Cryptologic and Cyber Systems Division

AFLCMC… Providing the Warfighter’s Edge

Rogue Devices: OMG! What are All These Rogue Devices on My Network?

Arlyne Shelton

AFLCMC/HNCDI

UNCLASSIFIED

OVERALL BRIEFING IS UNCLASSIFIED

Distro A: for Public Release

AFITC Rogue Devices Final


Overview

• Rogue Devices
• Rogue Devices Effects and Solutions
• DOD PKI as a Solution
• DoD NPE Portal
• Path Forward
• Summary
• Next Steps
• Questions

Rogue Devices

• Department of Homeland Security Strategy, 16 May 18
  – Current cyber threat – increased more than ten-fold in last 5 years
  – Cyber security strategy – 60% focused on reducing or mitigating vulnerabilities
• What are rogue devices?
  – Unidentified access point
  – Unauthenticated computer equipment

Rogue Device Effects and Solutions

• Rogue device effects
  – Cyber attacks on government agencies
    • Equifax and Anthem breaches
    • AFCEA, The Cyber Edge 20 Sept 2017
  – Federal cybersecurity survey
    • July 2017 Market Connections, INC SolarWinds World Wide, LLC
    • 30% increase in external hacking and denial of service
    • 60% of respondents felt confidence
• What solutions can be used to prevent?
  – Shared Secret, Port Security, Internet Protocol Security (IPSEC), Domain Name System Security Extensions (DNSSEC)
  – Public Key Infrastructure (PKI)

DOD PKI as a Solution

• What is an NPE certificate?
  – Credential granted to an authorized device
  – Ensures ownership and use in accordance with guidance and directives
• DOD PKI not more widely used due to
  – Lack of awareness
  – Degrades the user experience
  – Familiarity with legacy processes
  – Current PKI issuance method is a manual process
• DOD PKI benefits
  – Facilitates Integrity of Data Transfer
  – Eliminate Simple Passwords for Authentication
• Legacy certificate issuance (manual process)
  – Not responsive to the needs of the customer
  – Requires several Out Of Band Steps
• Is there a more streamlined method?

DoD NPE Portal

• DoD NPE Portal (Next Gen)
  – Replacing manual process
  – Expands issuance methods
  – Trusted roles
• DoD NPE is an automated enterprise capability
  – SIPRNet and NIPRNet
  – Available for devices not connected to Active Directory
• Issuance method
  – Web enrollment – Automates device certificate issuance
  – Bulk enrollment – No daily limit for requesting and issuing device certificates
  – Device Enrollment over Secure Transport (EST) and Simple Certificate Enrollment Protocol (SCEP) Protocols
    • Edge Router, DMZ, etc.
    • Protocols to auto enrollment
    • Reduce Validity Period on issued certificates

DoD NPE Capability Comparison

LEGACY                                       | NEXT Generation
100% manual process                          | Automatic issuance portal
Submit DD Form 2842-2 (<10)                  | Unlimited amount of certificate requests
AF RA approval required                      | AF RA approval not required
Must monitor and renew prior to expiration   | Automatic renewal of certificates (EST)
Could take 1-5 days for certificate approval | Approval in seconds

DoD NPE Portal Roles

PKI Sponsors                          | Capability           | Approval  | Functionality
Unregistered Sponsor (any CAC holder) | Web, Bulk            | RA        | Same As Legacy
Registered Sponsor                    | Web, Bulk, SCEP, EST | Automatic | Next Generation
Administrator                         | Web, Bulk, SCEP, EST | Automatic | Next Generation

DoD NPE Path Forward

• Current projections
  – Operational Assessment – Fall 2018
    • AF participating
    • Sufficient participation sites for Web & Bulk
    • Need CISCO & Juniper devices for EST & SCEP
  – FOT&E – Spring 2019
    • AF Participating
    • More sites and devices will be needed
  – Full Deployment Decision – Spring 2019

Summary

• Rogue Devices
  – Risk to the network
  – PKI as a solution
• Legacy NPE vs. NPE Portal
  – Manual process
    • Several out of band steps
    • Approval in days
  – Automated process
    • Streamlined and scalable
    • Approval in seconds
• NPE path forward
  – Current schedule projections
  – Requirement for more participation

Next Steps for YOU

• Assess your environment
  – How are your devices authenticating?
  – Verify need for NPE certificates
  – Identify devices eligible for auto-enrollment with EST/SCEP
• Complete the NPE Portal Training (https://powhatan.iiie.disa.mil/pki-pke/training/NPE/FOUO_index.html)
• Verify you can reach the portal (https://npe-portal.csd.disa.mil/NPEPortal)
• Identify and request roles for your personnel
• Request being part of Operational Assessment
  – Visit the AF PKI SPO booth for more info
  – Contact AF RA org box ([email protected])

AF PKI SPO POCs

• AF PKI [email protected]

• AF PKI Registration Authority [email protected]


Questions
