ONI counts on defense-in-depth, redundancy for its nets
Absolute network integrity is vital to protect Office of Naval Intelligence operations, said George M. Barton, deputy director of ONI's Information Technology Directorate.
ONI relies on a range of protections so that there is no one point of failure on its six networks.
'I want overlap, I want redundancy,' Barton said. 'I want automatic systems, I want manual systems. There is value in all of that.'
The value became clear last year when the MSBlaster and SoBig worm variants attacked systems and clogged networks.
'We did not experience one infection in the ONI domains,' Barton said.
A security suite of firewalls, intrusion detection systems and antivirus products guards ONI's networks. John Marshall, chief of ONI's enterprise systems, said the configuration strategy 'was to understand where holes exist in the network before they can be exploited.'
He said the IP360 vulnerability management tool from nCircle Network Security Inc. of San Francisco found the holes.
IP360 scans networks, identifies vulnerabilities and weighs them against an organization's security policy to prioritize the remediation tasks.
In addition to the nCircle product, ONI uses RealSecure from Internet Security Systems Inc. of Atlanta. The two products have different strengths, and nCircle's does more automation, Barton said.Flagging vulnerabilities
'IP360 is one of the better products we've seen to date that helps in identifying vulnerabilities,' he said.
It has two components: a device profiler that queries network devices and a vulnerability exposure manager that correlates the profiles with known vulnerabilities. Each component is a hardened Unix appliance, said Fred Kost, nCircle marketing vice president.
The profiler queries IP devices to discover their configurations, open ports, services and applications being run.
The manager maintains a current list of vulnerabilities for the various profiles. As new vulnerabilities are found, it scores them by their inherent severity and the impact an exploit could have.
The business rules for assessing impact of an exploit typically come from the users, Kost said. The resulting weighted scores prioritize the risks so that the IT staff can take care of the most serious first.
The design goal for IP360 'is to be able to scan an entire network within 24 hours,' Kost said. Each manager component can support about 100 profilers. The number of profilers needed depends on a network's size and layout. A profiler must be located on each side of a partition, for example.
'With lots of security zones, you need more profilers,' Kost said. 'On a more horizontal network, you need fewer.'
In ONI's complex environment, 'we manage multiple LANs at various levels of security,' Barton said. 'We're running the IP360 tool on multiple security domains.' Profilers watch over both internal and external segments.
The manager module connects regularly with nCircle's data center to update vulnerability data. On ONI's LANs that have no Internet connections, staff members install the updates manually from CD-ROM.
Barton said he is continually adding new tools because no single product does everything he needs.
'I fund several thousand dollars a year for these capabilities,' he said. He expressed satisfaction with his agency's defenses but added, 'Your work is never complete in this kind of effort.'