Forwarded from: William Knowles <wkat_private> http://www.computerworld.com/securitytopics/security/story/0,10801,82390,00.html By DAN VERTON JUNE 23, 2003 Computerworld NEW ORLEANS -- The need for a more secure network infrastructure was one of the driving forces behind the U.S. Navy's quest to build the $6.9 billion Navy/Marine Corps Intranet. But with only a few months left before the majority of N/MCI seats are deployed, questions and concerns about security remain. During the Navy/Marine Corps Intranet Industry Symposium here last week, officials from both the Navy and its prime contractor, Electronic Data Systems Corp., touted N/MCI as "the most secure network in the Department of Defense" and possibly in all of the federal government. "Today, N/MCI is an industry standard," said Al Edmonds, president of EDS Government Solutions. But some Navy users, senior officials and even EDS business partners raised concerns about the N/MCI program's approach to security. "N/MCI is the most secure network in DOD? It's kind of hard to judge that," said Cathy Baber, director of information assurance at the Naval Network and Space Operations Command, which the Navy formed last year to oversee security for N/MCI. "There are still concerns. There are a lot of things that weren't thought about," she said. One such issue is managing the certification process for connecting N/MCI users to the current Defense Information Systems Network (DISN), the Pentagon's main telecommunications backbone for both classified and unclassified data. Vanessa Hallihan, program manager for IS security at the Space and Naval Warfare Systems Command, manages the DISN connection process. "We haven't yet come to grips with [N/MCI] as an enterprise process," she said. "The workload is very intense, and I don't have the resources." Bart Abbott, director of information assurance programs at Raytheon Co., a subcontractor to EDS on the project, said he believes that the N/MCI project team has delivered on the Navy's need for a more secure network, though he acknowledged that there are still wrinkles in the N/MCI security fabric that need to be ironed out. For example, EDS has piloted the use of public-key infrastructure (PKI) technology at two user sites and plans to roll out PKI for all N/MCI users in conjunction with common access cards, or smart cards. But more work needs to be done to make PKI and smart cards easier to use, he said. Abbott also acknowledged performance problems resulting from various security mechanisms, such as e-mail and Web content filtering at the connection points between N/MCI and the Defense Department's unclassified network, which is known as the Non-secure Internet Protocol Routing Network. In addition, users have reported full disk scans taking place during the log-on process. "We've looked at the mobile user in particular," said Abbott, adding that EDS is trying to significantly improve network performance for remote access. It will take EDS and the Navy several months to improve remote access and make other network security adjustments, including the implementation of an updated virus-protection package that includes a spam filter. Several industry representatives at the symposium also raised concerns about commercial contractors' inability to communicate with external entities, such as their own corporate offices. "It's a difficult proposition, because the corporate environment is an untrusted environment from the Navy's perspective," Abbott said. Lt. Col. Ken Buetel, director of the Marine Corps Information Technology and Network Operations Center, said some of his supporting vendors have raised the same issue. Buetel said he has been forced to tell them, "We really don't trust the corporate domain." *==============================================================* "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. Gray, USMC ================================================================ C4I.org - Computer Security, & Intelligence - http://www.c4i.org *==============================================================* - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Tue Jun 24 2003 - 01:19:47 PDT