Case Study: JSP Firewall Team at The Pentagon


In an era of increasingly coordinated, undetectable, and downright catastrophic cyber-attacks, NTG emerges with invaluable experience improving the defenses of the most targeted institutions in the nation. Now, some of you might be asking, “what does this have to do with the private sector? Government agencies entangled in bureaucracy are hardly at the forefront of technological innovation.”

While this may be true – corporations can typically implement the “latest and greatest” without much waiting for administrative approval and red-tape cutting – consider the challenge of coordinating cyber security programs between dozens of agencies and thousands of end users. A principled approach and a well-planned security strategy surpass the advent of the newest software and hardware.

DISA Joint Service Provider Sub to GDIT & Leidos

As part of an ongoing effort to bolster the Department of Defense’s (DOD) cybersecurity stance, NTG was selected as a subcontractor to GDIT and later, Leidos, to assess and improve over three million lines of firewall configuration code (essentially the rules that control the information that is allowed to enter or leave the Pentagon’s extensive internal systems). Enter Phil Kish, a seasoned network engineer and cybersecurity wizard with over three decades of expertise protecting the nation’s most sensitive secrets.

Phil and his team successfully reduced those three million lines of code to one million, maintaining the renowned perimeter security at the Pentagon while making add/change/move processes easier, reducing false positives and false negatives, and producing a more efficient system overall.

NTG’s firewall team at the Pentagon is responsible for carrying out numerous add, change, and move requests and for troubleshooting network access issues after changes have been made. They handle requests for more than eighty firewalls (both physical and virtual), which together make up the perimeter security for an organization of over 65,000 employees. Since late 2017, NTG’s firewall team has been an integral part of the Pentagon’s and the DOD’s security posture.

Defense in Depth

Perhaps unsurprisingly, successful cyber intrusions from the outside into Pentagon networks are incredibly rare. Thanks to Phil’s team and hundreds of others, a would-be attacker would have to get past layers upon layers of firewalls and intrusion detection systems, and avoid the keen eyes of round-the-clock security operations personnel (NTG also employs the SOC team at the Pentagon). “Defense in Depth” (DID) is a concept at the heart of NTG’s overall cybersecurity philosophy. With DID, several independent layers of security controls are used so that if one fails, the others remain operative.

We can think of this like a virtual fortress. In the case of the Pentagon, this virtual fortress is surrounded by incredibly high walls built with the strongest material on the planet. Of course, a determined enough army could breach these walls given enough time and the right tools. But behind these walls is a moat full of angry crocodiles, and throughout the siege, the invading army is being hailed with arrows and stones. And if they manage to get through all of that, there are trapdoors and false floors, and well – you can see how extensive this metaphor can become.

  • Border level intrusion detection systems
  • Base level firewalls
  • Base level intrusion detection systems
  • Extra firewalls for “communities of interest”
  • Proxies
  • DISS login for internet access

Navigating these firewalls and intrusion detection systems can be difficult for those who work on them daily. Imagine trying to navigate that as an outsider.

Given the strength of this perimeter defense, perhaps also unsurprisingly, the real challenge is mitigating threats from within. And with 65,000 employees (many fully remote) across several departments, the challenge can only be met with a dedicated and experienced team like Phil’s.

“Need to Know”

Traditionally, a lot of folks think about cybersecurity in terms of protecting themselves, their organization, and their data from external threats (and there are plenty). The media typically frames high-profile attacks as just that, e.g. “a state-sponsored attacker was able to take over a screensharing tool and access critical systems at a water treatment plant.” Rarely do you hear about the vulnerabilities or mistakes that led to the security event happening.

Network architecture, user behavior, and internal processes are all extremely important aspects of an effective cybersecurity posture. As these considerations come into focus for government agencies, corporations, and organizations that deal with a lot of information exchange, the question isn’t whether security professionals should take them into account, it’s how to examine them as they relate to cybersecurity.

In fact, for the firewall team at the Pentagon, most threats are internal. These “threats” typically are not malicious – they’re mostly born from honest mistakes. But with 65,000 employees, there are a lot of opportunities for mistakes. When these things inevitably occur, response and remediation are swift. It becomes an “all hands on deck” situation.

Other issues arise with faulty vendor security updates or patches. These issues propagate quickly, and sometimes the firewall team must come up with a quick “band-aid” solution until the vendor identifies and repairs the problem. Even then, remediation is fast – even during the holidays.

“The ‘bad guys’ usually try ‘bad stuff’ when people are on vacation” – Phil Kish

The Future of Network Security

We asked Phil and his team what the future of network security looks like for the DOD. Phil’s immediate response was that Zero Trust Network Access (ZTNA) is evolving in a big way. “The perimeter is the perimeter,” he said. “That’s not going to change much beyond the concept of ‘block everything unless it has to come through.’”

The real evolution is happening on the inside. Internal network activity will no longer be someone putting in a request à la “I need this IP to talk to that IP.” This is because, even if a network shows employee A is logged in on employee A’s machine with employee A’s account credentials, there are ways for adversaries or untrained users to spoof the system with those credentials in place.

ZTNA introduces a more dynamic ruleset. It allows firewalls to analyze user behavior based on their normal activities. For example, if employee A’s logs show that they printed hundreds of pages on Tuesday when usually, they only print a dozen pages on other Tuesdays, a ruleset would be triggered and force employee A to submit additional forms of identification (MFA). And yes, artificial intelligence and machine learning factor into these dynamic rulesets in a big way.
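The printing example above, as an added illustration that is not NTG’s or Phil Kish’s code: a behavioral baseline check that compares employee A’s Tuesday print volume with prior Tuesdays and decides whether to require step-up authentication (MFA). The log format, user names, page counts, and the 5× threshold are all constructed for this example; the real rulesets are not described on this page.

```python
from collections import defaultdict
from datetime import date, datetime
from statistics import median

# Constructed print-server log lines (not real data): "<ISO time> user=<id> pages=<n>"
# All dates are Tuesdays; 2024-02-06 is the anomalous day for employeeA.
SAMPLE_LOG = """\
2024-01-02T09:14:00 user=employeeA pages=6
2024-01-02T15:40:00 user=employeeA pages=5
2024-01-09T10:02:00 user=employeeA pages=12
2024-01-16T11:30:00 user=employeeA pages=9
2024-01-23T08:55:00 user=employeeA pages=14
2024-01-30T13:20:00 user=employeeA pages=10
2024-02-06T09:05:00 user=employeeA pages=180
2024-02-06T09:50:00 user=employeeA pages=220
2024-02-06T10:10:00 user=employeeB pages=8
"""

def pages_per_user_day(log: str) -> dict:
    """Sum pages printed per (user, calendar day)."""
    totals = defaultdict(int)
    for line in log.splitlines():
        ts, user_kv, pages_kv = line.split()
        day = datetime.fromisoformat(ts).date()
        user = user_kv.split("=", 1)[1]
        totals[(user, day)] += int(pages_kv.split("=", 1)[1])
    return dict(totals)

def step_up_required(totals: dict, user: str, day: date,
                     factor: float = 5.0, min_history: int = 3) -> bool:
    """True when the day's volume exceeds `factor` times the user's median
    for the same weekday. With too little history we fail closed and
    require the extra authentication rather than guess a baseline."""
    history = [n for (u, d), n in totals.items()
               if u == user and d < day and d.weekday() == day.weekday()]
    if len(history) < min_history:
        return True
    return totals.get((user, day), 0) > factor * median(history)

def mfa_decision(log: str, user: str, day_iso: str) -> bool:
    """Parse the log and decide for one user and one day."""
    return step_up_required(pages_per_user_day(log), user, date.fromisoformat(day_iso))

if __name__ == "__main__":
    for user, day in (("employeeA", "2024-01-30"), ("employeeA", "2024-02-06"),
                      ("employeeB", "2024-02-06")):
        verdict = "require MFA" if mfa_decision(SAMPLE_LOG, user, day) else "allow"
        print(f"{user} {day}: {verdict}")
```

A normal Tuesday (10 pages against a median of 11.5) passes, the 400-page Tuesday trips the rule, and a user with no history is sent to MFA rather than waved through.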


That’s a Wrap

As the ‘edges’ of information environments expand into anywhere networks are available, so too do the measures IT professionals must use to keep environments secure. Teams like Phil’s have to anticipate developments several steps ahead – the steps adversaries and non-malicious actors may take. As IT infrastructure evolves, the strategies we use to keep the nation’s secrets and your valuable information safe become more complicated. In some ways, it’s like playing 3D chess. And not for nothing, this author has never won a game of chess against Phil Kish.