Countdown to 50

Federal civilian agencies are under the gun to re-engineer their networks by June 30 to comply with an ambitious Office of Management and Budget plan to improve information technology security through a dramatic reduction of Internet connections.

The Trusted Internet Connection (TIC) plan also includes an April 15 deadline for agencies government wide to declare their capabilities and requirements to carry out the overhaul.

TIC requires the federal government to winnow its array of about 4,000 Internet connections to roughly 50 highly secure gateways. OMB, which launched TIC in November 2007 in response to the surging frequency and sophistication of online assaults against federal systems, first estimated the number of Internet connections to be about 1,000. After gathering information from agencies, that number grew fourfold.

The TIC plan to create a more secure perimeter between Uncle Sam's internal networks and the free-fire zone that dominates the external Internet echoes a project that the Defense Department launched seven years ago.

The new, secure perimeter, sometimes referred to as a demilitarized zone, would help federal IT managers improve their network traffic monitor capabilities.

Agencies also would be able to reduce the number of security appliances they use to filter data crossing into or out of federal networks.

The OMB proposal calls for the Homeland Security Department's U.S. Computer Emergency Readiness Team to implement pivotal TIC operations.

For years US-CERT has operated a 24-hour operations center that monitors network activity across the federal government. Under TIC, the center will enforce network security via its suite of Einstein packet-filtering devices. USCERT uses the Einstein systems to keep malware out of federal networks and prevent sensitive government information from leaving.

The DHS network security response team built the Einstein systems using commercial and government software and hardware. The Einstein devices sit outside government firewalls to detect all traffic that affects federal systems, DHS officials said last year (GCN.com/1022).

Most security experts said the risks involved in the ambitious TIC deployment schedule and the difficulties posed by the network re-engineering plan would be more than offset by its likely effectiveness.

Many of the IT security analysts contacted for this article emphasized the urgent need for security upgrades to protect the federal government's data infrastructure. Most security professionals agreed that the TIC security improvements and similar measures are long overdue.

'We should have done this five years ago, but there wasn't the heart or the will then like there is now,' said Howard Schmidt, a former White House cyber security adviser. 'The timetable is aggressive,' he said, but now there is a sense of urgency behind the program.

'The concept is very sound,' Schmidt said.

'You can easily monitor what's going on, you can react more quickly, and you have greater visibility of threats. If done correctly, this can achieve a lot.'

Small agencies that won't qualify for their own connections under TIC must subcontract their Internet services to larger agencies.

Coordinated efforts OMB timed the TIC migration deadline to coincide with the government's other major computer security and network security projects.

The coordinated schedule will allow agencies to capture the improvements all at once and launch the security upgrades simultaneously, said Karen Evans, OMB's administrator for e-government and IT.

'We're trying to make sure that everything is raised to the same level, and we've picked these dates because all the efforts align,' Evans said.

OMB early this month sent a memo to all federal departments and agencies asking them by April 15 to submit their proposed solutions for implementing TIC and how they would prefer to receive service from a Trusted Internet Connection Access Provider.

OMB gave agencies three options: be a single- service provider that serves only its own internal customers and has its own TIC; be a multiservice provider that offers services to more than one agency or bureau and shares a TIC with others; or be an agency that connects to a TIC via an approved provider. For agencies that want to be their own TIC provider, OMB asked for extensive supporting data on the agencies' technical ability to monitor traffic and enforce security policies on network links.

OMB will use agencies' submissions in deciding how to allocate the targeted 50 TICs.

Evans said TIC's goal of reducing the number of connections to 50 is ambitious, but added that it is a well thought-out target. She said although some agencies might believe that the goal of 50 Internet links and the June 30 timetable are unrealistic, 'there's no technical reason this can't be done.'

OMB modeled TIC after the network security methods developed for use by banks, brokerage houses and similar financial institutions, said Scott Bradner, technology security officer at Harvard University. Bradner helped OMB plan TIC.

'TIC is not a magic bullet; [but] it will help,' Bradner said. 'It will help by consolidating the Internet connections enough so that they may be reasonably monitored.'

In the government's existing network structure, 'there are too many Internet connections to be reasonably monitored,' Bradner said.

'TIC is a resizing, or a right-sizing.'

Bradner said reducing the Internet links to 50 will leave large federal agencies with two or three portals. He noted that it's impossible to guarantee service reliability from a single portal.

Meanwhile, smaller agencies will share portals or connect to larger agencies' portals via Internet service providers' networks.

The connection from an agency to a portal is where Einstein appliances will be placed to monitor traffic, and layers of firewalls will insulate an agency's internal network from the Internet, Bradner said.

Typically, an agency's network will consist of sub-networks. Those segments will include a front-end network to provide Web services to agency customers or constituents. Each agency also will operate a back-end network to maintain its databases.

Because the back-end databases contain proprietary information that could be private or even classified, the back-end networks need additional protection to fend off hacking attempts from outside. A separate layer of firewalls inside each agency's network will provide security by insulating the back-end systems from the rest of the network, Bradner said.

Federal agencies should be able to meet the TIC requirement fairly easily by updating their routing tables so that traffic to and from the Internet travels across the agencies' designated portals, he said.

The reconfiguration shouldn't slow down the performance of an agency network if the agency engineers the transition properly, Bradner said.

He emphasized that federal network administrators must pay special attention to assuring adequate capacity at their agency's portals to the Internet. Network planners will have to vet the equipment used in the portals and scrutinize the circuits that shunt traffic to and from back-end networks, Bradner said.

Federal network planners said smaller agencies, in particular, will find their path to TIC compliance eased by the pending transition from the government's FTS 2000 telecommunications service contracts to their Networx successors.

The five telecom providers that won places on the Networx schedule have said they would help agencies use standard Networx offering packages to meet the TIC mandate.

'Based on what they know, the Networx providers believe that the Networx contracts could satisfy the TIC requirement,' said John Johnson, the GSA Federal Acquisition Service's assistant commissioner for integrated technology services.

Johnson said GSA might have to modify the Networx contracts in some cases ' for example, to accommodate TIC's provisions for co-located and dedicated data hosting services, content delivery services and IP virtual private network services.

'We don't see those modifications as significant activities,' Johnson said.
The Defense Department isn't included in the Trusted Internet Connection initiative because it has already consolidated its Internet connections from more than 60 to 15. However, DOD's experience with network consolidation and its lessons learned provide valuable guidance.

DOD began its Internet consolidation project in 2003, and by 2004, had completely inventoried its network to establish 60 as the baseline number of Internet access points between its Non-secure IP Router Network and the Internet, DOD officials said. By 2007, DOD had consolidated its more than 60 access points into 15, although its eventual goal is to reduce the number to 10.

At the outset, DOD mapped its planned topology for the network by analyzing traffic patterns and traffic growth projections, with additional modeling to account for the scheduled closing and restructuring of military bases.

To handle the reconfigured traffic, DOD added new circuits to connect to new interconnection points established in the consolidation process while also upgrading the bandwidth of existing circuits when redirecting additional traffic to an existing site. DOD officials said the department redirected about 40 interconnection circuits to new sites without significant disruptions to service. When possible, DOD provided a one-month overlap of old and new circuits to prevent outages. If that wasn't possible, officials scheduled cutovers during hours when Internet demand was low.

The biggest technical challenges involved in the transition was redirecting traffic and scheduling unavoidable network outages to minimize the impact on operations, the officials said.

The step that contributed the most to successfully completing the consolidation was devoting enough time to the modeling and planning stages to ensure that DOD sequenced its implementation carefully.