Linux in the Department of Defense

From: Tony <vze2jy85@yahoo.com>
Date: Sat Jan 27 2007 - 07:20:45 AKST

Hi Folks:

Linux as used in the Department of Defense. However,
some of its implications are applicable to other
organizations as well.

Tony

**
A Network Appliance Platform for Linux Applications at
the US Department of Defense
U.S. military requirements for network devices are
growing more and more demanding, making a flexible
Linux-based platform the foundation of choice.

By Bill Kalogeros, Director, Federal Sales, Bivio
Networks, LinuxWorld.com, 01/22/07

Emerging trends in software applications used by the
Department of Defense and civilian federal agencies
such as the Department of Homeland Security — most
notably the need to accurately manage, secure and
control network traffic at wire speeds — present these
agencies with new network infrastructure development,
deployment and integration challenges. These trends,
particularly when executed down to the “packet level”,
are driving the need for a new class of network
infrastructure device — network appliance platforms
with new features and capabilities that can support
policy-centric applications.

Some of the most innovative network security, traffic
analysis and management, VoIP, and mobility
applications are Linux-based and available to the
federal government as open-source, packet-handling
software solutions. Open source, Government
Off-the-Shelf (GOTS) and Commercial Off-the-Shelf
(COTS) applications require a policy-centric network
infrastructure that can execute deep packet inspection
and processing at multi-gigabit speeds on a single
platform. Thus, network infrastructure devices
deployed by the government must have the ability to
securely share the same data stream at wire speed
either in an inline or passive manner — or both — with
a mix of open source and GOTS/COTS applications.

Department of Defense’s Net-Centricity Initiative
As the Department of Defense continues to evolve its
use of Linux-based open source technologies, the
ability of the network platform to secure the network
and manage all associated risks will be of critical
importance. Modern warfare places very particular
requirements on network communications infrastructure.
Correlating data and information from multiple sources
to gain a common operational picture of the
battlefield is often a difficult task.

The Department of Defense will use next-generation
infrastructure devices to resolve this problem with
network-centricity, in turn easing the flow of
information among sensors, computational nodes and
even different communication grids. When this
information is consolidated and fused in real-time,
the result will be a shorter sensor-to-war fighter gap
and much faster deployment of key assets — space
satellites, naval battle groups, unmanned aerial
vehicles, attack aircraft, ground vehicles, and
special forces personnel — by all branches of the
armed services to ensure the protection and
situational awareness of the war fighter. Clearly,
network-centricity requires the use of network
appliance platforms that can securely move extremely
large amounts of data at wire speed.

The Defense Information Systems Agency (DISA) is
transforming itself to better support
network-centricity. One of its more widely known
initiatives is the Global Information Grid-Bandwidth
Expansion (GIG-BE) program, which will vastly improve
the current network infrastructure and allow the
Department of Defense to better control the data flows
and access points to the Internet. With the
implementation of GIG-BE, government agencies are
transitioning from independent networks to an
interconnected infrastructure requiring unprecedented
multi-gigabit, highly secure communications across
multiple organizations and agencies.

Other significant initiatives, specifically in the
area of information assurance, will contribute to a
secure network-centric environment. Information
assurance applications such as code identification and
lawful intercept require high-speed solutions and
increase the bandwidth requirements of the Department
of Defense.

As network-centricity evolves, access to the network
and the information it supports will become more
ubiquitous than ever. This increase in network usage
poses several challenges:

• The inherent security threat posed by a larger user
population.

• A greater appetite for mission-critical information
driving increased access requests, expanding bandwidth
demands and rapid information processing requirements.

• The need to accurately understand how bandwidth is
being used and who is using it.

• The need to reprogram in real-time network
information assurance sensors for different
information assurance missions.

Civilian agencies face similar issues

The issues that civilian federal agencies such as the
Department of Homeland Security address from an
information assurance perspective are very similar to
those that Department of Defense organizations handle
on a daily basis. Both are required to protect their
networks, and must acquire and analyze information in
as close to real-time as possible (situational
awareness) so they can identify, assess and mitigate
any security threat targeted to the network(s).

In some ways, the Department of Homeland Security has
a more difficult time addressing information assurance
than does the Department of Defense. For example, the
Department of Homeland Security does not have the
benefit of the GIG infrastructure, yet it has to
control and secure many access points to the Web.
Organizationally, it is challenging for the Department
of Homeland Security to manage the different
organizations it works with, having to fuse 22
separate civilian agencies into Department of Homeland
Security's four major directorates. Many federal
agencies and sub-agencies consolidated under the
Department of Homeland Security have their own access
to the Web through their own networks or through the
consolidation process of several disparate networks
(both legacy and IP). This network consolidation may
inadvertently create additional security holes from an
information assurance standpoint.

New network application requirements call for a new
network appliance platform
The fastest growing policy-centric network
applications are in the areas of information
assurance, security, VoIP, multimedia, wireless and
IPv6. These emerging software-based packet-handling
applications demand new requirements from the network
platforms used to implement them — requirements that
traditional hardware is unable to meet. Chief among
these new challenges is the demand to securely handle
deep-packet inspection and processing at wire speed,
high network bandwidth and application agility in a
single platform.

Existing hardware has traditionally focused on
sub-gigabit bandwidth point products and at best would
scale in a single dimension. For example, network
technology has focused on bandwidth scaling, while
server technology has focused on computational
scaling. The result is an increasing gap between the
network and computational demands of packet handling
applications and the ability of existing platforms to
satisfy them. As 1GE and 10GE become the new
connectivity standards, this gap will only increase.
What the Department of Defense, the Department of
Homeland Security, and other intelligence and civilian
agencies need is a platform that is architected to
reconcile the seemingly mutually exclusive network
requirements of performance and flexibility.

Finally, “programmability” is now a necessity in
today’s network environment. Linux-based programmable
networks can be used to rapidly and dynamically
create, deploy, and manage new services and
applications. In addition, multiple security
applications must be able to co-exist on the same
programmable platform and share data streams.
Traditional hardware solutions, including ASIC-based
platforms, limit such rapid application, development,
integration and device programmability. A new network
appliance platform is required!

Putting it all together: New platform requirements
Looking at all the trends — and all the requirements —
the picture of a new network appliance platform
emerges. The platform must be able to provide
multi-application support, share common information
across agencies, have multi-dimensional
application-scaling capabilities, perform deep packet
inspection and processing, offer increased network
bandwidth, provide application agility, and survive
network attacks. And the platform should meet all of
these requirements within the framework of a 100%
secure network environment.

Federal departments and agencies require platforms
with certain key capabilities:

1. A single operational platform that allows for
maximum flexibility in matching the needs of the
overall information assurance/computer network defense
mission, even as the specific mission goals change.

2. The ability to share the same data stream in an
inline or passive (or both) manner with multiple IO/IA
applications, which can be a mix of open source, COTS
and GOTS.

3. The ability to more efficiently leverage multiple
sensors through a single data stream, which provides
greater informational awareness and greatly
contributes to the information security capabilities
and information superiority goals of the Department of
Defense while reducing overall operational costs.

4. The ability to securely operate both GOTS and COTS
applications on the same operational platform, without
memory or resource contentions, increasing overall
productivity.

5. The ability to automatically and dynamically
reconfigure network assets, as new requirements or
threats arise in real time.

In addition, to save power and rack space at each
location, the platform should be energy-efficient and
compact.

In summary, government agencies and the associated
networks they manage (GIG, information assurance) can
greatly benefit from high-performance, programmable
network appliance platforms that combine a scalable
hardware architecture with a standard Linux execution
environment and a comprehensive set of network
features. By deploying open source, GOTS and COTS
applications on these network appliance platforms,
agencies can achieve dramatic increases in performance
at a reduced cost. In addition, such platforms can
perform deep packet processing at multi-gigabit
speeds. Industry-leading network appliance platforms
employ innovative scaling and clustering technology
that can deliver multi-dimensional scaling of
networking, computational and application resources,
allowing agencies to securely share and distribute a
common data stream across multiple applications and/or
to multiple agencies.

Kalogeros, federal director for Bivio Networks, has
more than 20 years of networking, information security
and telecommunications experience. He has held
management positions for vendors serving the federal
market sector and his expertise in the federal market
has allowed him to brief members of the United States
Senate, DISA, Canada's Department of National Defense,
and the Transportation Security Administration on
homeland security and defense-in-depth strategies.
Received on Sat Jan 27 13:16:22 2007
