Few events come fitted with a global-sized bull's-eye the way the Olympic Games do. From an information technology perspective, securing the data pouring through the event's network
Almost two months removed from the Salt Lake City Winter Games, the network security infrastructure that kept the Olympics safe from internal and external threats is a success story that any enterprise would do well to emulate, according to the consultants who kept the pipes safe from intruders.
"I'd say this implementation would translate well to the enterprise. Most large corporations would be envious of this security setup," said Bob Cottam, chief technology integrator for SchlumbergerSema, a New York-based consultancy. "There are not a lot of projects that have the world looking at them."
Schlumberger Network Solutions, SchlumbergerSema's security practice, designed and installed the network security for the Games following a two-month analysis of the network in May and June 2001, said Lee Robertson, chief of IT security at Schlumberger Network Solutions.
Robertson oversaw a strategy that included defining policies and procedures for access and user privileges, creating an Internet Response Team to react to any Net-based attacks, installing security tools such as an intrusion detection system, and enhancing existing security services. Robertson's team also took responsibility for educating and training users according to their level of access.
"We try to avoid a forklift approach," Robertson said. "We try to leverage the existing infrastructure and capitalize on what is there."
Three phases, one secure network
Robertson explained that there were three phases to the project that were based on SNS' initial analysis of the network.
The first, labeled "Defense in Depth," centered on establishing policies based on the principles of minimum access and least privilege. Here, engineers also examined the infrastructure and the existing security capabilities of network devices.
"We looked end-to-end and applied security here and enhanced security there," Robertson said. "It was here where we established policies for access all the way from the system to the application level."
"Policies and Procedures" was the next phase, Robertson said. Recommendations from the analysis of the network were acted upon here through a change management and configuration management strategy. Also, the Internet Response Team (IRT) was created during this phase.
"If the network is attacked, the IRT responds based on predefined scenarios that defined different attacks and what the response would be," Robertson said.
The final phase, labeled "Network Management and Intrusion Detection," covered the deployment of network management and monitoring tools on the network, including HP OpenView Network Node Manager (a network management software suite) and an intrusion detection system.
"Here, the network was compartmentalized," Robertson said. "If the network is attacked, we can shut down certain portions of it and isolate incidents."
The three phases were implemented over several months and were followed by education and training of users. The project then entered its operations phase once the Games began, Robertson said.
Games network stood alone
The Winter Games' internal network was not exposed to the external cracker threats that, say, MSNBC's official Games Web site was. Crackers constantly tried to dent the defenses of such high-profile sites, hoping to garner attention by defacing them.
The Salt Lake internal network was standalone, Cottam said. SNS' focus was on internal threats, so much so that even physical access to the data center was limited to essential personnel -- even Cottam was prohibited from entering.
"All the data from the events at the Games went through this network, from 10 venues spread out across a wide area network and several local area networks," Cottam said. "We were worried about internal malicious intent, so we set up various traps and alarms."
Internal threats were addressed in the "Defense in Depth" phase, Robertson said.
"We established user access there and which users had access to what applications," he said. "If a user tried something beyond what they had access for, their actions would kick off e-mail and pager alerts and we'd know almost instantly if a user tried to do something they could not do."
Robertson said that SNS drilled down to port-level security measures.
"For example, if someone tried to disconnect one of our computers and connect theirs, it would not connect," Robertson said. "We have a very quick response time, less than two minutes in most cases, where we see the event and activate a response team. Before long, someone would be over that person's shoulder."
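The two controls Robertson describes above, least-privilege application access with alerts on any attempt outside a user's grant, and port-level binding that refuses a swapped-in machine, can be sketched as a small alerting pipeline. The following Python is an added example written for this page, not SchlumbergerSema's or SNS' own code; the policy table, the port-to-MAC bindings, the venue and port names, the log format and the sample log lines are all constructed for illustration, and the two-minute response window is taken from the figure quoted above.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed policy for illustration: each user is allowed exactly the
# applications listed here and nothing else (default deny, least privilege).
ACCESS_POLICY = {
    "timing_op": {"timing", "results"},
    "results_editor": {"results"},
    "netadmin": {"timing", "results", "nms"},
}

# Constructed port bindings: each switch port accepts one known MAC address,
# so a different machine plugged into the port simply does not connect.
PORT_BINDINGS = {
    "venue3-sw1/gi0/12": "00:11:22:33:44:55",
    "venue3-sw1/gi0/13": "00:11:22:33:44:66",
}

# Assumed response window, taken from the "less than two minutes" quoted above.
RESPONSE_WINDOW = timedelta(minutes=2)


@dataclass
class Alert:
    when: datetime
    kind: str             # ACCESS_DENIED or PORT_VIOLATION
    detail: str
    respond_by: datetime  # deadline for the response team to be on site


def check_access(user: str, app: str, when: datetime, alerts: list) -> bool:
    """Allow only what the policy grants; any attempt outside it raises an alert."""
    allowed = app in ACCESS_POLICY.get(user, set())
    if not allowed:
        alerts.append(Alert(when, "ACCESS_DENIED",
                            f"user {user} attempted application {app}",
                            when + RESPONSE_WINDOW))
    return allowed


def check_port(port: str, mac: str, when: datetime, alerts: list) -> bool:
    """Accept a link only from the MAC bound to that port; unknown ports are denied too."""
    bound = PORT_BINDINGS.get(port)
    if bound is None or mac.lower() != bound:
        alerts.append(Alert(when, "PORT_VIOLATION",
                            f"{mac} seen on {port}, bound MAC is {bound}",
                            when + RESPONSE_WINDOW))
        return False
    return True


# Regex for the constructed event format: timestamp, event type, key=value pairs.
EVENT_RE = re.compile(r"^(\S+)\s+(ACCESS|LINK)\s+(.*)$")


def process_events(log_text: str) -> list:
    """Run every log line through the matching check and return the alerts raised."""
    alerts = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # ignore anything that is not one of the two event types
        when = datetime.fromisoformat(m.group(1))
        fields = dict(kv.split("=", 1) for kv in m.group(3).split())
        if m.group(2) == "ACCESS":
            check_access(fields["user"], fields["app"], when, alerts)
        else:
            check_port(fields["port"], fields["mac"], when, alerts)
    return alerts


# Constructed sample log: two legitimate events and two violations.
SAMPLE_LOG = """\
2002-02-12T10:00:01 ACCESS user=timing_op app=timing
2002-02-12T10:00:07 ACCESS user=results_editor app=timing
2002-02-12T10:01:30 LINK port=venue3-sw1/gi0/12 mac=00:11:22:33:44:55
2002-02-12T10:02:45 LINK port=venue3-sw1/gi0/12 mac=DE:AD:BE:EF:00:01
"""

if __name__ == "__main__":
    for a in process_events(SAMPLE_LOG):
        print(f"{a.when.isoformat()} {a.kind}: {a.detail} (respond by {a.respond_by.time()})")
```

The two design points worth noting are that both checks deny by default (a user or port absent from the tables is treated exactly like a violation, not silently allowed), and that every denial is also an alert with a response deadline attached, which is what turns an access control into one of the "traps and alarms" Cottam mentions.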
SchlumbergerSema will do network security for the 2004 Summer Games in Athens, Greece, and the 2006 Winter Games in Turin, Italy. Already, it is applying lessons learned in Utah to the next Olympics.
Robertson and Cottam said that refinement of the IDS tops the agenda, in particular cutting down on the number of false positives, a problem common to intrusion detection systems.
"False positives are always an issue," Cottam said. "We're analyzing traffic patterns from several dozen IDS deployed throughout the enterprise and none can be configured the same way because they see different data. Better compartmentalization of the networks is necessary to configure the IDS better."
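Cottam's point that sensors on different segments see different traffic, and so cannot share one configuration, is easiest to see with per-sensor alert statistics. The Python below is an added example for this page, not code from SchlumbergerSema or from any IDS product; the sensor names, signature names, addresses and alert records are constructed, with one segment hosting a management station that polls SNMP (so the SNMP signature is noise there) while the same signature on the other segment is rare and should stay in the analyst queue.

```python
from collections import Counter, defaultdict

# Constructed IDS alert records from two sensors on different network segments.
# venue1 hosts the (assumed) network management station, so SNMP traffic from
# 10.1.0.5 is expected there; on venue2 the same signature is unusual.
SAMPLE_ALERTS = """\
sensor=venue1 sig=SNMP_PUBLIC_COMMUNITY src=10.1.0.5
sensor=venue1 sig=SNMP_PUBLIC_COMMUNITY src=10.1.0.5
sensor=venue1 sig=SNMP_PUBLIC_COMMUNITY src=10.1.0.5
sensor=venue1 sig=SNMP_PUBLIC_COMMUNITY src=10.1.0.5
sensor=venue1 sig=SNMP_PUBLIC_COMMUNITY src=10.1.0.5
sensor=venue1 sig=SNMP_PUBLIC_COMMUNITY src=10.1.0.5
sensor=venue1 sig=ICMP_SWEEP src=10.1.7.20
sensor=venue2 sig=SNMP_PUBLIC_COMMUNITY src=10.2.9.41
sensor=venue2 sig=ICMP_SWEEP src=10.2.9.41
sensor=venue2 sig=TELNET_LOGIN_FAIL src=10.2.9.41
sensor=venue2 sig=TELNET_LOGIN_FAIL src=10.2.9.41
"""


def parse_alerts(text: str) -> list:
    """Parse the constructed key=value alert lines; skip anything incomplete."""
    records = []
    for line in text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split())
        if set(fields) >= {"sensor", "sig", "src"}:
            records.append(fields)
    return records


def per_sensor_counts(records: list) -> dict:
    """Count (signature, source) pairs separately for each sensor."""
    counts = defaultdict(Counter)
    for r in records:
        counts[r["sensor"]][(r["sig"], r["src"])] += 1
    return counts


def tuning_candidates(counts: dict, min_count: int = 5, min_share: float = 0.5) -> dict:
    """Per sensor, the (sig, src) pairs that dominate that sensor's alert volume.

    These are suppression candidates for that one sensor only; the same pair
    is not touched on a sensor where it is rare. Thresholds are assumptions."""
    out = {}
    for sensor, ctr in counts.items():
        total = sum(ctr.values())
        out[sensor] = sorted(
            (sig, src, n) for (sig, src), n in ctr.items()
            if n >= min_count and n / total >= min_share
        )
    return out


def residual_alerts(records: list, candidates: dict) -> list:
    """Alerts left for analysts after applying the per-sensor suppressions."""
    suppressed = {(s, sig, src) for s, lst in candidates.items() for sig, src, _ in lst}
    return [r for r in records if (r["sensor"], r["sig"], r["src"]) not in suppressed]


if __name__ == "__main__":
    recs = parse_alerts(SAMPLE_ALERTS)
    cands = tuning_candidates(per_sensor_counts(recs))
    for sensor, lst in sorted(cands.items()):
        print(sensor, "suppress:", lst)
    for r in residual_alerts(recs, cands):
        print("review:", r)
```

With the constructed data, the SNMP signature from the management station is suppressed on venue1 only, and the single SNMP alert on venue2 survives into the review queue. Tuning the signature globally would have hidden that one, which is the argument for segmenting the network cleanly before tuning the sensors.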
Refinement of the Internet Response Team will be an ongoing task, Robertson said.
"There are new attack scenarios all the time," Robertson said. "We have to analyze them and discuss all the possibilities and how we will defend against them."