Building a more secure network infrastructure was one of
the driving forces behind the US Navy's quest to build the
Navy/Marine Corps Intranet (N/MCI). But with only a few months left
before the majority of N/MCI seats are deployed, questions and
concerns about security remain.
During a Navy/Marine Corps intranet industry symposium,
officials from both the Navy and its prime contractor EDS, touted
N/MCI as "the most secure network in the Department of Defense" and
possibly in all of government.
"Today, N/MCI is an industry standard," said Al Edmonds,
president of EDS Government Solutions.
But some users, senior officials and even EDS business partners
raised concerns about the N/MCI program's approach to security.
Some argued that EDS's regional deployment approach fails to
address the Navy's enterprise requirements. Others said the current
security landscape sometimes hampers performance and even prevents
on-site contractor support from communicating with corporate
headquarters.
"N/MCI is the most secure network in DOD? It's kind of hard to
judge that," said Cathy Baber, director of information assurance at
the Naval Network and Space Operations Command, a command formed
last year by the Navy that has security oversight responsibility
for N/MCI. "There are still concerns. There are a lot of things
that weren't thought about."
One such issue is managing the certification process for
connecting N/MCI users to the current Defense Information Systems
Network (DISN), the Pentagon's main telecommunications backbone for
both classified and unclassified data.
Vanessa Hallihan, program manager for information systems
security at the Space and Naval Warfare Command, manages the DISN
connection process. "We haven't yet come to grips with (N/MCI) as
an enterprise process," she said. "The workload is very intense,
and I don't have the resources."
Bart Abbott, director of information assurance programs at
Raytheon, a subcontractor to EDS on the program, said he feels as
if the team has delivered on the Navy's need for a more secure
network but acknowledged there are still wrinkles in the N/MCI
security fabric that need to be ironed out.
He also acknowledged that there are performance issues due to
various security mechanisms, such as e-mail and web content
filtering at the connection points between N/MCI and the Defense
Department's unclassified network, which is known as the Non-secure
Internet Protocol Routing Network. Users also reported full disc
scans taking place during the log-on process.
Rear Admiral Charles Munns, director of N/MCI, said a security
policy board will decide next month if existing content filters
need to be adjusted.
"We've looked at the mobile user in particular," said Abbott,
adding that EDS is trying to "significantly improve" network
performance for remote access. It will take EDS and the Navy
several months to improve remote access and make other network
security adjustments, including updating virus protection package
to include a spam filter.
Several industry representatives also raised concerns about the
inability of commercial contractors to communicate with external
entities, such as their own corporate offices.
"It's a difficult proposition because the corporate environment
is an untrusted environment from the Navy's perspective," said
Abbott.
Leutenant Colonel Ken Buetel, director of the Marine Corps
Information Technology and Network Operations Center, said some of
his supporting suppliers are asking about the same problem, and he
has been forced to tell them that "we really don't trust the
corporate domain".
Dan Verton
writes for Computerworld