Navy tests plug-in security

The Navy recently demonstrated how a new breed of firewall technology could be used to shore up computer security aboard ships.

By deploying firewall technology embedded on PC network cards, participants in the warfighting exercise enforced security policies across disparate servers located on ships in the Seventh Fleet, based out of Yokosuka, Japan.

Fleet Battle Experiment Kilo (FBE-K), which ran from April 14 through May 5, was the 11th in a series of those experiments and was conducted concurrently with Exercise Tandem Thrust 2003, a U.S. Pacific Command-sponsored exercise focusing on deliberate and crisis action planning and execution in a joint task force environment.

Executed by the Navy Warfare Development Command, the experiments are intended to test and evaluate specific initiatives and their roles in potential future combat scenarios.

Led by the Seventh Fleet, FBE-K was designed to develop and refine processes supporting joint command and control from the sea for future joint operations.

"There were a series of areas of evaluation [in the experiment], including information operations and defensive information operations," said Navy Cmdr. Jeff White, an information warfare officer with the Navy Warfare Development Command. "Computer network defense and the information assurance piece of that play a significant role within the Navy because you need both for a battle force commander to fight effectively."

So White's organization, supported by a team of Navy and commercial organizations, deployed the Defense Advanced Research Projects Agency's embedded firewall, which is based on technology co-developed by 3Com Corp. and Secure Computing Corp. Using firewall technology embedded into 3Com's Network Interface Cards, information technology security staff can prevent unauthorized access to network servers, desktop PCs and notebooks from inside and outside a network.

From a policy server, IT staff can centrally manage systems equipped with 3Com PCI cards individually or in groups, setting policies to control network access, prevent intrusions and detect attacks. The PCI card technology played a vital role in securing systems in the fleet through a wireless, satellite-based connection.

"We fully supported and fielded the technology to provide a level of defense from the endpoint client," said Doreen Ryder, a BBN Technologies employee who represented the DARPA team during FBE-K. "We protect the network from anything that a common adversary might run against a machine. Embedded firewalls protect against attacks on an endpoint [Microsoft Corp. Windows server] rather than at the routers or switches or other hardware levels."

Ryder said the team was able to remotely enforce policies from USS Blue Ridge — the command ship of the fleet — to USS Vincennes, located about 1,500 nautical miles away. The point, she said, was to prove the concept of remotely controlling the server from one ship to another via a satellite connection and using legacy machines.

An earlier version of the technology was first used in FBE-India in 2001 and expanded in 2002's experiment, Juliet. During Juliet, seven network cards were deployed, one at the policy server level and six to the clients. During FBE-K, "we used 150 cards because we had to determine how it would scale," White said. "It can theoretically go up to 3,000 client/server hosts."

***

Embedding firewalls

The recent conflict in Iraq made "embedded reporters" a household phrase. A less well-known concept that will play a vital role in future conflicts is the embedded firewall, which involves integrating security functions such as access control onto hardware devices.

In the case of the Defense Advanced Research Projects Agency's embedded firewall used in the Navy's most recent Fleet Battle Experiment, that meant installing policy servers on the fleet command ship that could centrally manage Microsoft Corp. Windows-based servers equipped with 3Com Corp. Network Interface Cards with built-in firewall functions.

Information technology staff could then set policies to control network access, prevent intrusions on networked servers and remote client machines, and automate filtering to block cyberattacks.