One card is key to many nets
With controller, a Defense agency's users no longer need multiple PCs
By William Jackson
A secure government office has begun using the 2in1 PC controller card from Voltaire Advanced Data Security Ltd. of Vienna, Va., to connect to public and secure networks from a single PC.
Physically separating network connections inside the PC is eliminating multiple workstations at a secure Defense agency.
The National Security Agency in July certified the 2in1 PC controller for use with secret-level networks after it met Assurance Level 2 of NSA's Common Criteria for Information Technology Security.
The surest way to keep secure networks separate from others has been an air gap, in other words, connecting through separate PC clients. The 2in1 PC puts the air gap on the controller card via electromechanical switches.
'Our initial purpose was to reduce the number of seats and the infrastructure support,' said Daniel L. Williams, a consultant working at a secure Defense Department agency in Alexandria, Va., where the card is in use.
More efficient
Williams said workers can be more productive when they do everything at a single PC instead of having to switch between two or more to get onto different networks.
Charley Gienger, an employee who has been using a 2in1 PC controller on a trial basis for several months, said the planning room where he works has three shared PCs connected to the Internet, plus a classified computer on each desk.
'We have to physically get up to use the Internet,' he said. 'With the dual card, we have both capabilities on our desks.'
Williams, a principal functional analyst for Innolog Inc. of Alexandria, said the number of agency PCs will drop from 50 to about 30 when 2in1 PC is fully installed.
The 2in1 PC controller card, introduced in 1998, fits in an ISA slot. An IDE cable from the hard disk connects to the card, and a second cable connects the card to the motherboard. The card has receptors for RJ-11 and RJ-45 plugs for separate network connections.
The controller's software, PartitionMagic from PowerQuest Corp. of Orem, Utah, segments the hard disk and sets aside a transition area to handle switching between networks. The user specifies the size of the secured and public partitions, each of which has its own operating system.
Partition information and master boot records reside in nonvolatile memory on the controller card. Relay switches allow only one physical network connection at a time.
Clicking on an icon initiates a change between networks, shutting down the applications and operating system on the open network. After the machine has powered down, the card switches to the transition area and reboots, accessing the second network.
Gienger said his agency had tried other ways to keep secure and nonsecure data on a single machine, but he called them 'fair, at best.'
Removable hard drives 'worked to a certain extent,' he said, 'but we were still concerned about getting things mixed up and having things clearly defined.'
The drives also had to be physically secured when not in use, and their failure rate was high, making them more expensive than a 2in1 card, Williams said.
'You could pay for two cards within a year with removable drives,' he said.
Williams said he found the Voltaire product during a Web search for security boards.
'We said, 'I wonder if this works,'' he said.
The agency put the controller through its paces in six weeks of testing before the pilot began.
'We asked them for a show-and-tell, and they showed us,' Williams said. 'Then we said, 'We have a system, make it work.' Then we said, 'Fine, let's take it to the next level. There's a bounty out for making it break.'' After eight months, no one has collected the bounty, he said.
The initial installation of 2in1 PC was on a 166-MHz Dell Computer Corp. Pentium II system with 2G of RAM, the agency's low-end system. Good performance there means the controller will work on anything the agency has, Williams said.
Timing's OK
The wait for a reboot when switching networks on the slower machines is not a problem, Gienger said.
Even so, Williams expects some objections when the 2in1 PC begins to eliminate the dedicated Internet PCs in coming months.
One problem is that radios do not work well in the subbasement where the planners use the secure network. To improve the ambience in the windowless basement, they have been playing Internet radio. With 2in1 PC, the planners cannot access the Internet while working in the secure mode.
But because of a savings of up to $2,600 for every PC replaced by a card, Williams said he does not expect the absence of radio to be a compelling argument.
'It's all about dollars,' he said.