Guarding the Coast Guard’s computers

The U.S. market for information security products and services is projected to increase by 19 percent per year between now and 2008. Electrical contractors who play their cards right are in a position to get a big chunk of the $20 billion that will be spent annually over the next four years. According to research by The Freedonia Group, a Cleveland-based industrial market research firm, the fastest growth is expected in the services area.

These fast-growth sectors will be areas typically not viewed as big security buyers—segments such as distribution and the consumer sector. However, the traditional bedrock information security markets—including government and military—will remain, by far, the largest users through the latter part of the present decade and beyond, the researchers say.

Even before 9/11, government agencies were antsy about security. Now, they are downright paranoid. Any electrical contractor working on a government installation (or for any other client) who does not suggest a security scheme is doing a disservice both to the client and the firm’s own bottom line.

Computer networks require protection against both physical attacks and cyber attacks. Systems must be protected against viruses and hacks, but they also must be protected against physical invasion (ranging from unauthorized access to a machine to outright theft).

At the U.S. Coast Guard’s Headquarters Flag Suite in Washington, D.C., authorities are using an innovative approach to protect their computing power. They simply remove all of the actual CPUs from the work area and stack them in a remote, secure location.

Not only does this free up workspace in the command area, but it also allows the information security (IS) people to keep better control over the computers.

“We had to meet some strict security requirements,” said Lieutenant Commander Kip Whiteman. They run the Department of Defense (DoD)-standard secret IP router network (SIPRNET) along with other traffic, so security is a must.

Whiteman is chief of the information services division for the Coast Guard’s Headquarters Support Command out of Washington. He manages 19 sites in the D.C. area. “We have the largest concentration of VIPs here at headquarters,” he said. They needed a secure, convenient, unobtrusive solution for their computing, he added.

However, the impetus for the project was more basic: they simply were running out of space. “We used to have towers in the command center. We wanted a lower footprint so we went to blade servers,” Whiteman said. “We just ran out of space with all the tower CPUs,” he continued. Hurricane Isabel came through the area and flooded the electrical and communications room. It was time to make a move.

There is no question about security here. The VIP premises are protected with intrusion detection systems and small arms.

The Coast Guard’s solution was to run armored fiber cable to the flag officers’ suite and put all of the computing power on blade servers at a remote location.

Cabling was done by their building contractors. These companies specialize in electronics and security. The workers are members of the International Brotherhood of Electrical Workers (IBEW) and work for local commercial electricians.

The system they installed is called the Digital Desktop from Avocent, Huntsville, Ala. It uses trademarked Digital Extension Technology to relocate the physical PC chassis from the user’s desk to a central area. It allows information technology (IT) personnel to extend a PC system bus up to 100 meters over a single Category 5 cable. Cubix servers form the backbone of the system.

The system configuration and installation were done by Cubix, which charges for the service, including the hook-up to the cable that was installed and the final software setup and test. Avocent had an engineer on site as a courtesy to the Coast Guard.

“We do not offer such a service since our equipment does not require any more skills than would be required to install an internal modem,” said Tom Bourke, sales manager/government for Avocent. “In other words, an end-user can install it.”

Moving the computing power to a single area also keeps both the heat and the noise from the units out of the work area. “Cooling and noise were an issue for us,” Whiteman noted.

In an industrial or academic setting, this system has the added value of doing away with any jealousy over someone else’s having a larger, newer or faster computer. The IT staff can assign big computing power to workers who need big power and smaller processors to users who are mainly involved in word processing or other low-memory jobs. None of the users really knows what kind of machine is locked away in the communications closet. All the user sees is a mouse, keyboard and monitor.

This means users see the same front-end, even as generations of computing power are upgraded from one version to the next.

Blade computers, by nature, are rack-mounted devices. Traditionally, blade computers have been used solely for servers since it is not practical to put a rack into an office cubicle. The Digital Desktop technology allows blades to be deployed as desktop systems.

There is also built-in disaster recovery. Since the entire bank of computing power is in one place, the IT staff can provide fail-over or back-up units in a central spot. When a computer crashes, the IT staff does not have to catch an elevator or hike across a campus to make a replacement. Nor does the worker have to spend an unproductive hour or two while a new unit is hooked up. The computer cabinet, typically right in the IT area, can be accessed quickly. The user’s broken unit is taken offline and the user is switched to a working computer. The broken PC then can be fixed at IT’s leisure.

The Coast Guard now has a secure resource room where VIPs can work. However, with the actual computer power being outside the area, the techs and contractors working on the system, upgrading units or correcting failures, do not have to be underfoot while admirals discuss classified work.

Contractors may also discover that it isn’t physical security that worries a customer, but security against cyber attacks (worms, viruses) or other on-network invaders. Or, a customer will complain that a network is not giving the kind of throughput that the electrical contractor or designer promised at installation.

Often that is due to malicious traffic running in the background, said Marc Willebeek-LeMair, chief technical officer for TippingPoint Technologies Inc., Austin, Texas. The firm offers high-speed intrusion prevention. Its UnityOne Intrusion Prevention Systems provide network-level protection to block invaders like the infamous Novarg or MyDoom viruses that propagate via e-mail and peer-to-peer (P2P) networks.

“Every time a new vulnerability is disclosed in a Microsoft or Linux network, you have to scramble to patch it,” Willebeek-LeMair said. “Even if a 1,000-PC office gets 95 percent of the computers right at the start, that leaves 50 units ready to broadcast the problem back to the other machines the moment the user comes back from vacation or logs on days later.”

“It only takes a few infected machines on a 100 MB/s link to flood the network,” Willebeek-LeMair continued. TippingPoint’s peer-to-peer security filters enable UnityOne to block attacks coming through P2P traffic as well as block or rate limit illegal P2P traffic for bandwidth optimization.

Whiteman also noted that the need to communicate on a secure network has grown since 9/11. In addition to Homeland Security activities, Coast Guard VIPs have more need to participate in classified communications and surf classified sites.

No electrical contractor should leave any job without at least inquiring about the physical and logical security of the new network. Failure to do so not only leaves the customer vulnerable but will also cost the contractor the opportunity to bring value-added security products into the mix.