N/MCI Security Doubts Persist

[InfoSec News <isn () c4i org>]

Forwarded from: William Knowles <wk () c4i org>

http://www.computerworld.com/securitytopics/security/story/0,10801,82390,00.html

By DAN VERTON 
JUNE 23, 2003
Computerworld 

NEW ORLEANS -- The need for a more secure network infrastructure was
one of the driving forces behind the U.S. Navy's quest to build the
$6.9 billion Navy/Marine Corps Intranet. But with only a few months
left before the majority of N/MCI seats are deployed, questions and
concerns about security remain.

During the Navy/Marine Corps Intranet Industry Symposium here last
week, officials from both the Navy and its prime contractor,
Electronic Data Systems Corp., touted N/MCI as "the most secure
network in the Department of Defense" and possibly in all of the
federal government.

"Today, N/MCI is an industry standard," said Al Edmonds, president of
EDS Government Solutions.

But some Navy users, senior officials and even EDS business partners
raised concerns about the N/MCI program's approach to security.

"N/MCI is the most secure network in DOD? It's kind of hard to judge
that," said Cathy Baber, director of information assurance at the
Naval Network and Space Operations Command, which the Navy formed last
year to oversee security for N/MCI. "There are still concerns. There
are a lot of things that weren't thought about," she said.

One such issue is managing the certification process for connecting
N/MCI users to the current Defense Information Systems Network (DISN),
the Pentagon's main telecommunications backbone for both classified
and unclassified data.

Vanessa Hallihan, program manager for IS security at the Space and
Naval Warfare Systems Command, manages the DISN connection process.  
"We haven't yet come to grips with [N/MCI] as an enterprise process,"  
she said. "The workload is very intense, and I don't have the
resources."

Bart Abbott, director of information assurance programs at Raytheon
Co., a subcontractor to EDS on the project, said he believes that the
N/MCI project team has delivered on the Navy's need for a more secure
network, though he acknowledged that there are still wrinkles in the
N/MCI security fabric that need to be ironed out.

For example, EDS has piloted the use of public-key infrastructure
(PKI) technology at two user sites and plans to roll out PKI for all
N/MCI users in conjunction with common access cards, or smart cards.  
But more work needs to be done to make PKI and smart cards easier to
use, he said.

Abbott also acknowledged performance problems resulting from various
security mechanisms, such as e-mail and Web content filtering at the
connection points between N/MCI and the Defense Department's
unclassified network, which is known as the Non-secure Internet
Protocol Routing Network. In addition, users have reported full disk
scans taking place during the log-on process.

"We've looked at the mobile user in particular," said Abbott, adding
that EDS is trying to significantly improve network performance for
remote access. It will take EDS and the Navy several months to improve
remote access and make other network security adjustments, including
the implementation of an updated virus-protection package that
includes a spam filter.

Several industry representatives at the symposium also raised concerns
about commercial contractors' inability to communicate with external
entities, such as their own corporate offices.

"It's a difficult proposition, because the corporate environment is an
untrusted environment from the Navy's perspective," Abbott said.

Lt. Col. Ken Buetel, director of the Marine Corps Information
Technology and Network Operations Center, said some of his supporting
vendors have raised the same issue. Buetel said he has been forced to
tell them, "We really don't trust the corporate domain."


 
*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.