Air Force bolsters net security
- By Gregory Slabodkin
- Mar 16, 1997
Despite recent hacker attacks, Air Force officials said they are confident that
commercial security products can create a highly secure network and protect it from
attacks over the Internet.
The $1 billion Combat Information Transport System, which will be used at 108 air bases
around the world, is undergoing modernization. The security products will protect the
external connections to the redesigned CITS network.
"A network without management and protection is an impotent one," said Lt.
Col. David Genovese, CITS program manager at the Electronic Systems Center at Hanscom Air
Force Base, Mass. "We must have a network that is manageable, scalable and
Base network control centers will be the nerve center at the air bases. From there,
systems managers can spot unauthorized users on networks.
CITS uses routers, switches and hubs from Cisco Systems Inc. of San Jose, Calif.,
including a Cisco 7206 external router, Cisco 7507 internal router and Cisco 2100 Ethernet
The firewall, Sidewinder 3.0 from Secure Computing Corp. of Roseville, Minn., sits
between the external and internal routers buffered by Ethernet switches on each side.
The packet filtering is performed on the external Cisco router using comprehensive
access control lists, Genovese said. The packet filter compares packet headers against an
approved list of IP addresses and halts unauthorized data.
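The header check described above, as an added Python example (not code from the article or the CITS program): it parses raw IPv4 headers and permits only packets whose source address is on an approved list, denying everything else, including malformed headers. The function names, the allowlist and the sample addresses are constructed for illustration.

```python
import ipaddress
import struct

# Constructed allowlist (documentation address ranges), not from the article.
APPROVED_SOURCES = [ipaddress.ip_network("192.0.2.0/24"),
                    ipaddress.ip_network("198.51.100.16/28")]

def parse_ipv4_header(packet: bytes):
    """Return (src, dst) from a raw IPv4 header, or None if malformed."""
    if len(packet) < 20:
        return None                      # shorter than the minimum header
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4 or ihl < 5 or len(packet) < ihl * 4:
        return None                      # wrong version or truncated options
    src, dst = struct.unpack("!4s4s", packet[12:20])
    return ipaddress.ip_address(src), ipaddress.ip_address(dst)

def filter_packet(packet: bytes, approved=APPROVED_SOURCES) -> str:
    """Default deny: permit only well-formed packets from an approved source."""
    parsed = parse_ipv4_header(packet)
    if parsed is None:
        return "deny (malformed header)"
    src, _dst = parsed
    if any(src in net for net in approved):
        return "permit"
    return "deny (source not approved)"

def build_header(src: str, dst: str) -> bytes:
    """Build a minimal 20-byte IPv4 header for the constructed samples."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed)

if __name__ == "__main__":
    # Constructed samples: approved source, unapproved source, truncated header.
    samples = [build_header("192.0.2.10", "203.0.113.5"),
               build_header("198.51.100.40", "203.0.113.5"),
               build_header("192.0.2.10", "203.0.113.5")[:12]]
    for pkt in samples:
        print(filter_packet(pkt))
```

A filter of this kind trusts the source address in the header, which the sender sets, so it is one layer alongside the firewall and host-based monitoring the article describes.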
OmniGuard/Enterprise Security Manager and OmniGuard/Intruder Alert software by Axent
Technologies Inc. of Rockville, Md., perform network vulnerability assessments, as well as
monitor and respond to unauthorized entry attempts throughout the enterprise system, Air
Force officials said.
The Axent products are host-based security products, Genovese said. For instance,
Intruder Alert resides in all internal servers; the Enterprise Security Manager software
resides in the computer security officer's PC. Data traffic from Intruder Alert and the
Sidewinder firewall is fed into the security management server and supported by Air Force
personnel who can react to intrusions immediately.
Before moving to a PC LAN running Microsoft Windows NT, the Air Force used a
Hewlett-Packard 9000 for the Security Management Server. The service now uses a Compaq
ProLiant 6500 server. The World Wide Web proxy server, also from Compaq, connects to the
Internet and base LAN. The proxy server controls users' access privileges.
Despite the service's shift to NT, the service is sticking with Unix firewalls because
their software runs on that operating system and Unix is more robust than NT, Genovese
"And from a security perspective, Unix is a much more understood environment at
this point in time," he said.
The software includes HP OpenView, which allows network administrators to find network
faults, as well as enterprise management from Tivoli Systems Inc. of Austin, Texas, and
internal help desk software from Remedy Corp. of Mountain View, Calif.
SafeSuite by Internet Security Systems of Atlanta scans network components for security
vulnerabilities. If a factory-delivered password is left on a Cisco router, SafeSuite
finds it, alerts network managers and suggests possible corrections.
The generic Air Force base network architecture includes access to the external
Non-Classified IP Router Network, which is a potential weak spot for information security.
The Automated Security Incident Measurement (ASIM) system--a network intrusion
detection tool developed by the Air Force Information Warfare Center (AFIWC) at Kelly Air
Force Base, Texas--eavesdrops on IP traffic and finds unauthorized activity. AFIWC also
records the intrusion detection information for review later in the day.
Axent officials likened ASIM to a camera that films a bank entrance while Axent's
security software acts as a camera trained on the bank's vault. The difference is that
Intruder Alert operates in real time.
Electronic Data Systems Corp. and TRW Inc. provide all the network equipment and
security products for the CITS program under the Unified LAN Architecture II contract.
The Air Force, however, is looking at General Services Administration schedules and the
Navy's Voice, Video and Data contract as alternative sources.
About a dozen bases have completed the transition to the CITS network design. The rest
of the bases will follow by the end of 1998.
The Air Force plans to replace cable plants and switching systems at bases with
fiber-optic links by 2004 as part of the CITS program.