Army proxy server closes Web back door

As part of a larger effort to scour the Internet for sensitive information, the Army has set up a "proxy server" on which it can host its Web sites for public viewing without opening a back door for hackers.

Lt. Col. John Quigg, branch chief for the network security improvement program under the Army's director for information assurance, likened it to a museum setting up a monitor that would allow visitors to look through a historical document, while the document remains in safekeeping.

Quigg acknowledged that no system is hack-proof but said that so far no site protected by the proxy server has been breached.

John Pescatore, research director for Internet security at Gartner Inc., said the proxy server is basically an "application-level firewall" that has been used for some time in the private sector, especially in the banking and financial industries.

About 67 percent of Web servers are susceptible to "content-changing" hacks, but good application-level firewalls "get that down to less than five percent," Pescatore said.

The protection of its public Web sites is part of a larger effort the Army began in October when it established a Web Risk Assessment Cell of about 30 people to identify sensitive content on the service's public Web sites.

Quigg said the team, which includes a contractor as well as Army personnel, is working through and adding to a candidate list of sites, using keyword searches to locate Army content on non-Army IP addresses, or sensitive data that the service might need to remove or protect.

For example, the History Channel's Web site might be flagged because it contains the words "top secret," but because it was referring to World War II information, no action is necessary, he said.

However, sites with potentially useful information for U.S. enemies, including anything from maps containing data on ammunition dumps to personal information about an Army commander or other top officers, are taken down, cleansed or made secret.

The cell started with Army sites and is in the process of including Reserve and National Guard sites and personnel, Quigg said. The Pentagon began a similar process when former Defense Secretary William Cohen approved the Joint Web Risk Assessment Cell in 1999.

"The fact that the Army is doing this is better late than never," Pescatore said. He added that he remembered issuing Web site security warnings for defense and civilian agencies as far back as 1996, "and we've only seen it get worse."

"This is something everybody with sites on the Internet, and certainly the [Defense Department], should have been doing five years ago," he said.

***

What is a Web Risk Assessment Cell?

The Defense Department opened a Joint Web Risk Assessment Cell in 1999 to monitor DOD Web sites for sensitive data that could compromise military operations or personnel. Last October, the Army established its own Web Risk Assessment Cell, consisting of about 30 people responsible for identifying sensitive content still available on public Web sites.