[ISN] DOD may pull key net from the Internet

From: InfoSec News (isnat_private)
Date: Tue Aug 27 2002 - 06:01:05 PDT


    By Christopher J. Dorobek and Diane Frank
    Aug. 26, 2002

    In an effort to secure one of its most widely used Internet networks,
    the Defense Department is considering constructing something more akin
    to an intranet.

    The Non-Classified Internet Protocol Router Network (NIPRNET) was
    created in 1995 as a network of government-owned IP routers used to
    exchange sensitive information.

    But DOD officials, increasingly uncomfortable with having NIPRNET
    reside on the Internet, want to put the network behind firewalls and
    create a "demilitarized zone" for services that need public access,
    said Keith Fuller, the Defense Information Systems Agency's chief
    engineer for information security, speaking last week at the
    Government Symposium on Information Sharing and Homeland Security in

    Some military services and Defense agencies need public access to the
    Internet, he said. That was evident when DOD shut down access to the
    Internet as part of its effort to protect the agency from the "Code
    Red" worm that was proliferating across the Web.

    In conjunction with the efforts to secure NIPRNET, DISA is creating a
    database that will contain the ports and protocols for DOD systems to
    identify what would be affected if DOD had to pull the plug on its
    Internet connection, he said.

    The efforts are part of a long-term goal to plug security holes on
    NIPRNET. "The long and the short of it [is] that it was, in all
    practical terms, just an extension" of the Internet with "little
    additional controls," said retired Col. John Thomas, former chief of
    DISA's Global Operations and Security Office and now director of
    strategic programs at EMC Corp.

    NIPRNET has some "significant" security controls but is still largely
    an open network, he said, because NIPRNET was developed before there
    were significant threats.

    In 1999, DISA sought to plug some of those holes by cracking down on
    unofficial connections. "Positive control of all NIPRNET/Internet
    connections is an absolute requirement," according to an Aug. 22,
    1999, policy issued by then-DOD chief information officer Art Money.

    That policy, however, failed to plug the holes. A December 2000 report
    from the DOD inspector general was critical of the efforts and
    concluded that NIPRNET's security policy was never incorporated into
    overall DOD policy.

    Furthermore, the IG report noted that the policy "lacked visibility"
    because it did not clearly define the process for connecting services
    nor did it require regular status reports on the progress made in
    securing the NIPRNET/Internet connections.

    Whenever DISA attempted to push greater security, there was always
    resistance, Thomas said. He said the military "has an absolute need to
    be able to transit the Internet."

    The DOD IG report noted that 70 percent of the traffic on NIPRNET is
    directed toward the Internet. "As the growth and usage of the Internet
    surge, so do the dangers of intrusion into sensitive networks," the
    report concluded.

    Thomas stressed that the difficulty has always been in finding the
    right balance between security and open lines of communication.