Title: Net Defense from Encrypted Communications
Release Date: 2014-12-28
Description: This February 2012 presentation from NSA’s Technology Directorate describes a system codenamed BLUESNORT and its relationship to associated systems: see the Der Spiegel story Prying Eyes: Inside the NSA’s War on Internet Security, 28 December 2014.
Document: (U//FOUO) Net Defense
from Encrypted Communications
irt i ir\ / 1 HI 1
SECRET//SI//REL TO USA, FVEY
Increment 3 Requirement
SYSREQ10322.2
(S//REL) TURMOIL shall reinject decrypted
IP traffic into BLUESNORT for malicious
network activity detection.
2
SECRET//SI//REL TO USA, FVEY
TOP SECRET//SI//REL TO USA, FVEY
Three-Feather Solution
GALLANTWAVE application
- Same module supports NetDef and SIGINT
- Supports dynamic update of targeting via UTT
- Supports static target updates
GALLANTWAVE Reinjection application
Same module supports NetDef and SIGINT
Supports re-injection of decrypt into TURMOIL for detection by BLUESNORT
BLUESNORT in Stage 1 Prime application
Emits events off decrypted, re-packetized, reinjected data
TOP SECRET//SI//REL TO USA, FVEY
SECRET//SI//REL TO USA, FVEY
HIGH Level Data Flow
Net Defense and SIGINT sites
TIPS (Bluesnort Events)
SECRET//SI//REL TO USA, FVEY
SECRET//SI//REL TO USA, FVEY
Status
Running on MHS DEV ESO T5 and T22
Transform, Reinjection, Signature Hits
confirmed
Signatures need further development
to produce true hits vs. false positives
NTOC POC reviewing XKS hits to
generate new signatures.
SECRET//SI//REL TO USA, FVEY
SECRET//SI//REL TO USA, FVEY
Issues/Risks
1. CA Servers at Net Defense Sites
,> ITx Connectivity to LONCHAUL
w NTOC requires stand-up of separate dev and live ITx fabric
¡. - H/W funding may be needed
a. - Need paperwork for update to firewall - submission expected by 25 Feb
o Expected completion was 29 Feb; now delayed to TBD
di SSH connectivity
& Short term: via BLUEBOX CA Servers at Pentagon - done
o Longer term: via deployment of servers within the NTOC enclave that connect to CA Servers in the field
2. GALLANTWAVE Targeting Challenges
MAILORDER/Ni-FI not yet available
m Mitigation: Manually load static targeting files
6
SECRET//SI//REL TO USA, FVEY
SECRET//SI//REL TO USA, FVEY
CA Capabilities Planned for NCC-3 Test
Events
Capability DT/OA 2 (June 2012) DT/OA 3 ) (June 2013
Defensive Sensor SIGINT Sensor Defensive Sensor SIGINT Sensor
CA Reinjection No DGO TTENT DGO
SECRET//SI//REL TO USA, FVEY
SECRET//SI//REL TO USA, FVEY
Near-term Schedule
Capability Date
GW-R Gate 2 Done (15 Feb)
GW-R Gate 3 Done (29 Feb)
GW-R Gate 5 31 Mar
GW-R Deploy to U sites May
ITx Dev Fabric at NetDef sites 29 Feb +
CA Server ssh connectivity Done via Bluebox
Initial Live Dev Test TURTLEZOO -May
GW-R Core 4.0 May
GW Core 4.0 May
ITx Live Fabric TBD
SECRET//SI//REL TO USA, FVEY
SECRET//SI//REL TO USA, FVEY
Players
BACKUP SUDES
SECRET//SI//REL TO USA, FVEY
CCA Capabilities Planned for NCC-3 Test
Events
Capability DT/OA 2 (June 2012) DT/OA 3 (June 2013)
Defensive Sensor SIGINT Sensor Defensive Sensor SIGINT Sensor
NETFLOW Full Netflow Pretty Good Netflow Full Netflow Full Netflow
BLUESNORT (updates) Yes No Yes Yes
FULL SNORT Yes No (Core 4) Yes Yes
POPQUIZ No No Yes Yes
Performance Testing Yes No Yes Yes
Wireless reinjection N/A Yes N/A Yes
CA Reinjection No Yes Yes Yes
Cyber Tasking Yes Partial Yes Partial
Updated Cloudshield Interface Partial N/A Yes Yes
Metrics and Monitoring Yes No Yes Yes
Orange items are being revisited. Requirements without explicit TML Core 4 dependency
need mission documentation to justify not being covered in DT/OA 2.
SECRET//SI//REL TO USA, FVEY
(S//REL) Dynamic Defense Logical Diagram
CD
INTERNET
(S//REL)
Active Response
Block,
Reroute,
Alter
Network
Interface
Normalized
Packets
Detect
?
COMMAND Action BUSINESS
DISTRIBUTION LOGIC
Alert
Decide
Protected Internal Network
Legend:
TUMULT TURMOIL TUTELAGE NTOC
(T113) (Til 2) (Till) (VSPO)
12
TOP SECRET//COMINT//REL TO
---------JSAr:¥E* -
tRout
Core SSC
SessionFilte
r
(ApJjid)
GW
FragmentFilte
r
D FA Proxy
(IOPort64)
GW-MI
(Metadatalnjecto
TE-STAGE1-
GALLANTWAVE.xxx
GW-
LoadManager
I
#{GALLANTWAV
E-SERVICE}
V
CAServer
X
H>
TargetManager
/ I _ 11 |
\ I I I I
CoreSSC gets UTT updates, tri^{^AhiA©1Erl§ets |
GW-TargetManager responds to IbâdTargets request
from CoreSSC, pulls the GW IP addresses from the
Targeting database; issues control-flow messages
for each IP:Port combination and sends periodic
updates for those.
FCP responds to control-flow messages by
promoting all packets to/from the targeted IP:port
combinations, and PacketRouter ensures these
packets are sent to GW-FIP for sessionization. GW-
FIP outputs 'raw' SOTF session-fragments to the
TE-GW service on the same host.
GW-SessionFilter identifies sessions containing
target technology-of-interest by applying an
appropriate appld tag to each session-fragment.
GW-FragmentFilter removes session-fragments not
containing an appropriate appld for the target
technology-of-interest. Additionally, as a work-
around for an issue in FIP 3.1.10, erroneous
session-fragments missing a specific metadata
filed are removed. GW-MI applies SRI obtained
from Dfid Allocator.
SECRET//COMINT//fRE(EWGMI applies SRI obtained from the DFID
RE USA, FVEY allocator.
SECRET//COMINT//REL TO USA, FVEY
CAServer
Delivery to both XKEYSCORE and
Stage 1 Prime Reinjection
GW-SessionMa nager
GW-
SessionDistributor
TURMOIL SessionReinjection i i
D FA Proxy ,
Desessioniz
er
Packet Injector
Stage 1 Prime
XKS-Sessions
XKSSessionlnterface
r>I XKEYSCORE
SECRET//COMINT//REL TO USA, FVEY
TURMOIL
Stage 1 Prime Reinjection
¡Stage 1 Prime
Decrypted flow
Reinjection
BLUESNORT
DNS
Inspecto
HiddenSalama ider
etc ...
Events
Collect
SECRET//COMINT//REL TO USA, FVEY