Saturday, December 15, 2007

Feds Plan to Reduce, Then Monitor

According to the story "OMB directs agencies to close off most Internet links," by June 2008 the Federal government plans to reduce the number of Internet connections it maintains, and then monitor them more closely:

The Office of Management and Budget's Trusted Internet Connections (TIC) initiative is likely to be the last publicized program in the Bush administration's stepped-up focus on cybersecurity, some experts say. More importantly, the new initiative requires agencies to implement real-time gateway monitoring, which has been a deficit in federal network protection.

The TIC initiative mandates that officials develop plans for limiting the number of Internet connections into their departments and agencies. OMB officials want to reduce the number of gateways from the more than 1,000 to about 50, said Karen Evans, OMB's administrator for e-government and information technology.
(emphasis added)

This sounds promising. The story continues:

The initiative also asks chief information officers to develop a plan of action and milestones for participating in the Homeland Security Department's U.S. Computer Emergency Readiness Team's Einstein initiative. The program offers agencies real-time gateway monitoring capabilities and helps them react more quickly to security incidents. About 13 agencies voluntarily participate in the Einstein program.

"The reduction of access points to trusted Internet connections will improve our situational awareness and allow us to address potential threats in an expedited and efficient manner," Evans said. "While we optimize and improve our security, it is also our goal to minimize overall operating costs for services through economies of scale."


Reduction of gateways + enhanced monitoring = better, stronger, faster -- and cheaper.

The story "With Internet gateways, less is more" adds:

A June deadline for agencies to consolidate their Internet connections coincides with another OMB deadline. June is also when agencies must upgrade their backbone networks to run the next-generation Internet protocol, IPv6...

“The [TIC] initiative is saying, ‘We have to know what we own in order to protect it,’ ” Evans said. “We also must know we are managing risk at an acceptable level.”

Evans said the federal government has more than 1,000 gateways to the public Internet.

The target number is 50, but that is not an absolute number, she said. “We know 1,000 or more is not the way to do it. At a minimum, 50 is two per department.”

Fifty gateways is a reasonable number, Evans said, adding that the Defense Department has reduced its Internet gateway count to 18. The Homeland Security Department expects to have only two Internet gateways after it completes its OneNet initiative.

“The 50 or so points of presence [would] become the perimeter of the federal government,” Evans said.
(emphasis added)

Kudos to Karen Evans. I am hopeful that someone who realizes FISMA Is a Joke has begun steering the Federal government away from worthless documentation and towards real network security operations.

10 comments:

Isam said...

I'm skeptical about this aspect:
"better, stronger, faster -- and cheaper."

If we've learned anything in engineering and design it's that you can only pick any two of the three qualities: good, fast and cheap :]

Richard Bejtlich said...

Isam, check the link. This is partly a joke.

DanPhilpott said...

50 internet gateways is going to be great. Because redundancy is totally overrated.

I know that fewer gateways is a wonderful idea in theory. Fewer points of access to attack for the bad guys. Easier to manage and monitor access for the good guys. 50 internet gateways would be perfectly reasonable for any well engineered, centrally managed network infrastructure.

But are the federal government's networks either centrally managed or well engineered? Does the DoD share bandwidth with HUD? Given the amount of data traffic the US Government generates daily it's going to be interesting to see how a successful implementation can be engineered. What happens if some DDoS script kiddies get it into their heads to attack these bottlenecks? What happens when there is an emergency and internet traffic spikes? (What happens if they decide FISMA is a joke and don't go through a well thought out process to consider the possibilities?) With 50 internet connections spread over the myriad federal agencies I see the possibility of spectacular failures in the future. Only time will tell, but I doubt it will take much time.

Richard Bejtlich said...

So make it 100. The problem is that the Federal government, in all its agencies' glory, is already suffering "spectacular failures."

I heard a colonel at a briefing say the "Digital Pearl Harbor" had already happened. The difference between now and 66 years ago is it's easier to hide a digital Pearl Harbor.

DanPhilpott said...

If you can hide a "Digital Pearl Harbor" ... is it really a "Digital Pearl Harbor"?

And I'd agree, the government is regularly suffering spectacular failures. The question here is one of scale. A spectacular failure affecting internet connectivity for 2,000 employees is spectacular. A spectacular failure affecting internet connectivity for 200,000 employees and all the public customers of that agency is above the fold, front page of the Washington Post followed by Congressional inquiries spectacular.

I'm not disputing that a reduction of internet connections to a manageable level is a good thing. It can mean better perimeter control and improved security. In a centrally managed organization with strong security leadership it can lead to gains in real security. But the scale of this reduction is ludicrous. Redundancy is the biggest issue but certainly not the only one.

Imagine you are the person who implements the firewall on that link, who are your customers? Everyone in that agency. So how many exceptions are you required to make? Lots. What is your firewall now? Swiss cheese. As a security guy I'd love to say "No, we can't make those exceptions." but in the real world business requirements trump security directives. Defense in Depth is, of course, the answer here but that begs the question: What was the security gain from the reduction in internet connections?

Anonymous said...

I think I agree with Daniel, but time will ultimately tell. Another of the issues aside from redundancy is who gets to manage the links for which agencies.

Daniel asked, "But are the federal government's networks either centrally managed or well engineered?" The answer is that it depends on the agency. Some agencies may well benefit from letting a more experienced entity take over network management, while some may have to cede control to less experienced or less capable entities. Unfortunately, I doubt that will be part of the equation when they decide who manages what.

Anonymous said...

Hopefully they will have real analysts watching the gateways. Having worked in DoD as a contractor I can tell you the cut and paste monkeys most contractors hire are useless. They put up Snort sensors and then literally cut and paste the Snort alert into a trouble ticket and send it to you. One packet out of context and expect you to solve the problem.

If they do real NSM and look at the entire transaction then it might be worthwhile. If they looked at the entire transaction they would see the web server sent a "404 File Not found" in response to the request Snort alerted on as a web request for "cmd.exe".

Monitoring without intelligence and analysis is useless. In order to do analysis, analysts need data and tools to analyze the data. Hopefully their monitoring will include full packet capture.

Though I suspect monitoring will be having a bake off and awarding a contract to a single vendor for some "Silver Bullet" monitoring tool. Then award a contract to a single vendor to supply CISSPs to monitor that tool. See it is all about "better, faster & cheaper". As a previous poster noted you can have it good, fast or cheap; pick any two.
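
The comment above makes the case that an alert on a single packet says little until you see the whole transaction: a request for cmd.exe that the server answered with a 404 is a failed attempt, not a compromise. The following is an added example illustrating that triage step; it is not code from the post, from any commenter, or from Snort or any other real sensor. It assumes Snort-style fast-alert lines and per-flow HTTP transaction records reconstructed from full packet capture, matches them on the TCP 5-tuple, and grades the alert by the server's response. The alert lines, the transaction records, and the verdict labels are all constructed for this example.

```python
"""
Added example (not from the original post or its comments): triage IDS alerts
against the full HTTP transaction they belong to, instead of judging them from
one packet. All sample data below is constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: two Snort-style fast-alert lines (format approximated,
# not copied from any real sensor). Both fire on a request path containing cmd.exe.
ALERTS = """\
12/15-10:21:03.112233  [**] [1:1002:7] WEB-IIS cmd.exe access [**] [Priority: 2] {TCP} 203.0.113.7:51234 -> 192.0.2.10:80
12/15-10:22:44.556677  [**] [1:1002:7] WEB-IIS cmd.exe access [**] [Priority: 2] {TCP} 203.0.113.9:40000 -> 192.0.2.11:80
"""


@dataclass(frozen=True)
class Alert:
    ts: str
    sid: str
    msg: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Transaction:
    """One HTTP request/response pair, as reconstructed from full content data."""
    src: str
    sport: int
    dst: str
    dport: int
    method: str
    uri: str
    status: int
    response_bytes: int


# Constructed sample: the transactions behind the two alerts above. The first
# server answered 404 (the attempt failed); the second answered 200 with a body.
TRANSACTIONS = [
    Transaction("203.0.113.7", 51234, "192.0.2.10", 80, "GET",
                "/scripts/..%255c../winnt/system32/cmd.exe?/c+dir", 404, 312),
    Transaction("203.0.113.9", 40000, "192.0.2.11", 80, "GET",
                "/scripts/..%255c../winnt/system32/cmd.exe?/c+dir", 200, 1487),
]

# Matches the approximated fast-alert format used in ALERTS (an assumption of this example).
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_alert(line: str) -> Optional[Alert]:
    """Parse one alert line; return None for lines that do not match the format."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    return Alert(m["ts"], m["sid"], m["msg"], m["src"], int(m["sport"]),
                 m["dst"], int(m["dport"]))


def find_transaction(alert: Alert, transactions: List[Transaction]) -> Optional[Transaction]:
    """Join the alert to its transaction on the TCP 5-tuple (proto is TCP for both here)."""
    for t in transactions:
        if (t.src, t.sport, t.dst, t.dport) == (alert.src, alert.sport, alert.dst, alert.dport):
            return t
    return None


def triage(alert: Alert, transactions: List[Transaction]) -> Tuple[str, str]:
    """Grade an alert by what the server actually did. Verdict labels are this example's own."""
    t = find_transaction(alert, transactions)
    if t is None:
        # Without the transaction there is nothing to judge; the single packet is not enough.
        return ("needs-data", "no transaction record for this flow")
    if t.status == 404:
        return ("failed-attempt", f"server answered 404 to {t.method} {t.uri}")
    if 200 <= t.status < 300:
        return ("escalate", f"server answered {t.status} with {t.response_bytes} bytes to {t.method} {t.uri}")
    return ("review", f"server answered {t.status} to {t.method} {t.uri}")


def triage_all(alert_text: str, transactions: List[Transaction]) -> List[Tuple[Alert, str, str]]:
    """Run triage over every parseable alert line; unparseable lines are skipped."""
    results = []
    for line in alert_text.splitlines():
        alert = parse_alert(line)
        if alert is not None:
            verdict, reason = triage(alert, transactions)
            results.append((alert, verdict, reason))
    return results


if __name__ == "__main__":
    for alert, verdict, reason in triage_all(ALERTS, TRANSACTIONS):
        print(f"{alert.ts} {alert.src}:{alert.sport} -> {alert.dst}:{alert.dport} "
              f"[{alert.sid}] {alert.msg}: {verdict} ({reason})")
```

The join is on the 5-tuple only, so an alert whose flow never shows up in the transaction data comes back as "needs-data" rather than being silently dropped or escalated; that is the case the comment describes, where the ticket carries one packet and nothing to analyze it against.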

DanPhilpott said...

In reference to my "either centrally managed or well engineered?" comment. I was thinking more in terms of central management/engineering covering the whole of the government as opposed to individual agency implementations. I meant that if there were a single 'Government Network' then 50 internet connections could provide sufficient redundancy and a well engineered solution. But when each agency has one or two central connections and has to distribute that traffic internally to a national customer base the risk of 'spectacular failure' increases. I'm sure some agencies have excellent internal network organizations, but structurally this topology concerns me.

BTR01 said...

This is all very interesting, and I'm sure that it will work, at some scale. How that all works out will remain to be seen.

As a current government employee, I can tell you that when something like this does happen (I have no doubt that it will), it will be worse than things are now. Why do I say this?

FACT: I tried to send a travel voucher to DFAS last year. There were three ways to get it to them. One was to email it, another was to fax it, and the third was to actually snail mail it. In this day and age, there was no way that I was going to mail that stack of papers with all of my information on it to them. So that effectively left two ways to get it to them. Both of those ways were basically (unbeknownst to most) the same, because their fax machine was tied in with their email servers. Guess what they were having problems with... yep, you guessed it, their email servers. So basically there was no way of getting this information to them electronically. But wait a minute... there was another problem. Guess who managed their network? Well, it wasn't them, that's for sure. So when I emailed my digitally scanned documentation in pdf format, guess what was being blocked by their network admins? Yep, you guessed it, pdf files!

Ok, maybe this whole thing is a little lengthy, but the point that I'm trying to make is this. The agencies don't play well together, let alone communicate. So if anything is going to be done to force the agencies to interoperate together nicely, I would recommend that before that is attempted, there needs to be some sort of agreement in place between the agencies, and then there needs to be someone with grade kahonas on both sides of the fence to make things happen and hold people accountable! Until this happens, and it isn't happening yet, there's no way to make something like this work that remains fundamentally broken.

Well, that's my 2 cents. Thanks for listening.