Pentagon on behalf of the Network Security Services-Pentagon section of the US Army Information Technology Agency. (I would like to provide a URL, but there's no point linking to sites that return "403.6 Forbidden: IP address rejected" errors!) Doug Steelman, pictured with me in the photo below, invited me to discuss network security monitoring at their Pentagon Security Forum. Last month Erik Birkholz and Steve Andres from Special Ops Security spoke on assessments. Next month Kevin Mandia of Red Cliff Consulting will discuss incident response. Doug and his colleague Mark Orlando were kind enough to take me on a tour of the building and share some of their approaches to detecting intrusions on the Pentagon's networks.
While I will not outline specifics here, I will say I was impressed by the variety of network traffic the Pentagon collects. They are not a single-solution shop that can be beaten by evading one variety of intrusion detection system deployed at the perimeter. Rather, they gather alert, session, and statistical data and have the capability to collect some full content data. I will not name tools, but I was surprised by some of their choices. By this I mean they seemed genuinely interested in novel approaches to identifying and validating security events.
As far as the Pentagon network is concerned, they are literally an ISP in their own right. They have multiple Autonomous Systems (ASes) and they connect to the DISA backbone with 100 Mbps ATM links. After September 11th, 2001, they decided to reengineer their network to be more disaster-resilient, and they are now deploying an MPLS-based routing design to facilitate this goal. I look forward to meeting and working with this team in the future, and I thank Doug and Mark for being great hosts today.