NASA adopts firewall plan

Battered by hacker attacks on its home page NASA will move all its public-access servers outside of an agencywide firewall designed to protect sensitive internal networks. When the new security architecture is in place NASA employees no longer will have open access to the World Wide Web they will be allowed access only to those sites identified by the chief information officer as necessary for business agency officials said.

The need for such additional security become clear last week when hackers broke into NASA's home page for the second time pasting it with ominous messages declaring a future reign of "digital terrorism" against corporate America.

None of NASA's internal networks were compromised in the attack said Brian Dunbar an Internet services manager for the agency. He declined to provide details of how intruders gained access to the Web server because NASA's Office of the Inspector General is investigating the break-in.

While the need for increased security was made apparent by the recent attack a move to restrict access to the Internet was questioned by one employee.

Briscoe Stevens advanced scientific systems coordinator for NASA's space sciences lab at Marshall Space Flight Center Huntsville Ala. said restricting Web access would severely handicap the agency's scientists and engineers.

"From the scientific and engineering standpoint it would be devastating because the scientists and engineers use the Web as a source of getting information on topics as well as software upgrades that they need for their work " he said. "If we're put behind a firewall that limits us and we have to get permission anytime we want to go to a new Web page we're going to have a monster of a bureaucracy instantaneously."

Christopher Klaus founder and chief executive officer of Atlanta-based Internet Security Systems a company that specializes in analyzing security vulnerabilities for government agencies including NASA said that while Web page attacks may seem innocuous on the surface they often can cause more internal damage than merely embarrassing the agency. Many hackers install "back doors" or "Trojan horses" that will periodically capture passwords which hackers can use to gain access to other workstations or networks he said.

The Web server hit by the most recent attack was located outside a firewall at the Goddard Space Flight Center Greenbelt Md. This connection - and vulnerability - to the general public has prompted NASA to evaluate more advanced security techniques according to a late 1996 information technology security architecture report produced by NASA's interagency security working group.

Solitary Solution

The report recommends the isolation of public-access servers from internal networks the deployment of a NASA-wide firewall remote-user authentication vulnerability assessments and a restrictive policy for employee Internet access. Prototypes of these security mechanisms - including the NASA-wide firewall - are being tested and could be installed this year said Richard Carr agency IT security program manager at the Ames Research Center Mountain View Calif. Ames is the agency's lead IT security center.

"It's critical and vital to any organization...to have security as an integral component " Carr said. "If you leave that security piece out you just would not be able to conduct business over the Internet. All the federal agencies are in the same stages of having bits and pieces of firewalls in place."

Firewalls have become the product of choice for many government agencies concerned with security but Klaus warned that they cannot be the sole protection from security threats.

"A lot of agencies put a firewall in place and will reconfigure it as needed " he said. "A lot of times they never get reconfigured to get safe again. Through all this reconfiguration the firewall gets left open to allow attacks to happen. Once they get a firewall in place that is not the ultimate solution. It's kind of a Band-Aid. NASA works with so many other agencies and contractors [that] even if they put in a firewall they're not able to block all the risks."

Computer systems that reside on vital NASA network segments are being configured as information servers to the general public forcing public users to travel these segments to access the servers according to the working group's report. As a result it is virtually impossible to configure an effective firewall between NASA and the public.

The group has recommended that all public-access information servers be moved to a new agencywide consolidated Public Information Center that would house and distribute all information to the public.

This is the only option to provide information electronically in light of the group's proposal for a firewall to span the entire government agency the report states.

Access Denied

The working group recommends a NASA-wide firewall that would deny access to all transmissions except those that are explicitly allowed. The new expansive firewall would eliminate the need for center- or enterprise-level firewalls which are sprinkled throughout the agency.

Other requirements for the security architecture include:

* Users not physically located within the NASA community (inside the firewall) would have to authenticate themselves to the NASA-wide firewall using advanced authentication devices.

* Issuing modems and analog phone lines to individual computer operators would be stopped and those in existence would be removed. All modem-type communications would be through modem pools managed by the NASA-wide firewall.

* All local-area networks would be secure and devices not connected to a drop would be disabled automatically.