Security Blanket

NASA's Glenn Research Center

NASA Glenn network architect Richard Kurak uses several techniques to wrap security around an expanding, high-bandwidth environment: proxy-based filtering, caching and careful tuning.

Layered defenses protect NASA research center

NASA's Glenn Research Center in Cleveland strives to protect its sensitive information while keeping the data flowing freely among 4,000 users.

'In a research environment, it's quite a balancing act,' senior network architect Richard Kurak said.

The center has expanded its bandwidth while managing its capacity so that security measures don't slow work to a crawl.

'Research organizations are difficult to wrap a security blanket around,' said Gib Winter, project manager and lead engineer for security subcontractor Verizon Federal Network Systems, a unit of Verizon Communications Inc. 'NASA Glenn has established itself as one of the more secure research centers.'

Desktop PC resources and connectivity come from Intellisource Information Systems Inc. of Lanham, Md., under the Outsourcing Desktop Initiative for NASA contract. RS Information Systems Inc. of McLean, Va., has primary responsibility for security; Verizon is a subcontractor.

As the center's security lead, Kurak works with the contractors to determine the appropriate security architecture and technology. Having commercial providers gives the center access to better resources than it could provide on its own, he said.

'It's very difficult to get highly qualified personnel and keep them,' he said. Three NASA employees work with 12 contractors on the tasks.

'We've been extremely satisfied' so far with the response to security incidents, Kurak said. 'Looking at vulnerabilities we were susceptible to in the past compared to now, I feel a lot more comfortable.'

Winter said systems have grown exponentially since 1999. The network has gone from 10-Mbps shared Ethernet to 100-Mbps Fast Ethernet. Aging network equipment has been replaced with whatever the staff could beg or borrow, he said, and there are now redundant paths to the Internet with some Gigabit Ethernet segments.

Safe but unwieldy

The firewalls at the perimeter have gone from packet filtering to proxy-based, which generally is considered the most secure type of firewall, Winter said. 'It also is the most difficult to manage. When you've got proxy firewalls, you want to optimize resources inside.'

One method is local caching of popular Web pages to reduce traffic across the network. The bandwidth savings from caching can reach 50 percent, Winter said.

'It takes some careful integration, and there are things that can't be cached,' he said, but the reduction in traffic makes the firewall impact less noticeable.
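The caching trade-off Winter describes, as an added example that is not code from NASA Glenn, Verizon or RS Information Systems: a minimal model of a shared caching proxy that decides which responses it may store (a simplified reading of the RFC 7234 rules) and replays a constructed request log to measure how much origin traffic the cache removes. Every URL, header, size and timestamp below is constructed for the illustration; the names `ProxyCache`, `storable` and `replay` are this example's own.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    t: int                 # seconds since the start of the constructed log
    method: str
    url: str
    authorization: bool = False   # request carried an Authorization header


@dataclass
class Response:
    status: int
    size: int              # bytes the origin server sends for this response
    headers: dict = field(default_factory=dict)


def cache_directives(resp: Response) -> set:
    """Split the Cache-Control header into a set of lower-cased directives."""
    raw = resp.headers.get("Cache-Control", "")
    return {d.strip().lower() for d in raw.split(",") if d.strip()}


def max_age(resp: Response) -> Optional[int]:
    """Explicit freshness lifetime in seconds, or None if the origin gave none."""
    for d in cache_directives(resp):
        if d.startswith("max-age="):
            try:
                return int(d.split("=", 1)[1])
            except ValueError:
                return None
    return None


def storable(req: Request, resp: Response) -> bool:
    """May a shared (proxy) cache store this exchange?  Simplified RFC 7234 s.3:
    only GET/HEAD, never authenticated requests, never no-store or private
    responses, never responses that set a cookie (likely personalised), and
    only when the origin states an explicit max-age (no heuristic freshness)."""
    if req.method not in ("GET", "HEAD") or req.authorization:
        return False
    cc = cache_directives(resp)
    if "no-store" in cc or "private" in cc or "Set-Cookie" in resp.headers:
        return False
    return max_age(resp) is not None


class ProxyCache:
    """Forward cache sitting inside the proxy firewall; counts bytes that
    crossed the perimeter versus bytes served locally."""

    def __init__(self):
        self.store = {}            # url -> (expires_at, size)
        self.hits = self.misses = 0
        self.bytes_total = self.bytes_origin = 0

    def handle(self, req: Request, origin) -> str:
        """origin is a callable returning the Response the upstream server would send."""
        entry = self.store.get(req.url)
        if req.method == "GET" and entry and entry[0] > req.t:   # fresh copy on hand
            self.hits += 1
            self.bytes_total += entry[1]
            return "HIT"
        resp = origin(req)                                       # must cross the firewall
        self.misses += 1
        self.bytes_total += resp.size
        self.bytes_origin += resp.size
        if storable(req, resp):
            self.store[req.url] = (req.t + max_age(resp), resp.size)
        return "MISS"

    def savings(self) -> float:
        """Fraction of wire bytes the cache kept off the perimeter link."""
        return 1 - self.bytes_origin / self.bytes_total if self.bytes_total else 0.0


# Constructed origin responses: what each URL returns when fetched upstream.
ORIGIN = {
    "/index.html": Response(200, 5000, {"Cache-Control": "public, max-age=3600"}),
    "/wind-tunnel/report.pdf": Response(200, 20000, {"Cache-Control": "max-age=86400"}),
    "/news": Response(200, 2000, {"Cache-Control": "max-age=60"}),       # short-lived
    "/account/home": Response(200, 3000, {"Cache-Control": "private, max-age=600",
                                           "Set-Cookie": "sid=abc123"}),  # per-user
    "/api/status": Response(200, 500, {"Cache-Control": "no-store"}),
    "/search": Response(200, 1000, {}),
}

# Constructed request log (time, method, URL).
LOG = [
    Request(0, "GET", "/index.html"), Request(1, "GET", "/account/home"),
    Request(5, "GET", "/news"), Request(10, "GET", "/index.html"),
    Request(12, "POST", "/search"), Request(20, "GET", "/wind-tunnel/report.pdf"),
    Request(30, "GET", "/api/status"), Request(40, "GET", "/account/home"),
    Request(50, "GET", "/index.html"), Request(60, "GET", "/api/status"),
    Request(90, "GET", "/wind-tunnel/report.pdf"), Request(100, "GET", "/account/home"),
    Request(120, "GET", "/news"), Request(130, "GET", "/index.html"),
]


def replay(log=LOG):
    """Run the log through a fresh cache; returns (cache, per-request HIT/MISS list)."""
    cache = ProxyCache()
    results = [cache.handle(r, lambda req: ORIGIN[req.url]) for r in log]
    return cache, results


if __name__ == "__main__":
    cache, results = replay()
    print(results)
    print(f"hits={cache.hits} misses={cache.misses} saved={cache.savings():.1%}")
```

On this log the cache serves four of fourteen requests locally and keeps a little under half of the bytes off the perimeter link, which is the order of magnitude Winter quotes; the personalised, no-store and POST exchanges are the "things that can't be cached" and still pay the full proxy cost. In a real deployment the per-URL store should also honour Vary, and an expired entry should trigger a conditional revalidation rather than a full refetch.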

Glenn has three proxy firewalls in use so that one can be taken out of service with two still available. A BIG-IP FireGuard Controller from F5 Networks Inc. of Seattle load-balances the firewalls to further improve network performance.

'We've implemented a number of intrusion-detection tools,' Winter said, including RealSecure from Internet Security Systems Inc. of Atlanta, and several others he would not discuss.

The center uses Verizon's Net Façade, a so-called honeypot that attracts unwelcome visitors. 'It pretends to be a group of machines and looks like a subnet,' Winter said. Because it is a phony site without legitimate visitors, almost any traffic in the honeypot can be assumed to be malicious.

Common wisdom says that an enterprise's biggest threat comes from insiders. Kurak said that has not been the case at Glenn.

'Deliberate internal compromise has not been a major problem,' he said. 'Glenn's users are very focused and dedicated.' The IT security program focuses on education to prevent lapses when impatient users short-circuit security.

'After Sept. 11, it has become more apparent what the results of that can be,' he said.
