FBI shooting for two-in-one security
- By William Jackson
- Oct 05, 2005
New appliance tackles both vulnerability management and access control
Lockdown Networks' Enforcer appliance handles access control and security compliance.
The FBI's Los Angeles office plans to add a new access control appliance to the defenses of its West Coast networks. While it's at it, the group will ensure that clients connecting to its network comply with all configuration policies required for safe access. It's a two-for-one deal that could prove highly efficient.
'We are considered a West Coast regional hub,' said network manager Rick Swanson. The networks under his control include nonclassified, secret and top secret, as well as interagency networks operated with local, state and federal law enforcement groups. The level of sophistication of the nets runs the gamut.
'It ranges from Internet connections with DSL to private networks and satellite links with voice and video,' he said.
The bureau has good perimeter security to keep hackers out, but it was looking for ways to get better control over what was going on inside the network.
'We had two concerns about the security of the network,' Swanson said. 'How effective were the patches that were being installed? We didn't have any way to fully test whether they were really achieving what they were intended to. And we wanted to have a better level of control over people who were coming in from the outside.'
There were not a lot of products to choose from that handled both tasks. The FBI settled on the Enforcer network access control device from Lockdown Networks Inc. of Seattle. It's an appliance built on a vulnerability assessment and management platform, with added features for authentication and access policy enforcement. Retail pricing starts at $19,995.
'It allows you to assess the compliance of every device on the network, and authenticate every user and assign the proper level of access to network resources,' said Dan Clark, Lockdown's vice president of marketing.
Swanson said the Enforcer appeared to be the most feature-rich access control tool for handling both assessments and authentication.
'We believe it will be able to accomplish both jobs,' he said.
The Enforcer scans not only devices connecting to the network but also those inside it to ensure compliance with security and configuration policies. Scanning can be done continuously or on demand, as well as automatically upon connection to the network.
How it works
For authentication, it uses IEEE 802.1x (not to be confused with 802.11x) to integrate with an existing Remote Authentication Dial-In User Service (RADIUS) server, or it can use its own built-in RADIUS server. It also supports standalone authentication, Windows authentication and IP-based authorization.
The box is attached to any managed switch and becomes the default gateway for outside connections. The connecting device is put into quarantine in a virtual LAN while it is scanned for compliance with configuration policies. Scanning can be done with an agent loaded on the client device for deep, detailed assessments, or it can be conducted from the appliance for a quicker process. A Web page with resources to remediate problems without involving IT help desks can be delivered to clients that do not meet policy requirements.
Once the client is authorized to access the network, it no longer goes through the appliance, so there is no additional latency in the connection.
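An added example, not Lockdown's code or anything from the article, modelling the admission flow just described: authenticate the connecting user (standing in for the 802.1X/RADIUS exchange), hold the device in a quarantine VLAN while its configuration is checked against policy, then either place it on the production VLAN or leave it quarantined with a pointer to a self-help remediation page. The user store, VLAN ids, policy checks and URL are all assumed values constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

QUARANTINE_VLAN = 999   # assumed id of the quarantine VLAN
PRODUCTION_VLAN = 10    # assumed id of the production VLAN
REMEDIATION_URL = "https://remediation.example.invalid/"  # placeholder
# Constructed stand-in for the RADIUS user store consulted via 802.1X.
RADIUS_USERS = {"alice": "correct-horse", "bob": "battery-staple"}

# Constructed configuration policy: attribute name -> predicate it must satisfy.
POLICY = {
    "patch_level": lambda v: v >= 42,            # minimum patch baseline
    "av_signature_age_days": lambda v: v <= 7,   # signatures at most a week old
    "host_firewall": lambda v: v is True,        # host firewall enabled
}

@dataclass
class Endpoint:
    user: str
    password: str
    attributes: dict   # what the agent or appliance scan reports

@dataclass
class Decision:
    vlan: Optional[int]                 # None means access denied outright
    failed_checks: list = field(default_factory=list)
    remediation_url: Optional[str] = None

def authenticate(ep: Endpoint) -> bool:
    """802.1X/RADIUS step, modelled here as a plain credential lookup."""
    return RADIUS_USERS.get(ep.user) == ep.password

def scan(ep: Endpoint) -> list:
    """Return the names of every policy check the endpoint fails."""
    failed = []
    for name, satisfied in POLICY.items():
        value = ep.attributes.get(name)
        if value is None or not satisfied(value):   # missing data also fails
            failed.append(name)
    return failed

def admit(ep: Endpoint) -> Decision:
    """Authenticate, hold in quarantine while scanning, then place."""
    if not authenticate(ep):
        return Decision(vlan=None, failed_checks=["authentication"])
    failed = scan(ep)   # device sits in QUARANTINE_VLAN during this step
    if failed:          # non-compliant: stay quarantined, point at self-help page
        return Decision(QUARANTINE_VLAN, failed, REMEDIATION_URL)
    return Decision(PRODUCTION_VLAN)   # compliant: traffic no longer traverses the box
```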
The Enforcer has a library of 7,000 scans it can perform. The IT administrator determines which scans will be used, depending on local policy. The standard model Enforcer can handle about 1,000 users per appliance, and a high-availability model can handle up to about 3,000 users. The number of connections it can handle at one time depends on the level of scanning and enforcement required by policy, Clark said.
The FBI has been managing vulnerabilities on its West Coast network with a customized product from Cisco Systems Inc., which it will continue using, Swanson said.
'We look at this as yet another layer of security we can add,' he said.
So far the Enforcer has been limited to tests on the network, but the FBI plans to begin rolling it out in small segments. Policies need to be tailored to the needs of each network, but the process is straightforward, Swanson said.
'There has been minimal impact from having the appliance on the networks' during tests, he said. 'I feel fairly confident it is going to do what we want it to.'
William Jackson is a freelance writer and the author of the CyberEye blog.