Defense expands cyber DMZs

Friday - 1/7/2011, 7:45am EST


By Jason Miller
Executive Editor
Federal News Radio

The Defense Information Systems Agency has put the military's unclassified network behind a demilitarized zone.

And over the next two years, all unclassified applications across the Defense Department will have to go through this virtual no-man's land to reach the public Internet.

"If we are under a cyber attack we could potentially crank up the level of security for most of our servers inside and yet leave certain critical e-commerce servers open to the Internet, still with security controls, but we don't have to cut them off," said Dave Mihelcic, DISA's chief technology officer, Thursday at a lunch sponsored by the AFCEA-DC chapter in Arlington, Va. "It's a collection of services to secure both inbound and outbound traffic, and control what is exposed and what isn't."

DISA has been deploying these demilitarized zones (DMZs) over the past few years, but they have had limited functionality.

Mihelcic said the initial capabilities were whitelisting and blocking or restricting inbound traffic to a limited range of machines.

The goal, however, is to expand the DMZs across all DoD networks over the next two years.

"What will take two years to complete is the migration of all of the service applications behind this," Mihelcic said. "That migration is not necessarily moving a box place-to-place, but really redirecting traffic through this capability. We have a plan working with the services to do that."
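The DMZ behaviour Mihelcic describes, a whitelist of inbound services on a limited range of machines plus a posture that can be raised during an attack while leaving critical servers exposed, can be modelled as a small policy engine. The following is an added example, not DISA's code or anything from the article; the service names, posture labels and addresses (documentation ranges) are constructed for illustration.

```python
"""Toy model of a DMZ with a switchable security posture (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

NORMAL = "normal"      # everyday posture: every whitelisted service reachable
ELEVATED = "elevated"  # attack posture: only services marked critical stay open


@dataclass(frozen=True)
class Service:
    name: str
    address: str            # internal server reached through the DMZ
    port: int
    critical: bool = False  # True: remains exposed even in ELEVATED posture


class DmzPolicy:
    def __init__(self, exposed_range, services, posture=NORMAL):
        # Only machines in this range may receive inbound traffic at all
        # (the "limited range of machines" in the article).
        self.exposed_range = ip_network(exposed_range)
        # Whitelist keyed by (address, port); anything not listed is denied.
        self.whitelist = {(ip_address(s.address), s.port): s for s in services}
        self.posture = posture

    def set_posture(self, posture):
        """Raise or lower the posture, e.g. when an attack is declared."""
        if posture not in (NORMAL, ELEVATED):
            raise ValueError(f"unknown posture {posture!r}")
        self.posture = posture

    def decide(self, dst_ip, dst_port):
        """Return (verdict, reason) for an inbound connection attempt."""
        dst = ip_address(dst_ip)
        if dst not in self.exposed_range:
            return "DENY", "destination is not in the DMZ-exposed range"
        service = self.whitelist.get((dst, dst_port))
        if service is None:
            return "DENY", "no whitelisted service on that address/port"
        if self.posture == ELEVATED and not service.critical:
            return "DENY", f"{service.name} closed under elevated posture"
        return "ALLOW", f"{service.name} reachable ({self.posture} posture)"


# Constructed sample environment (hypothetical services and addresses).
SERVICES = [
    Service("public-web", "203.0.113.10", 443),
    Service("e-commerce", "203.0.113.20", 443, critical=True),
    Service("file-xfer", "203.0.113.30", 22),
]

# Constructed inbound attempts: (destination address, destination port).
ATTEMPTS = [
    ("203.0.113.10", 443),  # public web site
    ("203.0.113.20", 443),  # critical e-commerce front end
    ("203.0.113.30", 22),   # file transfer host
    ("203.0.113.99", 443),  # in the exposed range, but nothing whitelisted
    ("198.51.100.5", 443),  # internal host outside the exposed range
]


def run(posture):
    """Evaluate every sample attempt under the given posture; return verdicts."""
    policy = DmzPolicy("203.0.113.0/24", SERVICES, posture)
    return [policy.decide(ip, port)[0] for ip, port in ATTEMPTS]


if __name__ == "__main__":
    for posture in (NORMAL, ELEVATED):
        print(posture, run(posture))
```

Switching to the elevated posture changes only the verdicts for non-critical services; the whitelist itself and the exposed address range are untouched, which is what lets the e-commerce front end stay reachable while the rest of the inside is closed off.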

Richard Hale, DISA's chief information assurance executive, said the DMZs grew from the need of combatant commanders to take risks without exposing other commanders to the dangers.

"We want to better structure ourselves to have a network that can support multiple access control and perimeter defense policies at the same time," he said. "No one-size fits all NIPRNET and no one size fits all reactions to problems on the NIPRNET."

Hale said DISA is going to rename the DoD DMZ to Project Lightning because DMZ was the worst name possible.

DoD decided it needed something like a DMZ after feeling the effects of the Code Red and Nimda worms in 2001. Mihelcic said DoD had to shut down its network after becoming infected. In the future, if such a denial-of-service attack happens, DoD could protect its unclassified networks more easily instead of having to cut them off completely from the public Internet.

The end goal of the DMZ approach is to let combatant commanders set policy based on mission instead of a one-size-fits-all approach.

One model combatant commanders are considering is developing their own networks for each mission. For instance, Hale said the combatant commander in Afghanistan created their own network.

Hale said the challenge is how to gain access to enterprisewide services under this model.

This effort falls under the goal of Gen. Kevin Chilton, commander of U.S. Strategic Command, of making sure there is freedom of action in cyberspace.

"We are early on in looking at this so we are trying to figure out what architecture constructs and what technologies can give us this risk separation," Hale said.

Along with DMZs, DISA is implementing public key infrastructure technology on DoD's secret network, SIPRNET.

Hale said this will improve accountability and information sharing across the secret network.

"We also have efforts on attribute based access control on the classified networks so when combined with this identity credential it should improve sharing and security at the same time," he said. "Currently, we use a variety of identity credentialing schemes for classified networks. The highest level access control is physical security. But we have layers of cybersecurity and we are trying to standardize some of those layers and strengthen them."

DoD's common access cards, or CACs, are used only for the unclassified networks.
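Hale's combination of a PKI identity credential with attribute-based access control can be shown with a small decision function: the credential supplies a validated identity and its attributes, and each resource states which attribute values it requires. This is an added example, not DISA's code or anything from the article; the credential fields, attribute names, resources and policies are constructed for illustration, and a real deployment would take the identity and attributes from a validated certificate and a directory rather than from dicts.

```python
"""Toy attribute-based access control keyed to a PKI identity (added example)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Credential:
    subject: str           # identity bound by the certificate (constructed)
    validated: bool        # chain, expiry and revocation checks all passed
    attributes: dict = field(default_factory=dict)  # e.g. clearance, organization


@dataclass(frozen=True)
class Resource:
    name: str
    required: dict  # attribute name -> set of acceptable values


def authorize(cred, resource):
    """Return (granted, reason). Identity must be validated before attributes count."""
    if not cred.validated:
        return False, f"{cred.subject}: credential not validated"
    for attr, allowed in resource.required.items():
        value = cred.attributes.get(attr)
        # Multi-valued attributes (e.g. several roles) match if any value is allowed.
        values = value if isinstance(value, (set, frozenset)) else {value}
        if not values & allowed:
            return False, f"{cred.subject}: {attr}={value!r} not in {sorted(allowed)}"
    return True, f"{cred.subject}: granted {resource.name}"


# Constructed resources with hypothetical attribute requirements.
RESOURCES = {
    "ops-reports": Resource("ops-reports", {
        "clearance": {"secret"},
        "organization": {"cmd-a", "cmd-b"},
    }),
    "logistics": Resource("logistics", {
        "role": {"logistics", "planner"},
    }),
}

# Constructed credentials; subjects and attribute values are made up.
CREDENTIALS = [
    Credential("analyst-1", True, {"clearance": "secret", "organization": "cmd-a",
                                   "role": {"analyst"}}),
    Credential("planner-2", True, {"clearance": "confidential", "organization": "cmd-b",
                                   "role": {"planner", "analyst"}}),
    Credential("contractor-3", False, {"clearance": "secret", "organization": "cmd-a",
                                       "role": {"logistics"}}),
]


def decisions():
    """Evaluate every credential against every resource; returns an audit-style list."""
    out = []
    for cred in CREDENTIALS:
        for name, resource in RESOURCES.items():
            granted, reason = authorize(cred, resource)
            out.append((cred.subject, name, granted, reason))
    return out


if __name__ == "__main__":
    for subject, name, granted, reason in decisions():
        print("ALLOW" if granted else "DENY ", subject, name, "-", reason)
```

Because every decision is tied to the validated subject name, the same function that enforces the policy also produces the per-identity record that the accountability goal calls for.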

DISA also is focused on enhancing the security of its internal networks.

Larry Huffman, principal director of the global information grid operations, said the agency recreated a DISA command center (DCC) after realizing it had a gap when DoD created the U.S. Cyber Command and the Joint Task Force Global Network Operations (JTF-GNO) went away.

The DCC works closely with the Cyber Command, and oversees DISA's own network and 13 subordinate operation centers.

"The DCC's primary job is to be the synchronizer and director of all those operation centers to develop tactics, techniques and procedures to make sure the infrastructure is responsive," Huffman said. "The additional role is to be the eyes and ears for the director and for the seniors of the agency. As we see issues out in the infrastructure, those get fed back to the seniors and director so we can quickly fix things and mitigate issues in the field."