GovIT Government IT Business & Procurement » News

How to choose a next-generation firewall

Travis Wheeler — Tue, 31 Jan 2012 17:51:11 +0000

So what should you look for in a true enterprise-class NGFW? Consider these criteria: 1. Scanning 2. Application intelligence 3. Performance 4. Manageability 5. Reporting

Scanning
Like first-generation firewalls, NGFWs include stateful inspection capabilities. But what sets them apart from their predecessors is the ability to perform deep packet inspection (DPI). Many NGFW vendors advertise DPI capabilities, but a close examination of their products shows limitations that minimize protection. Many NGFWs have to proxy files in order to scan them for malware at the gateway. This can severely degrade network performance, on some firewalls up to 95%.

Proxy-based firewalls with limited memory can be quickly exhausted by a few large files or a medium number of smaller files transferred simultaneously. When all memory is consumed, these firewalls resort to either passing files through without inspection or blocking all files that cannot be inspected. To avoid bringing the network to halt, some vendors opt to allow packets through without scanning them.

Some vendors also fail to scan large files or certain protocols. Their file scanning capabilities are limited by file size, and they only scan a small portion of protocols for malware. When evaluating NGFWs, look for one that can: • Scan files of all sizes for viruses, malware, botnets and other threats • Decrypt, scan and re-encrypt SSL packets • Scan a wide range of protocols in addition to raw TCP traffic across all ports

Application intelligence
A fundamental benefit of NGFWs is the ability to control applications and optimize what runs on the network. Different NGFWs address these capabilities to various degrees. A viable NGFW should:

• Scan applications against a growing database of signatures • Provide real-time visualization into the network • Take custom applications into account • Extend application intelligence and control to wireless endpoints

An NGFW’s effectiveness is only as good as the number of applications that it can detect and control. A robust signature database for an NGFW should include thousands of unique applications and application components, and update new signatures daily. Moreover, an NGFW should go beyond simply permitting administrators to allow, block or log applications to provide a comprehensive set of application management capabilities such as application bandwidth management.

You also cannot control and optimize what you cannot see. When evaluating NGFWs, you must consider whether they allow you to see application and user traffic in real-time using integrated, on-box visualization, forensic analysis tools and dashboards. With most NGFWs, it may not be so easy to bring your company’s custom applications under control. A viable NGFW should be able to identify your company’s custom applications and prioritize them over other traffic. In addition, it should allow you to create your own custom signatures based traffic attributes or traffic characteristics unique to your application.

Increasingly, companies are experiencing a proliferation of wireless endpoints on the network edge. If this is the case for your company, consider a NGFW’s ability to provide powerful application intelligence, control and visualization for wireless users. It does little good to control traffic for only wired users while ignoring the large number of users with laptops who rely solely on the wireless network. Look for an NGFW that integrates a wireless switch and controller, allowing the provisioning and management of distributed wireless deployment while providing application intelligence and control to the WiFi edge. Ideally, the NGFW should be able to subjugate all wireless traffic to application intelligence policies to maintain wireless bandwidth efficiency.

Performance

Gartner states that NGFWs “support in-line, bump-in-the-wire configuration without disrupting network operations.” In other words, they introduce minimal latency. The tight integration of IPS with other capabilities is key to making this happen. A single-pass engine enables seamless policy implementation and enforcement without introducing latency or dropping performance to unacceptable levels. This is important because enabling NGFW services should not bring a network to a standstill.

NGFWs using stateful packet inspection have to proxy each file and each network connection in order to enable DPI, thus degrading performance significantly. Instead, choose an NGFW that provides real-time DPI.

Manageability
A scalable and proven distributed management solution is vital to achieving both security and strong ROI as your company begins deploying security to multiple sites.

For instance, some vendors have a management platform but lack large-scale deployments of their distributed management solution. Wide-scale deployment is often a testament to ease of management. Still other vendors lack a cohesive distributed management platform. This complicates the management process and adds to the solution’s total cost of ownership (TCO).

Reporting
Your NGFW should provide support for NetFlow/IPFix. NetFlow and IPFix are two industry standards for reporting on network traffic flows to external collectors. Traditionally deployed for switches and routers, NetFlow exports data such as IP address source and destination, source and destination ports, Layer 3 protocol type and class of service. However, both IPFix and NetFlow Version 9 can be extended to export additional data off the network device such as application data, user data and URL data.

NGFWs promise to help companies regain control over their networks through the integration of intrusion prevention, stateful inspection and deep packet inspection capabilities. But vendors’ offerings vary widely in their approach to scanning network traffic. Take the time to confirm that your NGFW delivers what you need.

Full article by Patrick Sweeney, CRN

Virtualization could save Feds $30 billion by 2015

Travis Wheeler — Tue, 31 Jan 2012 17:21:02 +0000

Implementing virtualization technology could save the federal government more than $30 billion by 2015, though lack of funding and technical challenges could impede adoption of the technology among all levels of government, according to a new survey.

The use of virtualization is growing among federal, state, and local governments, with the feds slightly ahead of their state and local counterparts in implementing the technology.

Server virtualization–driven primarily by data-center consolidation happening at the federal and regional level–is trumping desktop virtualization, with 82% of federal and 77% of state and local IT pros surveyed saying their agencies have implemented it.

Both federal and state/local pros surveyed said that virtualized workloads in the data center would nearly double in the next four years, from 37% to 63%. Moreover, savings from federal investment in the technology–which is currently about $15 billlion–is expected to reach $23.6 billion by 2015, according to MeriTalk, which surveyed 302 federal, state and local government IT decision makers for the report.

Comparatively, IT pros reported much more modest plans for desktop virtualization, but the feds could still realize $7.5 billion in savings from it by 2015, according to the survey.

Currently, only 7% of federal agencies and 8% of state/local agencies plan to virtualize all applications for all users, though respondents showed more support for selective application virtualization.

For example, 12% of federal IT pros surveyed said their agencies will virtualize all applications for select users or departments, while 9% said the same at the state/local level. And 28% of federal IT pros and 15% of state/local pros said their agencies or departments would virtualize select applications for all users.

Still, priority-wise, the survey shows desktop virtualization remains on the back burner and presents a “vast, untapped savings potential,” according to MeriTalk. Fifty-seven percent of federal IT pros and 63% of state/local pros said that server virtualization goals are more important than desktop goals, while only 37% of federal and 31% of state/local pros said the goals were equally important.

Despite the investment in and benefits from virtualization so far, there are challenges to continued implementation of the technology, according to MeriTalk.

Budgetary concerns are one of the main issues, with 30% of federal IT pros and 41% of state/local pros reporting that they don’t have the budget to meet their agency’s or department’s virtualization goals.

Technical challenges also are slowing down the adoption of the technology, according to the survey. Government IT pros cited migrating legacy applications to a virtualized environment as the top challenge for their virtualization goals, while network security and technical support requirements came in at No. 4 on the list of challenges.

Full article by Elizabeth Montalbano, Information Week

What’s ahead in 2012 for cloud, mobile apps, cyber?

Travis Wheeler — Wed, 18 Jan 2012 18:06:59 +0000

Expect disruptive technologies – cloud computing, mobility, social computing, big data and smart analytics, IT appliances, and cybersecurity – to become more tightly woven into mission-critical systems and processes in 2012 as government and private organizations look for ways to innovate and also operate more cost efficiently.

That’s one of Unisys’ predictions for 2012 based on its work with clients around the world.

Among the company’s predictions: Cloud computing will continue to be the top IT investment priority in 2012.

Both government agencies and businesses in 2012 will accelerate their use of cloud-based software-as-a-service (SaaS) for e-mail and collaboration solutions, to further reduce costs and simplify operations, the findings said.

Organizations will begin the process of broadly assessing their applications portfolio to take greater advantage of cloud-computing opportunities.

Also, they will make greater use of new mobile device and application-management tools to better manage their agencies and businesses.

In addition, more organizations will implement predictive security operations as cyber threats grow in number and sophistication. Dedicated analysts and advanced data-analytics software will identify threats before they cause significant damage, the study found.

According to the Unisys findings, we can expect to see the creation of protected silos within data operations to prevent access to sensitive information in cases where their network perimeters have been breached.

As mobile devices are proliferating, increasingly becoming the new computing platform of choice for employees and customers, it is becoming the preferred channel for doing business.

Unisys predicts that IT organizations will devote significant resources in 2012 toward developing new applications and reengineering business processes to take advantage of this growing opportunity.

Full article by David Hubler, Washington Technology

Flat IT budget forces new approaches

Travis Wheeler — Wed, 21 Dec 2011 00:16:07 +0000

Budget pressures are forcing agency chief information officers to consider alternative ways of paying for information technology, according to the Obama administration’s point man on the issue.

CIOs don’t have the resources to continue investing heavily in legacy systems and simultaneously fund new, innovative technology initiatives, federal CIO Steven VanRoekel said in an interview this week.

“[They] have to do more with less,” said VanRoekel. But “how do you innovate on a flat or declining budget?”

Using the private sector as an example, VanRoekel said one way to generate additional funds is the “cut and invest strategy,” or decrease funding for the maintenance of legacy systems and invest that money in new projects. Some agencies, such as the Transportation Department, are using this approach.

Transportation has an online catalogue of its IT applications and services, and users can rate the performance of the technology, VanRoekel said. Based on user feedback and other analytics, such as usage rates, the CIO decides whether to cut funding for low-performing IT applications and systems.

“We don’t typically do that in government,” VanRoekel said. “[But] it is definitely something we have to do; drive out the old in favor of promoting the new.”

He is looking at how Transportation’s efforts can be expanded governmentwide. If agencies can find savings in a single fiscal year, they will be able to reinvest the money, he said.

For next year, VanRoekel said his primary focus will be agencies’ execution of his Shared First policy, which requires agencies to share IT systems, procurements and expertise. Before making a new investment, agencies must first considering using existing services, both inside their agencies and across government, VanRoekel added at an industry and government forum on Friday.

By March 1, agencies have to develop a Shared First plan that outlines at least two areas, such as email or help desk support, that can be consolidated into a shared environment, according to a draft policy released last week. Agencies have until December 2012 to consolidate those services.

When asked about the private sector’s role in executing Shared First, VanRoekel said in large part industry will provide the goods and services that agencies will be sharing, but in a more coordinated way.

For example, the Commerce Department is consolidating numerous contracts for purchasing computers down to a single contract in order to drive down costs through bulk purchases. And the Agriculture Department consolidated 21 email systems and reduced costs by moving to the cloud. Expected savings: $6 million per year.

Full article by Nicole Johnson, Federal Times

Congress approves $1.4 billion military health IT budget

Travis Wheeler — Tue, 20 Dec 2011 18:52:02 +0000

Congress fully funded the Military Health System’s information technology systems for fiscal 2012 as part of a multiagency appropriations act passed this weekend, but a separate measure limits how the Defense Department can spend the money.

The omnibus spending package includes $1.4 billion for military health IT. The fiscal 2012 Defense Authorization Act passed last week, however, restricts spending on a next-generation electronic health record system until the Pentagon has met specific requirements.

MHS requested a fiscal 2012 research budget of $86.5 million and an operations budget of $4.6 million for its next-generation electronic health record called EHR Way Ahead; the authorization act allows Defense to spend only 10 percent of those funds until the secretary reports to Congress that MHS has developed an architecture that is cost-effective and interoperable.

In addition, the secretary’s report must define the role of the Defense-Veterans Affairs Interagency Program Office in developing a joint electronic health record the two departments agreed on this May.

The omnibus appropriations act also included a $3.1 billion information technology budget for the Veterans Affairs Department in 2012, $50 million below the amount VA requested in January.

The bill restricts VA from spending any of its fiscal 2012 IT budget until it certifies to Congress that its projects meet Office of Management and Budget capital planning requirements and conform to established enterprise life-cycle standards.

Full article by Bob Brewin, NextGov

Defense sees $680 million in annual savings from data center consolidation

Travis Wheeler — Wed, 30 Nov 2011 18:37:15 +0000

Consolidating myriad data centers could save the Defense Department as much as $680 million a year by 2015, the Pentagon said in a recent report.

The effort is part of a governmentwide data center consolidation that will save $5 billion by 2015, federal Chief Information Officer Steven VanRoekel predicted in October.

Defense will realize more than $1 billion a year in savings by 2016 from an overall information technology efficiency program, “of which data center consolidation is a significant part,” said the report, released Wednesday by Defense CIO Teri Takai.

These preliminary cost savings estimates have not been validated by the Defense comptroller and do not include the initial costs for consolidation, such as capital investment, application migration and new software. Lack of a final budget has delayed development of data center consolidation plans for 2012, according to the report.

“Funding is a major risk factor to data center consolidation. Although significant savings are expected in future years, those savings cannot be borrowed to fund required investments for consolidating data centers,” the report said.

The department was set to have shuttered 55 data centers by the end of September, the report said, three more than initially were slated for closure in fiscal 2011.

Defense plans to reap additional savings by consolidating its software and hardware purchases, the report disclosed. Widely used commercial software will be purchased through the decade-old Defense Enterprise Software Initiative, managed by the Navy, which will combine software licenses held by the four services and new Defensewide licenses based on “advantageous pricing” for the department as a whole, the report said.
In addition, Defense plans to aggregate purchases of desktop and laptop computers, servers, monitors and printers to gain similar economies of scale through large contracts managed by the Army, Air Force and Marine Corps.

The Defense Information Systems Agency has emerged as the first choice for data and application hosting for the Air Force, Army and the Defense Logistics Agency, according to the report.

The Army plans to close 185 data centers, though the services will maintain a limited but unspecified number of data centers to support local installations.

The Navy plans to slash the number of data centers it operates by 50 percent by 2015, the report said. The service in July barred all new investments in data centers.

The Marine Corps will achieve economies of scale by hosting enterprise services and applications new Kansas City, Mo.-based central data center that opened this summer.

While the report detailed that data center consolidation will be an in-house Defense project — with DISA as the first choice for application hosting — it added that the Pentagon will consider all options to save money, including commercial data centers.

Full article by Bob Brewin, NextGov

Federal cloud procurements not ‘gloom and doom’ for small vendors

Travis Wheeler — Fri, 18 Nov 2011 17:21:33 +0000

With federal agencies expected to adopt cloud services on a much larger scale in the coming years, some small federal IT contractors are worried how they will fit into the new ecosystem.

“What is the impact on small providers? Will they get locked out?” was a question asked at the AFCEA Bethesda panel discussion on the federal transitions to cloud and service environments on Nov. 16.

The panelists, while explaining that the transition is still in the very early stages, suggested that the outcome may be fine for smaller federal IT contractors.

“The picture is not gloom and doom,” said Steve Cooper, acting chief information officer for the Federal Aviation Administration.

While many of the federal cloud adoptions to date have involved large companies, such as Amazon and Google, there is room in the market for smaller vendors, the panelists said.

One factor that could help is that the cost of entry into the federal IT market has been lowered through cloud services, suggested panel moderator David McClure, associate administrator for the General Services Administration. The smaller vendors will compete more with cloud service providers, large and small, and not as much with IT hardware producers and manufacturers, which are industries that have high barriers to entry, he said.

“I do not see this as a bleak outlook. I see a robust interest among small companies and start-up companies,” McClure said.

Even though federal agencies are transitioning to cloud services, they will still need experts who can develop custom applications to fulfill the agencies’ missions, said Barry Brown, executive director for enterprise data management and engineering at Customs and Border Protection.

In addition, the small vendors would be wise to consider teaming strategies, added Cooper.

“You can team up with partners,” Cooper said. “It is not all or nothing.”

Also, some smaller vendors are gaining a foothold in the federal market by purchasing cloud computing services by themselves, and then layering custom services on top of that, for sale to meet an agency’s needs, Cooper said.

“Small companies are buying infrastructure as a service and platforms as a service, and adding capabilities,” Cooper said

Full article by Alice Lipowicz, Washington Technology

Is small business ready for DHS’ $3B FirstSource II contract?

Travis Wheeler — Fri, 04 Nov 2011 17:45:34 +0000

Homeland Security Department officials unveiled the details of their new seven-year, $3 billion FirstSource II contract.

The FirstSource II draft Request for Proposals was released Oct. 31. The final RFP is expected no later than December 31, officials said.

FirstSource I, a $2 billion contract launched in 2007, is expiring and its replacement will concentrate on commodity purchasing through value-added resellers, William Thoreen, director of the Acquisition Division in the Office of Procurement Operations, told 600 small business owners Tuesday at the Ronald Reagan Building.

“We really believe FirstSource II is going to become a very important piece of our portfolio both for IT and strategic sourcing,” he said.

Under FirstSource I, DHS has bought commodities through value-added resellers, including the purchase of computers, desktops, laptops, network cards, routers through small businesses, Thoreen said.

“The scope of the commodities we buy under it is very broad because we need a lot of different IT commodities,” Thoreen said, and added that FirstSource II will also include VAR purchases of new IT commodities.

“We have learned an incredible amount from that [initial] award and we are going to incorporate a lot of changes in FirstSource II that makes sense for us and we hope makes sense for you,” he said.

For one, “FirstSource II targets specific [small-business] categories that will help our program managers meet their individual goals,” Thoreen said.

FirstSource II “is going to be different. It will provide opportunities for small businesses to partner up for us. The most important thing is that it succeeds in fulfilling our mission needs. We’re not just contracting for contracting sake; there are mission needs and they need to be primary,” Thoreen said.

DHS CIO Richard Spires summed up the dilemma of most of his peers in government. “I’ve got more things coming at me than ever, more demands,” he said. “And I’m going to have less dollars – a pretty classic problem, right? – we’re feeling the squeeze right now.”

Spires said the new contract would address four DHS priorities: infrastructure rationalization, overall IT improvement, elimination of duplication and balancing the CIO workforce, which has grown to 260 employees during the past few years, to meet the new realities.

Full article by David Hubler, Washington Technology

Defense cyber chief: The cloud is the military’s next Internet

Travis Wheeler — Fri, 28 Oct 2011 17:30:04 +0000

Military networks and software must be tied to the cloud to defend Defense Department computers against adversaries, the Pentagon’s cyber chief said Wednesday night.

Currently, Defense data reside on three main systems that cannot be centrally secured, creating disparate levels of protection that serve as entryways for ever evolving malicious software, according to military officials. The top brass envision fixing this setup with a cloud — a common network infrastructure capable of spotting and blocking threats remotely for all the military’s databases, PCs and other electronics.

Gen. Keith Alexander, chief of U.S. Cyber Command, called the cloud approach “active defense,” adding that “hunting on our networks has got to change.” He was speaking to computer security officials from the public and private sectors at a conference organized by the Security Innovation Network. “We have to find a way to communicate dynamically and pass those signatures around,” Alexander said, referring to the digital fingerprints of malware that are loaded into antivirus software to detect threats.

So far intruders have caused more economic than physical pain but that may change soon, he said.

Exploitation of sensitive data has generated “the greatest transfer of wealth that’s gone on in history,” Alexander said. Cybercrime saps about $114 billion worldwide annually, according to security firm Norton. In 2007, Russia was suspected of orchestrating a network overload in Estonia that disrupted government and commercial systems for two weeks.

But “what I’m concerned about is destruction,” where, for example, malware directs industrial systems controlling dams to explode “in the not too distant future,” Alexander said.

He said the cloud can serve as a shield against such attacks by more quickly identifying signs of network manipulation. Statistics indicate most intrusions are discovered by personnel between six and nine months after an initial breach, Alexander said. Automating surveillance through a central service, or in the cloud, would speed response times, he explained.

“How do we create the next set of architecture that is more defensible and can ensure the integrity of our data? I think it’s in the cloud,” Alexander said.

Estonian officials in attendance backed the U.S. commander’s faith in the cloud for national security.

“I believe Gen. Alexander was right. You can’t contain cyber in a box,” Jaak Aaviksoo, Estonia’s education and research minister and former defense minister, told Nextgov. “You have to reach out in a proactive way.”

Alexander did not specify which military division will administer the centralized security arrangement. The Defense Information Systems Agency is reported to be a likely Defensewide cloud supplier.

Full article by Aliya Sternstein, NextGov

Cloud, telework and security to top IT budgets in 2012

Travis Wheeler — Mon, 24 Oct 2011 18:44:16 +0000

Technologies that support the federal transition to cloud computing and increased telework will be the most lucrative opportunities for government information technology vendors in 2012, along with new technologies that ensure the security of data that travel through those systems, according to a vendor presentation Thursday.

Federal information technology shops largely escaped massive budget cuts in the April deal to avert a government shutdown and the July deal to raise the federal debt ceiling, with most IT budgets seeing only minor cuts or even slight increases. That’s the result of a general sense in the executive branch and Congress that IT projects — if implemented effectively and efficiently — can play a major role in lowering overall spending by reducing real estate and energy costs and cutting down on employee busy work.

IT budgets will be squeezed by uncertainty, however, according to the presentation from the Immix Group, a government business consulting firm.

That uncertainty comes from possible future cuts from the powerful super committee, which is charged with slashing an additional $1.5 trillion form the federal budget by January, and from the difficulty of long-term planning while the government is operating under a continuing resolution rather than a full-fledged budget.

As a result, most new government IT contracts will be for large ongoing projects, Immix said, such as Health and Human Services Department contracts to stand up a nationwide electronic health record system and an FBI program to build a next-generation database for criminal fingerprints and other identifying information, both multiyear projects that run into the hundreds of millions of dollars.

Other major projects that are likely to produce contractor work during fiscal 2012 include an Internal Revenue Service program to modernize its taxpayer accounts database and a project to build a joint electronic health record system for the Defense and Veterans Affairs departments.

Agency spending on cloud computing is spurred by a governmentwide plan to transition about one-fourth of the federal IT footprint to the cloud by 2015, a plan officials have estimated will save the government about $5 billion annually. Agencies are required to move one system to the cloud by the end of this year and two more by mid-2012, but budget cuts could jeopardize that plan.

Telework spending has been spurred by the 2010 Telework Enhancement Act, which officials say will increase worker efficiency during snowstorms and building closures and save the government substantial money on real estate and energy costs.

Full article by Joseph Marks, NextGov