Finding the balance between network access and security
StoryOctober 15, 2008
Bob Fortna
Juniper Networks
Security and collaboration are delivered by network access management technology, and support of the DoD's vision for military transformation and net-centricity.
As the need for increased security grows within U.S. Department of Defense (DoD) communications networks, defense IT network managers face growing pressure to provide solutions that enable the right people to access the right information at the right time.
Secure network access is essential to modern military operations. The past decade has brought numerous technological advancements and a plethora of new handheld mobile computing devices that allow DoD personnel and contractors remote access to resources. This exploding "edge" of defense networks presents a whole new world of challenges when combined with increasingly sophisticated and coordinated security threats and wide ranges of security clearances of warfighters, defense personnel, and various partners.
How can defense IT managers field networks that protect sensitive data while ensuring the right people can access it quickly, securely, reliably, and remotely?
Greater access, greater threats
Technology that enables warfighters to communicate from virtually anywhere in the world has significantly improved battlespace operations and management, and opened doors for greater collaboration throughout the defense logistics and outsourcing chains. However, such expanded networks often weaken the traditional model of trusted internal users surrounded by physical network security.
Today's defense networks must support a dynamic and diverse user community, including warfighters, suppliers, partners, and remote workers who work from their office desktops, home laptops, or mobile devices in all manner of field conditions. Defense IT teams must therefore ensure the physical and informational security of an interconnected global network.
These security demands are exacerbated by an increasingly mixed workforce with varying clearances requiring access to unified networks, using increasingly sophisticated mobile devices. Network security is further threatened by the growing number and volume of mission-critical and collaborative applications. The adoption of new business applications, the "Webification" of existing applications, and increasing demands for converged networks transporting voice, data, and high-volume video and geospatial images are fueling the demand for higher-bandwidth defense networks.
Military personnel who share the same networks (and, in many cases, terminals) to access vital information face these challenges throughout their workday. As in the Defense Department's Global Information Grid (Figure 1) or other networks, defense personnel of various ranks and security levels must access a safe, global DoD network, regardless of where they are located, for a number of mission-critical applications. It is at this intersection of collaboration and security where network-wide visibility and control are necessary to manage changing risks.
Figure 1
(Click graphic to zoom by 2.3x)
|
|
Example: CAC authentication
An example that illustrates the above critical elements in a wireless communications environment is provided in the area of Common Access Card (CAC) authentication. CAC authentication is required to access defense networks, with strong data encryption required for wireless access (i.e., conforming to NIST FIPS 140-2 standards).
Sidebar 1
(Click graphic to zoom)
|
|
The Juniper Networks Odyssey Access Client (OAC) supports FIPS 140-2 encryption and CAC authentication for wireless devices. Juniper Networks OAC FIPS Edition helps to secure user authentication and network connectivity, ensuring users connect to the appropriate wireless network in an appropriate manner, that user or device credentials are not compromised, and that data transmitted is secure and private. The latest versions of OAC FE also work seamlessly with Juniper Networks Unified Access Control (UAC) to enforce endpoint security policies such as the state of the user's personal firewall, anti-virus software, and operating system patches. The security health of the endpoint device is routinely and dynamically monitored by OAC, serving as the UAC Agent, which forwards these findings to a downstream policy server at the heart of UAC. The policy server then determines the level of access granted to the wireless endpoint. For instance, unhealthy endpoints can be dynamically placed onto a quarantine network or simply denied access.
Such innovative approaches to Adaptive Threat Management are demonstrating their ability to secure wireless networks serving defense users and their partners. Such solutions will help meet increasing demands for secure, high-bandwidth collaboration networks for a variety of defense applications, from logistics and supply management to battlefield operations.
Redefining the secured perimeter
Defense IT and network managers need to create a responsive and trusted environment for delivering intelligence in support of military operations. Remote, wireless access to high performance networks where security is paramount and collaboration is among trusted partners is now a hard requirement of defense systems. A comprehensive access management strategy, integrated with rigorous network security solutions, can enable responsive and trusted network environments to better serve and protect the warfighter and logistical partners.
These balanced approaches between access and security will enable significant improvements in trusted collaboration throughout defense networking systems - and between defense users and those in other federal agencies and international organizations.
Bob Fortna is vice president of the defense sector for Juniper Networks. Bob is an active participant in the Armed Forces Communications and Electronics Association (AFCEA) and currently serves on the AFCEA Executive Committee and board of directors. He can be contacted at bfortna@juniper.net.
Juniper Networks
571-203-1723
www.juniper.net
Editor's Note: As of 10/22/08, changes were made to this article to correct errors included by the author in the original material. - Chris Ciufo
