New technologies, new procedures in network security help Army Signal Command move from 'hasty defense' to 'deliberate defense'

by LTC Marc Withers and MAJ Mike McNett

FORT HUACHUCA, Ariz. Imagine an analytical capability and system that would allow proactive measures to be taken against information threats. The system would also allow users to rapidly react to new situations, would ensure the highest level of network availability to customers and would reduce vulnerabilities that can be exploited by malicious users.

Striving to meet these goals today, as well as fulfilling the Defense Department’s Joint Vision 2010 premise of information superiority, is exactly where the Army Signal Command’s Army Network, Systems and Security Operations Center here is moving to in close cooperation with several other organizations.

Building upon an impressive base, the efforts underway in ANSSOC – along with efforts in ASC’s other theater-network-systems security-operations centers – provide the Army a program that will ensure the highest levels of information assurance throughout the world while simultaneously providing a high quality of service to Army customers.

ANSSOC staff members at work ANSSOC staff members at work.

ANSSOC is composed of a variety of highly skilled soldiers, civilians and contractors who are leaders in the field of information technology and IA. The center provides a variety of network and computer-protection services in the continental United States and worldwide to the Army around the clock:

Managing the Army’s domain-name-service system;
Providing direct support to key standard Army management information systems projects;
Monitoring and protecting the Army’s CONUS information infrastructure above the installation level;
Managing the Army’s dial-in services; and
Acting as the public-key infrastructure registration authority for private Army webservers and devices.

ANSSOC has a day-to-day operational mission of monitoring, managing and protecting the Army’s portion of the CONUS defense information infrastructure. ANSSOC has successfully teamed with several organizations to leverage their skills, experience, expertise and data. Some of these include ASC’s other TNSSOCs, the Army Computer Emergency Response Team, Defense Information Systems Agency and even the Federal Bureau of Investigation. However, ANSSOC’s primary partner for IA is the Regional Computer Emergency Response Team-CONUS.

Along with the close relationships with these organizations, ANSSOC has also ensured success by intertwining network operations with network and systems security and protection. Integrating these two areas has ensured ANSSOC is proactive and quick to react to any threats to the Army infrastructure. This process is enhanced by the colocation of RCERT-C with ANSSOC. This allows each organization to leverage off each other’s expertise continually and has resulted in a partnership organization that not only ensures a high availability of information to our customers, but has also led to an integration of security into all operations (see figure below).

C2-protect partnership Command-and-control-protect partnership.

As part of the network-security improvement program defense-in-depth strategy spearheaded by the director of information systems for command, control, communications and computers, ANSSOC’s role in IA is fulfilled primarily above the installation’s infrastructure, in which lie the "demilitarized zones" and the installation top-level architecture (figure below).

ANSSOC role ANSSOC's role is fulfilled primarily above the installation-infrastructure level.

Army installations’ perimeter security includes Army security routers that route all traffic into and out of each location. ANSSOC centrally manages and monitors these ASRs to ensure both network availability and network protection of the Army’s part of the DII at all times.

The next two levels of defense-in-depth are the network-based and host-based intrusion-detection systems that ANSSOC also centrally manages and monitors. This, combined with the ASR status, allows one facility to obtain a common operational view of the entire CONUS DII for the Army’s networks and critical servers. These levels are closely tied to and coordinated with the RCERT-C and other agencies.

This defense-in-depth strategy has created a very close relationship between network operations and network and systems security. One example of this close relationship is router log management. Traditionally, routers have been considered to be network-management devices, with little attention paid to their role in network security and protection. However, the ASRs located at each installation are dual purpose: they ensure proper traffic routing, and they’re configured to be "firewall-like" devices. The logs from these routers are routinely analyzed to find both network anomalies and potential security events. This results in highly reliable and secure networks.

In fact, about 25 percent of the network-security blocks issued are the direct result of router-log analysis. These blocks represent malicious activity that occurs as low-level attacks that don’t necessarily meet the detection thresholds for the network IDSs. If the routers were only viewed with respect to network-availability problems, the Army would lose in its fight against malicious users since much of this low-level activity would be missed.

Another example of the synergy resulting from integrated network operations and security is with distributed-denial-of-service attacks against Army systems. During such attacks, the network-operations portion sees degradation of the network and monitored systems, while the security side of network operations simply sees a large number of events triggered on the security monitoring devices. By having an integrated network and security operation, the Army obtains a very rapid response to activities such as this by leveraging everyone’s skills and abilities.

The structure set up to protect the Army’s networks, although successful, is best characterized as a "hasty defense." The Army can now defend itself against frontal attacks (for example, from "script kiddies"). We can also defend our flanks through means such as existing security mechanisms, policies, procedures or the IA vulnerability-assessment process. However, we’re still vulnerable to two types of attacks: the rear battle (backdoors) and the snipers and stealthy individual foot soldiers with lots of camouflage and expertise who are along our perimeter – in other words, sophisticated hackers.

Hackers are willing to take long periods of time to conduct reconnaissance so they can find our vulnerabilities to exploit. To protect against these folks we must expand our defense-in-depth and establish a "deliberate defense" – more robust, with better tools and a more sophisticated architecture able to detect the enemy by looking at all data sources in a coordinated fashion.

This coordination is required because of the multiple sensor devices and information that comes into ANSSOC: host-based IDS logs for Army critical servers, server logs, firewall logs, network-management data, external reports, network-based IDS logs and router logs. While all these data sources are valuable when they are viewed independently, we’ve found a great deal of synergy can be gained when you look at this data as a whole.

This information would do us little good if we didn’t have highly qualified and skilled analysts, system administrators and network managers. However, even the best human can’t correlate all events from all these systems. We need the systems to use their "intelligence" and help out the human.

Event correlation is the technique we’re starting to use for this purpose. The ability to correlate between events within one data source is greatly enhanced when you can cross-correlate between different types of data sources such as router logs, IDS logs and incident reports. ANSSOC is currently correlating data from various data sources to determine when multiple sites are being attacked from the same or multiple sources. This correlation capability has already resulted in an increase in protection across the Army’s portion of the DII.

ANSSOC (and many other Army organizations) have made impressive gains in improving the Army’s IA posture and providing security to Army networks. What has been done, however, is just the start. We’re now moving past the "hasty defense" and making initial changes to implement a "deliberate defense" that takes advantage of new technologies and new procedures learned over the last few years. The threat continues to evolve and so must our countermeasures.

ANSSOC has deployed an impressive array of systems to stay at the forefront of the IA battle and to integrate network operations with network security. All the Army must strive to do the same.

MAJ McNett is ANSSOC’s director. He holds bachelor’s and master’s of science degrees in computer science from Illinois State University and University of Illinois, respectively.

LTC Withers is chief of ASC’s Network, Systems and Security Management Division. He earned a bachelor of arts in mathematics and history from the Virginia Military Institute and a master of science in computer science from the Georgia Institute of Technology.

Acronym QuickScan
ANSSOC – Army Network, Systems and Security Operation Center
ASC – Army Signal Command
ASR – Army security router
CONUS – continental United States
DII – defense information infrastructure
IA – information assurance
IDS – intrusion-detection system
RCERT-C – Regional Computer Emergency Response Team-C(ontinental United States)
TNSSOC – theater-network-systems security-operations center

dividing rule

Back issues on-line | "Most requested" articles | Article search | Subscriptions | Writer's guide

Army Communicator is part of Regimental Division, a division of Office Chief of Signal.

This is an offical U.S. Army Site |

04/04/12

This is an offical U.S. Army Site |