[ISN] Navy Improves Network Security by Blocking Access to Commercial Webmail

InfoSec News isn at c4i.org
Mon Oct 24 09:09:53 EDT 2005


http://www.news.navy.mil/search/display.asp?story_id=20684

By Chief Journalist (SW/AW) Joseph Gunder
Naval Network Warfare Command Public Affairs
Story Number: NNS051020-17
Release Date: 10/20/2005

NORFOLK, Va. (NNS) -- The Navy has begun enforcing policies set forth
in its Information Technology User Acknowledgement Form by blocking
access to Web-based commercial e-mail sites (webmail) from Department
of the Navy-funded networks. That means it's no longer possible for
anyone using Navy information technology to access commercial webmail
from providers such as Yahoo, Hotmail, AOL and others.

The new policy enforcement has taken effect throughout the Navy and
applies to computer systems on ships and ashore, both in the United
States and overseas.

ONE-NET (OCONUS Navy Enterprise Network) started blocking webmail
access Oct. 18 for overseas users. Both NMCI (Navy/Marine Corps
Intranet) for U.S.-based users and IT-21 for afloat users have been
blocking since Oct. 12.

"Navy Networks are a weapon system and must be defended with the same
rigorous standards as other weapon systems," explained Vice Adm. James
P. McArthur, commander, Naval Network Warfare Command (NETWARCOM).  
"People and mission are at risk without access to assured, secure,
complete, accurate and timely information."

The restrictions on commercial webmail are necessary to protect the
Navy's networks from multiple threats while maintaining operational
security on all of its systems that are connected to the Department of
Defense's Global Information Grid.

According to Chief Warrant Officer Karen Williams, an Information
Assurance implementation policy writer for NETWARCOM, webmail could
provide a window for malicious software to enter a government computer
system.

"Any pop-up ad that appears in a webmail message could potentially
contain a virus when it opens," she said. "An attachment that comes in
from a webmail message could possibly bypass all the safeguards all
the way to the user's computer." In addition, just opening a Web
browser window to these commercial webmail sites can leave a computer
open to outside attack.

The policy was put into effect July 16 through a message from the
Department of the Navy's Chief Information Office about "Effective use
of Department of Navy Information Technology Resources."

A Navy Telecommunication Directive issued July 25 directed that every
Navy network user must fill out, sign and date a Navy Enterprise
Information Technology User Acknowledgement Form prior to receiving
access to government-provided IT services and systems (i.e., being
granted a network account with e-mail). This User Acknowledgement form
was to be completed for all Network users by Oct. 1.

An educated user base is an essential part of Navy's defense-in-depth
strategy. "Everybody was supposed to have had Information Assurance
(IA) training by Oct. 1 to ensure we have smart users," Cathy Baber,
branch head for policy and procedures at NETWARCOM said, "and no one
else will be allowed access to the network until they have gone
through a minimum level of training."

"As for popular commercial Web sites and search engines, the only part
of those sites that are being blocked are the commercial Web-based
e-mail elements," explained Neal Miller, deputy director of the
Enterprise Management Directorate at NETWARCOM. "And it's only from
government-provided official business networks. It's exclusively about
securing our shared asset, the government enterprise network."

"You can still go to a search engine to look on the web and surf,"  
said Baber. "This won't prevent any of that."

Ships have had various levels of protection in place since 1999, but
they were largely based on managing bandwidth and were set at the
discretion of commanding officers. Some ships have been blocking
webmail for years for bandwidth and operational security reasons. The
Marine Corps has been prohibiting access to commercial webmail since
December 1999 on the Marine Corps Enterprise Network.

Sailors will still be able to send e-mail from their military accounts
to a commercial account. But Baber stressed that users should never
have their military e-mail set up to autoforward messages to their
personal account. Autoforwarding to a personal account is a major
operational security risk.

Baber said the policy prohibiting autoforwarding was put in the User
Acknowledgement Form to ensure all users were aware of their
responsibilities.

Network users are the first line of network cyber defense.

Though many commercial webmail providers claim to use the latest
up-to-date anti-virus protection, Baber said that there's no assurance
that everything is safe or meets the Navy's security standards.

There are options to help minimize the impact of not having access to
commercial webmail, according to Baber. "Sailors on some large-deck
ships may have access to certain computers in the ship's library that
aren't connected to the Navy backbone that will allow commercial
e-mail to be viewed," Baber said. "This lessens risk to our official
business networks."

Baber said that any legacy networks are required to comply with the
Navy's new policy.

"If there is a legacy network that has its own DNS (domain name
system) server, it is required to implement blocking of these
addresses, as well."

For more information, please contact your local Information Assurance
Manager (IAM), or go to https://infosec.navy.mil.

For related news, visit the Naval Network Warfare Command Navy
NewsStand page at www.news.navy.mil/local/nnwc/




