DIS Infrastructure Direction Memo #13, WRD Information Technology Security Infrastructure (Firewall Implementation)

In Reply Refer To:
Mail Stop 445

                         MEMORANDUM

                                                       August 1, 2000

TO:       All Water Resources Division Employees

FROM:     Thomas C. Wood 
          Acting Chief, Distributed Information System Program Office

SUBJECT:  DIS Infrastructure Direction Memo #13, WRD Information 
Technology Security Infrastructure (Firewall Implementation)

The purpose of this memorandum is to inform you of the Water Resources 
Division (WRD) plan to significantly improve WRD's Information Technology 
(IT) security infrastructure through the use of firewall technology.


ISSUE
---------
The Water Resources Division (WRD) and the U.S. Geological Survey (USGS) 
have experienced numerous incidents where computing resources were denied 
to employees, cooperators and customers because of our lack of adequate 
security controls.  One WRD site lost over 100 hours of productivity due 
to downtime over a period of one year.  Other sites have encountered 
instances of computer systems being taken over by "crackers" and in-turn 
being utilized to attempt penetration of other computer systems.

WRD computer security controls are implemented today on individual 
computers by utilizing, among other things, host-based "security wrappers" 
that allow or disallow a connection to a computer service based on the 
source address.  Many exploits are not stopped by the security wrappers, 
and some leave the affected computer in a state that requires a reboot to 
restore normal operations.


SOLUTION
-------------

Mike McNally of the DIS Program Office has been named the WRD Computer
Security Manager.  Other members of the WRD Security Team are:

    David Boldt, DIS Program Office
    Tim Brown, Illinois
    Mike Cunningham, West Virginia
    Richard Hollway, Oregon
    Gail Kalen, Florida
    James Morris, Kansas
    Shawn Noble, Iowa
    Bob Wakelee, DIS Program Office
    Dan Winkless, New Mexico

 As leader of the WRD Security Team, Mike McNally presented a plan to the 
WRD Computer Policy Advisory Committee (CPAC) at its May meeting for 
testing and implementing firewall technology on network routers at 
strategic locations throughout the Division.  The CPAC endorsed the plan 
and it is summarized in this memorandum.  In addition, the USGS IT 
Security Manager is strongly recommending that firewalls be implemented as 
soon as possible to minimize certain risks associated with Internet 
connectivity.  Firewalls control access to services offered to computers 
outside the Local Area Network (LAN) in order to minimize those risks. 

By incorporating firewall technology into the WRD computer security 
infrastructure we can provide the following types of protection to our 
internal network:

-  Hide vulnerable systems from the Internet
-  Block unauthorized incoming traffic
-  Provide an audit and alarm system for intrusion detection by logging 
   traffic to and from the internal network
-  Hide information such as system names, network topology, network device 
   types, and user IDs from the Internet
-  Reduce our susceptibility to "denial of service" attacks, system 
   penetration and attack reconnaissance

What is a firewall?

A firewall can be thought of as a filter, or access control mechanism, 
that acts as a barrier between two or more segments of a network or 
overall IT architecture.  The firewall can examine the traffic in the 
following ways to decide what traffic to permit, deny and/or log:

-  If the traffic pattern matches a known database of attack signatures, 
   that traffic may be dropped, depending on how the firewall is 
   configured.

-  If the traffic is part of an application session that the firewall 
   understands, for instance FTP, it may be denied if the application is 
   being used in suspect ways.

-  Traffic is filtered according to the source IP address/port and 
   destination IP address/port.  Replies to traffic that left the network 
   are normally allowed back in by default, because the firewall keeps 
   track of the sessions opened from inside.
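The filtering described in these three points, as an added example that is not part of the memo and is not the Cisco IOS Firewall Feature Set or any WRD configuration: a small Python model of a stateful packet filter. It applies an ordered permit/deny rule set keyed on source/destination address and port, remembers sessions opened from the LAN so that their replies are let back in, and records every denied packet in an audit log. The addresses, rule set and packets are constructed for the example (192.0.2.0/24 stands in for a District LAN, 198.51.100.0/24 for the Internet).

```python
"""Toy stateful packet filter: ordered rules on address/port, a session
table so replies to outbound traffic are allowed back in, and an audit
log of denied packets.  Added example; not the Cisco IOS Firewall Feature
Set or any WRD configuration.  All addresses are constructed:
192.0.2.0/24 stands in for a District LAN, 198.51.100.0/24 for the Internet."""

import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class Rule:
    action: str                    # "permit" or "deny"
    src: str = "any"               # address or CIDR, or "any"
    dst: str = "any"
    dport: Optional[int] = None    # None matches any destination port
    proto: str = "any"
    log: bool = False              # log matches even when permitted

    def matches(self, p: Packet) -> bool:
        def in_net(spec: str, addr: str) -> bool:
            return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

        return (in_net(self.src, p.src) and in_net(self.dst, p.dst)
                and (self.dport is None or self.dport == p.dport)
                and (self.proto == "any" or self.proto == p.proto))


@dataclass
class Firewall:
    rules: List[Rule]
    # sessions opened from inside: (inside ip, inside port, outside ip, outside port, proto)
    sessions: Set[tuple] = field(default_factory=set)
    audit: List[str] = field(default_factory=list)

    def outbound(self, p: Packet) -> str:
        """Packet leaving the LAN: permitted, and its 5-tuple remembered so
        that the reply is recognised when it comes back."""
        self.sessions.add((p.src, p.sport, p.dst, p.dport, p.proto))
        return "permit"

    def inbound(self, p: Packet) -> str:
        """Packet arriving from the Internet, headed for the LAN."""
        # Reply to a session the LAN opened: allowed without consulting rules.
        if (p.dst, p.dport, p.src, p.sport, p.proto) in self.sessions:
            return "permit"
        # First matching rule wins; nothing matched means deny.
        for r in self.rules:
            if r.matches(p):
                if r.log or r.action == "deny":
                    self.audit.append(f"{r.action} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
                return r.action
        self.audit.append(f"deny(implicit) {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
        return "deny"


def demo() -> dict:
    """Run a constructed set of packets through a small rule set and
    return the decisions keyed by a short label."""
    fw = Firewall(rules=[
        Rule("permit", dst="192.0.2.10", dport=80, proto="tcp"),          # public web server
        Rule("permit", src="198.51.100.5", dst="192.0.2.20", dport=22,
             proto="tcp", log=True),                                      # one cooperator's ssh, logged
        Rule("deny", dport=23, proto="tcp", log=True),                   # telnet from anywhere
    ])
    decisions = {
        "web": fw.inbound(Packet("198.51.100.77", 51000, "192.0.2.10", 80)),
        "ssh_cooperator": fw.inbound(Packet("198.51.100.5", 51001, "192.0.2.20", 22)),
        "ssh_stranger": fw.inbound(Packet("198.51.100.9", 51002, "192.0.2.20", 22)),
        "telnet": fw.inbound(Packet("198.51.100.9", 51003, "192.0.2.30", 23)),
    }
    # An employee browses out; the reply comes back and is allowed by state.
    decisions["browse_out"] = fw.outbound(Packet("192.0.2.30", 40000, "198.51.100.80", 80))
    decisions["browse_reply"] = fw.inbound(Packet("198.51.100.80", 80, "192.0.2.30", 40000))
    # Same source port 80, but no matching session: a stateless rule that
    # simply permits anything from source port 80 would have let this in.
    decisions["fake_reply"] = fw.inbound(Packet("198.51.100.80", 80, "192.0.2.31", 40000))
    decisions["audit"] = list(fw.audit)
    return decisions


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

Running the file prints each decision and the audit log: the web and cooperator ssh packets are permitted, the stranger's ssh and the telnet probe are denied and logged, the reply to the employee's outbound browsing is permitted because its session is known, and the "fake reply" from source port 80 to a host that never opened a session is denied. The audit list is what the memo's "audit and alarm" bullet refers to: it is the material a Systems Administrator would review to see scans and attack attempts.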


Firewall limitations

The proposed firewall solution has the following limitations with regard 
to security.  It does not protect against:

-  Communication between computers on the LAN, which is not filtered at 
   all, since that traffic never crosses the firewall.

-  Viruses and similar malicious code such as Melissa or I-LOVE-YOU, 
   which travel inside permitted traffic such as e-mail and are not 
   filtered.

-  Accidental or deliberate disclosure of information by authorized users.

-  Illicit use or modification of data by authorized users.

-  Unauthorized access to systems or information by anyone who is already 
   inside the firewall.

-  Threats to the integrity of information that arise before data reaches 
   the firewall or after it leaves the LAN.


TEST CHOICES
-------------------

Router Based Solution -- low cost, very effective. 
The Wide Area Network Support Team will place a special version of the 
router operating system, called the Cisco IOS Firewall Feature Set, on the 
router.  The firewall support team will then work with the test sites to 
develop rule sets that match each site's "acceptable level of risk".  The 
rules will be applied on the router and logs of its activity will be sent 
to a computer designated by the site, so that the Systems Administrator 
can review what the router is permitting and denying.  Members of the 
support team will make all modifications to the firewall controls; this 
is important because an invalid router configuration affects everyone on 
the network.  Provisions will be made for off-hours support.

Stand-Alone dedicated firewall from Watchguard -- medium cost, very 
effective. 
Includes web site blocking, fully encrypted administration, VPN 
termination (allowing a remote user a fully encrypted connection to the 
firewall and the LAN behind it) and also gives the Systems Administrator 
the ability to manage their own firewall controls.


What We Already Know

The WRD Indiana District has used its router, running a specialized 
version of the operating system called the Cisco IOS Firewall Feature Set, 
to perform the firewall function since December 1999 without any 
detectable reduction in network throughput and with only minor 
disruptions to services while the rule sets were being developed.  
Vulnerability testing has shown a significant improvement in security 
without any modification to the hosts themselves.  Several test Districts 
within the Northeast Region that had suffered many disruptions to service 
due to attacks have had limited traffic filtering implemented on their 
routers.  The result is a significant decrease in computer downtime due 
to scans or attacks.



The Test/Goal

The next step is to thoroughly test firewall technology at several WRD 
sites and then to make an assessment of its effectiveness.  It will also 
be necessary to assess the amount of resources needed to implement 
firewall technology nationally and to support the technology on an 
on-going basis once it is implemented.  During the testing phase, results 
will be shared with the USGS IT Security Team as well as WRD System 
Administrators.  Since there are many possible firewall solutions, it 
behooves WRD to coordinate with the bureau in selecting the most 
cost-effective approach.  Our work could serve as the prototype for other 
bureau facilities.


WRD Test Sites

The following sites are already running firewalls:
-  Illinois, New Jersey, Indiana, West Virginia

The following sites will have firewalls installed within the next two 
months:
-  Iowa, Kansas, Maryland, New Mexico, New York, North Carolina, Oregon 
   and Washington


An update on the progress of the project will be supplied by October 2000.

Please submit comments and concerns to GS-W Security, or contact Mike 
McNally at 703-648-5612.