
Don’t Get (TIC)ked-off -- Implementing TIC, the Trusted Internet Connection initiative

Published March 13th, 2008


In November 2007, the Office of Management and Budget (OMB) issued a memo on the implementation of Trusted Internet Connections (TIC). The TIC initiative calls for federal agencies to consolidate to a target of 50 Internet points of presence (POPs) across the Federal government. This daunting task looms large when one considers that estimates place the number of government Internet POPs in the thousands, and that OMB has set a target completion date of June 2008.

The TIC initiative requires that agencies consolidate their Internet connections in order to make federal networks more secure. To that end, OMB has provided guidelines to assist agencies. These guidelines suggest that agencies inventory and document all their gateway connections; assess their architecture, policy, governance and enforcement plans as well as implementation results; and define their target inventory and architecture. TIC compels agencies to gain an in-depth understanding of the breadth of their total Internet presence as it exists today. They must also formulate a plan to consolidate connections into one logical point of Internet access, which can serve one or more government entities. This is no small task, because June 2008 also marks the deadline for agencies to make their networks IPv6-enabled.

The main challenge for agencies is planning and executing this required consolidation while meeting the demands of normal operations. To address this challenge, federal IT managers need to investigate network assurance technologies. Network assurance tools can illustrate how traffic flows on the network, based on a view of the network’s operational state that is updated as the network changes.

When investigating providers of network assurance technology, federal agencies should review the provider’s assumptions about internal versus external address ranges. This should be followed by a baseline scan using these assumptions, as well as querying the network routers with SNMP. Doing so allows the reach of the network to be reviewed, so that appropriate discovery methods and detection technology placements can be determined.

As part of this process, external address blocks should be labeled and a full network test should be administered, using the agreed-upon discovery methods and including any revised locations. This process should lead to a tuned network discovery being performed in order to find all internal and external devices on the network.

Ultimately, the best network assurance technology providers will produce a complete map of routed infrastructure which details all active Internet points of presence, as well as any potential unknown or back-door Internet connectivity. The best of the best will provide multiple location Internet-based scanning to ensure that all routed points of Internet presence are carefully documented from the public Internet. When coupled with the internal scans, these scans provide the most comprehensive view of all possible Internet connectivity for any federal agency.
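As an added illustration (not part of the original column and not code from Lumeta or any other provider), the following Python script shows one way to turn routing tables gathered from routers over SNMP into the inventory described above: any router whose next hop lies outside the agency's labeled internal address blocks is an Internet point of presence, and any such router absent from the documented POP list is candidate unknown or back-door connectivity. The router names, address blocks and routes are constructed sample data.

```python
import ipaddress
from collections import defaultdict

# Constructed sample, not data from any agency: (router, destination, next hop)
# triples such as an SNMP walk of each router's routing table would yield.
INTERNAL_BLOCKS = [ipaddress.ip_network(b) for b in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "198.51.100.0/24")]
DOCUMENTED_POPS = {"core-rtr-1"}            # routers the inventory already lists as POPs
ROUTES = [
    ("core-rtr-1",   "0.0.0.0/0",       "203.0.113.1"),  # known ISP handoff
    ("core-rtr-1",   "10.0.0.0/8",      "10.1.1.1"),
    ("branch-rtr-7", "0.0.0.0/0",       "10.1.1.1"),     # default via internal core: fine
    ("branch-rtr-7", "10.20.0.0/16",    "10.20.0.1"),
    ("lab-rtr-3",    "0.0.0.0/0",       "192.0.2.1"),    # default via a non-agency hop
    ("lab-rtr-3",    "198.51.100.0/24", "10.3.3.1"),
]

def is_internal(addr: str, blocks=INTERNAL_BLOCKS) -> bool:
    """True if the address (or prefix) sits entirely inside agency-labeled space."""
    net = ipaddress.ip_network(addr, strict=False)
    return any(net.version == b.version and net.subnet_of(b) for b in blocks)

def find_egress(routes, blocks=INTERNAL_BLOCKS):
    """Map router -> routes whose next hop lies outside internal address space.
    Such a router hands packets directly to non-agency infrastructure, so it is
    an Internet point of presence whether or not anyone has documented it."""
    egress = defaultdict(list)
    for router, dest, next_hop in routes:
        if next_hop == "0.0.0.0":       # directly connected entry, no forwarding hop
            continue
        if not is_internal(next_hop, blocks):
            egress[router].append((dest, next_hop))
    return dict(egress)

def audit_pops(routes, documented=DOCUMENTED_POPS, blocks=INTERNAL_BLOCKS):
    """Split egress routers into documented POPs and unknown/back-door connectivity."""
    egress = find_egress(routes, blocks)
    return {
        "documented":    sorted(r for r in egress if r in documented),
        "undocumented":  sorted(r for r in egress if r not in documented),
        "egress_routes": egress,
    }

if __name__ == "__main__":
    result = audit_pops(ROUTES)
    for router in result["undocumented"]:
        print(f"undocumented egress on {router}: {result['egress_routes'][router]}")
```

Re-running the audit after each move, change or decommissioning gives the ongoing validation the deliverables below call for; an IPv6 block added to INTERNAL_BLOCKS is handled by the same check.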

Agencies should look for the following deliverables:
• An inventory of all existing Internet connections;
• Validation as connections are moved, changed or decommissioned;
• Identification of the true network perimeter to ensure properly managed entry points;
• A determination of where horizon boundaries exist;
• Testing of router and firewall access controls to ensure compliance, even after network changes.

Additionally, agencies should require the provider to work with their internal personnel and contractor employees to develop a plan to consolidate Internet gateways.

Given the looming deadline for the TIC initiative, agencies need to know which criteria should be considered when judging potential partners who can assist them with this transition. Equally important, these partners need to drill down to the appropriate level in the network in order to mine critical data without disrupting ongoing operations or current security measures. Agencies that perform their due diligence during this process will be assured of a smoother transition. They’ll also have a solution to turn to down the road when additional initiatives are announced.



Michael Markulec is executive vice president for technology and operations at Lumeta Inc. He can be reached at: