Host Based Security System: Difference between revisions

Dthomsen8
m clean up, typo(s) fixed: counter attacks → counterattacks using AWB
m clean up spacing around commas and other punctuation fixes, replaced: ,h → , h (2)
 
{{Short description|Department of Defense suite of software applications}}
{{OrphanUpdate|date=June 2019}}
 
The '''Host Based Security System''' ('''HBSS''') is the official name given to the United States [[United States Department of Defense|Department of Defense]] (DOD) [[commercial off-the-shelf|commercial-off-the-shelf]] (COTS) suite of software applications used within the DOD to monitor, detect, and defend the DOD computer networks and systems. The [[Enterprise-wide Information Assurance and computer Network Defense Solutions Steering Group]] (ESSG) sponsored the acquisition of the HBSS System for use within the DOD Enterprise Network. HBSS is deployed on both the [[NIPRNet|Non-Classified Internet Protocol Routed Network]] (NIPRNet) and [[SIPRNet|Secret Internet Protocol Routed Network]] (SIPRNet) networks, with priority given to installing it on the NIPRNet. HBSS is based on [[McAfee|McAfee, Inc]]'s [[ePolicy Orchestrator]] (ePO) and other McAfee point product security applications such as [[Host Intrusion Prevention System]] (HIPS).
 
== History ==
Seeing the need to supply a comprehensive, department-wide security suite of tools for DOD System Administrators, the ESSG started to gather requirements for the formation of a host-based security system in the summer of 2005. In March 2006, [[BAE Systems]] and McAfee were awarded a contract to supply an automated host-based security system to the department. After the award, 22 pilot sites were identified to receive the first deployments of HBSS.<ref>{{Cite web|date=2010-06-19|title=Host Based Security System (HBSS)|url=http://www.disa.mil/hbss/index.html|access-date=2021-08-18|archive-url=https://web.archive.org/web/20100619104318/http://www.disa.mil/hbss/index.html|archive-date=2010-06-19}}</ref> During the pilot roll out, DOD System Administrators around the world were identified and trained on using the HBSS software in preparation for software deployment across DOD.
 
On October 9, 2007, the [[Joint Task Force for Global Network Operations]] (JTF-GNO) released [[Communications Tasking Order]] (CTO) 07-12 (''Deployment of Host Based Security System (HBSS)'') mandating the deployment of HBSS on all Combatant Command, Service and Agency (CC/S/A) networks within DOD, with a completion date of the third quarter of 2008.<ref>{{Cite web|date=2010-12-05|title=infoexchange|url=http://www.afcea.org/events/landwarnet/08/infoexchange.asp|access-date=2021-08-18|archive-url=https://web.archive.org/web/20101205013909/http://www.afcea.org/events/landwarnet/08/infoexchange.asp|archive-date=2010-12-05}}</ref> The release of this CTO brought HBSS to the attention of all major department heads and CC/S/As, providing the ESSG with the necessary authority to enforce its deployment. Agencies not willing to comply with the CTO now risked being disconnected from the DOD [[Global Information Grid]] (GIG) for any lack of compliance.
 
Lessons learned from the pilot deployments provided valuable insight to the HBSS program, eventually leading to the [[Defense Information Systems Agency]] (DISA) supplying both pre-loaded HBSS hardware as well as providing an HBSS software image that could be loaded on compliant hardware platforms. This proved to be invaluable to easing the deployment task on the newly trained HBSS System Administrators and provided a consistent department-wide software baseline. DISA further provided step-by-step documentation for completing an HBSS baseline creation from a freshly installed operating system. The lessons learned from the NIPRNet deployments simplified the process of deploying HBSS on the SIPRNet.
 
=== Significant HBSS dates ===
* Summer 2005: ESSG gathered information on establishing an HBSS automated system
* March 2006: BAE Systems and McAfee awarded contract for HBSS establishment and deployment
* March 27, 2007: The ESSG approved the HBSS for full-scale deployment throughout the DoD enterprise
* October 9, 2007: The [[Joint Task Force for Global Network Operations|JTF-GNO]] releases CTO 07-12
* November 2009: The [[United States Air Force|Air Force]] awarded [[Northrop Grumman|Northrop Grumman, Inc.]] with the deployment of HBSS on the SIPRNet<ref>Henry Kenyon, ''Northrop Grumman Wins Air Force SIPRNET Contract'', http://www.afcea.org/signal/signalscape/index.php/2009/11/northrop-grumman-wins-air-force-siprnet-contract/, 3/13/2010 {{Dead link|date=August 2021}}</ref>
 
== HBSS components ==
Throughout its lifetime, HBSS has undergone several major baseline updates as well as minor maintenance releases. The first major release of HBSS was known as Baseline 1.0 and contained the McAfee ePolicy Orchestrator engine, HIPS, [[software compliance profiler]] (SCP), [[rogue system detection]] (RSD), [[asset baseline manager]] (ABM), and assets software. As new releases were introduced, these software products have evolved, new products have been added, and in some cases products have been completely replaced by different ones.
 
=== HBSS Baseline 4.5 MR2 components ===
As of January 2011, HBSS is at Baseline 4.5, Maintenance Release 2.0 (MR2). MR2 contains the following software:

==== Microsoft products ====
{| class=wikitable
|-
! Software application
! Version
|-
| 2003 SP2 (5.2.3790)
|-
| Microsoft .NET Framework
| 1.1.4322.2433
|-
| Microsoft .NET Framework
| 2.2.30729
|-
| Microsoft .NET Framework
| 3.2.30729
|-
| Microsoft .NET Framework
| 3.5.30729.1
|-
|}
 
==== Optional products/components ====
{| class=wikitable
|-
! Software application
! Version
|-
| Symantec SEP/SAV integration extension
| 1.3, plugin 1.2666
|-
| McAfee VirusScan Enterprise
| 8.7.0.570 (evaluation)
|-
| McAfee VirusScan Enterprise 8.7 extension
| 8.7.0.195
|-
| McAfee VirusScan report extension
| 1.1.0.154
|}
 
==== SIPRNet-only products/components ====
{| class=wikitable
|-
! Software application
! Version
|-
| Rollup Extender
| 1.2.8
|}
 
== How HBSS works ==
The heart of the HBSS is the McAfee ePolicy Orchestrator (ePO) management engine. The McAfee tools are responsible for:
* Providing a consistent front-end to the point products
* Consolidating point product data for analysis
* Ensuring application patch compliance
 
<!----==== Security compliance profiler ====
The security compliance profiler (SCP) was one of the original products provided in HBSS Baseline 1.0. It was removed from HBSS as of Baseline 2.0 and replaced with the Policy Auditor component. The SCP is an integral component of ePO that provides enterprise-wide reporting on security patches, including the Microsoft operating systems.<ref>'''System Compliance Profiler''', http://www.mcafee.com/us/enterprise/products/promos/system_security_management/epolicy_orchestrator/compliance_profiler.html, 3/14/2010</ref>
---->
 
=== McAfee point products ===
McAfee considers a point product to be an individual software application controlled by the ePO server. The HBSS point products consist of the following:
* Host Intrusion Prevention System (HIPS)
* Policy Auditor (PA)
* Assets Baseline Module (ABM)
* Rogue System Detection (RSD)
* Device Control Module (DCM)
* Asset Publishing Service (APS)
 
==== Host Intrusion Prevention System ====
The Host Intrusion Prevention System (HIPS) consists of a host-based firewall and application-level blocking consolidated in a single product. The HIPS component is one of the most significant components of the HBSS, as it provides the capability to block known intrusion signatures and restrict unauthorized services and applications running on the host machines.
 
==== Policy Auditor ====
Policy Auditor (PA) was introduced in HBSS Baseline 2.0. Policy Auditor is responsible for ensuring compliance with mandates such as the [[Payment Card Industry Data Security Standard]] (PCI DSS), the [[Sarbanes–Oxley Act of 2002]] (SOX), the [[Gramm–Leach–Bliley Act]] of 1999 (GLBA), the [[Health Insurance Portability and Accountability Act of 1996]] (HIPAA) and the [[Federal Information Security Management Act of 2002]] (FISMA), as well as the best-practice frameworks [[ISO 27001:2005]] and Control Objectives for Information and Related Technology ([[COBIT]]). By mapping IT controls against predefined policy content, PA reports consistently and accurately against key industry mandates and internal policies across the infrastructure or on specific targeted systems. Policy Auditor is an agent-based IT audit solution that uses the Security Content Automation Protocol (SCAP) to automate the processes required for internal and external IT audits.<ref>{{cite web|title=McAfee Policy Auditor|url=http://www.mcafee.com/us/products/policy-auditor.aspx|accessdate=15 November 2012}}</ref>
 
==== Assets Baseline Module ====
The Assets Baseline Module, released in Baseline 1.0 as a [[government off-the-shelf]] (GOTS) product, is used to address system baseline configurations and the changes to them needed to respond to [[INFOCON|Information Operations Condition]] (INFOCON) changes during times of heightened security threats to the system. During the initial deployment stages of HBSS, the Assets Module was immature and lacked many of the product's intended capabilities. The application has since evolved into a robust, feature-rich version capable of meeting the original software's design goals. ABM was originally known as Assets 1.0. It was upgraded to Assets 2.0 in HBSS Baseline 2.0 and later called Assets 3000 in HBSS Baseline 3.0.
 
==== Rogue System Detection ====
The Rogue System Detection (RSD) component of HBSS provides real-time detection of new hosts attaching to the network. RSD monitors network segments and reports all hosts seen on the network to the ePO server. The ePO server then determines whether the system is connected to the ePO server, has a McAfee Agent installed, has been identified as an exception, or is considered rogue. The ePO server can then take the appropriate action(s) concerning the rogue host, as specified in the RSD policy. HBSS Baseline 1.0 introduced RSD 1.0. RSD was updated to 2.0 in HBSS Baseline 2.0.
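The triage the ePO server performs on an RSD sensor report, as an added example that is not McAfee's or the HBSS project's own code: it assumes a constructed sensor report of (MAC, IP) pairs, a constructed table of systems whose McAfee Agent has checked in, a constructed exception list, and an assumed policy mapping each category to an action; a host whose agent has not checked in within seven days is treated as "agent installed but not connected".

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class ManagedSystem:
    hostname: str
    last_agent_contact: datetime  # last check-in of the McAfee Agent with ePO

# Constructed sample data: what ePO already knows about the enclave.
NOW = datetime(2011, 1, 15, 12, 0)
MANAGED = {
    "00:11:22:33:44:01": ManagedSystem("ws01", NOW - timedelta(hours=1)),
    "00:11:22:33:44:02": ManagedSystem("ws02", NOW - timedelta(days=30)),
}
EXCEPTIONS = {"00:11:22:33:44:aa"}  # e.g. a printer that can never run an agent

# Constructed sensor report: (MAC, IP) pairs an RSD sensor saw on its segment.
SENSOR_REPORT = [
    ("00:11:22:33:44:01", "10.0.0.11"),
    ("00:11:22:33:44:02", "10.0.0.12"),
    ("00:11:22:33:44:AA", "10.0.0.50"),
    ("00:11:22:33:44:ff", "10.0.0.99"),
]

# Assumed RSD policy: category -> action the server takes (not McAfee's schema).
POLICY = {
    "managed": "none",
    "agent_installed": "flag for follow-up: agent not communicating",
    "exception": "none",
    "rogue": "alert and queue agent deployment",
}

def classify(mac, managed, exceptions, now, max_age=timedelta(days=7)):
    """Return the category ePO assigns to one observed MAC address."""
    mac = mac.lower()  # sensors may report MACs in either case
    known = managed.get(mac)
    if known is not None:
        # An agent exists; the host counts as connected only if it checked in recently.
        return "managed" if now - known.last_agent_contact <= max_age else "agent_installed"
    return "exception" if mac in exceptions else "rogue"

def triage(report, managed, exceptions, now):
    """Classify every host in a sensor report and attach the policy action."""
    results = []
    for mac, ip in report:
        category = classify(mac, managed, exceptions, now)
        results.append((mac.lower(), ip, category, POLICY[category]))
    return results
```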
 
==== Device Control Module/Data Loss Prevention ====
The DCM component of HBSS was introduced in HBSS Baseline 2.0 specifically to address the use of USB devices on DOD networks. JTF-GNO CTO 09-xxx, ''Removable Flash Media Device Implementation Within and Between Department of Defense (DOD) Networks'', was released in March 2009 and allowed the use of USB removable media, provided it meets all of the conditions stated within the CTO. One of these conditions requires the use of HBSS with the DCM module installed and configured to manage the USB devices attached to the system.<ref>{{Cite web|date=2011-01-20|title=DoD Can Use USB Securely {{!}} Blog Central|url=http://blogs.mcafee.com/enterprise/public-sector/dod-can-use-usb-securely|access-date=2021-08-18|archive-url=https://web.archive.org/web/20110120192355/http://blogs.mcafee.com/enterprise/public-sector/dod-can-use-usb-securely|archive-date=2011-01-20}}</ref> The DCM was renamed Data Loss Prevention (DLP) in HBSS Baseline 3.0 MR3.
 
==== Asset Publishing Service ====
The Asset Publishing Service (APS) of HBSS was introduced in HBSS Baseline 4.0 to allow enclaves to report asset information to a third-party DoD entity in a standards-compliant format. It adds contextual information to HBSS assets and allows for improved reporting features on systems relying on HBSS data.
 
== Obtaining HBSS ==
According to JTF-GNO CTO 07-12, all DOD agencies are required to deploy HBSS to their networks. DISA has made HBSS software available for download on their [[Public key infrastructure|PKI]] protected [https://patches.csd.disa.mil/ patch server]. Users attempting to download the software are required to have a [[Common Access Card]] (CAC) and be on a .mil network. DISA provides software and updates free of charge to DOD entities.
 
Additionally, HBSS administrators must satisfactorily complete HBSS training and are commonly appointed in writing by the unit or section commander.
 
== Learning HBSS ==
In order to receive and administer an HBSS system, system administrators must satisfactorily complete online or in-class HBSS training and be identified as an HBSS administrator. Online training takes 30 hours to complete, while in-class training requires four days, excluding travel. An advanced HBSS class is also available to HBSS administrators wishing to acquire a more in-depth knowledge of the system. HBSS online and in-class training is managed by DISA, and information pertaining to these training classes can be obtained at the DISA [http://iase.disa.mil Information Assurance Support Environment] (IASE) website.
 
== HBSS support ==
The DISA Risk Management Executive Office (RE), formerly the [[Field Security Office]] (FSO), provides free technical support for all HBSS administrators through its help desk. DISA has three tiers of support, from Tier I to Tier III. Tier I and Tier II support is provided by DISA FSO, while Tier III support is provided by McAfee. DISA FSO support is available using one of the following methods:<ref>{{Cite web|date=2010-02-12|title=DoD Information Assurance Tools|url=http://iase.disa.mil/tools/index.html|access-date=2021-08-18|archive-url=https://web.archive.org/web/20100212232302/http://iase.disa.mil/tools/index.html|archive-date=2010-02-12}}</ref>
 
{|
|Email: disa.tinker.eis.mbx.thbss-service-desk [at] mail.mil
|-
|Commercial: (405) 739-5600
|-
|[[Defense Switched Network|DSN]]: 850-0032
|-
|Toll Free: 844-347-2457
|}
 
== The future of HBSS ==
At its current pace, HBSS has been updated several times from the original Baseline 1.0 to the current Baseline 3.0, MR3 version. Within Baseline 3.0, maintenance releases have been introduced every two to four months, bringing better stability and security with each release. HBSS follows McAfee ePO version updates closely and it is expected to continue this trend as ePO is continuously developed.
 
== References ==
<!--- See http://en.wikipedia.org/wiki/Wikipedia:Footnotes on how to create references using <ref></ref> tags which will then appear here automatically -->
{{Reflist}}
 
== External links ==
* [http://www.afcea.org/signal/articles/templates/200904SIGNALConnections.asp?articleid=1909&zoneid=258 End-Point Security Spreads Throughout Military]
* [http://www.afcea.org/content/?q=northrop-grumman-wins-air-force-siprnet-contract Northrop Grumman Wins Air Force SIPRNET Contract]
* [http://www.afcea.org/events/landwarnet/08/infoexchange.asp Host Based Security System (HBSS)]
* [http://iase.disa.mil Information Assurance Support Environment]
* [http://www.mcafee.com McAfee, Inc.]