Countdown to 50

 


Agencies hustle to prepare their networks for a drastic reduction of Internet gateways.

Federal civilian agencies are under the gun to re-engineer their networks by June 30 to comply with an ambitious Office of Management and Budget plan to improve information technology security through a dramatic reduction of Internet connections.

The Trusted Internet Connection (TIC) plan also includes an April 15 deadline for agencies government wide to declare their capabilities and requirements to carry out the overhaul.

TIC requires the federal government to winnow its array of about 4,000 Internet connections to roughly 50 highly secure gateways. OMB, which launched TIC in November 2007 in response to the surging frequency and sophistication of online assaults against federal systems, first estimated the number of Internet connections to be about 1,000. After gathering information from agencies, that number grew fourfold.

The TIC plan to create a more secure perimeter between Uncle Sam's internal networks and the free-fire zone that dominates the external Internet echoes a project that the Defense Department launched seven years ago.

The new, secure perimeter, sometimes referred to as a demilitarized zone, would help federal IT managers improve their network traffic monitoring capabilities.

Agencies also would be able to reduce the number of security appliances they use to filter data crossing into or out of federal networks.

The OMB proposal calls for the Homeland Security Department's U.S. Computer Emergency Readiness Team to implement pivotal TIC operations.

For years US-CERT has operated a 24-hour operations center that monitors network activity across the federal government. Under TIC, the center will enforce network security via its suite of Einstein packet-filtering devices. US-CERT uses the Einstein systems to keep malware out of federal networks and prevent sensitive government information from leaving.

The DHS network security response team built the Einstein systems using commercial and government software and hardware. The Einstein devices sit outside government firewalls to detect all traffic that affects federal systems, DHS officials said last year (GCN.com/1022).

Most security experts said the risks involved in the ambitious TIC deployment schedule and the difficulties posed by the network re-engineering plan would be more than offset by its likely effectiveness.

Many of the IT security analysts contacted for this article emphasized the urgent need for security upgrades to protect the federal government's data infrastructure. Most security professionals agreed that the TIC security improvements and similar measures are long overdue.

'We should have done this five years ago, but there wasn't the heart or the will then like there is now,' said Howard Schmidt, a former White House cyber security adviser. 'The timetable is aggressive,' he said, but now there is a sense of urgency behind the program.

'The concept is very sound,' Schmidt said.

'You can easily monitor what's going on, you can react more quickly, and you have greater visibility of threats. If done correctly, this can achieve a lot.'

Small agencies that won't qualify for their own connections under TIC must subcontract their Internet services to larger agencies.

Coordinated efforts

OMB timed the TIC migration deadline to coincide with the government's other major computer security and network security projects.

The coordinated schedule will allow agencies to capture the improvements all at once and launch the security upgrades simultaneously, said Karen Evans, OMB's administrator for e-government and IT.

'We're trying to make sure that everything is raised to the same level, and we've picked these dates because all the efforts align,' Evans said.

OMB early this month sent a memo to all federal departments and agencies asking them by April 15 to submit their proposed solutions for implementing TIC and how they would prefer to receive service from a Trusted Internet Connection Access Provider.

OMB gave agencies three options: be a single-service provider that serves only its own internal customers and has its own TIC; be a multiservice provider that offers services to more than one agency or bureau and shares a TIC with others; or be an agency that connects to a TIC via an approved provider. For agencies that want to be their own TIC provider, OMB asked for extensive supporting data on the agencies' technical ability to monitor traffic and enforce security policies on network links.

OMB will use agencies' submissions in deciding how to allocate the targeted 50 TICs.

Evans said TIC's goal of reducing the number of connections to 50 is ambitious, but added that it is a well thought-out target. She said although some agencies might believe that the goal of 50 Internet links and the June 30 timetable are unrealistic, 'there's no technical reason this can't be done.'

OMB modeled TIC after the network security methods developed for use by banks, brokerage houses and similar financial institutions, said Scott Bradner, technology security officer at Harvard University. Bradner helped OMB plan TIC.

'TIC is not a magic bullet; [but] it will help,' Bradner said. 'It will help by consolidating the Internet connections enough so that they may be reasonably monitored.'

In the government's existing network structure, 'there are too many Internet connections to be reasonably monitored,' Bradner said.

'TIC is a resizing, or a right-sizing.'

Bradner said reducing the Internet links to 50 will leave large federal agencies with two or three portals. He noted that it's impossible to guarantee service reliability from a single portal.

Meanwhile, smaller agencies will share portals or connect to larger agencies' portals via Internet service providers' networks.

The connection from an agency to a portal is where Einstein appliances will be placed to monitor traffic, and layers of firewalls will insulate an agency's internal network from the Internet, Bradner said.

Typically, an agency's network will consist of sub-networks. Those segments will include a front-end network to provide Web services to agency customers or constituents. Each agency also will operate a back-end network to maintain its databases.

Because the back-end databases contain proprietary information that could be private or even classified, the back-end networks need additional protection to fend off hacking attempts from outside. A separate layer of firewalls inside each agency's network will provide security by insulating the back-end systems from the rest of the network, Bradner said.

Federal agencies should be able to meet the TIC requirement fairly easily by updating their routing tables so that traffic to and from the Internet travels across the agencies' designated portals, he said.
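The routing-table step Bradner describes is easy to state but easy to get subtly wrong, since a single forgotten default route or a stray route to a public prefix sends Internet-bound traffic around the monitored portal. The following is an added example, not code from the article or from OMB, DHS or any agency: it parses a constructed route-table dump, treats any destination outside the RFC 1918 private ranges as Internet-bound, and reports every such route whose next hop is not one of the hypothetical approved portal gateways. The portal addresses and route entries are constructed sample data.

```python
"""Audit a route table for TIC-style egress compliance (added example).

Given a text dump of static routes and the set of approved portal gateways,
flag any route that would carry Internet-bound traffic through a next hop
that is not an approved portal, and confirm that at least two approved
portals carry a default route (one portal alone cannot guarantee
reliability, as the article notes).
"""
import ipaddress

# Hypothetical approved TIC portal next hops for one agency (constructed).
APPROVED_PORTALS = {"10.250.0.1", "10.250.0.2"}

# Constructed sample route-table dump: one "destination via next_hop" per line.
SAMPLE_ROUTES = """\
# internal prefixes reachable over the agency backbone
10.0.0.0/8 via 10.1.0.1
192.168.50.0/24 via 10.1.0.2
# Internet egress through the designated portals
0.0.0.0/0 via 10.250.0.1
0.0.0.0/0 via 10.250.0.2
# leftovers from a legacy uplink that bypass the portals
0.0.0.0/0 via 203.0.113.9
198.51.100.0/24 via 203.0.113.9
"""

# RFC 1918 private address space; anything else is treated as Internet-bound.
PRIVATE_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def parse_routes(text):
    """Parse 'dest via hop' lines into (IPv4Network, IPv4Address) pairs.

    Blank lines and '#' comments are skipped; malformed lines raise ValueError
    so a truncated export is never silently audited as compliant.
    """
    routes = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3 or parts[1] != "via":
            raise ValueError(f"unrecognised route line: {line!r}")
        dest = ipaddress.ip_network(parts[0], strict=False)
        hop = ipaddress.ip_address(parts[2])
        routes.append((dest, hop))
    return routes


def is_internet_bound(dest):
    """True unless the destination lies entirely inside a private range."""
    return not any(
        dest.version == net.version and dest.subnet_of(net) for net in PRIVATE_NETS
    )


def audit_egress(routes, approved):
    """Return [(dest, hop)] for Internet-bound routes that skip the portals."""
    approved_hops = {ipaddress.ip_address(a) for a in approved}
    return [
        (str(dest), str(hop))
        for dest, hop in routes
        if is_internet_bound(dest) and hop not in approved_hops
    ]


def portal_default_count(routes, approved):
    """Number of distinct approved portals that carry a default route."""
    approved_hops = {ipaddress.ip_address(a) for a in approved}
    return len({hop for dest, hop in routes if dest.prefixlen == 0 and hop in approved_hops})


if __name__ == "__main__":
    table = parse_routes(SAMPLE_ROUTES)
    for dest, hop in audit_egress(table, APPROVED_PORTALS):
        print(f"NON-COMPLIANT: {dest} egresses via {hop}")
    print(f"approved portals carrying a default route: "
          f"{portal_default_count(table, APPROVED_PORTALS)}")
```

On the sample data the audit flags the two legacy routes through 203.0.113.9 and counts two approved portals carrying a default route. In practice the dump would come from the router's own route export, and the same check belongs in change control so that a later routing change cannot quietly reopen an unmonitored path.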

The reconfiguration shouldn't slow down the performance of an agency network if the agency engineers the transition properly, Bradner said.

He emphasized that federal network administrators must pay special attention to assuring adequate capacity at their agency's portals to the Internet. Network planners will have to vet the equipment used in the portals and scrutinize the circuits that shunt traffic to and from back-end networks, Bradner said.

Federal network planners said smaller agencies, in particular, will find their path to TIC compliance eased by the pending transition from the government's FTS 2000 telecommunications service contracts to their Networx successors.

The five telecom providers that won places on the Networx schedule have said they would help agencies use standard Networx offering packages to meet the TIC mandate.

'Based on what they know, the Networx providers believe that the Networx contracts could satisfy the TIC requirement,' said John Johnson, the GSA Federal Acquisition Service's assistant commissioner for integrated technology services.

Johnson said GSA might have to modify the Networx contracts in some cases, for example, to accommodate TIC's provisions for co-located and dedicated data hosting services, content delivery services and IP virtual private network services.

'We don't see those modifications as significant activities,' Johnson said.

The Defense Department isn't included in the Trusted Internet Connection initiative because it has already consolidated its Internet connections from more than 60 to 15. However, DOD's experience with network consolidation and its lessons learned provide valuable guidance.

DOD began its Internet consolidation project in 2003, and by 2004, had completely inventoried its network to establish 60 as the baseline number of Internet access points between its Non-secure IP Router Network and the Internet, DOD officials said. By 2007, DOD had consolidated its more than 60 access points into 15, although its eventual goal is to reduce the number to 10.

At the outset, DOD mapped its planned topology for the network by analyzing traffic patterns and traffic growth projections, with additional modeling to account for the scheduled closing and restructuring of military bases.

To handle the reconfigured traffic, DOD added new circuits to connect to new interconnection points established in the consolidation process while also upgrading the bandwidth of existing circuits when redirecting additional traffic to an existing site. DOD officials said the department redirected about 40 interconnection circuits to new sites without significant disruptions to service. When possible, DOD provided a one-month overlap of old and new circuits to prevent outages. If that wasn't possible, officials scheduled cutovers during hours when Internet demand was low.

The biggest technical challenges involved in the transition were redirecting traffic and scheduling unavoidable network outages to minimize the impact on operations, the officials said.

The step that contributed the most to successfully completing the consolidation was devoting enough time to the modeling and planning stages to ensure that DOD sequenced its implementation carefully.
