DOD adopts COTS wares to protect supercomputers


The Defense Department's high-performance computing program office is finalizing plans for a security policy using commercial hardware and software security products to control access of more than 4,000 users of supercomputers nationwide.

The DOD High-Performance Computing Modernization Program (HPCMP) security policy covers two main areas: preventing unauthorized personnel from accessing supercomputers at various sites and protecting data transmissions between machines at the centers and users' desktop computers.

The program plans to issue SecurID cards, from Security Dynamics Technologies Inc., in May to control access, and it plans to use Kerberos encryption software to encrypt data transmissions, according to a policy statement issued by program officials.

The high-performance computing program promotes the use of supercomputing modeling and simulation to analyze weapons systems before the weapons are designed and developed. It encompasses four large centers, called major shared resource centers, and 13 smaller distributed centers. All of the centers offer high-performance computers and software to users who are linked via high-speed networks.

The majority of the users remotely access the high-performance machines, although this access is controlled through a secure wide-area network, according to a consultant who works with the program.

The policy, which is scheduled to be fully implemented by the end of fiscal 1998, has been in the planning stages for the past two years, said the consultant, who requested anonymity. The policy is not a response to any security breaches to date, but it is intended to be a proactive measure, he said.

"There is a well-known continuing issue with people out there who seem to have a recreational desire to get into various machines," he said.

The SecurID cards, which are about the size of a thick credit card, generate a new single-use password each time an authorized user enters one of the controlled computer systems. While static passwords used for many commercial systems generally change only once every few months, the one-time passwords provided by the cards change every 60 seconds, making it almost impossible for an unauthorized user to capture a password, according to a Security Dynamics official.

Weak passwords, in the form of easy-to-guess words such as a pet or spouse's name, are often the easiest method for hackers and other unauthorized users to gain access to a network, said Dave Power, Security Dynamics' senior vice president of marketing and corporate development.

The SecurID mechanism couples a unique password generated by a server and contained on the card with a personal identification known only to the user, thereby creating a double requirement for user authentication, Power said. Each card will cost $45 to $50, but they are designed to last four years without having to be upgraded.
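The two properties described above, a code that changes every 60 seconds and is accepted only once, combined with a PIN, can be sketched as follows. This is an added example, not code from the article or from Security Dynamics: it substitutes the open HMAC construction from RFC 6238 for the card's own algorithm, which the article does not describe, and the names `token_code`, `Verifier`, the user `alice` and the PIN are hypothetical.

```python
import hashlib, hmac, os, struct

STEP = 60  # seconds each code is valid, per the article's 60-second interval

def token_code(seed: bytes, now: float, digits: int = 6) -> str:
    """Code for the time step containing `now` (RFC 6238 construction)."""
    counter = int(now) // STEP
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def _pin_hash(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class Verifier:
    """Hypothetical server side: checks PIN + code, accepts each code once."""

    def __init__(self):
        self._users = {}      # user -> (seed, salt, pin hash)
        self._last_step = {}  # user -> last time step already accepted

    def enroll(self, user: str, seed: bytes, pin: str) -> None:
        salt = os.urandom(16)
        self._users[user] = (seed, salt, _pin_hash(pin, salt))

    def verify(self, user: str, pin: str, code: str, now: float) -> bool:
        if user not in self._users:
            return False
        seed, salt, stored = self._users[user]
        step = int(now) // STEP
        # Evaluate both factors before deciding, with constant-time compares.
        pin_ok = hmac.compare_digest(_pin_hash(pin, salt), stored)
        expected = token_code(seed, now).encode()
        code_ok = hmac.compare_digest(expected, code.encode())
        fresh = step > self._last_step.get(user, -1)
        if pin_ok and code_ok and fresh:
            self._last_step[user] = step  # burn this step: replay is rejected
            return True
        return False

if __name__ == "__main__":
    v, seed, t = Verifier(), os.urandom(20), 1_000_000_020  # constructed values
    v.enroll("alice", seed, "4821")
    code = token_code(seed, t)
    print(v.verify("alice", "4821", code, t))      # first use
    print(v.verify("alice", "4821", code, t + 5))  # same code replayed
```

This sketch accepts only the code for the current time step; a deployed verifier would also have to tolerate clock drift between card and server.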

"It has been our intention to go to SecurID and Kerberos for several years now," said Phil Webster, an HPCMP staff member. "We've always wanted to move away from static passwords so that a user would not have to send a password in the clear over a network. [SecurID is] good for one minute, and once it's been used, it's canceled out."

Kerberos is an independently developed security protocol available for free that will allow user transmissions to be encrypted wherever they are sent over a network.