JRSS Adds Security Features, Pushes Ahead in U.S. and Europe
Getting better defenses up and running to protect the U.S. military’s digital networks is taking longer than expected. But even amid delays, the defenses themselves are being upgraded.
The 48 Joint Regional Security Stacks (JRSS), intended to become the Defense Department’s bulwark against hackers, viruses and malware attacks, are behind schedule, according to a report from the Pentagon’s Office of Operational Test and Evaluation (OT&E).
Ultimately, all network traffic into and out of DoD networks will flow through the JRSS gateways, which are critical to implementing a sweeping, years-long effort to remodel DoD’s disjointed conglomeration of networks into a single, secure Joint Information Environment (JIE).
OT&E reported in February that JRSS tests scheduled for 2014 and 2015 were delayed, as was a computer network defense exercise scheduled for October 2015. The JIE Executive Committee postponed that work to provide more time for engineering, installing and implementing initial JRSS capabilities, including multiprotocol label switching (MPLS), OT&E reported. The committee plans an operational assessment in Europe later this year.
Delays shifted initial implementation from Europe to the southern United States, OT&E said. “The European JIE early operational assessment continues to slip due to JRSS integration complexity, lack of overall schedule discipline and service-influenced funding priorities.”
Four security stacks have been installed thus far, and are now ready for the Army to begin “migrating” its networks, said Col. Scott Jackson, chief of the JIE Solutions Division of the Defense Information Systems Agency (DISA). These will reroute network traffic through the stacks so they can filter internet traffic and guard against dangers coming in and unauthorized data flowing out.
Those stacks – at Fort Meade, Md.; Joint Base San Antonio and Fort Hood, both in Texas; and Fort Sill, Okla. – are JRSS iteration 1.0, Jackson said. Now they are being upgraded to JRSS 1.5 to meet Air Force needs, so its networks can begin migrating to JRSS stacks this summer, he said.
The security stacks planned for Europe are still being assembled and hardware and software for 16 stacks planned for the Pacific region are still being procured, Jackson said.
“My optimistic master schedule” – if budgets aren’t delayed or cut by sequestration and if equipment is delivered on time – is that 15 unclassified and 17 classified security stacks will be installed by the end of this year, he said.
Then comes a “lengthy migration phase,” during which service networks must be methodically transferred to JRSS. If there are 1,000 rules in a network firewall, each must be recreated virtually in JRSS, Jackson explained.
By 2019, there are to be 23 security stacks for unclassified network traffic and 25 for classified traffic, he said.
Packet Capture Upgrade
Even as the stacks are being built, DISA continues to upgrade the hardware and software each stack will use to foil intruders.
Among the newest features: A packet-capture capability that will enable JRSS to record traffic just like “a security camera at the door of a bank,” said Paul Spencer, vice president of engineering at Niksun, Inc. of Princeton, N.J., whose Supreme Eagle security system is being added to JRSS.
Supreme Eagle will enable JRSS to make and store copies of all of the traffic that flows into and out of the military’s networks, examining them for malware and signs of malicious activity.
“We look inside to pull out certain metadata and protocol information,” Spencer said.
When malicious traffic is spotted, network operators are alerted. “The key thing we bring to the table is the ability to trace events as far as what an attack consists of, step by step,” Spencer said. “We have experience dealing with cases where an attacker puts in a back door” and it remains undiscovered while its owner gradually exfiltrates information or sabotages data. By saving a record of network traffic, Spencer explained, “we can reconstruct events, see how they installed the back door and what was exfiltrated.”
Attack records are stored in a “network knowledge warehouse,” where they can be used to identify and disrupt future attacks. The Supreme Eagle system automatically compares traffic data to information from its warehouse for forensic analysis. “There is no need to manually parse through streams of traffic data to find information relevant to a network incident,” Spencer said.
This new packet capture technology “is much more robust,” Jackson said. The initial packet capture technology used by JRSS could not keep up with network traffic. Niksun’s technology captures packets at more than 100 gigabits per second, enough to keep up with the full flow of data through JRSS gateways.
Improved Malware Scans
To further bolster JRSS defenses, DISA is also adopting a new file-scanning technology called Metascan, which will funnel incoming data through 26 separate anti-malware engines.
Because no single anti-malware engine can detect every possible threat, Metascan processes data through multiple virus screens at once.
“Basically, we’re taking the scanning functionality of 26 different anti-virus companies and putting it into one package” that runs on premises, said Curtis Cade, federal sales manager at Opswat, a San Francisco-based supplier of enterprise security technology. Included are industry leaders like Symantec, McAfee, Microsoft and Kaspersky, along with lesser-known threat libraries.
At the same time, an InQuest inspection and analysis tool performs “deep file inspection” on traffic moving through the network.
“We intercept, identify, analyze and catalog everything,” said Pedram Amini, chief technology officer at InQuest of Arlington, Va.
Amini said “the most common way of breaking into a network is through the Web and email.” But typical perimeter security defenses are less and less effective at securing networks against threats embedded within files and email attachments.
InQuest’s software focuses on files and data downloaded from the Web or received in email. “We feed it through a gantlet of security checks,” Amini said.
For example, with an email that includes a zipped file, the software will dig down through layers of zipped content, expanding, decoding and analyzing for threats. It will also examine Internet Protocol addresses, domain names, files, and email addresses, searching for anything suspicious.
A threat-scoring algorithm then assigns a threat level to the data. The process can take minutes, “which is astronomical at the scale we’re talking about,” said Amini. Less thorough file inspections may take only microseconds, but speed reduces thoroughness and effectiveness.
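The following Python sketch is an added illustration of the kind of inspection described above; it is not InQuest’s software or DISA’s, and nothing in it comes from the original page. It recursively expands nested zip attachments, pulls IP addresses, domain names and email addresses out of the leaf files, notes executable content, and turns what it found into a score. The nesting and expansion limits, the regular expressions, the executable-suffix list and the scoring weights are all arbitrary assumptions chosen for the example; the sample attachments are constructed in memory. The one caveat worth taking from it is that an archive the inspector cannot finish expanding (too deep, or too large once decompressed) is treated as hostile rather than as unknown, since nesting and decompression bombs are exactly how attackers defeat a scanner that gives up quietly.

```python
"""Recursive attachment inspection with indicator extraction and a threat score.

Added example for illustration only; not InQuest's or DISA's code.
"""
import io
import re
import zipfile
from dataclasses import dataclass, field

# Assumed limits: stop descending after MAX_DEPTH nested archives, and stop
# expanding once MAX_BYTES of uncompressed content have been read (zip-bomb guard).
MAX_DEPTH = 5
MAX_BYTES = 50 * 1024 * 1024

# Deliberately simple indicator patterns (assumed; a real inspector would use
# proper parsers and a much larger TLD list).
IP_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(rb"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
DOMAIN_RE = re.compile(rb"\b(?:[a-z0-9-]+\.)+(?:com|net|org|ru|cn|info|biz|top)\b", re.I)
EXEC_SUFFIXES = (".exe", ".dll", ".scr", ".js", ".vbs", ".ps1", ".hta")


@dataclass
class Findings:
    ips: set = field(default_factory=set)
    domains: set = field(default_factory=set)
    emails: set = field(default_factory=set)
    executables: list = field(default_factory=list)
    max_depth: int = 0
    truncated: bool = False      # a guard stopped the descent before it finished
    bytes_expanded: int = 0


def inspect_attachment(data: bytes, name: str = "attachment", depth: int = 0,
                       findings: Findings = None) -> Findings:
    """Walk `data`, descending into zip archives, and collect indicators."""
    if findings is None:
        findings = Findings()
    findings.max_depth = max(findings.max_depth, depth)
    if name.lower().endswith(EXEC_SUFFIXES):
        findings.executables.append(name)
    if zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= MAX_DEPTH:
            findings.truncated = True
            return findings
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    if findings.bytes_expanded + info.file_size > MAX_BYTES:
                        findings.truncated = True
                        return findings
                    findings.bytes_expanded += info.file_size
                    inspect_attachment(zf.read(info), info.filename, depth + 1, findings)
        except zipfile.BadZipFile:
            findings.truncated = True    # malformed archive: cannot vouch for contents
        return findings
    # Leaf file: extract indicators from the raw bytes.
    findings.ips.update(m.decode() for m in IP_RE.findall(data))
    findings.emails.update(m.decode() for m in EMAIL_RE.findall(data))
    findings.domains.update(m.decode().lower() for m in DOMAIN_RE.findall(data))
    return findings


def score(f: Findings) -> int:
    """Assumed weights: executables and unfinished inspection dominate the score."""
    s = 10 * len(f.executables)             # executable hidden inside an attachment
    s += 3 * f.max_depth                    # each layer of nesting is a common evasion
    s += 2 * len(f.ips) + len(f.domains) + len(f.emails)   # reachable infrastructure
    if f.truncated:
        s += 25                             # could not finish: hostile, not unknown
    return s


def build_sample() -> bytes:
    """Constructed sample: invoice.zip -> inner.zip -> {readme.txt, update.exe}."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("readme.txt",
                    b"Contact billing@example.com or 203.0.113.7 for the update at cdn.example.net")
        zf.writestr("update.exe", b"MZ\x90\x00 not a real executable")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()


def build_nested(levels: int, payload: bytes = b"hello") -> bytes:
    """Constructed sample: `levels` zips wrapped one inside another around a text file."""
    data = payload
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("payload.txt" if i == 0 else f"layer{i}.zip", data)
        data = buf.getvalue()
    return data


if __name__ == "__main__":
    f = inspect_attachment(build_sample(), "invoice.zip")
    print(f, "score:", score(f))
    deep = inspect_attachment(build_nested(7), "deep.zip")
    print("nested 7 deep -> truncated:", deep.truncated, "score:", score(deep))
```

The two constructed inputs exercise both paths: the invoice archive is fully expanded and scored on what it contains, while the seven-level archive trips the depth guard and is scored as hostile without its innermost payload ever being read.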
The stream of viruses, spyware, Trojan horses and other malware is continuous, like “constant noise,” Amini said. “Everyone’s exposed to the noise, but a large part of what we’re doing is filtering out the noise” to focus on the serious threats.
DISA’s Jackson said JRSS will use these and many other cyber defenses to bring a uniform level of security to military networks. “The biggest benefit of JRSS is that it standardizes everything.”
How well it all works should become clearer later this year. Reports OT&E: “The National Security Agency plans to conduct a cybersecurity deep-dive assessment in 2016.”