DOE builds firewall at lab to fend off hackers

in Los Alamos’ firewall

Los Alamos National Laboratory has hidden most of its unclassified network behind
a custom-built firewall to stop hacker attacks on the Energy Department facility at Los
Alamos, N.M.

Public information is consolidated on about 150 Web servers outside the firewall. The
rest of about 17,000 networked devices now are off-limits to the public, said Gina Fisk, a
network engineering staff member in the lab’s Computing, Information and
Communications Division.

The lab maintains its own Web site at,
separate from the Energy domain.

Because of the large number of lab subnets and the need for security features not
bundled in any one commercial firewall package, “we ended up making our own,”
Fisk said.

The network partitioning and firewall installation, completed in March, went fairly
smoothly, Fisk said. Because much of the public information was consolidated and moved to
new servers, however, the site had many broken links.

Some links still pointed to dead ends three weeks later, but the same amount of
information ought to be available if visitors search for it, Fisk said. Lab scientists
still can publish their research on the Web without any new restrictions.

Los Alamos, operated for DOE by the University of California, recently drew attention
over allegations that one of its scientists had passed classified nuclear warhead designs
to China. The lab has set a number of security measures in the wake of the scandal, but
the firewall resulted from a December 1998 directive to improve unclassified computer and
network security.

Lab director John C. Browne’s directive was part of a larger DOE effort, announced
in November, to boost computer security. Plans for partitioning what was called the Open
Computing Network at Los Alamos got under way before that, in 1997, as part of the
lab’s Information Architecture Project.

“The one purpose of the firewall is to reduce hacker activity,” said Phil
Wood, another network engineering staff member. He said each week he observes several
hackers trying to get into the lab’s network.

Fisk said the lab previously drew the same types of attacks that other government sites
routinely experience. “It was getting old,” she said. “It was time to stop

Devices now behind the firewall include desktop systems, printers and supercomputers.
They represent about 99 percent of the unclassified network and do not process or store
any public information.

The unclassified network security model in the lab’s Information Architecture
Project describes the firewall as a distributed gateway of routers, proxy servers,
forwarders and other devices. The unclassified network, whether protected or open, shares
the same backbone. The open and protected segments are defined at each router or switch. A
single router can serve both segments or can be dedicated to one.

About the Author

William Jackson is a Maryland-based freelance writer.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.