How the feds are locking down their networks

The federal government is locking down its networks through an ambitious and fast-paced effort to eliminate connections to the Internet that are vulnerable to attack.

In the past nine months, the feds have reduced the number of external network connections they operate from more than 8,000 to about 2,700. By next year, the feds plan to have fewer than 100, many of them shared by multiple agencies. 

It's an approach experts say large private-sector organizations would do well to emulate.

The federal government's remaining Internet access points will have state-of-the-art security policies and managed security services, including antivirus, firewall, intrusion detection and traffic monitoring.

Bush administration officials say the consolidation effort will help agencies fend off a barrage of viruses, worms, denial-of-service and other attacks, while improving their ability to respond when a hacker gets through their multilayered defenses.

"It will reduce our risk," says Karen Evans, administrator for E-Government and IT in the Office of Management and Budget (OMB). "We will have better situational awareness for what's happening on our networks so we can take actions that will help enhance the trust of the American people that we are protecting their information."

OMB announced the Trusted Internet Connections (TIC) initiative in November. It joins several other administration efforts designed to bolster cybersecurity, including encrypting data on laptops and migrating agencies to a standard desktop operating system configuration. 

The nation's leading carriers -- AT&T, Level 3, Qwest, Sprint and Verizon -- are drafting proposals due in mid-August to provide managed security services for the remaining Internet gateways. The government plans to award contracts in November to some or all of these carriers to support the TIC initiative.

"The federal government has got an onslaught of cyberattacks from foreign entities, and it needs to do something pretty quickly," says Diana Gowen, senior vice president and general manager of Qwest Government Services. "This whole TIC initiative has caused civilian agencies who one could argue are not as security savvy as the intelligence community and the Defense Department to really button things up."

"Internet access, if it's not managed properly, can provide security risks," says Susan Zeleniak, vice president of Verizon Federal. "The government is looking for a way to consolidate that access to make it easier and more efficient to apply appropriate security. . . . The government will see the benefits of this immediately."

Industry observers expect the TIC initiative to continue regardless of who wins the election in November.

"Cybersecurity is such a crucial issue across the whole economy, not just the government," says Ray Bjorklund, senior vice president at FedSources, a market research firm. "Everyone recognizes that there are so many threats out there. The more points of failure you have, the more likelihood you are going to have a failure. The TIC initiative makes sense."

Taking inventory

The TIC initiative required agencies to inventory their networks to identify existing connections to the public Internet and trusted business partners. Agencies are now coming up with plans to consolidate their access points down to two or three, or to share Internet access points with a larger agency.  

The TIC initiative does not require agencies to merge their internal networks, only their Internet access points.

Evans says OMB was surprised to discover that the federal government had more than 8,000 external network connections -- about twice what it expected to find. The number of connections was so high because it included gateways to business partners such as banks as well as Internet connections.

"We were thinking we would be around 4,000 or 5,000 external connections," Evans says. "We quickly dropped that down to 4,500 because all the agencies were going through IT consolidation efforts anyway."

OMB hopes to get the number under 100 by December 2009. Originally, OMB hoped to get under 50 Internet access points but found that goal too aggressive.

"Most of the big agencies are moving to two access points, but some agencies need more than two for good business reasons," Evans says.

Getting the federal government to under 100 Internet access points is reasonable, Evans says.

"OMB and [the Department of Homeland Security] and the service providers believe there is no technical reason why this can't be done," Evans adds. "What we have to do now is work through each of the agencies' access points to make sure they have redundancy, resilience and failover."

The remaining Internet gateways will have a standard set of software tools, which will make security patching faster, OMB says.

"When you have a standardized configuration, you can roll it out and monitor it uniformly," Evans says. "One of the big arguments against the TIC is that everybody knows you've standardized it and now you've made these access points targets. However, that's where you're investing resources, including people with analytical skills who can take proper actions if something happens at one of those access points."

The primary benefit of the TIC initiative is uniformity of the federal security environment, experts say.

"The big surprise with the TIC is that there hadn't been as much rigor uniformly applied across the government," says Jeff Mohan, executive director of the Networx program office at AT&T. "Some agencies have very tight controls, and some agencies had never found out how many access points they had. . . . Now there's a general awareness that cybersecurity is everybody's mission."

Mohan says the TIC initiative has helped agencies discover and shut down rogue portals to the Internet.

"This also had agencies looking from maybe a little different perspective on their network architectures and how they communicate to and from citizens through the public Internet," Mohan says. "With two portals in and out to the Internet, they can do load balancing, have good controls and trap statistics."

On top of the standardized configurations at the Internet access points, the carriers will provide round-the-clock managed security services such as predictive traffic analysis, incident response and post-attack forensics.

Evans says the federal government will benefit by outsourcing the security of its Internet connections to the carriers because they have more expertise in this area.

"Because the agencies will have the access providers looking at their external traffic, the agencies can be more focused on internal types of things that will increase our security," Evans says. "They can keep logs and look at who is accessing what information. They can move their analysis and skill set to inside threats."

All the remaining Internet gateways also will have sensors that link into the federal Einstein program, which provides monitoring and analysis of network traffic to identify unauthorized users and software on federal networks. The sensors feed data to the U.S. Computer Emergency Readiness Team at Carnegie Mellon University.  

Saving money

OMB says the TIC initiative not only improves the federal government's cybersecurity posture, but it also saves money.

"Because the federal government is so big, there are economies that you get from managing a set number of access points," Evans says. "Because we're all competing for the same set of resources as in personnel resources, it makes sense that we would consolidate and limit where we invest those resources rather than having everyone fend for themselves."

OMB says the TIC initiative is not costing much money, either, because agencies were already conducting inventories of their network services and planning for the transition from their existing wide-area network contract, known as FTS-2001, to the new Networx contract, which will provide telecom services for the next decade.  

"There were two different activities that were under way, so we capitalized on them. One was an IT consolidation effort. The other was the transition to Networx," Evans says. "Agencies had been working on their network inventories for over three years when we asked them to identify their Internet access points," she adds.

The federal government is modifying the Networx contracts to allow carriers to provide managed trusted IP services for the remaining Internet access points. The modification is expected to be done in November.

The TIC initiative has the biggest impact on carriers, which will have fewer opportunities to sell Internet access services, but the connections they sell will be larger and will come with more managed security services.

"We may sell fewer pipes, but we'll sell bigger pipes and theoretically at a higher value to us," Gowen says. "I see this as good for the carriers."

Zeleniak says the federal IT market -- including carriers and network equipment providers -- is backing the TIC initiative because it makes sense and is the right thing to do.

"It's easy to perceive the value of creating a unified security policy, and obviously it's much easier to manage that with fewer connections," Zeleniak says. "I think all of us see the value in securing the government's interactions on the Internet."

The TIC initiative offers a road map to states, corporations and other organizations looking to reduce their cybersecurity risks. Retailers and companies that have recently gone through a series of acquisitions may have more unprotected Internet gateways than they realize, experts say.

"If you're TJ Maxx, the TIC is a good idea," Evans says. "It allows you to reduce your risks and streamline your operations. Configuration management is one of the biggest issues in security. If you're optimizing how you do configuration management, you can deploy patches faster, which makes you better off."

This story, "How the feds are locking down their networks," was originally published by Network World.