Building Secure Computers?

Cliff posted more than 9 years ago | from the even-keyboard-adccess-won't-make-it-easy dept.

Security 628

maotx asks: "Growing into the job of a system administrator, I've been tasked with something I'm not quite prepared for: purchase or build a computer that meets DoD compliance for classified 'Secret' information. Several vendors, including Dell our primary supplier, offers computers that will work, but being new to the criteria I want to make sure the right computer is purchased. The computer will be used to create secure CAD drawings (Solidworks, OrCAD, etc) and must have, from what I can tell, a removable hard drive and security stickers to prevent tampering. What is you're experience in setting up a secure computer and is it better to have a vendor do it, or yourself?"


Secures computers need Windowsz 95 (5, Funny)

Anonymous Coward | more than 9 years ago | (#13394630)

So sayeth the editors of Slashdot.

Re:Secures computers need Windowsz 95 (4, Funny)

jericho4.0 (565125) | more than 9 years ago | (#13394758)

"Ask Slashdot: Where New Tech Should Libraries Try Next?" posted by Cliff @ 4:30PM.

"Ask Slashdot: Building Secures Computers?" posted by Cliff @ 7:32PM.

He'll pass out by 10, I bet.

Re:Secures computers need Windowsz 95 (5, Funny)

SYFer (617415) | more than 9 years ago | (#13394816)

No no no. If you'd actually read TFA, you'd see that the building in question is constructed with windows and doors so small that a computer cannot be passed through them, ergo the building does indeed secure the computers. Now that IS news for nerds!

How Ironic... (0, Offtopic)

rpj1288 (698823) | more than 9 years ago | (#13394631)

I click on "read more" and what do I see? "Nothing to see here, move along." Nice.

I just pooped in my diapers! (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#13394634)

Eww, I'm a little baby now!

Get a Mac (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#13394635)

Security at its finest.

I could tell you (1, Offtopic)

SEWilco (27983) | more than 9 years ago | (#13394637)

Prepare for "I could tell you, but..." comments.

Re:I could tell you (1)

lanced (795958) | more than 9 years ago | (#13394860)

No, no, no. That's not it at all. The correct line is: "I can neither confirm, nor deny the existence of secret computers. However, if they did exist, I'm sure I couldn't tell you what OS they're running. And I'm sure I would have to kill you if I told you how they are assembled."

Don't ask Slashdot (5, Interesting)

kevlar (13509) | more than 9 years ago | (#13394638)

Ask the Dept of Defense. Asking Slashdot about DoD guidelines is like asking an elementary school for details about the space shuttle. No offense to /. community.

Don't ask IANA... (5, Funny)

Anonymous Coward | more than 9 years ago | (#13394670)

"Asking Slashdot about DoD guidelines is like asking an elementary school for details about the space shuttle."

True. But we ARE good with law, business, and economics.

Re:Don't ask Slashdot (4, Insightful)

maotx (765127) | more than 9 years ago | (#13394687)

Our facility security officer has a stack of papers that I have been reading over but it is pretty slim in details when it comes to the specifics. Network is a definite no, floppies and CDs are ok, but what about USB hard drives? Etc.

The only reason I asked Slashdot was for a jump start. My manager says we need to have something, at least a plan, by next week.

Re:Don't ask Slashdot (4, Informative)

TripMaster Monkey (862126) | more than 9 years ago | (#13394751)


My suggestion would be to disable floppy as well as USB, and only allow transmission of information to and from this system via CD. USB is right out...don't let anyone try to convince you otherwise...it's an unacceptable security risk. Also, only allow data to be transferred to and from a protected 'sandbox' area on the system, and make certain that autorun of CD-ROMs is disabled in the registry. One more thing: keep the system in a locked room, and personally supervise, if not actually conduct, all data transfers.

Sure, it sounds paranoid...but is it paranoid enough?
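One way to check the registry side of the advice in the comment above, as an added example that is not part of the original post: it parses a `reg export` text dump and flags USB storage, floppy and CD-ROM autorun settings. The sample dump is constructed, and the baseline is an assumption built from the standard Windows value names, not a DoD checklist.

```python
import re

# Constructed sample of `reg export` output for a workstation that does NOT
# follow the advice above (illustrative values, not from a real system).
SAMPLE_WEAK = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Flpydisk]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"""

# The same constructed dump with the three weak values corrected.
SAMPLE_HARDENED = (SAMPLE_WEAK
                   .replace("dword:00000003", "dword:00000004")
                   .replace('"AutoRun"=dword:00000001', '"AutoRun"=dword:00000000')
                   .replace("dword:00000091", "dword:000000ff"))

SVC = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
POL = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"

SERVICE_DISABLED = 4      # Start=4: the driver is never loaded
AUTORUN_REMOVABLE = 0x04  # NoDriveTypeAutoRun bit for removable drives
AUTORUN_CDROM = 0x20      # NoDriveTypeAutoRun bit for CD-ROM drives
REQUIRED_BITS = AUTORUN_REMOVABLE | AUTORUN_CDROM

# Assumed baseline: (check id, key, value name, predicate, expected setting).
BASELINE = [
    ("usb-storage", SVC + r"\USBSTOR", "Start",
     lambda v: v == SERVICE_DISABLED, "4 (USB mass-storage driver disabled)"),
    ("floppy", SVC + r"\Flpydisk", "Start",
     lambda v: v == SERVICE_DISABLED, "4 (floppy driver disabled)"),
    ("cdrom-autoplay-notify", SVC + r"\Cdrom", "AutoRun",
     lambda v: v == 0, "0 (no media-insert notification)"),
    ("autorun-policy", POL, "NoDriveTypeAutoRun",
     lambda v: v & REQUIRED_BITS == REQUIRED_BITS,
     "bits 0x04 and 0x20 set (0xff disables every drive type)"),
]

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VAL_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')


def parse_reg_export(text):
    """Parse .reg text into {key: {value_name: data}} with lower-cased names.

    Registry key and value names are case-insensitive, so both are folded.
    DWORD data becomes int; anything else is kept as a string.
    """
    hive, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = hive.setdefault(m.group("key").lower(), {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            data = m.group("data").strip()
            if data.lower().startswith("dword:"):
                current[m.group("name").lower()] = int(data[6:], 16)
            else:
                current[m.group("name").lower()] = data.strip('"')
    return hive


def audit(text):
    """Return a list of (check id, message) for every baseline deviation."""
    hive = parse_reg_export(text)
    findings = []
    for check_id, key, name, ok, want in BASELINE:
        value = hive.get(key.lower(), {}).get(name.lower())
        if not isinstance(value, int):
            # A missing value is a finding too: the setting is not enforced.
            findings.append((check_id, f"{name} not set as DWORD; want {want}"))
        elif not ok(value):
            findings.append((check_id, f"{name}=0x{value:x}; want {want}"))
    return findings


if __name__ == "__main__":
    for label, dump in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        results = audit(dump)
        print(f"{label}: {len(results)} finding(s)")
        for check_id, message in results:
            print(f"  [{check_id}] {message}")
```
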

Don't ask Slashdot, ask an SSO/SSR/IAM/ISSO/IASO.. (-1, Troll)

choppahead (533533) | more than 9 years ago | (#13394825)

...like me. I just sent you an email with my .mil contact info. This isn't really a conversation for the masses. If you're worried about security, you should start with OPSEC.

Also, the comments that I've read so far were not good advice as far as DIA/DODIIS security regs go. Network security and DIA/DODIIS security requirements are two very different animals. Completely ignore the advice you've gotten on here.

If you want some actual military assistance, respond to my email.

Re:Don't ask Slashdot (2, Informative)

maotx (765127) | more than 9 years ago | (#13394851)

> My suggestion would be to disable floppy as well as USB, and only allow transmission of information to and from this system via CD. USB is right out

We weren't going to add a floppy drive not only for security, but because of how outdated and unused it is here. CDs and printing are going to be the most common methods of transmitting the data. USB is still thrown up in the air. I'm very uncomfortable with it but our client uses it quite often to transfer data. I'm sure the line on that is somewhere though not in the documentation I've been given.

> only allow data to be transferred to and from a protected 'sandbox' area on the system, and make certain that autorun of CD-ROMs is disabled in the registry. One more thing: keep the system in a locked room, and personally supervise, if not actually conduct, all data transfers.

Considering licensing is per computer, not install, each secure project will have its own hard drive with Windows and all other required applications installed with it. No need to worry about unauthorized users having access to any cached data. Also, considering the only information going to be rated classified is what is on the hard drive, we're trying to see if we can use the machine in a nonclassified environment as well and only secure it for classified data when needed. That is a question I'm leaving for DoD though. I seriously doubt we'll be able to do it without having it audited and certified each time. However, when being used for classified data it will always be in a locked room designed to hold secret data.

Re:Don't ask Slashdot (1)

some2 (563218) | more than 9 years ago | (#13394768)

Give them as much storage capacity as they could reasonably need to accomplish the goal of their work with the secure computer. AUDIT EVERYTHING. Ensure non-repudiation by using secure access tokens and physical access controls (secure-id, and a swipe-card locked door).

Permission to state the obvious... (0)

Anonymous Coward | more than 9 years ago | (#13394639)

You are not qualified for your job. Quit.

I've never had to worry about this... (2, Insightful)

jayhawk88 (160512) | more than 9 years ago | (#13394642)

> What is you're experience in setting up a secure computer and is it better to have a vendor do it, or yourself?

....but my gut says "vendor", if for no other reason than a little CYA.

Re:I've never had to worry about this... (3, Insightful)

some2 (563218) | more than 9 years ago | (#13394698)

CYA is exactly why you'd want a vendor to do the build. They have E&O insurance to cover their asses if they screwed something up -- you just lose your job. Also much less work & worry for you if someone does tamper with the equipment as they will have already designed a methodology to review the break-in/tampering to determine the amount of data lost. If the company doesn't have that, don't use them.

A few too many 's'-es (5, Funny)

jrockway (229604) | more than 9 years ago | (#13394643)

Buildings secure computers? Computers secure building? What?

Oh, you meant "building secure computers".

Re:A few too many 's'-es (4, Funny)

Basehart (633304) | more than 9 years ago | (#13394677)

I was halfway through building a lego house next to my computer to make it more secure before I realized it was a typo.

Duh

Re:A few too many 's'-es (1, Insightful)

Tackhead (54550) | more than 9 years ago | (#13394752)

> Buildings secure computers? Computers secure building? What?
>
> Oh, you meant "building secure computers".

In Soviet Russia, security clearance loses you!

Seriously. To the original poster, you are probably asking the wrong audience, and you are definitely risking your clearance by doing so.

Find the guidelines. Read the guidelines. Learn the guidelines. Think of things you would do in order to circumvent those guidelines.

And then, even if it's possible to do it yourself, do not do it yourself, but have a vendor do it. When you find a vendor that offers something that neither you, nor your fellow (cleared :) geeks can come up with a decent means of circumventing, you're probably on track to finding the right vendor.

Security is a process (umm, a process which you've probably broken by bringing this up here :), not a product. Avoid any vendor who appears to be in denial on this point.

As for you asking this in the wrong place, the only hint I can offer is to read the responses at "0" (or even -1). If there are vendors worth avoiding, some Anonymous Coward will probably be around to help (or hinder :) you. Some folks with moderator points may choose to help you, but the people most qualified to help you with mod points may very well choose not to help you, if you catch my drift.

Good luck. Because if you're asking here, you'll need it. :)

Spelling Nazi (0)

Anonymous Coward | more than 9 years ago | (#13394644)

> What is you're experience in setting up a secure computer and is it better to have a vendor do it, or yourself?

Oh yeah trolls? My text is encrypted in rot26. Any reposts and/or making fun of my error is evidence that you broke my encryption. I shall be sending dmca agents over shortly.

Mine (1)

Deltaspectre (796409) | more than 9 years ago | (#13394645)

I have a fairly secure computer squared away between my ears. Every once in a while it will overheat and quit, but that's fine with all the advanced functions it has like "Sneezing" and realistic "Artificial Intelligence". It is very good at being a CAD, with only one problem... it doesn't interface with PAPER at as good of a quality as some other head computers.

Re:Mine (1)

LordNightwalker (256873) | more than 9 years ago | (#13394856)

It's not as secure as you might think; the relative effectiveness of the bar-hack has been proven time and again. The technique consists of saturating the device with plain old alcohol, which on the organic apparatus you describe has the effect of making the output devices more permeable to the sensitive data, up to the point where a simple query will suffice to extract said data.

Secure computer (3, Insightful)

AVazquezR (906094) | more than 9 years ago | (#13394646)

Build it yourself. I wouldn't rely on any manufacturer.

Re:Secure computer (2, Insightful)

Jeff DeMaagd (2015) | more than 9 years ago | (#13394720)

> Build it yourself. I wouldn't rely on any manufacturer.

It still has to be made of parts, and generally those parts are made by manufacturers...

Re:Secure computer (1)

andy jenkins (874421) | more than 9 years ago | (#13394821)

A manufacturer who advertises secure computers probably has faith their product won't get them sued into oblivion.

I heard that... (5, Funny)

rbarreira (836272) | more than 9 years ago | (#13394647)

I heard that the first step towards building secures computers is to be attentive to small details such as spelling and grammar.

You cannot do it most likely (1, Interesting)

gtrubetskoy (734033) | more than 9 years ago | (#13394648)


Though I have never worked for DoD, here is a guess on how this works:

If you are building this system for DoD at a request from DoD, then you have what is called a "need to know", which qualifies you for getting a security clearance sufficient for you to receive the exact requirements for such a system; after that it is simple: just meet the requirements. Of course, once (if!) you get the clearance (and this is an expensive, tedious and long long process involving the polygraph in some cases) and are given those documents, you will be forbidden from sharing this information with anyone else without breaking the law and risking a severe penalty.

If you're not building it for DoD (or for them but not at their request - e.g. in hopes they'll buy your product), then you have no "need to know" and cannot apply for clearance and be revealed the requirements.

I'm guessing it's the latter (or you wouldn't be posting to /.), so the answer is you simply cannot build such a system because you cannot know the requirements.

Re:You cannot do it most likely (1)

Brandon K (888791) | more than 9 years ago | (#13394671)

I'm thinking he is using them for a company he is part of, which needs the documents to be stored under Department of Defense standards, to prevent stealing of their data.

Re:You cannot do it most likely (3, Informative)

maotx (765127) | more than 9 years ago | (#13394767)

To clarify:

Our company is rated for 'secret' information. We currently have classified information, it is just paper right now. We have been requested to expand our capabilities so we may develop new products to meet the demands. We have a set of papers that are pretty light on the details of what is required for a computer to be certified for secret information, but it does not go into enough details for us to have an open mind about it. If we want a secure computer, that's easy. Case sealed with stickers, operating system and software installed on removable hard drive, no network card, and a paper trail going all the way down to the details of the last person who sneezed on it.

What I was really trying to ask was, "In your experience, is the extra money going into a vendor worth it, or is it better just to buy a chassis and set up a machine yourself?"

Re:You cannot do it most likely (4, Interesting)

DaEMoN128 (694605) | more than 9 years ago | (#13394859)

No network is not a DoD requirement. Not being connected to an unencrypted network is. If you have an accredited Secure Network.... you can network these. It is worth the extra money... trust me. I have been in your shoes. Contract writers like warranties.

Re:You cannot do it most likely (1)

ebooher (187230) | more than 9 years ago | (#13394864)

It's not that expensive. You just need to be on a secured base performing a legit job function (ie copier repair) have the Captain who is supposed to escort you off base just wave you on which causes you to see something you aren't supposed to at which point you are interrogated for 48 hours at the end of which you are granted Leve...... NO CARRIER.

Re:You cannot do it most likely (0)

Anonymous Coward | more than 9 years ago | (#13394869)

There is no such thing as a Secret Clearance with a polygraph. Nice try. Plus the post didn't ask about getting a security clearance at all.

Novell Linux (0)

Anonymous Coward | more than 9 years ago | (#13394649)

Use Novell Suse linux with built in support for encrypted filesystems......

Recommendations (1)

Elitist_Phoenix (808424) | more than 9 years ago | (#13394654)

> What is you're experience in setting up a secure computer

Don't use windows

> and is it better to have a vendor do it

Yes, teamwork, a way to share the blame!

You've already violated protocol... (3, Interesting)

TripMaster Monkey (862126) | more than 9 years ago | (#13394658)


Wow...where to begin...

First of all, soliciting advice on the construction of a computer that meets DoD compliance on Slashdot, of all places, is probably not the brightest of ideas...you might want to keep this from your employers if you are interested in keeping your job.

Second, security stickers on their own simply aren't adequate to the task at hand. Remember, you're looking for tamper-proof, not merely tamper-evident...

Re:You've already violated protocol... (1, Insightful)

timmarhy (659436) | more than 9 years ago | (#13394748)

any employer which is backward thinking enough to consider asking for advice from the wider community a bad thing, well i sure wouldn't care to work for them. next thing you will be suggesting posting to a mailing list should get you fired.

Re:You've already violated protocol... (1)

choppahead (533533) | more than 9 years ago | (#13394878)

It is amusing me to read the opinions of people who are completely out of their element...

I'm a SIGINT guy in the Army. I've spent a number of years now building/accrediting/auditing intelligence processing systems (READ: secure computers) and you silly little Slashdot geeks have NO idea what you're talking about when it comes to DoD red-tape.

Re:You've already violated protocol... (2, Informative)

Anonymous Coward | more than 9 years ago | (#13394750)

Actually, most DoD requirements are for tamper-evident rather than tamper-proof. DoD physical security requirements have no illusion that tamper-proof is even possible, but tamper-evident is well within reach.

HOwto (-1, Redundant)

Anonymous Coward | more than 9 years ago | (#13394663)

-Start a company
-Call it 'Secures'
-Build computers

stickers don't prevent tampering (2, Insightful)

josecanuc (91) | more than 9 years ago | (#13394664)

"Security stickers" don't prevent tampering, they only indicate possible tampering.

Building secures computers? Yes. (1, Funny)

Anonymous Coward | more than 9 years ago | (#13394665)

Building secures computers? Yes, if the building has good locks. Even then, I'd invest in motion sensors and trustworthy guards.

Secure Stickers... (2, Funny)

DavidChristopher (633902) | more than 9 years ago | (#13394672)

YES! That's what I need. Forget hardening the system, forget locking down the administrator! Forget DOD requirements. I'll put a STICKER on my machine and it will be secure!

A building that secures computers, interesting. (4, Funny)

Agret (752467) | more than 9 years ago | (#13394676)

How does this building secure the computers? Does it use laser cutty things like on Resident Evil?

closed network (0)

Anonymous Coward | more than 9 years ago | (#13394685)

The only totally secure computer would be one on a physically disconnected network and if the information is that valuable then this would be the only realistic solution.

Talk to your FSO (3, Informative)

ostrich2 (128240) | more than 9 years ago | (#13394686)

If you have to set up a secured computer and your Facility Security Officer can't direct you how (roughly), then there's no way you'll get classified information on the system. It's not like you can set up a computer and all of a sudden the government will trust you to put secure information on it. You need to have a written, approved procedure for doing so. Your DIS rep has to authorize you to put stuff on the system.

At a place I used to work, we just bought Dells. (Heck, I think we even leased them!) When they were delivered, we'd put a standard image on them that did things like warn the users before they logged on, and turned on auditing on certain directories.

Ummm (0, Redundant)

B4D BE4T (879239) | more than 9 years ago | (#13394690)

Even if anyone reading this did know, I'm pretty sure it's illegal for them to give you details.

Come to think of it, I'm pretty sure it's illegal for you to even disclose the fact that you're building computers for a classified project...

if you have to ask... (2, Insightful)

xenomouse (904937) | more than 9 years ago | (#13394699)

> ...I've been tasked with something I'm not quite prepared for...

> ...is it better to have a vendor do it, or yourself?

If you have to ask the question, i think you already know the answer. I'm sure there are tons of great DIY methods of securing a computer, but if you are new to it (and you are), leave it to someone who has done it before.

It would be great to get some first-hand, practical experience on the matter when you have a proper guinea pig, but a classified DoD computer is not said guinea pig.

Not from dell (1)

dj245 (732906) | more than 9 years ago | (#13394702)

> The computer will be used to create secure CAD drawings (Solidworks, OrCAD, etc) and must have, from what I can tell, a removable hard drive and security stickers to prevent tampering.

My advice- Don't buy from Dell. Not because they don't have good business computers (They frequently treat businesses ok) but because even within the same exact model number, different motherboards/video cards/sound cards are used because of price fluctuations. And we all know Dell buys the cheapest stuff possible. Pull one hard drive out of one of these systems and put it into another (seemingly identical) system that happens to have a completely different motherboard, and poof, blue screens of death all over the place.

I've heard that Dell is decent to business buyers. But if you want to buy identical boxes with the chance to buy more in a few months time, you might want to steer clear.

BYO (2, Insightful)

unixbugs (654234) | more than 9 years ago | (#13394706)

Easy as that. If you don't know enough to lock down a computer from the ground up having a vendor supply the service is not going to do you any good because you won't know how it works and you will be at the mercy of Tech Support during a crisis. We have spent years building our own linux distro with what most might consider an over-kill in RBAC and other model implementation. When the latest greatest exploits/bugs/worms hit the scene we go right in and rip up the source and its fixed on the spot that morning, no questions asked. Try getting that out of a 1-800 service. The bottom line is security, not accountability. If you want to make things happen then make them happen, don't wait for someone else to do it. If the NSA thought Microsoft or any other MSO was a big prospect in the contract we wouldn't have SELinux. I could be wrong about trusting the security of my systems to other people, but I can't afford to take that risk, can I?

security stickers (1)

msbsod (574856) | more than 9 years ago | (#13394707)

Make sure the "security stickers" are washable. Seriously, most DOE sites require various forms of such stickers, too. At the same time they ditched secure systems like VMS. These days you see lots of Dell and Gateway PC's with Windows or Linux - and of course with security stickers.

Yes of course (0)

Anonymous Coward | more than 9 years ago | (#13394708)

Computers left outside are hacked at rates many times higher than those secured in buildings.

Stickers prevent tampering? (1)

Dracos (107777) | more than 9 years ago | (#13394710)

Surely the Department of Homer Simpson, er, Homeland Security, will now outlaw naphtha. Should go well with the duct tape.

(naphtha dissolves the adhesive on most stickers, making them easy to remove cleanly)

Re: (0)

Anonymous Coward | more than 9 years ago | (#13394713)

Well, I saw a couple of non-slanderous posts which had good ideas. Just combine them and I am sure you will have your secure machines.

1. Are the specs required to have a secure terminal, i.e. opening the case, using boot disks etc.
2. Are there items sensitive enough to require an encrypted filesystem? If so, you don't necessarily need to use SuSE to do this.
3. Are there requirements for the local/network authentication? i.e. retina, fingerprint etc? I am sure you could find a vendor for these solutions as well.

Good luck, don't listen to people trying to tell you you aren't qualified. Experience is not something a lot of people would have with this.

The Perfect Design (0)

johnnytv (899977) | more than 9 years ago | (#13394715)

I for one welcome our new DoD computing overlords...I would expect that 'removable drives' would not be protected by stickers at all. Perhaps you should bury it in concrete and post sentries at all times to guard the files. Don't let vendors build anything, source it yourself...there's some fine mercenary computer builders out there..

At a guess, and only a guess... (1)

suitepotato (863945) | more than 9 years ago | (#13394718)

I'm relatively sure you'd need to use two or more factor hardware and software encryption on multiple levels, an approved OS which would likely not be Windows given statements by Homeland Security, and some other things that I'm sure the people from the DoD will no doubt be only too happy to tell you if they want you to actually do something for them. They'll definitely tell you what to do. In excruciating detail. They're funny that day.

Re:At a guess, and only a guess... (1)

suitepotato (863945) | more than 9 years ago | (#13394744)

(sorry, that should read "They're funny that way.") See the sig before you go spelling nazi.)

ok, your guess is wrong (0)

Anonymous Coward | more than 9 years ago | (#13394773)

DoD/Navy have op-sheets for securing Windows machines for use on nuclear subs with warheads/etc

try again.

ouch (2, Informative)

lmeyerov (878511) | more than 9 years ago | (#13394722)

There are various levels of Gov. approved hardware/software security. The specifications are public.. but it'd be a waste of your time to figure out how to comply on your own. Furthermore, for most interesting levels, you need to go through a few cycles with outside verification. I think you should start making phone calls.

It's not about the hardware (3, Informative)

Anonymous Coward | more than 9 years ago | (#13394724)

I'm involved in IA (Information Assurance) on VA Class subs... for Voyage Management and Radar.

A sticker and removable hard drive complying with IA is like saying that a power cord is what's needed to make a computer.

At one point we had a meeting and reviewed the full blown DoD requirements for secure computing. Our estimation was that the resulting system would A) be unusable for anything due to the insane lockdown policies, and B) cost around a $million to configure and test to their specs.

It's all about configuration.

Ok, on the non-sensational side... other computers where I work, for dealing with classified data, are to be located in a certified secure room (forget the name of the certifying authority), and yes there is a "class" / "unclass" sticker on the PC, and yes, the hard-drive is removable, and yes must be stored in an approved safe while not being used. And access to the room is by approval only, with both a horribly hard to use combo lock, and a cipher door lock on top of that. Oh yeah, connection to the house-net is verboten. Any-net for that matter.

And my facility is a low-brow Secret only site. Travel to certain DoD contractors with only a Secret clearance and you're treated like a second class citizen.

It's all about configuration. (repeated intentionally)

Be prepared for mind-numbing configuration, test and audit sessions.

I am light on details because I do my best to stay at arms-length from IA at work... it's teh suxor

w

Security (0)

Anonymous Coward | more than 9 years ago | (#13394725)

Here's a little how the NSA makes their Macs secure.
http://www.nsa.gov/snac/downloads_macX.cfm/ [nsa.gov]
There is also some more info there on how to secure other platforms,
Combine that with stickers, biometrics http://bssc.sel.sony.com/Professional/puppy/index.html/ [sony.com] and such, you're on your way to very secure computing.

Cheers

Easy (0)

HairyCanary (688865) | more than 9 years ago | (#13394729)

All you need to have is a removable hard drive. When the computer is to be secured, the hard drive must be removed and placed into a safe rated for Secret information.

I suppose this could be out of date information, but this is how we did it in the military in 1995. Just garden variety Gateway PC's at the time, but with a removable hard drive tray so we could throw it in the safe. Even in '95 we no longer had to observe TEMPEST requirements for material classified Secret.

Simple (0)

Turn-X Alphonse (789240) | more than 9 years ago | (#13394733)

Simplest way. Put it in a private room and only the people who NEED (not want, NEED) a key get it. Then make sure no one leaves the door open and you can get nothing more secure.

Obviously it's easier to buy from a company, then you can go "hey Dell said it" and you keep your job.

MICROSNITCH ALARMS (0)

Anonymous Coward | more than 9 years ago | (#13394738)

Movement sensitive when the PC is turned off, these alarms put out a LOUD alarm sound that can only be deactivated by turning the PC on, or turning the key.

Secure PC (1)

Jom112 (842247) | more than 9 years ago | (#13394739)

First off the DoD will not ever specify use windows NT and have a cisco firewall in front. What they will say is have a secure operating system and necessary network protection. The key is to eliminate possible ways of data leaving the PC. So no USB slots, or ZIP Drives. CAD drawings are relatively large in size so having a Floppy drive is fine. Also go with a vendor solution and then modify it. Showing the DoD that you purchased a secure PC and then made additional enhancements helps more than saying you did everything yourself. Of course this was just all BS that you probably already figured out.

Re:Secure PC (1)

RoadDoggFL (876257) | more than 9 years ago | (#13394772)

Secret computers often have USB ports and floppy drives, even CD burners. They have these because of the existence of secret USB drives, floppy disks, even CD's. Just lock up the removable HDD and make sure the computer's a piece of crap. Seems to be the norm with what I've seen.

Re:Secure PC (1)

Jom112 (842247) | more than 9 years ago | (#13394809)

Maybe consider painting the PC light pink. That should ward off any thieves...

Two words (2, Funny)

digitalgimpus (468277) | more than 9 years ago | (#13394740)

Two words:

Duct Tape

add some plastic wrap, and it's Dept. Homeland Security Approved as well. /sad, but true.

contact (0)

Anonymous Coward | more than 9 years ago | (#13394743)

You should provide a method of contact. I don't think a slashdot forum is the place to discuss such things.

Take a class (0)

Anonymous Coward | more than 9 years ago | (#13394756)

You need to take the NISPOM CH8, Requirements for Industry (or something like that). It is offered by the DSS, but the waiting list is usually months. That class should tell you most of what you need to know.

Once again.... (0)

Anonymous Coward | more than 9 years ago | (#13394765)

somebody probably getting paid more than quite a few of us, asking Slashdot to do their job for them.
Yay.
While we're on this topic, does anyone want to write some code for me? I don't feel like really researching it on my own. I'll just ask Slashdot to tell me how to do it.

Re:Once again.... (1)

jasen666 (88727) | more than 9 years ago | (#13394779)

And in a way, it seems to be a valid method of research.
Instead of looking for the data... have the data come to you.

Lazy, but possibly effective.

Well, a couple of general comments... (1)

starseeker (141897) | more than 9 years ago | (#13394769)

I'm not a sysadmin, but there are certain universal constants...

a) Get ahold of the standards that will actually be applied to test the system and what it actually needs to have/means to be in compliance. Understanding that comes first - make sure you understand it as well as you can (ideally at least as well as the vendor you're buying from.) A.K.A Operation Build BS Detector. ;-)

b) Find out your responsibility - can you hand off responsibility for the computer being built to specs to the vendor, or will you ultimately catch the heat for it regardless of method of purchase? If you're in the hot seat you need to be very sure you can trust the vendor to do it right! In that situation perhaps doing it yourself might be the best way to be sure there are no unpleasant surprises in store, since you can make sure yourself you meet all requirements.

c) Is there some former sysadmin around who has been through purchasing a system that meets these particular specifications before? They may make a good resource - there's nothing like having been in the trenches to teach you all the mistakes and how to avoid them.

d) Does your department have performance reports compiled based on past performance of products purchased from your potential vendors? Also occasionally useful, particularly if you need hard data to justify a choice. This is not the way necessarily to pick the BEST system, but if you don't have the leeway to try a new vendor sometimes you have to go with the gold standard. (Microsoft built an empire based on this principle, and it's worse when you need something secure.) Indeed, I am surprised there isn't a vendor qualification process for something like secure computers, and "approved" vendors which constitute the only choices. If that IS the case, it's down to the usual questions when choosing between vendors - quality, price, performance, etc.

e) Perhaps you could look at uses of BRL-CAD? IIRC some of its uses are classified, so perhaps people using that system could give you some good pointers.

I'm assuming this computer is not networked, and physical security is the only criteria? If so operating system is not an issue, presumably.

Best of luck!

Culpability (1)

HowIsMyDriving? (142335) | more than 9 years ago | (#13394770)

If you build a computer that is compliant, then found out that it is not, and the shit hits the fan, you could be in big trouble. If HP or IBM builds that computer, and it is found out it is not compliant, but they state it is, and sell it as one, the shit hits the fan, and you are in trouble, but not the "get fired, and never work for the government again" kind like the building your own might do.

Three words (1)

citking (551907) | more than 9 years ago | (#13394778)

Anonymous FTP access. Saves the hacker a lot of time and trouble, ya know?

Secure Site (1)

eriksmithtex (658265) | more than 9 years ago | (#13394781)

Back in TI's DOD days this was handled by the computers all being in a vault room (like a bank vault - just a little bigger and with cubicles). Surprisingly not TEMPEST compliant. Regardless, the machines were TI Explorers (at least where I was at) and the only people who had access to the room were those that had clearance. Nothing special was done to these workstations while they were in production, but were destroyed in compliance with DOD mandates when the project was done. Physical security is the only realistic, and probably only legal, way to make sure the machines are secure.

Vendor (1)

LnxAddct (679316) | more than 9 years ago | (#13394782)

Coming from someone with federal security clearance and who has had this issue themself, let the vendor do it. It's just easier and you know it will comply. You seem to not have dealt with this stuff before or you were improperly briefed when you got your clearance, so be warned that once the box is classified, anything that touches it must become classified or destroyed. Make backups of CDs before you use them in the machine because according to policy, if they are to leave the classified area, they must be destroyed. These regulations do vary with different levels of clearance, but the above requirements are most common. Regardless, Slashdot is not the place to ask this question, there are government departments set up to handle this, and more importantly, your company's security officer should know exactly what is needed as it is his job. If your company doesn't have a security officer (or head of security, whatever they call him at your place), notify someone quickly because you are most likely violating a federal policy. Do not *ever* plug the computer in on a public network, you can't use the machine then (well you'll need a new hard drive). Once again, this all depends on the level of clearance this computer needs, but the above is the most common criteria I've come across.
Regards,
Steve

Doesn't matter (0)

Anonymous Coward | more than 9 years ago | (#13394787)

Having to deal with this on a daily basis, I can tell you that you are ultimately going to be responsible for the computer, it doesn't matter what the vendor does, your name is on the dotted line and it will be your tail either way.

Need to know is part of it, the other part is whose rules are you going to be going by? NISPOM or some DoD agency? Each one requires something a little different, also the protection level of the system will dictate how it is setup as well.

Too strong a word. (4, Insightful)

Dan East (318230) | more than 9 years ago | (#13394797)

Editor is too strong a word for what is done by Slashdot staff. Person who clicks button to approve story is far more accurate, although lacking a certain panache.

Dan East

Depends on the containment (1)

rworne (538610) | more than 9 years ago | (#13394803)

There are two ways of securing the computers, but first you need to make a choice:

1. Use the computers in an unsecured (unclassified) area
2. Classify the entire area the computers are in

If #1, you will need to make sure that the area has no uncleared personnel while the classified info is processed and that the drives on the computer are removable and lockable and can be placed into a secure area (like a Mosler safe) for storage when not in use.

If #2, you will secure an area of the building. The advantages to this is that the entire floor or room is secure. PCs in this area can be regular off-the-shelf jobs because the room itself needs to be secured with an alarm, appropriate locks, etc. for access control.

If you really want to get into the nastiness with classified data, try transferring data (unclassified) from a classified system to a non-classified one and see the hoops you need to jump through. Do it improperly and you have another classified system to deal with. That's a real pisser if it winds up being your personal notebook.

The obvious (0)

Anonymous Coward | more than 9 years ago | (#13394810)

1. keep the lan off the internet
2. think twice before you allow a laptop to be connected to the lan.

Not rocket science, but pay attention to detail. (5, Informative)

jinx90277 (517785) | more than 9 years ago | (#13394811)

Most of what you need to know is contained on the Defense Security Services (DSS) Information Assurance website: http://www.dss.mil/infoas/ [dss.mil] The guiding document for DoD contractors is the National Industrial Security Program Operating Manual (NISPOM). Classified systems have to go through a formal certification and accreditation process before they will be approved for classified processing. Since your ultimate goal is to satisfy the accreditor, you should contact him/her as soon as possible to have them explain what will be required and to hear their particular areas of concern so that you can address them early in your design. Security paperwork requires considerable time to fill out, and mistakes can result in long delays in accreditation, or even the rejection of your system.

However, it isn't enough to just build a system with the proper hardware and software configuration -- you also have to make sure that the physical environment and users will meet the requirements of the NISPOM. If you don't already have a facility clearance, then you have a significant issue to tackle before you can even build your system. I'm hoping that you are simply building a new computer to add to an existing classified network or house in an existing DoD closed area -- if not, you may find this to be a very daunting task.

I Heard.. (1)

Comatose51 (687974) | more than 9 years ago | (#13394813)

I heard the Chinese will sell you a real nice 100% DoD compliant computer for really cheap. The only caveat is that you have to use their ISP for network connections.

TEMPEST (0)

Anonymous Coward | more than 9 years ago | (#13394817)

It's been a while since I had anything to do with secure systems. However, when I used to do this stuff, DND (Canada's version of DoD) used a series of standards called TEMPEST. In general computers that dealt with classified information could not be networked in any manner. There are strict limits on the radio frequency emissions that the computer can emit. With a good antenna and some hardware, it is possible to figure out what is on a typical computer screen from the emitted RF. The hard drives have to be removable. Normally the hard drive is stored in a safe, and only checked out when there is work to be done. In at least one case, we found it cheaper to build a TEMPEST chamber to contain the computers rather than buy half a dozen TEMPEST qualified computers.

Possible way (1)

varmittang (849469) | more than 9 years ago | (#13394822)

You could use a RAID 0 for the drives to make it less likely to steal the drives out of it. That you couldn't just walk out with just one drive and have all the info. Especially if you are working with large files and the system writes to both to keep speed high. That someone would have to take all the drives to have all the info. This could be the last line of defense for what the person has to get out of the building with. And if they try for one drive one day, another the next, the PC will crap out on them since one drive is missing, thus drawing attention. But as they always say, nothing is safe unless it's locked in a safe, and not powered on.

Secure computers (0)

Anonymous Coward | more than 9 years ago | (#13394823)

Take a look at this "very readable" document: http://www.dss.mil/isec/nispom.htm [dss.mil] Also look at: http://iase.disa.mil/stigs/stig/ [disa.mil] Get some help! The DSS is the approving authority if I am reading your needs right (a computer used by a civilian contractor). If you didn't know about the DSS, you really need to find someone who knows the processes. Talk to your facility security officer -- they should be able to point you to the right folks in your company.

well, for starters.. (1)

grey259 (731295) | more than 9 years ago | (#13394834)

Don't tell a community of savvy computer users that you're building it.

Take a computer (0)

Anonymous Coward | more than 9 years ago | (#13394837)

Buy a computer with no floppy, no usb, or disable usb in the bios, no CDROM, the case locks and is tamper proof. Run a certified version of Windows on it. Use the approved hardware from the machine they got the certification on.

Lock the computer into a room with no connections to the outside. Filter the power, cover all the windows, paint the room with antispy paint. Cover everything with copper mesh, et voilà, secret computer.

Make it take two people to enter or leave the room. Disallow taking any bags or papers or books or writing utensils into the room. It's best if they change into Tyvek coveralls after a strip search with full body cavity inspection. Once they enter the room they are locked in until they are allowed to leave 12 hours later, no food water or bathroom privileges allowed.

Enjoy your secret computer!

Security Officer (1)

Detritus (11846) | more than 9 years ago | (#13394841)

Your company should have a security officer who knows the current regulations and requirements, and can provide you with reliable information and training in how to handle classified information.

What are your users requirements. (0)

Anonymous Coward | more than 9 years ago | (#13394842)

Most current vendors have contracts to meet the standards you are inquiring about.

I would buy from a vendor for many reasons. The least being the warranty. A home brew system will not have the same warranty support and those who write the contracts like that stuff. Also the vendors also probably know the requirements better than you do. Also get with your organization's IASO, ISO, or IMO in order to find out what you will need network wise for your accreditation.

Check what your maximum requirements are and then find a package that meets your needs. It will save you a lot of headaches.

BTW.. I have done

fwd: Security Problem (0)

Anonymous Coward | more than 9 years ago | (#13394845)

"First of all, if he works for the DoD why would he spill that on a public website? Secondly, why would he tell everyone what it is that he's doing?
I don't think he needs to worry about computer security. The breach in security here is his need for public adulation."

...Ditto what he says.

First you need a secure foundation (0)

Anonymous Coward | more than 9 years ago | (#13394850)

First of all, if you are to detain classified, secret, top secret or NATO secret level data in your facility you need to physically secure it before you even build/buy that computer.

1) You need a badge system that prevents intruders from getting inside the building without authorization.
2) You need security staff that checks employee background information.
3) You need a security guard on site after business hours.
4) Follow strict company-wide IT security policies.
5) You need to apply for a gov security clearance for each of your employees.
6) You probably need security cameras recording every door that enters/exits the building.
7) Keep logs of entry access of the badge system.
8) Visible employee badge with picture has to be always worn. Challenge anyone who does not have one.
9) You need a TEMPEST (like a faraday cage) protected enclosure when your staff will work with computers that will have secret data. It is sometimes called a shield. It normally has an automatic door connected to a badge system, plenum floors, sensors, automatic fire extinguisher, etc.
10) You need to have that shield built right in the middle of the building for many reasons.
11) You need to have that shield inspected many times a year for EM leaks.
12) When employees take the data out of the shield with a removable hard disk, they must secure the drive inside a heavy metal cabinet that has a front metal bar (prevent opening cabinet) and a big lock.

Then after you met all these criteria, you can start to think about building that computer. All that stuff is pretty common sense and these best practices are not secret at all.

Any off the shelf computer equipment will do. You just need to use the computer inside the shield if you are to view/create/modify the data.

Get someone else to do it (1)

shish (588640) | more than 9 years ago | (#13394852)

If you can't get your / you're right, how do you hope to get top class security right?

If your computer skills are anywhere near your writing, you're going to cock up something bigtime, and you DON'T want to be working for the DoD when that happens. I might even be so extreme as to suggest a change in career, for the safety of all involved.

I would go with a hardware solution (1)

rhino_badlands (449954) | more than 9 years ago | (#13394862)

Personally, if your job was on the line to protect this computer and hard drives I would go with a hardware solution, in conjunction with desk locks.

http://www.computersecurity.com/index.html?linkpage=2&linktitle=computer+security+case [computersecurity.com]

I just googled and found the above site, it may give you some ideas

Oh, damn. (1)

Wilson_6500 (896824) | more than 9 years ago | (#13394870)

Well, the headline's an obvious typo, but it still got me thinking. Specifically, it got me thinking about how buildings could be used to secure computers.

Unfortunately, all I could come up with was old Simpsons gags. Worse, they're all sight gags, so I can't even post "Oblig. Simpsons."

"The real humans won't... won't burn quite as fast." No, it's just not the same.

Use the specs from Oceans 12 (1)

Rissole (693590) | more than 9 years ago | (#13394874)

Close linked system with 2 redundant servers locked in titanium cases. Throw in some security stickers and you're done.

from an FSO (0)

Anonymous Coward | more than 9 years ago | (#13394877)

1. You are risking your clearance. This is the last place on the planet that you want to be asking these questions. Also, the answers I've read in this thread so far are mostly dead wrong.
2. If you, or for that matter your boss, have to be asking these questions, you are not qualified to hold your jobs...I don't mean to say this in a cruel way, but you're not. You fuck this up, and you could be looking at fines, jail time, Cuban vacations, etc. Hire a qualified FSO/OPSEC guy (they aren't cheap) or else you WILL get caught during your first audit and that will be the end of your career. And probably your bosses' career as well.

Not nearly enough info (1, Redundant)

YrWrstNtmr (564987) | more than 9 years ago | (#13394883)

I've been tasked with something I'm not quite prepared for:

Quite.

Security level?
FOUO, Secret, Top Secret, Other

Physical security?
Is the actual room secure, or just the hardware?

What platform?
Win/Lin/Mac/Other?

Fingerprint scanner? SmartCard reader?

Some sort of secure LAN, or standalone workstations?

And this is just scratching the surface. You need to find out these answers, and far more. But don't ask in here.

Call your person who set up the contract, the DoD program manager, and your building security manager.
Then call Dell. Especially if you need a basic plan soon.

A removable HD and a sticker does not a secure system make.

Best guess (0)

Anonymous Coward | more than 9 years ago | (#13394885)

I have never been responsible for this but this should be a good start for you.

Have a vendor do the initial build then you verify it. A little direction for you...

Read the DOD directives regarding this. They are publicly available. They are somewhere in the 8000 series.

DISA and the NSA release gold standard guidelines to harden your systems. I would also look into C&A since it will house classified data.