Network protection takes top priority in Navy/Marine Corps Intranet rollout.
Defense in depth is the key to securing what will be one of the world’s largest intranets. The U.S. Navy is using a layered approach to protect the systems that will connect all of its land commands and, through satellites, its ships at sea.
Information security is of critical importance to the framers of the Navy/Marine Corps Intranet (NMCI). Even as the Navy was developing its requirements for industry teams vying for one of the largest federal contracts in history, department officials placed a high priority on solutions that would comply with U.S. Defense Department and Navy Department security policies. The Information Strike Force, a corporate team led by EDS, Herndon, Virginia, was awarded the $6.9 billion multiyear contract in 2000. Annually, it is estimated that 50 percent of the NMCI program office’s budget is dedicated to security oversight.
The Raytheon Company’s Secure Networks Division, St. Petersburg, Florida, is coordinating the information security piece of NMCI. The firm is working with several companies to provide a complete solution.
One critical element to securing NMCI is integrated solutions, says Cmdr. Bruce Mathers, USN, technical division head, NMCI. Network operations centers (NOCs) can be opened as soon as all the information assurance tools are fully integrated with the other network tools. This includes security at all levels, from individual computers to the network management that ensures that security can be monitored. Currently, three NOCs are operating in San Diego; Norfolk, Virginia; and Ford Island, Hawaii.
While some of the tools are host-based, others are layered to comply with Defense Department public key infrastructure (PKI), Cmdr. Mathers adds. PKI is fully implemented at Defense Department desktops today, the commander says, and will be an integral part of NMCI in the next few months.
Garnett Smith, deputy division head for NMCI information assurance, compares the NMCI protection approach to an onion with each layer offering another level of security. Firewalls, intrusion detection systems and mail scanners are some of the items that guard NMCI users from the threats of the outside world. PKI provides an identification and authentication element to the system, he says.
According to Smith, the vendors decide which security technologies to use; however, the Navy sets the requirements and has the right to approve the choice. For a technology to be accredited, the configurations must be reviewed and tested by the Navy. This information is provided to the designated approval authority, which then matches it to the requirements and, if they are met, grants interim authority to operate. This leads to final approval by the Defense Information Systems Agency (DISA) Security Accreditation Group for interim authority to connect to the unclassified but sensitive side of the nonsecure Internet protocol router network (NIPRNET). The next step is to qualify to connect to the secret Internet protocol router network (SIPRNET), the commander explains. NOCs were the first elements connected to NIPRNET and SIPRNET.
This process will take place for every site and server farm that involves NMCI, so users are confident that the network is both safe and secure. “It’s like putting the puzzle together one piece at a time,” Cmdr. Mathers relates.
Testing is done to validate the configuration and ensure that it is designed in the specified manner. “That’s the first part of the government’s oversight. After the seat has been cut over to the Navy, security operations take over. They ensure intrusion detection and data integrity, compliance with PKI and SIPRNET compliance,” the commander offers. When required, the program office’s information assurance planning services rapidly deploy additional appropriate tools. Then, a red team from the Fleet Information Warfare Center (FIWC), Norfolk, Virginia, checks intrusion detection soundness, and a green team reconfigures the network to address any flaws in the system.
Smith calls this the “trust but verify” motif. “Trust is good as it’s being built, but you have to verify once it’s going operational,” he says. Cmdr. Mathers adds that a $10 million incentive is offered to the vendor for proper information assurance. The contract allows for incentives to be offered quarterly, annually or on a specific project.
According to Lt. Cmdr. David Wilton, USN, red team division officer, FIWC, one way his organization tests the vulnerability of NMCI is by imitating hackers. “We are looking at vulnerabilities from the point of view of the Internet service provider and an insider. We use everyday kinds of techniques that a hacker would use. We attack open forts or firewalls or routers and see if we find any vulnerability. There are some vulnerabilities, and we turn those over to SPAWAR [Space and Naval Warfare Systems Command] and go to the Information Strike Force to make sure the holes are closed,” Cmdr. Wilton states.
Cmdr. Mathers maintains that the Navy’s greatest concerns are security breaches that originate from outside NMCI. “That’s where the greatest threat lies. A lot of the internal threats are management issues more than the tools. The Information Strike Force has fielded some outstanding tools, but once again what do you do with the preponderance of that data? So, we’re taking the latest hacker techniques to address those threats that are the greatest,” he says.
Cmdr. Wilton agrees that the major threat to the network comes from outside the intranet. While hackers can be a nuisance, nation states conduct intelligence collection operations, he adds. “We currently see intrusion attempts every day that run the range from [being the work of] a 15-year-old hacker to something that looks more organized. The Navy’s networks are under attack 24/7 from every level,” the commander discloses. Computer network defense is increasing as the technology and the tools become easier to use, he maintains.
All of the network operation centers have been designed to assume the capabilities of another NOC if security is compromised. In addition, each NMCI site has disaster contingency plans in place. Data at each site is duplicated to provide self-protection. If a security breach brings down a NOC, the data can be sent by individual sites to help bring the NOC back online. In addition, two providers not connected to the NMCI—WorldCom and DISA—have a backup network. “These are key capabilities in the event of a wide area network outage,” Cmdr. Mathers states.
Raytheon’s goal is to provide information assurance at many levels so that such an outage is unlikely. Barton L. Abbott, Raytheon’s NMCI program manager and director of information assurance for the Information Strike Force, says the concept of defense in depth was a key element of the Navy’s requirements. “Raytheon, working with the broader EDS solution designers, assembled a wide range of security solutions for NMCI that would provide that depth. We looked at threats, weighed the risks and proposed multiple layers of defense to protect the system,” he says.
For example, to protect against outside intrusion via the Internet, the company assembled NMCI into a protected enclave using strong Navy policies at the boundary interfaces with NIPRNET and other external networks. To address insider threats, Raytheon employs strong authentication using PKI, the common access card, host intrusion detection and policy monitoring, Abbott says. “The result is an overlapping set of defenses that ensures the types of protections that the Navy and the Marine Corps desire,” he adds.
The company’s work protects against outside and inside attack alike. “It’s a tough call as to whether the insider or outsider threats are worse. We most often think of the outsider threats because those are typically where hackers and others are. Worms and viruses typically emerge on the Internet and find their way into military systems. We take them seriously. There are a number of warning services that we, the Navy and the Marine Corps, employ to alert us to things that might happen. But even if we are not warned, we’ve demonstrated that our architecture can protect us,” Abbott maintains.
Insider threats can often cause greater damage to systems, he adds. To address this possibility, the Information Strike Force and NMCI staffs limit access to parts of the network.
Implementing an intranet as large as NMCI poses some challenges. One of the biggest problems, Abbott says, is transferring and operating a large number of legacy applications on NMCI. “Many of these applications must communicate with servers remaining in the legacy network. This requires that NMCI provide boundary connections to these networks. We work very closely with naval NOCs in restricting these boundary interfaces to what is required to make the applications work,” he explains.
Although Raytheon bears the ultimate responsibility for the information assurance on NMCI, the work entails the incorporation of products developed by other companies as well. Brian J. Finan, director of strategic programs and homeland security, Symantec Corporation, Rockville, Maryland, explains that even during the bidding process, Raytheon was looking for a partner that could offer a full range of security layers. At the time, Axent Technologies Incorporated and Symantec were working on combining strengths. Since then, Symantec has acquired Axent, and the company is now the largest security vendor supporting the project, he states.
According to Finan, systems that have not been patched properly and blended threats pose the biggest danger to information systems today. Blended threats combine the characteristics of viruses, worms, Trojan horses and malicious code with service and Internet vulnerabilities to initiate, transmit and spread an attack, he explains. “By utilizing multiple methods and techniques, blended threats can spread rapidly and cause widespread damage,” he adds.
To address this danger, Symantec is providing a number of products that offer layered protection, including the Symantec Enterprise Firewall 7.0, which is the technology that stopped Code Red attacks when other firewalls missed it, Finan shares. NetProwler is an intrusion detection system that searches for network attacks. It monitors user actions continuously, checks security in real time and manages a networkwide response. By transparently examining network traffic, it instantly identifies, logs and terminates unauthorized use, misuse and abuse of computer systems that are launched by both internal saboteurs and external hackers.
To provide in depth security, NetProwler links with another Symantec product called Intruder Alert. The software looks for malicious or unauthorized activity on laptop computers and servers. The host-based, real-time intrusion-monitoring system allows administrators to implement policy-based management that determines which systems and activities to monitor and what actions to take, while providing real-time reports for both host and network components.
For additional protection, NMCI also is using Symantec’s iGear, a technology that searches for malicious activity being promulgated via the Internet, and NetRecon, which tests the network infrastructure for security vulnerabilities and provides recommendations for fixing them. One product familiar to most computer users, Norton antivirus software, is a key technology for NMCI, Finan says, and it is providing security all the way down to the handheld computer level.
Symantec also is supplying software for NMCI that will help in reconstitution efforts in the event of a security breach. Norton Ghost is a disk-mirroring product that allows users to recover the information on their hard drives after an attack.
Symantec’s newest addition to the NMCI effort is the Enterprise Security Manager (ESM). Because program leaders are interested in cost-effective solutions, the company developed ESM, which allows a reduction in both the number of staff members required to monitor systems and the number of license purchases.
Available this summer, ESM will allow managers at each NOC to monitor hundreds of thousands of machines, making security management something they can cope with, Finan offers. The software intelligently assesses network vulnerabilities and policy compliance from a central console, or management can be delegated in intranet sectors to different individuals.
Symantec is following the lead of Raytheon and EDS in training people at individual sites and NOCs, and so far has been adhering to the program’s rollout pace. “We have people at the NOCs to be sure that any appliance that we put in, Navy personnel know how to use,” Finan relates.
Abbott predicts an exciting future for the security of NMCI. “For example, PKI is going to become even more important in the future for NMCI. When we began, the Defense Department’s PKI wasn’t fully compatible with the Microsoft operating system. Despite attempts by middleware providers, this lack of interoperability meant that we couldn’t deliver a true cryptographic log-in using the common access card. One of our key victories with NMCI was in working with DISA and Microsoft to bridge these problems.
“Late this summer, NMCI will be rolling out the first large-scale use of Defense Department PKI with true cryptographic log-on control. Second, we’re going to roll out a similar Defense Department PKI capability on the NMCI classified network, which will be the first of its kind within the Defense Department.
“Finally, the business of information assurance always keeps changing. Threats change every day. That drives suppliers to develop new products to counter the threats. We’re looking to what the next few years will bring,” Abbott concludes.
Additional information on the Navy/ Marine Corps Intranet is available on the World Wide Web at www.eds.com/nmci.