Odd Web traffic alerts Va. county
- By Shawn McCarthy
- Aug 20, 2003
State and local government officials who have noticed strange activity on their computer systems could learn from the experiences of Arlington County, Va.
On Sept. 11, 2001, Vivek Kundra was interviewing for the position of the county's network services director, at a building so close to the Pentagon that he could see smoke and hear the commotion of that day's deadly terrorist attack.
After landing the director job, Kundra found himself witnessing a different kind of suspected terrorist activity. He noticed strange traffic patterns on the county's Web servers. When the county's information security officer reviewed server logs, he found a steady increase in traffic from Middle Eastern countries. Then he noticed the visitors were seeking information about the county's power plants and water supplies.
Kundra said such discoveries have changed the opinions of many people about what purpose a government Web site should serve. The focus has gone from sharing information to protecting it.
To halt the online intelligence gathering, Kundra took some of the information offline. His team also blocked connections from certain countries.
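The log review described above can be automated. The script below is an added illustration, not code from the article, from Arlington County or from any vendor it names: it parses Web server access-log lines, maps each source address to a region, counts requests for sensitive pages per region per day, flags regions whose interest rises steadily, and emits the networks to deny at the firewall. The log lines, the region-to-network table and the list of sensitive path prefixes are all constructed for the example; a real deployment would substitute a GeoIP database and its own site map.

```python
"""
Added example (not code from the article or from Arlington County): detect a
rising trend of requests for sensitive pages from particular source regions in
Web server access logs, then list the networks to block at the firewall.
"""
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample log, Apache "combined"-style, covering three days.
SAMPLE_LOG = """\
198.51.100.23 - - [10/Jul/2003:08:01:12 -0400] "GET /index.html HTTP/1.1" 200 5120
203.0.113.7 - - [10/Jul/2003:08:03:45 -0400] "GET /utilities/water-treatment.html HTTP/1.1" 200 8800
192.0.2.44 - - [10/Jul/2003:09:10:01 -0400] "GET /utilities/power-plant.html HTTP/1.1" 200 7300
198.51.100.23 - - [10/Jul/2003:09:15:30 -0400] "GET /utilities/water-treatment.html HTTP/1.1" 200 8800
203.0.113.7 - - [11/Jul/2003:02:20:11 -0400] "GET /utilities/power-plant.html HTTP/1.1" 200 7300
203.0.113.19 - - [11/Jul/2003:02:21:40 -0400] "GET /utilities/water-treatment.html HTTP/1.1" 200 8800
192.0.2.44 - - [11/Jul/2003:10:05:09 -0400] "GET /utilities/power-plant.html HTTP/1.1" 200 7300
198.51.100.88 - - [11/Jul/2003:11:00:00 -0400] "GET /parks/schedule.html HTTP/1.1" 200 2100
203.0.113.7 - - [12/Jul/2003:01:02:03 -0400] "GET /utilities/water-treatment.html HTTP/1.1" 200 8800
203.0.113.19 - - [12/Jul/2003:01:04:55 -0400] "GET /utilities/power-plant.html HTTP/1.1" 200 7300
203.0.113.42 - - [12/Jul/2003:01:09:12 -0400] "GET /utilities/pumping-stations.html HTTP/1.1" 404 512
192.0.2.44 - - [12/Jul/2003:10:30:21 -0400] "GET /utilities/power-plant.html HTTP/1.1" 200 7300
198.51.100.23 - - [12/Jul/2003:12:00:00 -0400] "GET /utilities/water-treatment.html HTTP/1.1" 200 8800
"""

# Constructed region table (an assumption for the example; a real deployment
# would consult a GeoIP database). The addresses are documentation ranges.
REGION_NETS = {
    "region-A": [ip_network("203.0.113.0/24")],
    "region-B": [ip_network("192.0.2.0/24")],
    "local": [ip_network("198.51.100.0/24")],
}

# Constructed list of URL prefixes the site owner considers sensitive.
SENSITIVE_PREFIXES = ("/utilities/", "/infrastructure/")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>[^:]+):[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return ip, day (a date), method, path and status for one log line,
    or None for lines that do not match the expected format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "day": datetime.strptime(m["day"], "%d/%b/%Y").date(),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def region_of(ip):
    """Map a source address to a region name; 'unknown' if unmapped or malformed."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return "unknown"
    for region, nets in REGION_NETS.items():
        if any(addr in net for net in nets):
            return region
    return "unknown"


def is_sensitive(path):
    # A 404 probe for a sensitive path still signals interest, so status is ignored.
    return path.startswith(SENSITIVE_PREFIXES)


def daily_sensitive_counts(lines):
    """Count sensitive-page requests per region per day, zero-filling days on
    which a region made none so that trends are comparable across regions."""
    counts = defaultdict(lambda: defaultdict(int))
    days = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        days.add(rec["day"])
        if is_sensitive(rec["path"]):
            counts[region_of(rec["ip"])][rec["day"]] += 1
    return {
        region: {day: per_day.get(day, 0) for day in sorted(days)}
        for region, per_day in counts.items()
    }


def flag_rising(counts, min_days=3):
    """Regions whose daily sensitive-page requests increase strictly on every
    observed day, over at least min_days days."""
    flagged = []
    for region, per_day in counts.items():
        series = [per_day[d] for d in sorted(per_day)]
        if len(series) >= min_days and all(a < b for a, b in zip(series, series[1:])):
            flagged.append(region)
    return sorted(flagged)


def block_list(regions):
    """CIDR strings to deny at the firewall for the flagged regions. Home
    networks and unmapped addresses are never blocked automatically."""
    nets = []
    for region in regions:
        if region in ("local", "unknown"):
            continue
        nets.extend(str(n) for n in REGION_NETS[region])
    return sorted(nets)


if __name__ == "__main__":
    counts = daily_sensitive_counts(SAMPLE_LOG.splitlines())
    for region in flag_rising(counts):
        print(region, [counts[region][d] for d in sorted(counts[region])])
    print("deny:", block_list(flag_rising(counts)))
```

Two caveats a practitioner would add. The region lookup is the weak link: address-to-country data is coarse, and an intelligence gatherer can route through an address in any country, so a regional block raises the cost of casual collection but does not stop a determined one. And the strictly-rising rule is deliberately simple; on a busy site it should be replaced with a baseline and a threshold so that one quiet day does not hide a trend.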
Online research by terrorists is only part of the problem. The other challenge is protecting government networks from cyberattacks.
'Security means people, processes and technology. Of these, the easiest to deal with is technology,' Kundra said. Though sites can be configured to be secure, it's much harder to establish processes to keep systems and information safe. Kundra suggested:
- Establishing rules for how network users must behave. Make sure users are aware of the rules, and enforce them.
- Hardening firewalls. Arlington County uses Cisco Systems Inc.'s Pix firewalls. To monitor its routers, the county also uses Cisco Info Center, a service-level diagnostic tool that automates monitoring and looks for network faults, performance problems and trouble spots. Managers also use NetCool service monitors from Micromuse Inc. of London to view multiple network devices and servers.
- Improving intrusion detection. Arlington County uses a host-based intrusion detection system from Entercept Security Technologies of Santa Clara, Calif., that looks for intrusion patterns on hosts and automatically reacts by locking out certain ports and addresses.
- Doing detailed analysis. Arlington uses enVision, a product from Network Intelligence Corp. of Walpole, Mass. It collects event log data from network devices to create a detailed picture of network usage. It can verify security policy compliance, generate alerts about possible security breaches and analyze network performance.
- Establishing a distributed model for data centers. The Arlington County network serves about 100 buildings. The main data center used to be in a single location. Now it's located in two redundant centers with automatic backup, and the county plans to add a third site.
Shawn McCarthy, a former writer for GCN, is senior analyst and program manager for government IT opportunities at IDC.