Topic: Security
Web Content Filtering

To better monitor outbound traffic to the commercial internet, the DoD has implemented a process called Web Content Filtering (WCF). Under normal circumstances, the encrypted traffic between a browser and a website, mediated by a cert, is opaque to the outside world. With WCF, a DoD-furnished certificate acts as an intermediary between the browser and whatever website the user is attempting to access. As a result, the user’s request becomes visible and readable, so that it can be approved before it is re-encrypted and passed along to the website.
Accessing DoD Resources

Most DoD sites and services require PKI credentials (e.g. Common Access Card) for access. If the user is coming from a deployed system within Arcus, they have several options for presenting their PKI credentials.
Option 1 - Use the “CAC Passthrough” feature
This feature allows users to access their local CAC reader from their remote desktop.
- Advantages: Allows users to use their existing CAC
- Limitations: Less seamless process than the browser-based access; users must be allowed to use an RDP client on their local machine; limited to Windows systems on the local and remote side
Please see this KB Article for more details on using this feature.
Certificates

CONS3RT sites supporting government users (e.g. Arcus) require the use of PKI certificate credentials for authentication. These can include:
- DoD Common Access Card (CAC)
- External Certificate Authority (ECA) (https://public.cyber.mil/eca/)
- DoD External and Federal PKI Interoperability approved organization (https://public.cyber.mil/pki-pke/)
- MITRE corporate credentials
The 6 sections below cover the most common user questions regarding certificates.
- How to Register with a Certificate
- Obtaining an ECA Certificate
- Obtaining a DOD Certificate
- Logging in to Arcus with a Certificate
- Adding a New Certificate or CAC to your account
- Managing your Account Certificates
- Troubleshooting Certificate issues
If you can’t answer your question by perusing this KB, please feel free to submit a support ticket to support@arcus-cloud.
Firewall Default Configuration

The default firewall configuration of a machine in a deployment run is set as follows:
- Linux inbound ports allowed on the cons3rt-net:
  - 22 TCP
  - 5902 TCP
  - ICMP
- Windows inbound ports allowed on the cons3rt-net:
  - 3389 TCP/UDP
  - 5902 TCP
- All other incoming traffic on the cons3rt-net is either blocked or rejected
- All outgoing traffic on the cons3rt-net is not filtered
- Traffic on all other interfaces is not filtered
Using firewalld
The default firewall configuration is handled on Linux using iptables and iptables-service.
Customer FAQs

Question: When a user is sent a link to upload a file to Arcus to his/her email, how long is the link valid? If there is no limit on this, can there be? Example: User A uploads a file. User A then leaves his/her current role and should no longer be able to upload a file. Since this was a link and the user need not be registered in Arcus, could he/she keep uploading files indefinitely?
IATT-like Connectivity

By default, teams cannot access systems inside of Arcus from an external source other than through the Arcus portal. This is by design and part of the security accreditation. However, for organizations with short-term test and evaluation needs, there is an Interim Authority to Test (IATT)-like process for granting temporary inbound access from specific sources. Users can request specific, event-based exceptions to temporarily allow inbound traffic into their Arcus cloudspace for the purposes of a preplanned, coordinated test event.
Password Complexity Rules

Complexity Rules:
- Password must be more than 14 and fewer than 121 characters in length
- Password cannot be the same as, nor contain, the user name
- Password must contain at least two uppercase letters
- Password must contain at least two lowercase letters
- Password must contain at least two numbers
- Password must contain at least two special characters
Anti-Virus Whitelist Process

In Arcus, you can request whitelist support for uploading files that might otherwise trip typical antivirus protections.
Whitelist Process
1. Submit a ticket
2. Scan your file at http://virusscan.jotti.org/en. If there are more findings than ClamAV, it is your responsibility to remediate. If only ClamAV has a finding, you can request a whitelist
3. Submit the file to site admins (via support@arcus-cloud.io)
4. Our site admin will scan your file. If it passes, we will add your file name to the whitelist.