"Networks are like roads," Michael Markulec explains. "And we provide the road map."
Markulec's company, Lumeta, is about to start drawing maps that will reveal every intersection, cul-de-sac and IP address in the U.S. military's vast and sprawling NIPRNet (Non-classified Internet Protocol Router Network). The "non-classified but sensitive" network is used around the world by several million U.S. personnel and about 10 million devices, Markulec said.
Lumeta's network-mapping software, IPSonar, will find and identify all devices on the NIPRNet and tell network operators how they are interconnected, Markulec said. "Without that knowledge, you can't manage the network. And if you can't manage it, you can't secure it."
"You can't defend what you don't know," agreed Mark Orndorff, director of the Defense Information Systems Agency's Mission Assurance and Network Operations.
Mapping isn't IPSonar's only talent. The software, which is costing the Defense Department more than $10 million, also searches for leaks.
"Our most critical requirement was leak detection," Orndorff said.
The military needs to know where information is entering and leaving the network without authorization.
With attacks on U.S. Defense Department networks rising rapidly, tightening security has taken on new urgency. DoD networks are probed thousands of times a day and are sometimes penetrated by hackers, botnets, worms, phishers, zombies and more.
In successful attacks, malicious software takes control of computers, servers and other equipment on the network, often to gather information and transmit it out of the network, back to the attackers.
IPSonar is designed to find those leaks and alert network operators.
During the mapping process, Markulec said, IPSonar will undoubtedly discover misconfigured firewalls, connections to other networks that shouldn't be there and modems that are communicating with the outside world but shouldn't be.
These are leaks that leave the NIPRNet vulnerable. It will be up to combatant commanders, the military services and defense agencies to plug the holes, Orndorff said.
The mapping process with IPSonar is surprisingly swift. Markulec said he can't talk much about the NIPRNet, but he described mapping the network of a large bank that includes "a couple hundred thousand" computers and other devices. It would take IPSonar "a couple of hours" to find and identify each component on such a network, he said.
And the results would likely provide eye-opening insight into how dependent modern organizations have become on computer networks.
The scan might reveal that the network used for highly sensitive financial transactions is the same one used for secure communications, e-mail and phone traffic, and to control heating and air conditioning systems, Markulec said.
In addition to identifying company computers, servers and routers, the scan would probably reveal that printers, web cameras, video conferencing equipment, music players and a plethora of wireless devices are sending and receiving information through the network.
"You have a proliferation of devices on networks today and interconnectivity between them," Markulec said. More devices mean more potential security leaks.
In the practice of mapping networks, private industry is well ahead of the government in general and the Defense Department in particular, said John Pescatore, a network and information security expert and vice president at the IT research and consulting firm Gartner.
Until recently, "DoD has maintained that they did not have to map their networks because they know what's on them," Pescatore said.
The department might be surprised.
"When you look at what's on a network, almost invariably, 5 to 10 percent of it wasn't on the network last time you looked," Pescatore said.
New additions range from photocopying machines that automatically connect to the Internet to download software updates to new servers added to handle expanding network traffic caused by video teleconferences, social networking and other activity.
"In this day and age, it's getting harder and harder to tell what's on a network. You need software to map it," Pescatore said.
After finding out what's on the network and determining who's talking to whom, and who's talking off the network to the Internet, there is a third level of security that's important: detecting anomalies and atypical activity, he said.
IPSonar has limited capability there. Markulec said IPSonar will alert operators when new devices come on the network or already mapped devices leave. But it will not detect suspicious activity.
And while IPSonar detects devices that have Internet protocol addresses - computers, servers, routers, network hardware, some printers and some mobile devices - it does not detect non-IP devices such as thumb drives, external hard drives and similar devices that could insert malware into a network.
And IPSonar won't fix the problems it finds. "We are a network discovery organization," Markulec said. Network operators have to act on the alerts the software provides.
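The two capabilities the article attributes to the mapping software, flagging unauthorized paths to the outside and alerting when devices join or leave between scans, can be illustrated on a small constructed map. This is an added example, not Lumeta's or IPSonar's code; the device names, the approved gateway "fw-edge" and the rogue "modem-x" are all assumptions.

```python
from collections import deque

# Constructed sample map: each device maps to the set of devices it is directly
# connected to, as a discovery scan might report. Hypothetical names only.
BASELINE = {
    "internet": {"fw-edge"},
    "fw-edge":  {"internet", "core-sw"},          # the approved, managed gateway
    "core-sw":  {"fw-edge", "fin-srv", "hvac-ctl", "print-01"},
    "fin-srv":  {"core-sw"},
    "hvac-ctl": {"core-sw"},
    "print-01": {"core-sw"},
}

def add_link(graph, a, b):
    """Return a copy of the map with an undirected link a <-> b added."""
    g = {k: set(v) for k, v in graph.items()}
    g.setdefault(a, set()).add(b)
    g.setdefault(b, set()).add(a)
    return g

# Second scan: an HVAC controller has acquired a modem that dials out directly.
RESCAN = add_link(add_link(BASELINE, "hvac-ctl", "modem-x"), "modem-x", "internet")

def reachable(graph, start, blocked=()):
    """Breadth-first search from start, never traversing a device in `blocked`."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in seen and nxt not in blocked:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def find_leaks(graph, outside="internet", gateways=("fw-edge",)):
    """Devices the outside can reach without passing through an approved
    gateway: the unauthorized connections the article calls leaks."""
    return sorted(d for d in reachable(graph, outside, blocked=gateways) if d != outside)

def diff_maps(old, new):
    """(joined, left): devices present only in the new scan, and only in the old."""
    return sorted(set(new) - set(old)), sorted(set(old) - set(new))

if __name__ == "__main__":
    print("baseline leaks:", find_leaks(BASELINE))   # expected: []
    print("rescan leaks:  ", find_leaks(RESCAN))     # whole segment exposed via modem
    print("joined/left:   ", diff_maps(BASELINE, RESCAN))
```

The leak check deliberately reports every device downstream of the rogue link, not just the modem, because that is the set an operator must assume is exposed until the path is removed.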
It may be good that leaks and anomalies aren't automatically shut down, Pescatore said.
"If you were to automatically disable something, odds are it is mission-critical to someone," he said.