How the feds are locking down their networks

US government's ambitious effort to lock down vulnerable Internet connections.

Taking inventory

The TIC initiative required agencies to inventory their networks to identify existing connections to the public Internet and trusted business partners. Agencies are now coming up with plans to consolidate their access points down to two or three, or to share Internet access points with a larger agency.

The TIC initiative does not require agencies to merge their internal networks, just their Internet access points.

Evans says OMB was surprised to discover that the federal government had more than 8,000 external network connections -- about twice what it expected to find. The number of connections was so high because it included gateways to business partners such as banks as well as Internet connections.

"We were thinking we would be around 4,000 or 5,000 external connections," Evans says. "We quickly dropped that down to 4,500 because all the agencies were going through IT consolidation efforts anyway."

OMB hopes to get the number under 100 by December 2009. Originally, OMB hoped to get under 50 Internet access points but found that goal too aggressive.

"Most of the big agencies are moving to two access points, but some agencies need more than two for good business reasons," Evans says.

Getting the federal government to under 100 Internet access points is reasonable, Evans says.

"OMB and [the Department of Homeland Security] and the service providers believe there is no technical reason why this can't be done," Evans adds. "What we have to do now is work through each of the agencies' access points to make sure they have redundancy, resilience and failover."

The remaining Internet gateways will have a standard set of software tools, which will make security patching faster, OMB says.

"When you have a standardized configuration, you can roll it out and monitor it uniformly," Evans says. "One of the big arguments against the TIC is that everybody knows you've standardized it and now you've made these access points targets. However, that's where you're investing resources, including people with analytical skills who can take proper actions if something happens at one of those access points."

The primary benefit of the TIC initiative is uniformity of the federal security environment, experts say.

"The big surprise with the TIC is that there hadn't been as much rigor uniformly applied across the government," says Jeff Mohan, executive director of the Networx program office at AT&T. "Some agencies have very tight controls, and some agencies had never found out how many access points they had. . . . Now there's a general awareness that cybersecurity is everybody's mission."

Mohan says the TIC initiative has helped agencies discover and shut down rogue portals to the Internet.

"This also had agencies looking from maybe a little different perspective on their network architectures and how they communicate to and from citizens through the public Internet," Mohan says. "With two portals in and out to the Internet, they can do load balancing, have good controls and trap statistics."

On top of the standardized configurations at the Internet access points, the carriers will provide round-the-clock managed security services such as predictive traffic analysis, incident response and post-attack forensics.

Evans says the federal government will benefit by outsourcing the security of its Internet connections to the carriers because they have more expertise in this area.

"Because the agencies will have the access providers looking at their external traffic, the agencies can be more focused on internal types of things that will increase our security," Evans says. "They can keep logs and look at who is accessing what information. They can move their analysis and skill set to inside threats."

All the remaining Internet gateways also will have sensors that link into the federal Einstein program, which provides monitoring and analysis of network traffic to identify unauthorized users and software on federal networks. The sensors feed data to the U.S. Computer Emergency Readiness Team at Carnegie Mellon University.
