DOE builds firewall at lab to fend off hackers

Los Alamos National Laboratory has hidden most of its unclassified network behind
a custom-built firewall to stop hacker attacks on the Energy Department facility at Los
Alamos, N.M.


Public information is consolidated on about 150 Web servers outside the firewall. The
rest of about 17,000 networked devices now are off-limits to the public, said Gina Fisk, a
network engineering staff member in the lab’s Computing, Information and
Communications Division.


The lab maintains its own Web site at www.lanl.gov,
separate from the Energy domain.


Because of the large number of lab subnets and the need for security features not
bundled in any one commercial firewall package, “we ended up making our own,”
Fisk said.


The network partitioning and firewall installation, completed in March, went fairly
smoothly, Fisk said. Because much of the public information was consolidated and moved to
new servers, however, the site had many broken links.


Some links still pointed to dead ends three weeks later, but the same amount of
information ought to be available if visitors search for it, Fisk said. Lab scientists
still can publish their research on the Web without any new restrictions.


Los Alamos, operated for DOE by the University of California, recently drew attention
over allegations that one of its scientists had passed classified nuclear warhead designs
to China. The lab has put a number of security measures in place in the wake of the scandal, but
the firewall resulted from a December 1998 directive to improve unclassified computer and
network security.


Lab director John C. Browne’s directive was part of a larger DOE effort, announced
in November, to boost computer security. Plans for partitioning what was called the Open
Computing Network at Los Alamos got under way before that, in 1997, as part of the
lab’s Information Architecture Project.


“The one purpose of the firewall is to reduce hacker activity,” said Phil
Wood, another network engineering staff member. He said each week he observes several
hackers trying to get into the lab’s network.


Fisk said the lab previously drew the same types of attacks that other government sites
routinely experience. “It was getting old,” she said. “It was time to stop
it.”


Devices now behind the firewall include desktop systems, printers and supercomputers.
They represent about 99 percent of the unclassified network and do not process or store
any public information.


The unclassified network security model in the lab’s Information Architecture
Project describes the firewall as a distributed gateway of routers, proxy servers,
forwarders and other devices. The unclassified network, whether protected or open, shares
the same backbone. The open and protected segments are defined at each router or switch. A
single router can serve both segments or can be dedicated to one.


About the Author

William Jackson is a Maryland-based freelance writer.
