Comment Re:Reverse of the Medal (Score 1) 219

The reason for preventing the teams from conducting attacks is not legal, it is technical. This exercise is not on a LAN like the typical capture the flag game. The academies are connected via WAN links for the CDX.

Unconstrained force-on-force attacks would probably collapse this network or result in an ugly scrum of flooding attacks and bandwidth starvation, rather than an educational exercise.

Comment Re:Not as many? (Score 3, Informative) 219

I'd be more interested in the perimeter defenses they used. Like what kind of IDS/IPS did they use?

The rules require the teams to construct the network within the constraints of a notional budget. This forces the teams to make choices about what infrastructure and security measures to deploy. They cannot have everything they might want; this is a taste of the risk-benefit decisions managers and admins have to make. It is also intended to make it feasible for the Red Team to penetrate a well-watched network, having only a minimal user-base, in only four days.

IPS and other automated response systems are prohibited in the CDX.

For IDS the West Point team used Snort on BSD, with a custom-blended set of rules from VRT and Emerging Threats.

The budget decisions did not support deploying a dedicated firewall device. Firewalling had to be done using Cisco ACLs; however, some creative use of NAT and VLANs helped to make the Red Team's job a bit harder.
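Blending VRT and Emerging Threats rules into one Snort ruleset, as the comment above describes, runs into SID collisions and (in an exercise where IPS is prohibited) rules whose action would block rather than alert. The following is an added illustration, not the West Point team's tooling; the rule files, SIDs and rule text are constructed samples, and the merge policy (higher rev wins, blocking actions rewritten to alert) is an assumption.

```python
import re

# Constructed sample rule files; not the team's actual VRT or ET rulesets.
VRT_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP USER overflow attempt"; flow:to_server; content:"USER"; sid:1000001; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"TELNET login"; sid:1000002; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"DNS zone transfer request"; sid:1000003; rev:1;)
"""
ET_RULES = """\
drop tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN SSH brute force"; sid:2001219; rev:4;)
alert udp any any -> $HOME_NET 53 (msg:"ET DNS zone transfer request"; sid:1000003; rev:3;)
"""

# Matches an (optionally commented-out) rule and captures action, sid and rev.
RULE_RE = re.compile(
    r"^(?P<disabled>#\s*)?(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r".*\bsid:\s*(?P<sid>\d+)\s*;.*\brev:\s*(?P<rev>\d+)\s*;"
)

BLOCKING_ACTIONS = ("drop", "reject", "sdrop")


def parse_ruleset(text):
    """Yield (sid, rev, action, rule_line) for each enabled rule in a ruleset."""
    for raw in text.splitlines():
        line = raw.strip()
        m = RULE_RE.match(line)
        if not m or m.group("disabled"):
            continue  # blank line, plain comment, or deliberately disabled rule
        yield int(m.group("sid")), int(m.group("rev")), m.group("action"), line


def blend_rulesets(rulesets, ids_only=True):
    """Merge named rulesets into one dict keyed by SID.

    On a SID collision the higher revision is kept and the collision is
    reported, because Snort refuses to load two rules with the same SID.
    With ids_only=True, blocking actions are rewritten to 'alert' so the
    blended set stays detect-only (assumed policy for an IDS-only exercise).
    Returns (blended, collisions); blended[sid] = (rev, source, rule_line).
    """
    blended, collisions = {}, []
    for source, text in rulesets.items():
        for sid, rev, action, line in parse_ruleset(text):
            if ids_only and action in BLOCKING_ACTIONS:
                line = "alert" + line[len(action):]
            if sid in blended:
                collisions.append((sid, blended[sid][1], source))
                if rev <= blended[sid][0]:
                    continue
            blended[sid] = (rev, source, line)
    return blended, collisions
```

Writing `blended[sid][2]` for every SID to a single `.rules` file gives a loadable blend; the returned collisions list is what to review by hand before trusting the merge.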
