Agencies Secure Intranets with Firewalls

Although Internet security awareness is growing the security of internal networks has been "abysmal " according to Richard Power an analyst with the Computer Security Institute San Francisco. This shortcoming is more serious than it used to be because organizations "are now conducting mission-critical business on internal nets " he said.

Indeed data on agency intranets is much more valuable than what's provided on external Web servers confirmed Patricia Edfors security and privacy champion at the Government Information Technology Services Board.

And intranets are spreading quickly in the government sector. There's a "huge move toward standardizing on [Internet Protocol] " said Erich Baumgartner director of Eastern-area sales for firewall designer Raptor Systems Inc. Reston Va.

Standardization should be regarded as an opportunity added Lt. Col. Michael Pinkston chief of the Network Strategies Office at the Air Force Communications Agency (AFCA) Scott Air Force Base Ill. "The overall convergence toward [Transmission Control Protocol/Internet Protocol] and the emergence of [Web technology] have created a good basis for a common solution Pinkston said."

But internal security sometimes "gets swept under the table " Edfors said. Part of the problem is poor training and management. Typically security is an "other duty as assigned." She added that "technological euphoria" also can blind people to the risks involved in adopting the latest bells and whistles.

Yet there are policy mandates that encourage agencies to take a harder look at internal security. Edfors pointed out that "segregation of users" as far as information access is concerned has been required since 1974 according to the Office of Management and Budget's Circular A-123. OMB's Circular A-130 moreover requires agencies "to set rules for systems look at the risks associated with systems look at the value of data and define the rules of engagement."

The most secure approach for protecting internal nets is to have "no physical interfaces" to the outside said Kurt Gutz-mann principal engineer with Litton/PRC Inc.'s Center for Applied Technology McLean Va.But there's an "opportunity cost in not sharing all the information [an organization] could because of concerns about security " added Jay Heiser product marketing manager for firewall vendor Norman Data Defense Systems Inc. Fairfax Va.

Agencies Analyze FirewallsAgencies are beginning to think about intranet security but so far they appear to be focusing more on Internet firewalls said Steve Lipner executive vice president of network security products for firewall maker Trusted Information Systems Inc. (TIS) Rockville Md.

Agencies spent their fiscal 1996 budgets "trying to get firewalls installed " added David Steinberg federal region manager at Check Point Software Ltd. a firewall manufacturer. "People are in the planning stages for intranets."

Indeed various agencies are analyzing firewalls for internal networks. AFCA for example "is laying out an architecture on how to set up [secure] base infrastructures " said Larry Merritt technical director of the Air Force Information Warfare Center (AFIWC) Kelly Air Force Base Texas. AFCA's architecture deals with "how to set boundaries ... [and with] external and internal firewalls for isolating one net from another " Merritt said.

AFIWC meanwhile is working with the Electronic Systems Center Hanscom Air Force Base Mass. and AFCA under the Base Information Protection program "to determine what [users] need to buy and install" in terms of firewalls Merritt said. AFIWC also tests firewalls for Air Force clients for interoperability and performance issues.

Firewalls protect internal networks from outside threats whether from the Internet or from other elements of private agencywide networks. But firewalls are "not a foolproof security mechanism " the Computer Security Institute's Power said. It makes little sense to insert a firewall without first "establishing a cornerstone security policy" providing context for its use.

Vendor PerspectiveInternet firewall vendors are positioning their products or spinoffs for intranets. Ideally they say an organization should use a combination of Internet and intranet firewalls.

CyberGuard for example is introducing a software-only firewall starting at $10 000 - much less than the company's current bundled firewall according to Bob Perks vice president of operations. The new system runs on The Santa Cruz Operation Inc.'s (SCO) UnixWare.

Norman Data Defense offers firewalls based upon both Hewlett-Packard Co. and SCO Compartmented Mode Workstation software. This trusted core "gives you protection from the inside and the outside " Heiser said. The software sells on the General Services Administration schedule for around $16 000.

TIS recently began to offer its Gauntlet intranet firewall priced at $7 500 compared to its Internet software at $11 500.

Raptor Systems offers variations of its Eagle Internet firewall. EagleLAN is intended for IP networks Baumgartner said. Eagle Remote offers locally administered security at remote sites. EagleLAN software goes for $3 500. Raptor Systems' firewalls are available on the GSA schedule from Electronic Systems Sylvest Management Systems Corp. and I-NET Inc.

Check Point last month announced Firewall-1 Version 3.0 which provides authentication and encryption support and protects users from malicious Java applets. The company's products are sold in the federal market by integrators such as Computer Sciences Corp. Electronic Data Systems Corp. and The Presidio Corp.

Milkyway Networks Corp. the Canadian developer of the Black Hole firewall claims to be the "only firewall certified by the Common Criteria" as of January 1996 according to Hung Vu president and chief executive. Black Hole was certified at the equivalent of C2 he said. The Common Criteria are standards for secure software intended to apply in the United States and Europe.

I Adams is a free-lance writer based in Arlington Va.