Infosec vendors build test bed for COTS solutions

A group of systems integrators has launched an information technology laboratory to allow federal government clients to test the integration and interoperability of computer security products in a hardware and software scenario that mirrors their own computing environment.

Called the Infosec Research and Engineering Network (IREN), this joint investment project is led by Booz-Allen & Hamilton Inc., with Lockheed Martin Corp., Electronic Data Systems Corp., TASC Inc. and J.G. Van Dyke Associates participating in the project. Each of the concerns has electronically linked its own laboratory to form the test bed, which contains various platforms to mirror the complex computing environment found in the government, said Don Busson, vice president of Booz-Allen.

"We recognize that most security solutions for our government clients are going to be provided with [commercial off-the-shelf] solutions," Busson said. "The goal with this network is to have the ability to integrate those different security products in an environment that's very similar to the environment that our clients operate in."

In essence, IREN is a virtual laboratory because federal agencies can remotely access the test bed online to test a variety of commercial security products, such as firewalls, intrusion-detection software, networking security products and various components of a public-key infrastructure, including digital signature and certificate technology.

Dividing the Tasks

For example, TASC is providing penetration testing; an agency can connect to the network, and TASC officials will try to penetrate the network in ways that a hacker might use to illegally enter a network, Busson said. The network includes a variety of computing platforms— Unix systems, Microsoft Corp.'s Windows NT and Windows 95 — as well as routers, firewalls, T-1 circuits and dial-up circuits, he said.

While TASC is in charge of penetration testing, EDS is testing lower-assurance applications such as office automation products, Lockheed Martin is testing e-mail and electronic commerce products, and Van Dyke is testing standards and protocols. Booz-Allen is providing the management component and doing modeling and simulation for various products.

Each participating company can market IREN individually. Booz-Allen is marketing it through various General Services Administration schedule contracts, blanket purchase agreements and indefinite-delivery, indefinite-quantity contracts, Busson said.

The company is also featuring IREN on several agency procurements, he said.

To date, the Navy's Space and Naval Warfare Systems Command and one other military agency Busson declined to name have used IREN.

Complex Issues

Rich Kellett, division director for the Emerging IT Applications Division within GSA's Office of Governmentwide Policy and one of two leaders of the Federal Webmasters group, said agency officials are very interested in learning how various IT components— such as an intranet and a local-area network— can be integrated into a secure environment.

"The security issues are getting really complex, and people need more integrated products," Kellett said. "Anything that helps them test those products would be beneficial."

Lack of Understanding

Gary Van Dyke, president of Van Dyke, said IREN allows agencies to observe how particular security solutions will work without investing in their own testing procedures or purchasing large numbers of products.

"[The federal government is] a community that really doesn't understand that security has got to be an integral part of the system," he said. "When one considers a firewall, you're really only considering part of the security problem. IREN can show an agency what else [it] might have to do."