Policy: A LANL Success Story - PowerPoint PPT Presentation

Slide footer: Operated by Los Alamos National Security, LLC for NNSA
1
Policy A LANL Success Story
  • Michael S. Zollinger
  • Group Leader
  • Departmental Computing Group, CTN-1
  • Computing, Telecommunications, and Networking
    Division

2
Outline
  • Background
  • Why Policy?
  • Compounding Factors
  • Policy
  • Complications
  • How To Track Compliance
  • Data Sources
  • Power of Numbers
  • Architecture Improvements
  • Current Director's Instructions (Policies)
  • Future Director's Instructions (Policies) and
    Service Offerings
  • Summary

3
Background
  • Historically, policies regarding configuration
    management at LANL
  • Have been few and far between
  • Those that existed had no teeth to them
  • Relied on people being good corporate citizens
  • This has led to difficulties in many different
    areas
  • No mandate for automated tools on systems
  • Inventory agents, etc.
  • Lack of tools for planning acquisitions
  • Nightmarish DOE data calls
  • How many systems do we really have?
  • How do we find all those files they want us to
    search for?

4
Why Policy?
  • Provide foundation of secure computing practices
  • System administrators forced into role of
    policeman
  • Where does it say I cannot have peer to peer on
    my computer?
  • Users do not want ambiguity in the rules
  • Some delight in splitting hairs
  • Best policies are only one page in length
  • Simple, clear language needs to be used
  • For some reason the best brains in America need
    it to be simple
  • Chaos and free for all does not produce a secure
    environment

Beware the vortex!
5
Compounding Factors
  • Yellow (unclassified protected) network is large
  • 14,000 Microsoft Windows platforms
  • 1,860 Mac OS X
  • 1,800 Linux platforms
  • 860 Commercial Unix platforms (Solaris, IRIX,
    Tru64)
  • In addition, special purpose systems are on
    Yellow
  • Control systems
  • Data acquisition systems

6
Policy
  • LANL issues some policies in the form of
    Director's Instructions
  • In January 2006, Dr. Robert Kuckuck issued a
    cyber-security-motivated Director's Instruction
  • Title: On-Site Microsoft Windows-Based Computer
    Systems Using the LANL Yellow Network
  • Compliance required by July 28, 2006
  • All unclassified Windows systems configured to
    secure configuration guidelines
  • All unclassified Windows systems must be members
    of the centrally managed WIN AD domain
  • All unclassified Windows systems must have the SMS
    client installed for inventory and patch
    management purposes
  • If systems are not compliant, they are blocked
    from the network. Problem!

7
Complications
  • Blocking systems that were not compliant with the
    three conditions of the policy turned out to be
    problematic
  • Verifying securely configured systems through
    automated means was difficult
  • Verifying that systems are in the central WIN AD
    domain was not as difficult
  • Verifying that systems had SMS installed was easy
  • This required the creation of a SQL database as
    an authoritative record
  • Takes as a baseline systems that have SMS client
    installed
  • SMS can determine OU that system belongs to
    therefore verifying AD membership
  • Systems that do not meet both criteria are then
    slated to be blocked from network within 5
    working days
  • System owner notified via email of planned
    blocking event

8
How to Track Compliance?
  • Verification tools would be needed to verify
    compliance with the policy
  • All unclassified Windows systems configured to
    secure configuration guidelines
  • All unclassified Windows systems must be members
    of the centrally managed WIN AD domain
  • All unclassified Windows systems must have SMS
    client installed for inventory and patch
    management purposes
  • Number one is difficult to verify other than
    through network scans
  • Number two and three were tracked separately, but
    needed to be verified together
  • Solution: a database that pulls data from two
    sources
  • Enforcement
  • Decision to use existing blocking capability by
    feeding data to CPAT team
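The compliance database described on slides 7 and 8 is a join of two data sources: the SMS client inventory (which also reports the OU a client belongs to) and the computer accounts of the central WIN AD domain. The following is an added illustration, not code from LANL or the CTN-1 group: it builds that join in an in-memory SQLite database, evaluates the two machine-checkable conditions (SMS client installed, member of the WIN domain), and produces the block list with the 5-working-day deadline and the owner e-mail text. All hostnames, OU names, owner addresses and the domain suffix `DC=win,DC=example` are constructed placeholders.

```python
"""Compliance database joining SMS inventory and AD membership (added example)."""
import sqlite3
from datetime import date, timedelta

# Constructed placeholder for the distinguished-name suffix of the central WIN AD domain.
MANAGED_DOMAIN_SUFFIX = "DC=win,DC=example"

# Constructed sample data. SMS_INVENTORY is what the SMS client inventory reports:
# (hostname, OU distinguished name the client says it belongs to). AD_COMPUTERS is the
# list of computer accounts exported from the WIN domain. OWNERS maps hosts to the
# owner e-mail used for the blocking notice. Every value here is made up.
SMS_INVENTORY = [
    ("ws-0001", "OU=Workstations,DC=win,DC=example"),
    ("ws-0002", "OU=Lab,DC=win,DC=example"),
    ("ws-0003", "OU=Desktops,DC=legacy,DC=example"),  # SMS present, foreign domain
    ("ws-0004", ""),                                  # SMS present, workgroup only
]
AD_COMPUTERS = [("ws-0001",), ("ws-0002",), ("ws-0005",)]  # ws-0005 has no SMS client
OWNERS = {"ws-0001": "alice@example", "ws-0002": "bob@example",
          "ws-0003": "carol@example", "ws-0004": "dave@example",
          "ws-0005": "erin@example"}

# One row per host known to either source. has_sms comes from the SMS table; domain
# membership is taken from the OU that SMS reports (slide 7) or from the AD export.
COMPLIANCE_QUERY = """
SELECT h.hostname,
       sms.hostname IS NOT NULL                        AS has_sms,
       COALESCE(sms.ou_dn LIKE '%' || :suffix, 0)
           OR ad.hostname IS NOT NULL                  AS in_win_domain,
       COALESCE(o.email, 'unknown')                    AS owner
FROM (SELECT hostname FROM sms UNION SELECT hostname FROM ad) AS h
LEFT JOIN sms      ON sms.hostname = h.hostname
LEFT JOIN ad       ON ad.hostname  = h.hostname
LEFT JOIN owners o ON o.hostname   = h.hostname
ORDER BY h.hostname
"""


def build_compliance_db(sms_rows, ad_rows, owners):
    """Load both data sources into an in-memory SQLite compliance database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE sms    (hostname TEXT PRIMARY KEY, ou_dn TEXT NOT NULL);
        CREATE TABLE ad     (hostname TEXT PRIMARY KEY);
        CREATE TABLE owners (hostname TEXT PRIMARY KEY, email TEXT NOT NULL);
    """)
    conn.executemany("INSERT INTO sms VALUES (?, ?)", sms_rows)
    conn.executemany("INSERT INTO ad VALUES (?)", ad_rows)
    conn.executemany("INSERT INTO owners VALUES (?, ?)", owners.items())
    return conn


def compliance_report(conn, suffix=MANAGED_DOMAIN_SUFFIX):
    """Evaluate both policy checks for every host known to either source."""
    return [
        {"hostname": host, "has_sms": bool(has_sms),
         "in_win_domain": bool(in_dom), "owner": owner}
        for host, has_sms, in_dom, owner in conn.execute(COMPLIANCE_QUERY, {"suffix": suffix})
    ]


def block_date(notified_on, working_days=5):
    """Date of the planned block: N working days (Mon-Fri) after the notification."""
    day, remaining = notified_on, working_days
    while remaining:
        day += timedelta(days=1)
        if day.weekday() < 5:
            remaining -= 1
    return day


def blocking_list(conn, notified_on_iso, suffix=MANAGED_DOMAIN_SUFFIX):
    """Hosts failing either check, with the reasons and the scheduled block date."""
    notified_on = date.fromisoformat(notified_on_iso)
    entries = []
    for row in compliance_report(conn, suffix):
        reasons = []
        if not row["has_sms"]:
            reasons.append("SMS client not installed")
        if not row["in_win_domain"]:
            reasons.append("not a member of the central WIN AD domain")
        if reasons:
            entries.append({"hostname": row["hostname"], "owner": row["owner"],
                            "reasons": reasons,
                            "block_on": block_date(notified_on).isoformat()})
    return entries


def notification(entry):
    """Text of the e-mail sent to the system owner ahead of the blocking event."""
    return (f"To: {entry['owner']}\n"
            f"Subject: {entry['hostname']} will be blocked from the Yellow network "
            f"on {entry['block_on']}\n\n"
            f"Reason(s): {'; '.join(entry['reasons'])}.\n"
            f"Bring the system into compliance before {entry['block_on']} to avoid the block.\n")


if __name__ == "__main__":
    db = build_compliance_db(SMS_INVENTORY, AD_COMPUTERS, OWNERS)
    for entry in blocking_list(db, "2006-07-28"):
        print(notification(entry))
```

The UNION over both hostname columns is what makes the join useful as an authoritative record: a machine that exists only in AD shows up as missing its SMS client, and a machine that SMS sees in a foreign domain or no domain at all shows up as a non-member, so neither source alone can hide a gap. The secure-configuration condition is deliberately absent, matching slide 8: it was verified by network scans, not by this database.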

9
Data Sources
(Diagram: SMS and AD feed the Compliance SQL Database, which feeds the Blocking Database)
10
The Power of Numbers
  • The SMS infrastructure has allowed for
    significant labor savings
  • Installation of patches
  • Responding to DOE data calls
  • Measuring licensing compliance
  • The ability to plan for hardware upgrades
  • Remote desktop management
  • Forensics investigations
  • Example in cost avoidance
  • YTD cost avoidance for security patch, antivirus
    DAT file, and AdAware DAT file distributions
  • $14M conservative estimate
  • 15 minute labor savings per patch per system
  • Average standard labor rate at LANL for CTN: $51
    per hour (unloaded)

Currently 13,900 SMS Clients on Yellow Network
11
Architecture Improvements
(Diagram: WSUS Server, SAV 10 Server, SMS Servers)
12
Current IT-Related Director's Instructions at LANL
13
Future Policy Direction
  • More policies are in the works
  • Installing software on systems
  • Who is a system administrator
  • Where we provide services, policies are expected
    to follow
  • Blocking non-compliant systems from the network
    seems to be the most effective means to date

14
Principles of Design for Services and Tools
15
Windows Sys Admin Services and Tools
  • ExpressWay
  • Imaging BartPE
  • Symantec Protection Agent
  • SAFE
  • STOW
  • SMS
16
UNIX Sys Admin Services and Tools
  • STOM
  • ExpressWay (KickStart)
  • SAFE
  • RHEST SHARK
  • RHNSS usrlanl
  • CFEngine
17
Summary
  • For a policy to be successful
  • It must be enforceable
  • It must be quantifiable
  • It must make sense
  • Exception process must be explicit and pass
    scrutiny
  • Too easy and the masses will exercise it
  • Measurable improvements due to policy must be
    publicized
  • For LANL, subsequent audits have commented very
    favorably on our approach to configuration
    management