate these threats or to slow the threat so the administrators can respond in an organized manner. Today in our Military, there is an ever growing dependency on computer networks. This topic was chosen because I currently work as an Incident Manager and Project Manager for the Army Enterprise that is providing support to over 300,000 War fighters, Peacekeepers and Contractors throughout Southwest Asia. I feel comfortable with the subject and have extensive knowledge of the tools, programs and have reference materials for the items the research will identify. My course of study has been in Information Management Technologies; the tools I will describe are management tools for Information Technologies so the subject of this project and degree program has a direct correlation. Further, I have a great professional interest in Network Engineering and Information Assurance/Computer Network Defense; the research will also show that the tools and programs that the Army Enterprise uses are the same systems and tools that can and are used in large Corporate Enterprise Networks. The decision was made to create a project about the Army Enterprise vice a Corporate Enterprise due to my familiarity with the structure and protective measures in use by the Army Enterprise and Department of Defense. This project is dedicated to my beautiful and loving wife Melissa Jimenez Schulze. You are the most amazing woman in the world, and I am the luckiest man in the world to have you in my life.
  • 7. NETWORK DEFENSE: DEFENSE IN DEPTH 7 Research Questions to consider 1. How do I discuss the tiered structure of the Enterprise and the equipment that resides at each tier? a. Explain the tiered structure (Tier 1, Tier 2, Tier 3 down to the hosts connected to the LAN) and accompany that discussion with a diagram that shows the different Tiers and tools in each. 2. What are the major threats to the Enterprise Network that are going to be addressed in the research? a. These threats will be discussed in depth, Unauthorized Access, Denial of Service, Data Compromise, Unauthorized Probe, Malicious Logic, Explained Anomaly and Insider Threat 3. What are the vulnerabilities that would allow the threats to be successful in an attack in each of the tiers? a. Systems not being properly patched, firewalls not being properly configured, lack of authentication (i.e. Exchange, SharePoint, and Network Access Control). 4. What are the tools, equipment and programs that address these issues? a. The following systems will be discussed; Sensor Network/Grid, ArcSight ESM, ArcSight Logger, Bluecoat Proxy, BrightMail, Host Based Security System (Device Control Module (DCM), Common Access Cards/Private Key Infrastructure, Intrusion Prevention System (with IDS on board) Cisco Security Intrusion Detection System (CSIDS). 5. What are the Processes that are used to take a proactive approach to network defense?
  • 8. NETWORK DEFENSE: DEFENSE IN DEPTH 8 a. The following processes will be discussed; Router Access Control Lists, IP Blocks, Domain Name Poisons or Black holing, Deep Packet Inspection, and scripts that are programmed into Blue Coat proxies, and Policies such as Authorized Software Lists and Acceptable Use Agreements.
  • 9. NETWORK DEFENSE: DEFENSE IN DEPTH 9 Research Plan and Assets I currently have a handicap in regards to research and key sources of information due to my location in Afghanistan. I am limited to the internet and some military publications although the products, programs and tools that will be described and discussed in the project are used across the world and for many Fortune 500 companies as well as the Army. There are many white papers and technical documents on the manufacturers’ web sites that I will use as references, so there is definitely no shortage of reference material. I have also referred to the National Security Agency (NSA) web page which discusses the concept of Defense in Depth which was conceived by the NSA as a comprehensive approach to information and electronic security. I will utilize some open source military doctrine to assist in describing the Enterprise Architecture. In this project I may be required to frame some of the discussion to more of a business setting due to the classification of some of the details in regards to the security procedures the administrators use. This project will be required to undergo numerous reviews by my Security Operations team to ensure I am not crossing the line and the project remains devoid of any classified information. I have acquired some books to utilize for this project, Parker, Donn B. (1998). Fighting Computer Crime and Bosworth, Seymour; Kabay, M. E. The Computer Security Handbook which will assist in my research and discussion about Information Assurance Vulnerabilities.
  • 10. NETWORK DEFENSE: DEFENSE IN DEPTH 10 Abstract Defense in Depth is a practical strategy for achieving Information Assurance in today’s highly networked environments. It is a “best practices” strategy in that it relies on the intelligent application of techniques and technologies that exist today. The strategy recommends a balance between the protection capability and cost, performance, and operational considerations (Defense in Depth, 2010). This project provides an overview of the major elements of the strategy. To effectively resist attacks against its information and information systems, an organization needs to characterize its adversaries, their potential motivations, and their classes of attack. It is imperative that the administrators and users protect our networks and the information stored on them from these threats. The defense in depth strategy is the Department of Defense’s “best business practices” and is a military strategy that was conceived by the National Security Agency. The strategy seeks to delay the advance of an attacker, buying time and causing additional casualties by yielding space. Rather than defeating an attacker with a single, strong defensive line, defense in depth relies on the tendency of an attack to lose momentum over a period of time or as it covers a larger area (www.nsa.gov). The idea of defense in depth is now widely used to describe non-military strategies and is commonly used to defend, protect and secure Corporate Enterprises of many Fortune 500 Companies and Corporations worldwide. Managers must be vigilant and understand all the possible threats to these networks due to the relative free flow of information, availability in these networks and the sensitivity of the information within. Knowing which portion of the Enterprise is the most vulnerable or susceptible to attacks is definitely useful but having a defense in depth to either stop the attack, or at a minimum slow the attack is paramount.
Network Architecture and Design

The US Army Enterprise Network that supports the War fighters, Peacekeepers and Contractors engaged in combat and peacekeeping operations in Afghanistan, Iraq and numerous other countries in Southwest Asia was designed and built with a Tiered Structure in mind, to facilitate following the National Security Agency’s best business practice of defending in depth. The Tiered Network design also facilitates the redundancy of the communications links that provide services to the Force. The interpretations of the tiers in the Enterprise Network vary depending on the organization and its role in the administration of the Enterprise Network. In the broadest terms, the Enterprise consists of Tier 0 through Tier 3.

Tier 0 includes all strategic links, fiber optic links and Satellite links that connect the Enterprise Network to the Global Information Grid (GIG). These links serve as the high speed transport for all Enterprise traffic to flow out to the internet, make phone calls worldwide and connect to Department of Defense Information Systems in the Continental United States or various other locations throughout the world. Because the Enterprise Network connects to the Global Information Grid and traffic can flow out, it is imperative that the administrators and users defend, protect and secure the Enterprise Network from intrusions.

Tier 1 links are much like the Tier 0 links in that they are predominately fiber optic, satellite and Microwave Line of Sight (MLoS) links. The Tier 1 links interconnect the locations throughout the theater of operation so they can communicate and share information. Tier 1 circuits also provide the bandwidth and redundancy that the Enterprise Network requires to support the customers. They act much like the Tier 0 links, but instead of connecting directly to the Global Information Grid, the Tier 1 circuits transport the services from the Global Information Grid to the different regions that are supported by the Enterprise.
As discussed previously, Tier 0 and Tier 1 are mostly transport circuits that provide the customers’ connectivity to the GIG. Tier 2 of the network is where most of the services are provided to the customer. There are numerous servers, programs and processes that reside at Tier 2. Some of the services provided at this level are Active Directory and Exchange for e-mail services, shared drives and SharePoint® servers, as well as the Switched Local Area Network (LAN). The research for this project will show that the majority of the services and security will be provided at the Tier 2 level, as illustrated in Figure 1.

Figure 1, Tiered Enterprise Architecture
Tier 3 is where the end user physically connects to the Tier 2 hub or switch, essentially connecting their workstation to the Enterprise, which provides all the Enterprise services required to Command, Control, Communicate, share data via connected Computers, use Combat Systems, gather Intelligence, and conduct Surveillance and Reconnaissance. In the Army, leaders refer to these capabilities as C5ISR (www.kratosdefense.com). There are many programs used to defend and secure the Enterprise that reside on hosts or workstations connected at Tier 3, as we will see later in the project; this is also illustrated in Figure 2.

Figure 2, Example of the relationship between Tier 3 and network defense programs and equipment
Threats to the Enterprise

Today, there is an ever growing dependency on computer networks for business transactions, military support and various government agencies, just to name a few. With the free flow of information and the high availability of many resources, Enterprise Managers and Administrators must understand the possible threats to their networks (Cisco Systems, 2005). They also need to know the ramifications if a vulnerability is found and exploited by the threat. Defending the Enterprise is a very challenging task: Network Managers need to be successful in defending the network 100% of the time; the people trying to get into the Enterprise only need to be successful once. These threats take many forms, but all of them will result in the loss of privacy to some degree or the malicious destruction of information or resources, which will inevitably lead to the loss of money, information or competitive edge; in terms of the Army, it could lead to the spillage of classified information, which can and will cost lives.

Knowing what areas of the Enterprise are more susceptible to network intruders and who is a common attacker is helpful, but these days not very effective. The past trend was to trust internal users and to distrust external connections by using Virtual Private Networks. In the Army Enterprise, keeping with the defense in depth strategy, the network engineers use firewalls as well as Virtual Private Networks. It is important to be able to trust users that are internal to the network; it is also important to trust users that are using the resources of the internal network from outside of the Enterprise. However, the trust must be weighed against reality and the risk must be assessed. According to a survey conducted by CSO Magazine with help from the U.S. Secret Service, Carnegie Mellon Software Engineering Institute (CERT) and Deloitte’s Center for Security and Privacy Solutions (Shead, 2010), 60 percent or more of attacks are perpetrated by insiders, and there is an increasing trend to deny all access and permit by exception, as well as other stricter security measures.

Not all threats are meant to be malicious, but they can exhibit the same behavior and cause just as much harm whether they are intended or not (Cisco Systems, 2005). The Army Enterprise has to constantly battle the increasing issue of viruses and malware that can be found on compromised computer systems and servers and pose an unintentional security threat from unsuspecting users. Many times, this happens when data is transferred from unsecure and dirty home systems to the Army Enterprise without conducting a thorough virus and malware scan. This makes it even more important to have measures and policies in place to prevent this threat and to have hosts on the network patched and updated for any known vulnerabilities. Next the research will discuss some of the known threats that the Army Enterprise faces daily; these are the same threats that any corporate enterprise faces and the same threats that users face on their home networks.

Unauthorized Access

Unauthorized access is when an unauthorized actor gains access to an asset, whether it is a server that hosts SharePoint, Exchange or Active Directory, a network drive or a host itself. If unauthorized access is gained, it is usually the result of intercepting some information over an insecure channel or exploiting a weakness in the enterprise, equipment or software (http://www.deepnines.com, 2010). This makes the practice of defense in depth important, to slow the actor before damage can be done. Unauthorized access generally takes reconnaissance, usually conducted from the internet, by wiretapping or through a wireless network. Another common component of reconnaissance is social engineering. Social engineering threatens every user, whether it is a phishing e-mail or a phone call pretending to be from your
local help desk or IT Department. If the supposed help desk or IT person asks an unwary user for their username and password over the phone, the impersonator can now access possibly confidential information or steal credentials (Pearson Education, 2005). That being said, it is important to have policies in place and to educate users to prevent this type of incident.

With regard to the Army Enterprise supporting operations in Southwest Asia, if an intruder is going to gain unauthorized access to the Enterprise, it will need to be done from the internet. The actor will be required to conduct a lot of research and information gathering to first find out what networks or network resources are susceptible to vulnerabilities. Some of the more common techniques for this are reachability checks and port scanning. A reachability check uses tools to verify that a network or device exists and is reachable. A Domain Name Service query is a good way to verify who owns a particular domain and what addresses are assigned to that domain; this can be followed by the ping command to verify that the target is reachable. Some of the more common methods for obtaining unauthorized access are establishing a false identity with false credentials, physical access to network devices, eavesdropping on shared media networks and reachability checks. Other commands and tools are Telnet and NSLOOKUP (Teo, 2000).

Unauthorized Probe

Port scanning is an example of an Unauthorized Probe and is likely the most popular network probe. Essentially, an unauthorized probe is a scan of an IP range looking for vulnerabilities such as open ports or other services that are available for exploitation (Cisco Systems, 2005). A port scan is a method used by intruders to discover the services running on a target machine. The intruder can then plan an attack on any vulnerable service that they find. For example, if the intruder finds that port 143, which is known to be the IMAP port, is open, they may proceed to find out what version of IMAP is running on the target machine. If the version is vulnerable, they may be able to gain “super user” access to the machine using an “exploit” (a program that exploits a security hole) (Teo, 2000).

An example of a service that is exploitable is a program we all know and love, Skype. Because all Skype users are logged into the same “cloud,” any Skype user can usually discover whether any other Skype user is logged on at a given instant. It appears that Skype attempts to send packets directly over the Internet between participants in a conversation, but if a direct path is not possible, Skype will instead send the packets through other computers running Skype. These intermediate computers are called “super nodes.” This is an issue because Skype uses any available port to communicate, so a port scan can identify these vulnerable ports and can lead to exploitation (Garfinkel, 2005).

A port scan is actually very simple to perform. All the hacker has to do is attempt to connect to a series of ports on the machine and find out which ports respond and which don't. A simple port scanner can be written in under 15 minutes by a good programmer in a language such as Java or Perl. However, this kind of port scan is easily detectable by the operating system of the target machine, and therefore most intruders will not run this kind of port scan against a machine these days. Nevertheless, the Enterprise needs to be protected against this action whether it occurs often or not. The Army Enterprise in Southwest Asia is probed tens of thousands of times per day. Some of these probes are malicious; some are network mapping tools or authorized scans by tools on the network. Another kind of port scan is called the “half-open” SYN scan. In this scan, the port scanner connects to the port but shuts down the connection right before a full connection occurs (hence the name “half-open”).
Since a full connection never happens, the operating system of the target machine usually does not log the scan. This concept will be clearer if you're familiar with the inner workings of TCP/IP. In a normal TCP/IP connection, two devices need to complete a three-way handshake before initiating transmission. In a “half-open” SYN scan, the three-way handshake is never completed; the port scanner judges whether the port is open by the response given by the target machine (Teo, 2000).

Now that the research has covered the basic concepts of port scanning, let's talk about the most popular and powerful network probing tool available today, Nmap (Network Mapper). Nmap is capable of conducting both types of port scans that the research has shown so far. Figure 3 shows a typical Nmap scan against a machine.

Figure 3, Nmap scan results

Nmap is a free and open source utility for network exploration or security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP
packets in new and different ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what versions of operating systems they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. As you can see from the scan results in Figure 3, it is relatively easy to find open ports on a system to exploit.

Denial of Service

A denial of service (DoS) attack is exactly that, an interruption of service, either because a system is destroyed or because it is temporarily unavailable (Cisco Systems, 2005). Some ways to conduct a denial of service attack are destroying the system hard drive, severing the physical infrastructure, or using all of the available memory of a system or server to the point where it cannot process any more commands or processes. In this day and age, corporations are heavily dependent on information systems, and time is money, so the loss of the ability to network can mean the loss of money, command and control or the effectiveness of civil services. Many common DoS attacks exploit network protocols such as the Internet Protocol (IP). Some DoS attacks can be prevented by ensuring systems are patched with vendor provided patches and security updates for affected software; some DoS attacks cannot be stopped, but they can be constrained to minimize the affected IP scope. Some common denial of service attacks are the TCP Synch Attack, Ping of Death, Land.c Attack, Teardrop.c Attack, Smurf Attack and Fraggle Attack; see Table 1.
Table 1, Common Denial of Service Attacks

Name of DoS Attack      Vulnerability Exploited
--------------------    --------------------------------------------------------------------------------------------
TCP Synch Attack        Memory is allocated for TCP connections such that not enough memory is left for other functions
Ping of Death Attack    Fragmentation implementation of IP whereby large packets are reassembled and can cause machines to crash
Land.c Attack           Transmission Control Protocol (TCP) connection establishment
Teardrop.c Attack       Fragmentation implementation of IP whereby reassembly problems can cause machines to crash
Smurf Attack            Flooding networks with broadcast traffic (Internet Control Message Protocol (ICMP) echo requests) such that the network is congested
Fraggle Attack          Flooding networks with broadcast traffic (User Datagram Protocol (UDP) echo requests) such that the network is congested

Note. Reprinted from “Threats in an Enterprise Network,” Pearson Education, Inc., page 253, copyright 2005 by Pearson Education.
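Both the half-open SYN scan described under Unauthorized Probe and the TCP Synch Attack in Table 1 leave the same trace in network-level connection records: SYNs from a source that are never followed by the completing ACK. The following is an added example, not code from the paper or from any tool it names; it runs over a constructed record format (timestamp, source, destination, destination port, flag) and flags a source that leaves many ports half-open on one host as a scan, and a service holding many half-open connections as a flood.

```python
"""Half-open TCP detection from connection records.

Added example, not code from the paper. Input is a constructed record format:
"ts src dst dport flag", one record per line, where flag S is a SYN sent by src,
A is the handshake-completing ACK sent by src, and R is a RST sent by src.
A (src, dst, dport) with a SYN but no ACK is half-open: the trace left both by
the "half-open" SYN scan and by a TCP SYN flood.
"""
from collections import defaultdict

# Constructed sample: one scanner walking six ports and tearing each down with
# RST, two normal clients completing handshakes, one unanswered SYN, and a
# spoofed-source SYN flood against port 80. Addresses are documentation ranges.
SCAN_PORTS = (21, 22, 25, 80, 143, 443)
SAMPLE_LINES = [f"100 203.0.113.7 10.10.0.5 {p} S" for p in SCAN_PORTS]
SAMPLE_LINES += [f"100 203.0.113.7 10.10.0.5 {p} R" for p in SCAN_PORTS]
SAMPLE_LINES += [
    "102 10.10.0.20 10.10.0.5 443 S", "102 10.10.0.20 10.10.0.5 443 A",
    "103 10.10.0.20 10.10.0.5 80 S", "103 10.10.0.20 10.10.0.5 80 A",
    "104 10.10.0.21 10.10.0.5 445 S",  # single unanswered SYN: not a scan
]
SAMPLE_LINES += [f"105 198.51.100.{i} 10.10.0.5 80 S" for i in range(1, 41)]
SAMPLE_LOG = "\n".join(SAMPLE_LINES)


def parse(log):
    """Yield (ts, src, dst, dport, flag) tuples; blank lines are skipped."""
    for line in log.splitlines():
        if line.strip():
            ts, src, dst, dport, flag = line.split()
            yield int(ts), src, dst, int(dport), flag


def half_open(log):
    """Return the set of (src, dst, dport) where src sent a SYN but never the final ACK.

    A scanner that closes with RST still appears here: detection keys on the
    absence of the completing ACK, which is exactly what accept()-based logging
    on the target host never sees.
    """
    syn, ack = set(), set()
    for _, src, dst, dport, flag in parse(log):
        if flag == "S":
            syn.add((src, dst, dport))
        elif flag == "A":
            ack.add((src, dst, dport))
    return syn - ack


def detect_syn_scans(log, min_ports=5):
    """Flag each source that left at least min_ports distinct ports half-open on one host."""
    ports = defaultdict(set)
    for src, dst, dport in half_open(log):
        ports[(src, dst)].add(dport)
    alerts = [{"src": s, "dst": d, "ports": sorted(p)}
              for (s, d), p in ports.items() if len(p) >= min_ports]
    return sorted(alerts, key=lambda a: (a["src"], a["dst"]))


def detect_syn_floods(log, min_half_open=30):
    """Flag each service (dst, dport) holding at least min_half_open half-open connections.

    Returns (dst, dport, count) tuples. Spoofed sources do not matter here,
    because the count is per service rather than per source.
    """
    count = defaultdict(int)
    for _, dst, dport in half_open(log):
        count[(dst, dport)] += 1
    return sorted((d, p, n) for (d, p), n in count.items() if n >= min_half_open)


if __name__ == "__main__":
    for a in detect_syn_scans(SAMPLE_LOG):
        print(f"SYN scan: {a['src']} -> {a['dst']} ports {a['ports']}")
    for d, p, n in detect_syn_floods(SAMPLE_LOG):
        print(f"SYN flood: {d}:{p} has {n} half-open connections")
```

On the sample, the scanner is reported once with its six ports, the flood against port 80 is reported with 41 half-open connections (40 spoofed sources plus the scanner's own probe), and the single unanswered SYN to port 445 is left alone.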
In recent years, a variant of the DoS attack has caused even more problems. Distributed Denial of Service (DDoS) attacks consist of multiple computers on a network that are used to launch a Denial of Service attack. The DDoS client is used by the person who coordinates the attack as the initial starting point (the DDoS Attacker). The handler is a compromised host with a special program running on it. Each handler is capable of controlling multiple agents. An agent is another compromised host that also has special software running on it; each agent is responsible for generating streams of packets that are directed toward the intended victim. See Figure 4.

Figure 4, Distributed Denial of Service Attack
Other modes of attack are possible, but increasingly, most DDoS attacks have one thing in common: the rise of botnets. In this context, a botnet is a collection of computers that can be remotely controlled by an attacker, whether directly or via peer-to-peer connections. Typically this control is accomplished through the use of malware installed on each individual machine. The individual computers are sometimes called "zombies" because they can be controlled remotely without the knowledge of their owners (Department of Homeland Security, 2011). Such computers are often used to send spam. It's estimated that the majority of spam originates from compromised zombie machines. A recent example of a botnet was the collection of computers compromised by the Conficker worm, first detected in 2008. The estimated number of infected computers varied widely, but was as high as 15 million at one point. Such a collection of machines could be used to instigate a DDoS attack. In fact, some hackers even "rent out" botnets, offering them for use by others for a fee per machine (Webbmedia Group, LLC, 2009).

Malicious Logic

Malicious logic is a very broad term that can include viruses, logic bombs, worms, and Trojan horses, just to name a few. With research, one could write a 100 page project about the various types of malicious logic, but for the sake of this project I am going to research and explain the aforementioned types of malicious logic. According to the Institute for Telecommunications Science (Institute for Telecommunications Science, 2010), malicious logic is defined as:

1. A program implemented in hardware, firmware, or software, and whose purpose is to perform some unauthorized or harmful action;
2. Hardware, software, or firmware capable of performing an unauthorized function on an information system.

Viruses show us how vulnerable our networks are: a properly engineered virus can have a devastating effect, disrupting productivity and doing billions of dollars in damages. On the other hand, they show us how sophisticated and interconnected human beings have become. For example, experts estimate that the Mydoom worm infected approximately a quarter-million computers in a single day in January 2004. The Melissa virus was so powerful that it forced Microsoft and a number of large corporations to shut down their Enterprise e-mail services until the virus could be contained; this occurred in January of 1999. Technology has come a long way in terms of computing and programming since then, so you can imagine the havoc a virus can cause now. Experts believed up to 50 million computers were infected by a worm called Storm in October 2007 (www.howstuffworks.com, 2011). That is very impressive if you take into account that a virus is very simple and can be created by a novice programmer with little research.

A virus is nothing more than a small piece of software that piggybacks on real programs. A virus might attach itself to a program like PowerPoint; when the PowerPoint presentation runs, the virus runs too, at which time it is likely to reproduce and attach itself to other programs or e-mail and can wreak havoc. E-mail viruses are extremely dangerous because they attach the virus to e-mail messages, which can cause a lot of problems when you take into account that a lot of Enterprises use distribution lists that can include dozens or hundreds of users.

The Trojan horse is a very tricky type of virus, named after the mythological Trojan horse from the tale of the Trojan War as told in Virgil's Latin epic poem The Aeneid. The Trojan horse is a computer program that appears to be useful software until it is executed, which is why it is referred to as a Trojan horse; unsuspecting users think it is a legitimate program from a legitimate source until the program is executed. The Trojan horse can cause much damage, including the destruction of the hard drive of a system.
Fortunately, the Trojan horse does not have the capability to replicate or transmit itself to other systems. Trojans are also known to create a backdoor on your computer that gives malicious users access to your system, possibly allowing confidential or personal information to be compromised (www.symantec.com/security_response, 2011).

A worm is a small piece of software that uses computer networks and security holes to replicate itself. A copy of the worm scans the network for another machine that has a specific security hole. It copies itself to the new machine using the security hole, and then starts replicating from there as well. A worm is similar to a virus by design and is considered to be a sub-class of a virus. Worms spread from computer to computer, but unlike a virus, a worm has the capability to travel without any human action. A worm takes advantage of file or information transport features on your system, which is what allows it to travel unaided. The greatest danger with a worm is its ability to replicate itself on a system, so instead of a computer sending out a single worm, it could send out hundreds or thousands of copies of the worm, creating a hugely devastating effect. One technique would be for a worm to send a copy of itself to everyone listed in your e-mail address book. Then the worm replicates and sends itself out to everyone listed in each receiver's address book, and the chain continues. Due to the copying nature of a worm and its capability to travel across networks, the end result in most cases is that the worm consumes too much system memory or network bandwidth, causing Web servers, network servers and individual computers to stop responding (http://www.symantec.com, 2011). In recent worm attacks such as the much-talked-about Blaster Worm, the worm has been designed to tunnel into your system and allow malicious users to control your computer remotely. The result of this could be a distributed denial of service attack originating from your computer, with the subsequent legal ramifications.

A logic bomb is a piece of software that sits dormant until a predetermined event occurs.
This could be the execution of a certain program that will trigger the logic bomb. The most common trigger used is the date and/or time, because it can be planned for a definite time. The most dangerous type of trigger is when something does not happen. An example of this would be a Network or System Administrator that sets a logic bomb to trigger if he/she does not log on to the system for 30 days; assuming after 30 days that the Administrator was fired, the logic bomb will trigger and wipe everything that is on a server, share drive or system (http://www.tech-faq.com). This action from a disgruntled former employee can cost a Corporation millions of dollars or cause them to lose their competitive edge. In terms of the Army Enterprise, it will cost lives and the loss of critical classified information.

In March 2002, a logic bomb deleted 10 billion files in the computer systems of an international financial services company. The incident affected over 1300 of the company’s servers throughout the United States. The company sustained losses of approximately $3 million, the amount required to repair damage and reconstruct deleted files. Investigations by law enforcement professionals and computer forensic professionals revealed the logic bomb had been planted by a disgruntled employee who had recently quit the company because of a dispute over the amount of his annual bonus (U.S. Secret Service and CERT Coordination Center/SEI, 2004). This situation is also an outstanding example of our next subject, the insider threat.

Insider Threat

It is my opinion that this is the greatest threat to an Organizational Enterprise, which makes it exceptionally difficult to trust the users and exceedingly important to ensure that there are policies and processes in place to protect the Enterprise. There is no way to tell who will be a potential insider threat, according to a study conducted by the U.S.
Secret Service and CERT Coordination Center/SEI entitled Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector (U.S. Secret Service and CERT Coordination Center/SEI, 2004). The study showed some staggering demographics, providing evidence that a wide variety of individuals perpetrated insider incidents. Most of the insiders did not hold a technical position within their organization, did not have a history of engaging in technical attacks or “hacking,” and were not necessarily perceived as problem employees. Insiders ranged from 18 to 59 years of age; 42% of the insiders were female. Insiders came from a variety of racial and ethnic backgrounds, and were in a range of family situations, with 54% single and 31% married. Insiders were employed in a variety of positions within their organizations, including service (31%), administrative/clerical (23%), professional (19%) and technical (23%) (U.S. Secret Service and CERT Coordination Center/SEI, 2004).

The insider threat does not have to be disgruntled employees that want to cause harm to the Enterprise. Just as many insider threats are employees or users that are perfectly content with their current employment; their incidents are just honest mistakes that unfortunately put the Enterprise or Corporation at risk. The Army Enterprise is a perfect example of this. The Army Enterprise provides three different networks to the War fighters, Peacekeepers, Contractors and Coalition partners. The Networks are the Secure Internet Protocol Routing Network (SIPRnet), Non-secure Internet Protocol Routing Network (NIPRnet) and Combined Enterprise Regional Information Exchange System (CENTRIXS) (USCENTCOM, 2001). CENTRIXS comes in two different forms: ISAF, to support our coalition partners that are part of the International Security Assistance Force used in Afghanistan, and the Global Counter-Terrorism Force or GCTF, which is predominantly used to support operations in Iraq. I bring up these networks because of the different classifications. SIPRnet is Secret, NIPRnet is Unclassified and CENTRIXS is classified, releasable to our Coalition partners.
These networks are totally separate and don’t communicate with each other. The point is, it’s a common occurrence for a War fighter to print something from a SIPRnet computer and digitally send it to an unclassified system or CENTRIXS account, whether intentional or not. This is referred to as spillage or Negligent Discharge of Classified Information (NDCI) and can be punishable under the Uniform Code of Military Justice or result in network privileges being revoked; for a contractor this could include immediate termination. This is an example of the insider threat that the Army Enterprise faces daily. If that classified information gets in the hands of the enemy, they could learn our troop movements and details about operations, and it will inevitably cost the lives of Soldiers, Sailors, Airmen, Marines and our Coalition partners.

The insider threat includes more than just the loss or disposition of classified material. The insider threat also includes the introduction of viruses to the Enterprise. This occurs because Service members take unclassified work home to complete after hours on their personal computers. Commonly, the home computer is not the most secure; being in a combat zone, it becomes more difficult to ensure the antivirus (AV) software is up to date and the operating system is patched. This makes the system more vulnerable to viruses and other malicious logic. Then a CD is burned or the information is put on a thumb drive and introduced to the Army Enterprise, thereby infecting the enterprise.

Vulnerabilities

There are many different types of vulnerabilities that stem from the network architecture, the transport layer of operating systems, operating system libraries and applications. Enterprise Network vulnerabilities are caused by loose security at Aggregate or Army Security Routers (ASR) or Firewalls. The ASR is the initial entry point into the enterprise and the final exit point out of the enterprise. It is imperative that this router is secured using Access Control Lists (ACLs); the use of an ACL will assist in protecting against known threats.
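Both the ACL on the ASR and a deny-all, permit-by-exception (DAPE) firewall policy come down to the same mechanism: rules are evaluated first match wins, and the verdict when nothing matches is deny. The following is an added example, not the paper's or any vendor's code; its rule syntax and addresses are constructed for it. It evaluates the same traffic against a DAPE list and against the weak variant that ends in a catch-all permit, to show why only the former also stops services nobody decided to publish.

```python
"""First-match access-list evaluation with deny-all, permit-by-exception.

Added example, not the paper's or any vendor's code. The rule syntax is a
constructed, simplified form of router ACL entries:
    permit|deny <proto> <src-cidr|any> <dst-cidr|any> [eq <dst-port>]
The first matching entry decides; when no entry matches, the default verdict
applies (the implicit deny at the end of a real ACL). Addresses are
documentation ranges, not real enterprise addresses.
"""
import ipaddress


class Rule:
    """One access-list entry."""

    def __init__(self, text):
        parts = text.split()
        self.text = text
        self.action, self.proto = parts[0], parts[1]
        self.src = None if parts[2] == "any" else ipaddress.ip_network(parts[2], strict=False)
        self.dst = None if parts[3] == "any" else ipaddress.ip_network(parts[3], strict=False)
        self.port = int(parts[5]) if len(parts) == 6 and parts[4] == "eq" else None

    def matches(self, proto, src, dst, dport):
        # "ip" matches every protocol; a CIDR of None means "any".
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.src is not None and ipaddress.ip_address(src) not in self.src:
            return False
        if self.dst is not None and ipaddress.ip_address(dst) not in self.dst:
            return False
        return self.port is None or self.port == dport


def evaluate(rules, packet, default="deny"):
    """Return (verdict, index of the deciding rule); index is None when the default applied."""
    for i, rule in enumerate(rules):
        if rule.matches(*packet):
            return rule.action, i
    return default, None


# The two exceptions the enterprise has actually decided to allow (constructed).
EXCEPTIONS = [
    "permit tcp any 10.10.0.0/24 eq 443",              # published HTTPS service
    "permit tcp 198.51.100.0/24 10.10.0.5/32 eq 25",   # partner mail relay only
]
# DAPE: the exceptions first, then deny everything else.
DAPE_ACL = [Rule(t) for t in EXCEPTIONS + ["deny ip any any"]]
# Weak variant: a trailing catch-all permit, typically added "to make things work".
WEAK_ACL = [Rule(t) for t in EXCEPTIONS + ["permit ip any any"]]

# Constructed traffic: (proto, src, dst, dport).
PACKETS = [
    ("tcp", "203.0.113.7", "10.10.0.7", 443),    # public web client
    ("tcp", "198.51.100.9", "10.10.0.5", 25),    # the partner relay
    ("tcp", "203.0.113.7", "10.10.0.5", 25),     # mail from an unknown source
    ("tcp", "203.0.113.7", "10.10.0.5", 3389),   # RDP from the Internet
    ("udp", "203.0.113.7", "10.10.0.9", 161),    # SNMP probe
]


def compare(packets=PACKETS):
    """Verdict of each ACL per packet, showing where the catch-all permit opens the door."""
    return [(pkt, evaluate(DAPE_ACL, pkt)[0], evaluate(WEAK_ACL, pkt)[0]) for pkt in packets]


if __name__ == "__main__":
    for pkt, dape, weak in compare():
        print(f"{pkt[0]} {pkt[1]} -> {pkt[2]}:{pkt[3]}  DAPE={dape:6}  weak={weak}")
```

The two lists agree on the published web service and the partner relay; they differ on everything else, which is precisely the traffic for a threat that did not exist when the list was written.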
Firewalls are the next line of defense; it is good practice to use the DAPE security model, which stands for Deny All, Permit by Exception. The use of DAPE will not only protect the Enterprise from known threats, it will also protect against future threats. The most common types of vulnerabilities, as depicted in Figure 5, are application vulnerabilities, the most susceptible of which is client-side software. There are many common applications that are exploited daily; this is why it is so important to ensure that your applications are patched with vendor provided patches. Many actors direct targeted e-mail attacks, often called spear phishing, that exploit client-side vulnerabilities in commonly used programs such as Adobe PDF Reader, QuickTime, Adobe Flash and Microsoft Office. This is used as the initial infection vector to compromise computers that have Internet access. Those same client-side vulnerabilities are exploited by attackers when users visit infected web sites (The SANS Institute, 2010). Attacks against web applications constitute more than 60% of the total attack attempts observed on the Internet (The SANS Institute, 2010). These vulnerabilities are being exploited widely to convert trusted web sites into malicious websites serving content that contains client-side exploits. The operating system has become less of a concern these days, with the exception of Conficker/Downadup; besides these two worms, no new major worms for OSs were seen in the wild during the last year. According to the SysAdmin, Audit, Network, Security (SANS) Institute, the number of attacks against buffer overflow vulnerabilities in Windows tripled over the last year and constituted over 90% of attacks seen against the Windows operating systems.

Enterprise Defense in Depth

Tier 0 - Tools, Techniques and Processes

Figure 6, Tier 0 Defense

The Enterprise Defense in Depth begins before traffic even enters the enterprise, at Tier 0, where the Enterprise connects to the Global Information Grid. There are a few programs and processes that are utilized at this level, beginning with Threat Analysis and Incident Handling. Tier 0 is provided by the Defense Information Systems Agency (DISA) with assistance from the United States Cyber Command (USCC) and the National Security Agency (NSA). There are collaborative efforts between the agencies to share intelligence and threat information. As discussed earlier in the project, it is a great help to know what threats are out there so the administrators can proactively defend the Enterprise. Through this sharing of intelligence, processes can be implemented that will safeguard the Enterprise from threats such as Malicious Domains. An example would be that a Service member or Coalition partner receives an e-mail with a hyperlink that points them to a malicious domain; when they click on it, they will not be able to resolve the domain. This technique is referred to as DNS poisoning or DNS black holing. This is one of the benefits of sharing intelligence. There are also several tools like CENTAUR; this is a DISA funded program that began in 2000. Due to the sensitivity of the program there is little to no public knowledge about it.

CENTAUR/Honeynets

CENTAUR is a data-mining and pattern discovery program to identify attack trends, scopes and methods used against the DISA networks. The use of CENTAUR allows pattern discovery and attack trends to automatically correlate the location of sophisticated network attacks, determine the scope and scale of the intrusions, and coordinate response actions. This is part of the threat analysis that was just discussed. The technique also allows for the collection of intelligence by pointing the known attackers to a fielded diversion network called honeynets, keeping intruders away from operational networks (Defense Information Systems Agency, 2011). When the intruder enters the honeynets, they are under the impression that they have accessed an actual Department of Defense network, all the while the network defense team
  • 31. NETWORK DEFENSE: DEFENSE IN DEPTH 31 members are able to identify source IP addresses and correlate that with what country they are from. This way the network defense team members can determine if the attackers are Nation- State actors, which can be other countries trying to collect intelligence information on the United States, or if they are some kid horsing-around in his basement. The findings are literally from one extreme to the other. IPsonar ® IPsonar is another tool that allows for DISA to manage and secure the tier 0; IPsonar is designed to be run on a three tier network such as the Army Enterprise as the research has shown. IPsonar will provide global network visibility and measures the risk from a network perspective. IPsonar maps every asset on a network, including assets not currently under management, to visually analyze the connectivity between assets and networks, uncovering risk patterns and policy weaknesses. In regards to the policy weaknesses, this isn’t to mean the actual memo type of policies that are in place by management. These policies are applied to routers, firewalls, smart switches and network defense tools and programs. Uncovering the risk patterns and policy weakness is conducted by an IPsonar feature called “leak discovery”. Leaks are devices with unauthorized inbound or outbound connectivity to the Internet or sub-networks (e.g., unsecured routers exposed to the Internet).The more complex a network, the more likely it is that leaks exist. IPsonar is crucial in the proactive fight against leaks, revealing all unauthorized connections and identifying whether access is outbound, inbound, or both (www.lumeta.com/ipsonar, 2011). IPsonar’s multi-tier architecture allows users to conduct multiple simultaneous scans across a complex network. Portable entry points, known as IPsonar sensors, can be flexibly deployed at various points on the network to facilitate efficient network discovery. 
These sensors forward network information to IPsonar scan servers, which synthesize distributed scan data for reporting. The IPsonar report server correlates scan data for presentation to the end user on a graphical user interface (GUI) (www.lumeta.com/ipsonar, 2011).

Deep Packet Inspection

Deep Packet Inspection (DPI) hardware is used for traffic analysis and can analyze headers and protocol structures as well as the actual payload of a message. This is a huge advance in defending the Enterprise because the analysis of the packets can determine whether the traffic is malicious, or whether it is a DoS attack or a brute force attack. In the past, there was only one quality way to defend the enterprise, and that was with a stateful firewall, which is known as a perimeter discipline. DPI combines the capabilities of a stateful firewall with an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS); it also allows analysis of layers 2 through 7 of the OSI model. Using Deep Packet Inspection to analyze traffic allows the traffic to be classified and then redirected; marked or tagged to determine Quality of Service (QoS); blocked; rate limited; and reported to a reporting agent in the network like ArcSight®. In this way, HTTP errors of different classifications may be identified and forwarded for analysis. Telecommunication service providers are estimated to spend $1.5 billion between now and 2015 on DPI, primarily to prevent users from bogging down cellular communications networks with undesired peer-to-peer traffic (Anderson, 2010). United States Government spending on DPI is projected to grow at a compound annual rate of $1.8 billion per year from now to 2015, due to the fact that U.S. government-related IP traffic will quintuple (5x) from 2010 to 2015. US-China cyber confrontation is nothing new, but Chinese hacking attacks and Obama's new hardball policy shift with China are definitely not going away anytime soon and will add to the intensity of the cyber-war. Deep Packet Inspection is the only currently available technology capable of providing security of IP traffic at ever-growing rates that has inherent traffic management capabilities. Recently, massive growth in data processing power and new cyber threats have spurred the deployment of DPI technologies in U.S. Government agencies (http://www.marketresearchmedia.com, 2011). As this research shows, there are multiple processes and programs that are used at Tier 0 before traffic even enters the Army Enterprise; this is just the first level of the three-tiered defense in depth strategy.

Tier 1 - Tools, Techniques and Processes

As the research discussed previously, Tier 1 is mostly transport but does not lack defensive measures. The top of the Tier 1 hierarchy contains a Cisco® router; this router is called an Aggregate or Army Security Router (ASR) and it sits at Tier 1.1 (Tier one one). Tier 1 is broken down into different entities because, as can be seen in Figure 7, there are two routers in Tier 1, so it is imperative to have them broken out for ease of reference and configuration. This router has a couple of purposes besides just routing traffic. The ASR is configured with two Access Control Lists (ACLs). Basically, an ACL filters traffic that is allowed or disallowed through or out of the ASR.

Figure 7, Tier 1 Defense

Access lists should be used in ASRs, which are often positioned between your internal network and an external network such as the Internet. You can also use access lists on a router positioned between two parts of your network, to control traffic entering or exiting a specific part of your internal network. To provide the security benefits of access lists, you should at a minimum configure access lists on border routers—routers situated at the edges of your networks. This provides a basic buffer from the outside network, or from a less controlled area of your own network into a more sensitive area of your network. On these routers, you should configure access lists for each network protocol configured on the router interfaces. You can configure access lists so that inbound traffic or outbound traffic or both are filtered on an interface (Cisco Systems Inc, 2011). It is Army Enterprise policy that all Security Routers and Firewalls use DAPE, which stands for Deny All, Permit by Exception. What this means is that at the end of the Access Control List, the command "deny all traffic" is entered; this is considered a criteria statement. It denies all traffic that does not fit the criteria, in this case the ACL. The ACL tells the router what to ALLOW through it, and the DAPE statement blocks everything else.

Cisco Secure Intrusion Detection System

The next piece of equipment is in between Tier 1.1 and Tier 1.2 (Tier half), see Figure 7, and this is known as CSIDS or Cisco Secure Intrusion Detection System (IDS). The CSIDS is a proprietary piece of Cisco equipment but not much different from other Intrusion Detection Systems or sensors. It is not managed by the Army; it is managed by Air Force Central Command, so its configurations are slightly different from Army policy.
This is a good thing because it ensures there is more integrity in the Enterprise and no one administrator can be an inside threat. CSIDS is not just a detection device; it has a built-in management station. Basically, the IDS monitors network traffic that goes through the CSIDS for malicious activity or policy violations and alerts the management station. The disadvantage of using an IDS is that it requires administrative intervention, meaning that the Administrator has to take the action. This information is correlated by the administrator and used to implement IP blocks or Domain Name Poisons or black holing. The IP blocks can be implemented at all routers and firewalls (and implemented in the ACLs) and can also be implemented at the proxy server, which will be covered later.

Stateful Firewall

At Tier 1.2, there is another Cisco router, which was discussed previously. If you remember, you can also use access lists on a router positioned between two parts of your network, to control traffic entering or exiting a specific part of your internal network. That is the sole purpose of this router. Next, just beneath the router, are the Stateful Firewalls. In the configuration depicted in Figure 7, there are two firewalls, the primary and the failover. In the firewall templates there are "enable 1" accounts. This account is used to ensure that the configurations in each of the firewalls are the same. In the event that the primary firewall goes down, you do not want the configurations to be different, because some users will be blocked from services they need and others, including hackers, will have access to information that they should not. This is a best practice when firewalls are configured like this on the Army Enterprise. As with the ASR, the firewall also has ACLs, and it is policy that the firewall is programmed with DAPE.

Network Address Translation

When Internet Protocol (IP) first came out, there were so many public IP addresses that no one thought they would all be used. IP, including all the classes, has 4,294,967,296 unique addresses; needless to say this is not enough considering that the Internet is doubling in size each year. To save IP addresses, Network Address Translation (NAT) was developed by Cisco to be used on firewalls, routers or computers that sit between an internal network and the rest of the world. NAT has many forms and can work in several ways, but basically Network Address Translation allows a single device, such as a router, to act as an agent between a public network and a local or private network. This means that only a single unique IP address is required to represent an entire group of computers to anything outside their network. Implementing dynamic NAT essentially creates a firewall between your internal network and outside networks or the Internet, see Figure 8.

Figure 8, How NAT works

Dynamic NAT allows only connections that originate inside the stub domain. Basically, this means that a computer on an external network cannot connect to your computer unless your computer has initiated the contact. So you can browse the Internet and connect to a site, even download a file. But somebody else can't simply latch onto your IP address and use it to connect to a port on your computer (www.cisco.com, 2011).

Tier 2 - Tools, Techniques and Processes

There are many tools, techniques and processes that reside on Tier 2; there are also many tools that reside on both Tier 2 and Tier 3, so for the sake of this discussion, the research will discuss the tools on Tier 2 and the host or workstation defense on Tier 3.

Figure 9, Tier 2 Defense
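The two Tier 1 controls described above, the DAPE access list (first match wins, implicit deny at the end) and dynamic NAT that only builds a translation for connections that originate inside, can be modelled together. The following Python is an added example written for this page, not code from the paper or from Cisco; every address, port and rule is constructed, and it applies the access list before translation in both directions as a simplification of the router's actual processing order.

```python
"""Added example (not from the paper or Cisco): a simplified Tier 1 edge that
combines a Deny All, Permit by Exception (DAPE) access list with dynamic NAT.
All addresses, ports and rules are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    sport: int
    dport: int


@dataclass(frozen=True)
class AclEntry:
    action: str  # "permit" or "deny"
    proto: str  # "tcp", "udp" or "ip" (matches any protocol)
    src: str  # source network in CIDR notation
    dst: str  # destination network in CIDR notation
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        return self.dport is None or self.dport == pkt.dport


def evaluate_acl(acl: List[AclEntry], pkt: Packet) -> str:
    """First matching entry wins; a packet that matches no entry hits the
    'deny all' at the end of the list, which is what DAPE relies on."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action
    return "deny"


class DynamicNat:
    """Translations exist only for flows an inside host initiated, so an
    outside host cannot reach an inside port that never contacted it."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_table: Dict[Tuple[str, int, str], int] = {}  # (in_ip, in_port, proto) -> pub_port
        self.in_table: Dict[Tuple[int, str], Tuple[str, int]] = {}  # (pub_port, proto) -> (in_ip, in_port)

    def translate_outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src, pkt.sport, pkt.proto)
        if key not in self.out_table:  # new inside-originated flow: allocate a public port
            pub_port = self.next_port
            self.next_port += 1
            self.out_table[key] = pub_port
            self.in_table[(pub_port, pkt.proto)] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, pkt.dst, pkt.proto, self.out_table[key], pkt.dport)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        inside = self.in_table.get((pkt.dport, pkt.proto))
        if pkt.dst != self.public_ip or inside is None:
            return None  # nobody inside asked for this: drop it
        return Packet(pkt.src, inside[0], pkt.proto, pkt.sport, inside[1])


class Tier1Edge:
    def __init__(self, inside_net: str, public_ip: str,
                 out_acl: List[AclEntry], in_acl: List[AclEntry]):
        self.inside_net = ip_network(inside_net)
        self.out_acl = out_acl
        self.in_acl = in_acl
        self.nat = DynamicNat(public_ip)

    def process(self, pkt: Packet) -> Tuple[str, Optional[Packet]]:
        """Return (verdict, forwarded packet); verdict is 'permit', 'deny'
        (stopped by the ACL) or 'no-translation' (NAT had no state for it)."""
        if ip_address(pkt.src) in self.inside_net:
            if evaluate_acl(self.out_acl, pkt) == "deny":
                return "deny", None
            return "permit", self.nat.translate_outbound(pkt)
        if evaluate_acl(self.in_acl, pkt) == "deny":
            return "deny", None
        inside = self.nat.translate_inbound(pkt)
        if inside is None:
            return "no-translation", None
        return "permit", inside


def build_edge() -> Tier1Edge:
    """Constructed sample policy: inside hosts may browse (80/443) and query
    one DNS server; outside hosts may only talk to the public address."""
    out_acl = [
        AclEntry("permit", "tcp", "10.1.0.0/16", "0.0.0.0/0", 80),
        AclEntry("permit", "tcp", "10.1.0.0/16", "0.0.0.0/0", 443),
        AclEntry("permit", "udp", "10.1.0.0/16", "198.51.100.53/32", 53),
        # no explicit deny entry needed: evaluate_acl denies everything else
    ]
    in_acl = [
        AclEntry("permit", "tcp", "0.0.0.0/0", "203.0.113.1/32"),
        AclEntry("permit", "udp", "198.51.100.53/32", "203.0.113.1/32"),
    ]
    return Tier1Edge("10.1.0.0/16", "203.0.113.1", out_acl, in_acl)


if __name__ == "__main__":
    edge = build_edge()
    print(edge.process(Packet("10.1.5.20", "198.51.100.10", "tcp", 51000, 80)))   # permit, translated
    print(edge.process(Packet("198.51.100.10", "203.0.113.1", "tcp", 80, 40000)))  # reply: permit
    print(edge.process(Packet("192.0.2.9", "203.0.113.1", "tcp", 3333, 40001)))    # unsolicited: no-translation
    print(edge.process(Packet("10.1.5.20", "198.51.100.10", "tcp", 51001, 23)))    # telnet out: deny (DAPE)
```

The unsolicited packet passes the inbound access list (it is addressed to the public IP) but is still dropped because no inside host created a translation for it, which is the separation between the ACL and the NAT state that the text describes.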
ArcSight Enterprise Security Manager

Connected to the Tier 2 switch there are Intrusion Detection Systems that are also used as sensors, see Figure 9. The SNORT Sensor is an IDS that has SNORT® software loaded on it. This Snort sensor is used to feed traffic information into ArcSight Enterprise Security Manager. ArcSight is a security event manager that analyzes and correlates every event that occurs across Tier 2 of the Enterprise: every login, logoff, file access, database query and all data traffic. ArcSight delivers an accurate prioritization of security risks and compliance violations. The correlation engine of ArcSight sifts through millions of log records to find the critical incidents that matter. These incidents are then presented through real-time dashboards, notifications or reports to the security administrator, providing a common operating picture (COP) of events. The ArcSight dashboard displays the source IP address and destination IP address, allowing the information to be used to defend the network using IP blocks or Domain Name Poisons, as well as identifying malicious logic, port scans, or brute force attacks. ArcSight can be used with the Logger appliance, which provides the capability to unify searching, reporting, alerting and analysis across any type of enterprise log data, making it unique in its ability to collect, analyze and store massive amounts of data generated by the Enterprise (www.arcsight.com, 2011).

Intrusion Prevention System

The next security system is the McAfee Intrusion Prevention System (IPS). The McAfee IPS is much like an IDS but on steroids. The IPS uses a sensor that monitors the traffic moving across Tier 2, much like the IDS. The main difference is that the IDS provides information to an administrator to take defensive action, while the IPS can take action automatically based on the presets that the administrator programs the IPS with. The advances of the IPS have long eclipsed the "detect only" capabilities of the IDS, which are now more commonly used to feed data to a program that will correlate the data. The network IPS operates in line at wire speed, allowing automatic blocking and mitigation of attacks. A couple of newer features are that the IPS adds "block attacks – let everything else through" security enforcement to the "deny everything which is not specifically allowed" model. This last feature is very similar to the DAPE that is programmed on firewalls, routers and switches. The IPS can be installed out of the box with the addition of an IP address that is in the network range. If the IPS is run like this without any tuning, it provides a blocking mode called "prepatched shield". This mode will block all McAfee-known malicious activity (Young G, 2010). Administrators can also install the IPS and program it to conduct a deep inspection of the traffic based on vendor-provided signatures, custom signatures, policies and rules. In the Army Enterprise these IPSs are fine-tuned as much as possible with numerous signatures. The "tighter" you tune the security of the IPS, the more false positives will be received. A false positive is when the system detects and prevents a perceived threat which turns out not to be a threat after investigation. Since the Army Enterprise is dealing with classified information, and even sensitive unclassified information can be used against the force, the administrators and network defense team would rather have a false positive to investigate than allow an unknown threat to enter the Enterprise.
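The workflow described in the CSIDS, ArcSight and IPS sections, where alerts from a sensor are correlated by source address so that brute force attempts, port scans and malicious logic can be turned into IP blocks, is shown below in Python as an added example that is not code from the paper, Snort, ArcSight or McAfee. The alert lines follow the layout of Snort's "fast" alert format but are constructed here, the rule SIDs are in the local range and the thresholds, labels and ACL number 101 are assumptions; the same correlated picture is handed either to an administrator (IDS mode) or to an automatic preset (IPS mode).

```python
"""Added example (not from the paper, Snort, ArcSight or McAfee): correlate
IDS alerts per source address, then act as an IDS (report to the admin) or
as an IPS (auto-block on presets). Alert lines are constructed samples."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Snort fast-alert layout: time [**] [gid:sid:rev] msg [**] [Classification: ...]
# [Priority: n] {PROTO} src:sport -> dst:dport
ALERT_RE = re.compile(
    r"(?P<time>\S+)\s+\[\*\*\]\s+\[(?P<sid>\d+:\d+:\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification: [^\]]*\])?\s+\[Priority: (?P<prio>\d+)\]"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)


@dataclass
class SourceProfile:
    alerts: int = 0
    best_priority: int = 9  # lowest number seen; Snort priority 1 is most severe
    dst_ports: Set[int] = field(default_factory=set)
    service_hits: Dict[str, int] = field(default_factory=lambda: defaultdict(int))
    messages: Set[str] = field(default_factory=set)


def correlate(lines: List[str]) -> Dict[str, SourceProfile]:
    """Build one profile per source address from raw alert lines."""
    profiles: Dict[str, SourceProfile] = defaultdict(SourceProfile)
    for line in lines:
        m = ALERT_RE.search(line)
        if not m:
            continue  # malformed line: skip rather than guess at fields
        p = profiles[m["src"]]
        p.alerts += 1
        p.best_priority = min(p.best_priority, int(m["prio"]))
        p.dst_ports.add(int(m["dport"]))
        p.service_hits[f"{m['dst']}:{m['dport']}"] += 1
        p.messages.add(m["msg"])
    return dict(profiles)


def classify(p: SourceProfile, scan_ports: int = 10, brute_hits: int = 10) -> str:
    """Labels mirroring what the dashboard analyst looks for (thresholds assumed)."""
    if p.best_priority == 1:
        return "malicious-logic"
    if len(p.dst_ports) >= scan_ports:  # many distinct ports from one source
        return "port-scan"
    if max(p.service_hits.values()) >= brute_hits:  # hammering one service
        return "brute-force"
    return "investigate"  # too little evidence; could be a false positive


def ids_report(profiles: Dict[str, SourceProfile]) -> Dict[str, str]:
    """IDS mode: hand the correlated picture to the administrator."""
    return {src: classify(p) for src, p in profiles.items()}


def ips_auto_block(profiles: Dict[str, SourceProfile],
                   presets: Set[str] = frozenset({"malicious-logic", "port-scan", "brute-force"})
                   ) -> List[str]:
    """IPS mode: presets decide which findings become ACL deny lines that the
    administrator would otherwise add to the ASR and firewalls by hand."""
    blocks = []
    for src in sorted(profiles):
        if classify(profiles[src]) in presets:
            blocks.append(f"access-list 101 deny ip host {src} any log")
    return blocks


def sample_alerts() -> List[str]:
    """Constructed alert lines (not captured traffic), one malformed line included."""
    def line(sid, msg, prio, src, sport, dst, dport):
        return (f"03/10-14:02:{sport % 60:02d}.000000  [**] [1:{sid}:1] {msg} [**] "
                f"[Classification: constructed] [Priority: {prio}] {{TCP}} "
                f"{src}:{sport} -> {dst}:{dport}")
    lines = [line(1000001, "LOCAL SSH repeated login failure", 2,
                  "192.0.2.10", 44000 + i, "10.1.5.20", 22) for i in range(12)]
    lines += [line(1000002, "LOCAL connection to closed port", 3,
                   "198.51.100.77", 50000 + i, "10.1.5.20", port)
              for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389])]
    lines.append(line(1000003, "LOCAL MALWARE known malicious logic beacon", 1,
                      "203.0.113.40", 6000, "10.1.5.21", 443))
    lines.append(line(1000004, "LOCAL WEB unusual user-agent", 3,
                      "203.0.113.5", 7000, "10.1.5.21", 80))
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    profiles = correlate(sample_alerts())
    for src, label in ids_report(profiles).items():
        print(f"{src:16} {label:16} alerts={profiles[src].alerts}")
    print("\n".join(ips_auto_block(profiles)))
```

The single low-priority alert from 203.0.113.5 stays at "investigate" and is not blocked in either mode, which is the false-positive trade-off the text describes: tighter thresholds would block it automatically at the cost of more investigations.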
BlueCoat Proxy Server

BlueCoat Proxy provides web traffic filtering for the Enterprise and provides administrators with complete control over web traffic by using stronger user authentication, web filtering, deep inspection of content to prevent data loss, security checks, preventing spyware and other malicious mobile code, scanning for viruses, inspecting encrypted SSL traffic, and controlling IM, VoIP, P2P, and streaming traffic (BlueCoat, 2011). The BlueCoat allows the administrators to limit which web sites users are allowed to access, like Websense but with more options. With the proxy you can block domain names or block anything that contains a keyword or dirty word; the most common blocking feature the information assurance staff uses on the enterprise is by website category.

Figure 10, BlueCoat Proxy Server

BlueCoat also blocks any type of instant messenger or peer-to-peer traffic because it opens vulnerabilities that can be exploited; this is done by stripping and replacing Web content. P2P file sharing controls allow the logging and blocking of P2P traffic such as BitTorrent, eDonkey, Gnutella, and FastTrack, which are known for carrying malicious logic.

Brightmail

Brightmail is an e-mail filtering and scanning tool which is instrumental in our constant battle against spam e-mail. Brightmail is owned by one of the leading malware protection companies, Symantec. Brightmail allows e-mail to be scanned for spam and malware with no operator intervention and uses over 20 different spam filtering and protection technologies, which are continuously updated via the Symantec Global Intelligence Network to protect against the latest emerging threats (www.symantec.com, 2011). Brightmail offers both inbound and outbound protection. The inbound protection will protect against Zero-day exploits using the Symantec Bloodhound technology; outbound protection can protect against data loss. In the Army Enterprise we use Brightmail to assist in containing any Negligent Discharge of Classified Information by scanning all e-mail traffic for Subject, Attachment and Sender, then correlating this data and automatically stripping all content out of the e-mail except for a message that refers to a policy violation. This is instrumental in protecting a reputation or competitive advantage.

Host Based Security System

The Host Based Security System (HBSS) is a flexible, commercial-off-the-shelf (COTS) application. It monitors, detects, and counters known cyber-threats to the Army Enterprise. HBSS is installed on each host (server, desktop, and laptop) in the Army Enterprise and is being implemented in all DoD Enterprise Networks. The system is managed by local administrators and configured to identify known exploit traffic using an Intrusion Prevention System (IPS) and a host firewall. HBSS is a software-based program that is installed on a host (on Tier 3); the host interfaces with an ePolicy Orchestrator (ePO) server which resides on Tier 2. The ePO server interfaces with a download server, a patch repository and a super-agent distribution repository to provide four main functions: Policy Auditor, Malware Protection, Antivirus and Host Intrusion Prevention, see Figure 11. The Policy Auditor provides the ability to validate the integrity of a system by scanning the system for configuration settings and options. The Malware Protection provides real-time protection against the installation of malicious software on the host workstations. The Antivirus will detect, prevent and remove any computer virus, worm or Trojan horse, no different than any other antivirus suite (www.intelink.gov, 2010). The Host Intrusion Prevention (HIPS) is an IPS that monitors the host's activities for malicious activity.

Figure 11, HBSS Configuration

The main functions of host intrusion prevention systems are to identify malicious activity, log information about the activity, attempt to block/stop the activity, and report the activity. There is one more major capability that HBSS gives us to protect the Army Enterprise; that capability is called the Device Control Manager (DCM). The DCM allows for the creation of security groups to prevent access to predetermined peripherals. This capability was mandated by the Chairman of the Joint Chiefs of Staff as a result of Private First Class Bradley Manning, who is accused of the largest spillage of classified information in the history of the United States. He allegedly leaked over 380,000 records pertaining to Iraq and 90,000 pertaining to Afghanistan, all of them SECRET documents and videos, to the website "WikiLeaks". He was arrested and charged on May 26th, 2010; immediately after his arrest the DoD began implementing DCM to deny any SIPRnet, NIPRnet or CENTRIXS computer the ability to write to any removable media (thumb drive, CD/DVD, external drive, SD card, etc.) unless an exemption is granted by the first Colonel (O6) Designated Approval Authority (DAA) or Brigadier General (O7) DAA in the chain of command. This will minimize the possibility of another insider threat like this occurring. Additionally, the personnel who are granted an exception are required to maintain two-person integrity when writing to removable media, and the removable media must be cataloged and properly stored.

System Center Configuration Manager

The System Center Configuration Manager (SCCM) replaced the older Windows Software Update Server (WSUS) and was formerly known as Software Management Server (SMS). SCCM comprehensively assesses, deploys, and updates enterprise servers, clients, and devices across physical, virtual, distributed, and mobile environments (www.microsoft.com, 2011); it is an integral part of our Enterprise Security and Management.
The Army Enterprise uses SCCM for several primary functions: Asset Intelligence, Software Update Management, Configuration Management, Software Distribution and Operating System Deployment. Asset Intelligence gives administrators better control over the IT infrastructure and assets through asset intelligence technologies that give IT administrators continuous visibility into what hardware and software assets they have, who is using them, and where they are, by providing software and hardware inventory. Configuration Management assists administrators in ensuring that IT systems comply with Enterprise configuration policy to improve availability, security, and performance network-wide. The Software Distribution feature is very important as it allows remote patching; this complements our Information Assurance Vulnerability Management Program, see Tier 3 - Tools, Techniques and Processes.

Tier 3 - Tools, Techniques and Processes

Public Key Infrastructure

Public key infrastructure (PKI) enables users of a basically unsecured public network such as the Internet, or of a more secure network like the Army Enterprise, to securely authenticate and privately exchange data through the use of a public and a private cryptographic key pair that is obtained and shared through a trusted authority. The public key infrastructure provides a digital certificate that can identify an individual or an organization, and directory services that can store and, when necessary, revoke the certificates. The public key infrastructure assumes the use of public key cryptography, which is the most common method on the Internet, and on more secure networks like the Army Enterprise, for authenticating and sending or encrypting a message. Traditional cryptography has usually involved the creation and sharing of a secret key for the encryption and decryption of messages. This secret or private key system has the significant flaw that if the key is discovered or intercepted by someone else, messages can easily be decrypted. For this reason, public key cryptography and the public key infrastructure are the preferred approach. For PKI to work there are four major entities: a certificate authority (CA) that issues and verifies digital certificates (a certificate includes the public key or information about the public key); a registration authority (RA) that acts as the verifier for the certificate authority before a digital certificate is issued to a requestor; one or more directories where the certificates (with their public keys) are held; and a certificate management system. VeriSign® is the world's leading certificate authority (www.verisign.com, 2011).

Information Assurance Vulnerability Management Program

The Information Assurance Vulnerability Management (IAVM) program employs positive control mechanisms to mitigate potentially critical software vulnerabilities through the rapid development and dissemination of actions to all Department of Defense Enterprises. The IAVM program establishes positive control of the Department of Defense (DoD) Information Assurance Vulnerability Alert (IAVA) system, provides access to vulnerability notifications that require action, requires acknowledgement of action messages, requires compliance and reporting status, tracks compliance and reporting, and conducts random compliance checks and vulnerability scans. The IAVM program is managed jointly by the United States Cyber Command (USCC) and the Defense Information Systems Agency (DISA). Both agencies publish alert messages identifying software that has vulnerabilities that can be exploited. They also provide the patch repository that was mentioned in the SCCM portion. SCCM is used to push software package updates that are provided by the repository to ensure that all software and systems are properly patched to remediate any potential vulnerability. In order to ensure compliance across the Army Enterprise, we conduct Information Assurance Vulnerability scans using REM/Retina.
Retina is a vulnerability management and compliance solution designed specifically for Government agencies (eEye Digital Security, 2011). Retina.GOV is an integrated end-to-end vulnerability management and compliance solution designed to help Government departments and agencies with protection and compliance by defining and monitoring relevant IT controls. Retina Enterprise Manager (REM) is the interface that Retina uses to conduct the vulnerability scans.

Information Assurance and Computer Network Defense (IA/CND)

IA/CND is the process we use to remediate any IA issues within the Enterprise. We use a ticketing system called BMC Remedy to manage our incident handling program. This allows us to create, route, track and ensure compliance for any IA events throughout the Army Enterprise.
Conclusion

The research has shown the Army Enterprise Architecture and the tools, techniques and processes that are used at each Tier of the Enterprise. The Enterprise's Defense in Depth strategy is sound, but there is always room for improvement. As the technologies evolve, so does the threat from attackers, viruses, malware and other malicious activity. It is imperative that administrators stay vigilant and maintain situational awareness. The Tiers within the defense in depth concept are managed by different administrators; this requires thorough Network Operations processes within the community as well as a sound Change Management program. The lack of these processes will inevitably prevent users from being able to communicate, due to the multiple systems and tiers in the enterprise. As the research shows, there are numerous pieces of equipment blocking access within the Enterprise; one firewall modification can prevent General Officers from commanding and controlling their combat forces.
Works Cited

U.S. Central Command (USCENTCOM). (2001). CENTRIXS for Multinational Operations: Concept of Operations.

http://www.deepnines.com. (2010). Retrieved March 6, 2011, from http://www.deepnines.com/secure-web-gateway/definition-of-network-security

Institute for Telecommunications Science. (2010, January). Retrieved March 6, 2011, from http://www.its.bldrdoc.gov/projects/devglossary/_malicious_logic.html

www.intelink.gov. (2010). Retrieved March 10, 2011, from www.intelink.gov/hbss

Defense Information Systems Agency. (2011). Retrieved March 8, 2011, from www.disa.mil

http://www.marketresearchmedia.com. (2011). Retrieved March 8, 2011, from http://www.marketresearchmedia.com/2010/02/17/deep-packet-inspection-market/

http://www.symantec.com. (2011, January 1). Retrieved March 7, 2011, from http://searchg.symantec.com/search?q=worm&charset=utf-8&proxystylesheet=symc_en_US&client=symc_en_US&hitsceil=100&site=symc_en_US&output=xml_no_dtd&context=ent&x=9&y=12

www.arcsight.com. (2011). Retrieved March 9, 2011, from www.arcsight.com

www.cisco.com. (2011). Retrieved March 9, 2011, from http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094831.shtml

www.howstuffworks.com. (2011, January 1). Retrieved March 7, 2011, from http://www.howstuffworks.com/virus.htm

www.lumeta.com/ipsonar. (2011). Retrieved March 8, 2011, from www.lumeta.com/ipsonar

www.microsoft.com. (2011). Retrieved March 10, 2011, from http://www.microsoft.com/systemcenter/en/us/configuration-manager/cm-overview.aspx

www.symantec.com. (2011). Retrieved March 10, 2011, from http://www.symantec.com/business/products/family.jsp?familyid=brightmail

www.symantec.com/security_response. (2011, January 1). Retrieved March 7, 2011, from http://www.symantec.com/security_response/writeup.jsp?docid=2004-021914-2822-99

www.verisign.com. (2011). Retrieved March 11, 2011, from https://www.verisign.com/ts-sem-page/?sl=t11990306090000002&gclid=CKDh4v-3xKcCFUtSHAodclBgDA

Anderson, N. (2010, June 10). Retrieved March 8, 2011, from http://arstechnica.com/tech-policy/news/2010/06/deep-packet-inspection-soon-to-be-15-billion-business.ars

BlueCoat. (2011). Retrieved March 10, 2011, from http://www.bluecoat.com/products/proxyclient

Cisco Systems. (2005). Designing Network Security. Indianapolis, IN: Pearson Education, Inc.

Cisco Systems Inc. (2011). Access Control Lists. San Jose, CA. Retrieved from http://www.cisco.com/en/US/docs/ios/11_3/security/configuration/guide/scacls.html#wp3696

Defense in Depth. (n.d.). Retrieved March 4, 2011, from http://www.nsa.gov/ia/_files/support/defenseindepth.pdf

Department of Homeland Security. (2011). United States Computer Emergency Readiness Team. Retrieved March 6, 2011, from www.us-cert.gov

eEye Digital Security. (2011). Retrieved from www.eeye.com/gov

Garfinkel, S. L. (2005, January 26). Retrieved March 6, 2011, from http://skypetips.internetvisitation.org/files/VoIP%20and%20Skype.pdf

http://www.tech-faq.com. (n.d.). Retrieved March 7, 2011, from http://www.tech-faq.com/logic-bomb.html

Pearson Education. (2005). Threats to an Enterprise Network. Pearson Education.

Shead, S. (2010, January 25). Steve Shead Dot Net: An Information Security Blog. Retrieved March 5, 2011, from http://www.steve-shead.net/tag/

Teo, L. (2000, December 1). Network Probes Explained. Retrieved March 6, 2011, from http://www.linuxjournal.com/article/4234

The SANS Institute. (2010, December 4). Retrieved March 7, 2011, from http://www.sans.org/top-cyber-security-risks/summary.php

U.S. Secret Service and CERT Coordination Center/SEI. (2004). Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector.

Webbmedia Group, LLC. (2009, August 31). DDoS Explained. Baltimore, MD.

www.kratosdefense.com. (n.d.). Retrieved March 4, 2011, from http://www.kratosdefense.com/c5isr.htm

www.nsa.gov. (n.d.). Retrieved March 4, 2011, from http://www.nsa.gov/ia/programs/global_industry_grid/index.shtml

Young G, P. J. (2010, December 6). www.gartner.com. Retrieved March 9, 2011, from www.mcafee.com/us/.../rp-gartner-magic-quadrant-network-ips.pdf