by clicking on the page. A slider will appear, allowing you to adjust your zoom level. Return to the original size by clicking on the page again.
the page around when zoomed in by dragging it.
the zoom using the slider on the top right.
by clicking on the zoomed-in page.
by entering text in the search field and click on "In This Issue" or "All Issues" to search the current issue or the archive of back issues respectively.
by clicking on thumbnails to select pages, and then press the print button.
this publication and page.
displays a table of sections with thumbnails and descriptions.
displays thumbnails of every page in the issue. Click on a page to jump.
allows you to browse through every available issue.
GCN : January 2014
CASE STUDY NETWORK MONITORING 26 GCN JANUARY 2014 • GCN.COM With more than 35,000 facilities op- erating across the country, understanding the U.S. Postal Service's networks---let alone securing them---is a ma- jor challenge. "One of the things that frus- trated me was when we looked at how we implemented fire- wall rules, I could never tell what I had allowed and I hadn't allowed," said Chuck McGann, corporate information security officer for USPS. Keeping track of firewall policy sounds simple, but rules tend to build up over time and changes are not always properly documented. Rules can contra- dict and supersede each other, leaving security status unclear. "When you have 125,000 fire- wall rules, that's the difficulty," McGann said. "The manual la- bor involved is incredible," to manage these. In his quest for visibility, McGann tested the RedSeal 6 network monitoring platform to evaluate firewall rules and liked what he saw. Originally in- tended to help with compliance audits for Sarbanes-Oxley Act and Payment Card Industry se- curity requirements, the evalua- tors decided the platform could be used to improve operational security and overall situational awareness. "It's a security tool, a compliance tool, a manage- ment tool and an incident re- sponse tool," McGann said. COMPLIANCE DRIFT RedSeal is a monitoring tool in- tended to help protect networks from "drift" between audits when systems are periodically assessed for compliance to secu- rity regulations. A system that is in compliance at one point can quickly move away before the next audit. RedSeal builds a to- pology map of the network and uses data from vulnerability scans to assess risks and priori- tize fixes. Known vulnerabilities are categorized according to their seriousness, but the actual risk they pose also depends on their location in a network and the network architecture. Although the platform is of- fered through the Homeland Security Department's Continu- ous Diagnostic and Mitigation program, like most tools of this kind it is not truly continuous. It generates periodic snapshots of a network's condition, but does it often enough to provide use- ful information in maintaining security. "Most of our large custom- ers do it on a daily basis," said Kimberly Baker, public sector general manager for RedSeal Networks. This provides greater assur- ance of ongoing security while maintaining regulatory com- pliance, which falls in with the shift in federal government to- ward making compliance a by- product of operational security. The Postal Service is a hybrid animal in terms of regulatory requirements: Not quite gov- ernment and not quite private sector. Its networks operate in the .com domain rather than the .gov, but it reports to Con- gress. In its annual report for 2012, USPS claims more retail locations than McDonalds and Starbucks combined. (That number includes kiosks and third party retailers that sell postage stamps and other USPS products.) "We are not required to com- ply with FISMA," the Federal Information Security Manage- ment Act, McGann said. "How- ever, we have made the decision that we would align our policies with FISMA as closely as finan- When the Postal Service found itself trying to keep up with 125,000 firewall rules, it found a tool that merged security, compliance and incident response --- all in one A jackknife for network security compliance BY WILLIAM JACKSON