Sea trials

The Navy has tested the project for years; IT Petty Officer 1st Class Lansaw checked the policy server aboard the USS Blue Ridge last April.

Courtesy of the Navy

The Navy tests an embedded firewall card and policy server on land and at sea, including aboard the USS Coronado

After surviving three years of Navy testing ashore and at sea, the Embedded Firewall PC Card for notebook PCs and the Embedded Policy Server have received Common Criteria Certification.

3Com Corp. of Santa Clara, Calif., is marketing the Embedded Firewall card, which uses technology developed by Secure Computing Corp. of San Jose, Calif., and the Defense Advanced Research Projects Agency.

In June the PC Card and policy server both received Common Criteria Evaluated Security Level 2 certification with an endorsement for flaw remediation. The firewall client hardware also is available for servers and desktop PCs but has not yet received certification.

'The Navy Warfare Development Command used the Embedded Firewall card in four experiments as an example of current system defense technology,' said Cmdr. Jeff White, information warfare officer for the development command in Newport, R.I.

The Space and Naval Warfare Systems Command in San Diego and the Office of Naval Operations plan to buy the cards in bulk.

At the client level, the firewall is operating system-independent, blocking malicious traffic before it reaches the OS. The policy server centrally manages all the clients.

'They work hand in hand,' 3Com product manager Drew Terry said. 'The PC Card protects the end user.'

The user cannot alter policy or disable the firewall. Up to 30 rules can be enforced without significant performance impact, Terry said. Having more than 30 rules imposes a 5 percent to 10 percent performance cut, but a well-crafted policy need not have that many rules, he said.

The seed of the Embedded Firewall was a 3Com network interface card with a microprocessor for accelerating virtual private network encryption. In 2000, DARPA, 3Com and Secure Computing began developing firmware for packet-level inspection. Their goal was to move firewall hardware from the network perimeter to the end user to add protection under DOD's Computer Network Defense in Depth concept.

The Autonomic Distributed Firewall project went through its paces during Fleet Battle Experiment India in June 2001. 'We applied it to a small enclave of five or six devices running under one policy server,' White said.

A vulnerability assessment and traffic analysis of the network established policy requirements that were applied to the client firmware.

'And then we red-teamed it,' White said. The red team members failed to break into the target IP address even though they had information about client access and the protection being used.

The project then received more development resources from SPAWAR and the Office of Naval Operations. SPAWAR worked on baseline security policies while DARPA continued work on the card.

To see if it could scale up to a larger operation, the hardware again underwent tests during Fleet Battle Experiment Juliet in July and August 2002. It protected four applications of the Joint Fires Initiative 'to the tune of about 45 nodes,' White said.

The nodes were afloat on the USS Coronado and ashore at the Fleet Combat Training Center-Pacific, forming a distributed test environment. The red team tried to disrupt time-critical targeting, and 'again the red team failed,' White said.

A few bumps

Some weaknesses appeared, however. There had not been time to do detailed traffic analysis for the expanded experiment, so problems arose with policy development and integration.

SPAWAR then tested its baseline firewall policy in the Navy's IT for the 21st Century environment. This happened in limited experiments by the Navy's Third Fleet in October and November 2002.

'We saw that the baseline policy worked very well, but additional adjustments have to be made,' White said. Because of the various vessels' systems and missions, no one size fit all.

The final test with commercial-ready products took place during Fleet Battle Experiment Kilo last April. There were 160 protected nodes on the operational network of the USS Blue Ridge, as well as another six nodes on the USS Vincennes.

'It was a success for everyone,' White said.

A risk assessment and detailed traffic analysis done before the test were used with SPAWAR's baseline policy to set rules for the firewalls. The rules traveled 1,500 nautical miles from a policy server to the clients over legacy communications links on the Blue Ridge and Vincennes.

So far, only the Embedded Firewall PC Card for mobile users has been evaluated under Common Criteria. The card is location-aware, so it can follow the appropriate policy whether the notebook logs in from inside the network or remotely.

About the Author

William Jackson is a freelance writer and the author of the CyberEye blog.