Tech Success: Military girds for CYBERBATTLE
BAE, Citadel provide armor for <@SM>protecting computer networks
- By Doug Beizer
- Jun 18, 2005
Defending its computer networks has evolved into one of the Defense Department's top priorities. And as computer systems ? and efforts to hack into them ? grow more sophisticated, efforts to defend military networks will grow even more assiduous.
"It is an integral part of warfighting," said Mitchell Rambler, vice president and general manager of military operations for BAE Systems North America Inc. "If you cannot push critical data to the tactical edge, you are already limited in battle management."
BAE of Rockville, Md., is the systems integrator for a Defense Department project to protect its computer networks through vulnerability detection and remediation support. In the first phase of the project, BAE performs scanning and vulnerability detection across the agency's networks. In a second phase, BAE will use Citadel Security Software Inc.'s Hercules Enterprise Vulnerability Management suite in repairing those vulnerabilities.
"The Citadel piece takes that data and manages how you remediate according to specific DOD direction and policy," Rambler said.
The Defense Department chose Hercules for enterprisewide deployment across its networks, Rambler said. The full operating capability of Hercules won't be reached until summer, but so far, the product is operating as it was expected to, he said.
"It was tested competitively against a number of products within a DOD test bed, and chosen because of its scalability, operating ease and the general robustness of its software," Rambler said.
The core function of the software is to automate the process of fixing vulnerabilities to which a computer network might be exposed to, said Jeff Kidwell, the Dallas-based Citadel's director of defense business.
This automation "will allow DOD system administrators to rapidly manage and patch vulnerabilities faster than the bad guys can exploit them," said Defense Information Systems Agency officials in an e-mail interview. "We also expect to see process improvement by automating what is today often a tedious manual effort."
Citadel classifies vulnerabilities into five types: Unsecured accounts, unnecessary services, backdoors, improperly configured systems and software defects. "Hercules offers fixes for all those classes of vulnerabilities," Kidwell said.
For software defects, Hercules automates sending out patches and making sure they are installed. The product also gives administrators flexibility to configure which vulnerabilities to fix, he said.
"You want to give control down to the local level, whether to fix something or not to fix something," he said. "There are certain vulnerabilities on given systems that you have to live with."
It also lets administrators decide when to fix vulnerabilities.
"There are certain mission-critical systems that you can't remediate in the middle of the day," Kidwell said. "You've got to pick a more appropriate time to remediate it. So the local admin has control of the button to say 'Yes, fix it,' or 'No, don't fix it.' "
The configuration and integration of security software is highly complex in distributed Defense Department networks, Rambler said.
Among the challenges of integrating Hercules is checking for false positives and false negatives in network vulnerability reports. Fixes that the software makes must be validated and verified to ensure patches are not only sent out, but installed.
"You can't just push a patch out there and assume it's going to happen," Rambler said. "The management and tracking of these patches, which come out with amazing frequency these days, is a challenge."
A key part of the project is training network administrators how to use the software and understand its capabilities and limitations. BAE's enterprise support center, a sophisticated help desk, can help administrators avoid potential collisions between network management and network security.
Most of the tasks that Hercules automates had been done manually, he said. For example, if an employee leaves an organization, Hercules can automate closing all of the employee's accounts. It also can be configured to prevent a peer-to-peer application, like such as Kazaa file-sharing service, from residing on the network.
Without Hercules, "somebody is sitting down and writing code and manually remediating that vulnerability [Kazaa], versus using a tool like Hercules to automate it," Kidwell said.
If you have an innovative solution that you recently installed in a government agency, contact Staff Writer Doug Beizer at firstname.lastname@example.org.