
Air Force takes evasive action against hackers

110 bases to get network control centers, firewall "barrier reef"



The U.S. Air Force is overhauling the networks at 110 air bases in order to combat hackers intent on breaking into national defense systems.

The effort, spearheaded by the Information Warfare Center at Kelly Air Force Base, will mean installing a network control center at each base to monitor LANs and desktops to ensure service levels and take back control of sprawling LANs. In addition, the Air Force will cut off the multiple Internet-access points that exist at some bases in order to centralize access through firewall gateways.

Langley Air Force Base is the first air base to get the network overhaul, according to Information Warfare Center technical director Larry Merritt. He said the changes are long overdue: because of unchecked LAN growth, forgotten modem pools and decentralized Internet access, systems administrators are not even sure what their networks look like.

"We figure about 70% of Air Force unclassified [computer] systems are connected to the Internet," Merritt said. "But we do not have a good capability to map what our networks look like--and without it, you're just flailing around."

Many large Air Force bases operate their own vast telecommunications systems, complete with central switches, for populations the size of small cities. "We need to be able to continuously monitor our systems, like AT&T or MCI," Merritt said. "You need to be able to do a real-time risk assessment, and display it so it makes sense to the managers."

To that end, the Air Force Network Control Center plan calls for installing network management systems, such as Hewlett-Packard Co.'s HP OpenView, at each base. Another project, called "Barrier Reef," will put firewall gateways for authentication and encryption at each base, too. Some bases lack tough firewall security.

"We're going to test the strength of the network, even using some of the hacker tools like CRACK," said Merritt, alluding to the well-known password-breaking code that hackers have posted on the Internet.

It's unclear how long it will take or how much it will cost to complete this round of security upgrades.

The Air Force has led the way in another security area called intrusion detection, the effort to detect whether suspicious activity is occurring within the intranet. The Air Force has already installed its own homemade intrusion-detection system at various network points to report back on suspicious activity.

But out of 100 million suspicious events reported to take place internally on the network, only about 70 will be actual intrusions, Merritt said.

The Air Force would like to install a series of efficient network sensors to collect and report suspicious activities on a distributed basis, but there is little equipment on the market today with that kind of sophistication.

"The bad news is that the intrusion-detection equipment you have out there is not good enough," Merritt said. "Hackers just seem to be getting more technical and more sophisticated."

Help may be on the way. One vendor, Network General, Inc., plans to release a distributed security-sensor system called CyberCop by year-end. CyberCop uses sensor-detection technology from The Wheelgroup, whose founders came from the Air Force.

And the Defense Advanced Research Projects Agency (DARPA) is funding research in this area, too, as a start toward building a national cyberdefense system.

"At the national level, we're looking at a framework of detectors which would be all over the place, reporting to central detectors, and then to national reporting centers," said Terese Lund, DARPA program manager. In theory, sensors placed on military and commercial networks might one day guard cyberspace like a satellite-monitoring system in outer space.

One DARPA-funded project is EMERALD, which stands for the Star Trek-sounding "Event Monitoring Enabling Responses to Anomalous Live Disturbances."

According to the researchers at SRI International, Inc. who are developing EMERALD, it is software that analyzes a large stream of data, covering everything from IP packets to individual application services, to determine whether someone is trying to attack.

"The monitors can be deployed to local services, from IP traffic to application-level messages," said Phillip Porras, an SRI International computer science laboratory researcher.

Importantly, EMERALD is being designed with open APIs so that network-intrusion detection equipment might be interoperable. That way, users would not be locked into buying one vendor's sensor products.
