EPA buys monitoring software

In an uncommon move to secure its distributed networks agencywide the Environmental Protection Agency has purchased a software package to monitor and manage information security policy at more than 100 sites.

The EPA plans to install Axent Technologies Inc.'s OmniGuard/Enterprise Security Manager (ESM) on all of its more than 700 Unix NetWare and VMS servers by the end of fiscal 1997.

ESM which the Army and the Food and Drug Administration also use allows a few high-level personnel to monitor conformance of an agency's entire network to established security policies.

The EPA's expanding role as an information provider via the Internet spurred the move to monitor compliance with security policies said Robert Lewis the EPA's chief of enterprise technology security services. The agency provides sensitive environmental information to academic and research communities via the Internet. This data transmission must comply with the Privacy Act to ensure the protection of research and classified business information.

While several Defense Department agencies have moved to manage security enterprisewide most civilian agencies have taken only small steps to "plug the holes in the dike " such as installing firewalls or intruder-detection devices said John Negron Axent's federal sales manager.

"These folks [at the EPA] stepped up a level and said `We're responsible for ensuring that all the information across the whole agency is protected ' " Negron said. "It really qualifies the federal market. There are some pockets within the government that are looking at the problem of security at an enterprise level."

The EPA will monitor security policy from Research Triangle Park N.C. From one workstation security administrators will be able to make changes to remote systems and control the level of security on those platforms even if they use different operating systems.

Because the security features bundled within operating systems vary significantly it is impossible to establish a single all-encompassing security policy to span all of an agency's distributed networks. Still it is vital to identify areas within the agency that have not moved to comply with published security directives Lewis said.

"Having the policy in place is one thing but being able to validate whether the policy has been implemented is a question that has to be answered " Lewis said. "It would not be very cost-effective for my staff to validate that all of the 700-plus servers [comply with] the security directives. Those that haven't implemented those security directives obviously make us vulnerable."

ESM covers three security categories: user accounts and authorizations network and server settings and file systems and directories. ESM checks if users have been granted privileges that are outside the scope of security policy monitors the use of passwords to ensure they are changed frequently and cannot be easily guessed and searches for viruses.

It also scans networks for trap doors which give original designers of a program a way to circumvent cumbersome security measures to monitor a system and logic bombs which are timed to damage files or a program when a specific task is performed. Additionally ESM scans for Internet vulnerabilities modifications to key files or programs and other threats.

When fully installed ESM will generate a single report on the compliance of all systems.