May 08 2008

Time for Security

In the vanguard of collapsing Internet access, DOD has experience that other agencies can exploit to meet the TIC mandate.
by

Vanessa Jo Roberts is editorial director of BizTech magazine. She’s been covering technology since the days when data was shared via “sneakernet.” 

The move to fewer Internet gateways clearly unnerves agencies: When the Office of Management and Budget asked agencies to provide a list of the gateways they wanted to keep, they identified more than 1,900 in all — roughly 1,850 more than OMB wants agencies to use governmentwide.

As a starting point, OMB estimates the government maintains about 4,000 Internet gateways, says Karen Evans, administrator for e-government and IT. Agencies can keep a gateway if they can justify a unique need.

Essentially, OMB based the Trusted Internet Connection plan on the Defense Department’s successful consolidation of Internet gateways. DOD now runs all traffic through 15 to 19 gateways, says Defense Deputy CIO David Wennergren.

Making the shift engenders a classic turf battle, he says. The control freaks in the agencies won’t want to cede their gateway jurisdictions, he says. It’s the job of IT to help program managers understand the benefits of moving to fewer gateways, which include better security and fewer management concerns, Wennergren says. Plus, “there’s no reason that anyone has to take a performance hit when you consolidate your Internet access points.”

Here are pointers Wennergren offers, drawn from DOD’s consolidation effort:

  • Develop a process that’s repeatable. The number of gateways that an agency needs will fluctuate, so define the rules for when to set one up and when to shutter one.
  • Institute a standard enforcement process for gateway governance so that IT can monitor what managers need from their Internet gateways to achieve their mission goals.
  • Create a demilitarized zone so that you can have a place where both trusted and untrusted connections can occur. The DMZ will let you keep users out of your production networks — “crucial in the Web-based world.”
  • Keep the total number of gateways at fewer than two dozen. “With more than a couple dozen, you can’t afford to monitor and you can’t get the job done.”
  • Make sure you have agency buy-in. Because gateway needs will change and this effort demands governance, “the agency chief has to care about this, and they have to care more than one time.”
  • Consider partnering with other agencies to create classification and log-review organizations because it’s fairly expensive to do this research and to review mass volumes of traffic.
Making the Most of Vulnerability Analyses

As part of the TIC effort, the Homeland Security Department has begun revising the vulnerability reports that US-CERT releases.

“We must provide this data daily and in a better format than we have been,” DHS CIO Scott Charbo says.

US-CERT needs to provide agencies with a better feedback mechanism on what it learns from its research of malware and network traffic irregularities, he says. It’s not useful enough or tactical enough now for agency IT teams to make use of and to apply to their security operations, Charbo adds.

Meanwhile, he encourages CIOs and other senior IT chiefs to make sure that they have attained adequate security classification levels. Charbo says many need a higher classification so that they can view analysis materials issued by US-CERT.

Related Articles

Close

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT

Subscribe Now