Blogger: Dan Blum

One of our service directors likes to quote William Gibson: “The future is here, it’s just unevenly distributed.”

At Microsoft’s Server and Tools Business (STB) Analyst and Tech Ed conferences last week, I saw a vendor and a user community living in the past, present and future with many unevenly distributed capabilities.

In a session on identity management strategy, for example, Microsoft discussed a variety of initiatives. These range from Card Space (futuristic implementation of user-centric Information Card specifications) to ADFS (present day enterprise federation support, though unfortunately lacking full SAML capabilities) to self-service password reset exposed through Office (decidedly backward-looking as this functionality has been available from many vendors through browsers for many years).

In another session on rights management and SharePoint, Microsoft highlighted the opportunity to configure SharePoint libraries to automatically apply Active Directory Rights Management Services protections on downloaded documents. Digital rights management (DRM) is controversial and no strong guarantor of confidentiality. Nonetheless, it is a  way to put futuristic self-protecting wrappers on content so as to prevent its accidental leakage or misuse by honest, cooperative users. Because it’s not something that can resist certain types of malicious attackers, many security professionals look down their noses at rights management. Nonetheless, preventing accidental misuse of enterprise information is a big part of the space. It was clear from the number of people in the room asking intelligent questions suggesting realistic expectations that customers see potential value for this technology.

Finally, I was impressed by a presentation on IPSec, PKI and NAP by a Brazilian university IT manager named Rodrigo Imaginario. Starting three years ago, the university combined its student and administrative networks into a single network. Yet servers running ERP and containing administrative content (such as grading information) need to be protected from a subset of students going through their hacking stage. Imaginario implemented a logical security zoning overlay on top of the network using IPSEC in Windows. In the restricted zone, servers only accept connections from Kerberos-authenticated IPSEC clients in the administrative domain. Today, the authentication is being upgraded to use PKI for secure, all campus wireless networking. Imaginario indicated the university took the Windows IPSEC route approach because no additional software had to be purchased. Configuration was difficult, he said, but will get easier with Windows Server 2008. This sounds like an idea whose time has come.

Blogger: Dan Blum

One of our service directors likes to quote William Gibson: ???The future is here, it???s just unevenly distributed.???

At Microsoft???s Server and Tools Business (STB) Analyst and Tech Ed conferences last week, I saw a vendor and a user community living in the past, present and future with many unevenly distributed capabilities.

In a session on identity management strategy, for example, Microsoft discussed a variety of initiatives. These range from Card Space (futuristic implementation of user-centric Information Card specifications) to ADFS (present day enterprise federation support, though unfortunately lacking full SAML capabilities) to self-service password reset exposed through Office (decidedly backward-looking as this functionality has been available from many vendors through browsers for many years).

In another session on rights management and SharePoint, Microsoft highlighted the opportunity to configure SharePoint libraries to automatically apply Active Directory Rights Management Services protections on downloaded documents. Digital rights management (DRM) is controversial and no strong guarantor of confidentiality. Nonetheless, it is a  way to put futuristic self-protecting wrappers on content so as to prevent its accidental leakage or misuse by honest, cooperative users. Because it???s not something that can resist certain types of malicious attackers, many security professionals look down their noses at rights management. Nonetheless, preventing accidental misuse of enterprise information is a big part of the space. It was clear from the number of people in the room asking intelligent questions suggesting realistic expectations that customers see potential value for this technology.

Finally, I was impressed by a presentation on IPSec, PKI and NAP by a Brazilian university IT manager named Rodrigo Imaginario. Starting three years ago, the university combined its student and administrative networks into a single network. Yet servers running ERP and containing administrative content (such as grading information) need to be protected from a subset of students going through their hacking stage. Imaginario implemented a logical security zoning overlay on top of the network using IPSEC in Windows. In the restricted zone, servers only accept connections from Kerberos-authenticated IPSEC clients in the administrative domain. Today, the authentication is being upgraded to use PKI for secure, all campus wireless networking. Imaginario indicated the university took the Windows IPSEC route approach because no additional software had to be purchased. Configuration was difficult, he said, but will get easier with Windows Server 2008. This sounds like an idea whose time has come.

Hovering somewhere overhead, a tiny robot points its camera at the van and takes note of its color scheme and markings. An even bigger drone, thousands of feet above its hovering kin, maintains a God’s-eye vigil on the whole hunt.

Everything these robots see is radioed to monitors thousands of miles away -- and into the targeting systems of a B-52 bomber winging, silent and nearly invisible, several miles overhead.

This scenario, played out at a remote Nevada facility last week, was the first major test of the Army’s $160-billion, 20-year plan to build a high-tech family of networked robots and hybrid-electric armored vehicles. The “Future Combat Systems” program, co-managed by Boeing and consultants SAIC, aims to equip roughly a third of the Army with 14 new vehicle types that are connected constantly to a vast communications net.

The theory behind the FCS is that dispersed, intelligent robotic systems plugged into a universal communications network can help small numbers of U.S. troops riding in new vehicles to control huge swaths of terrain. Any ship, airplane or tank fitted with the FCS network devices will be able to see everything the others see.

The SkyNet-like network and dynamic coordination “is the most important thing,” Brigadier General James Terry says.

This is “a big deal for joint fires,” Army spokesman Paul Mehney told Wired.com.

“Joint fires” is mil-speak for getting all the military services to share info and coordinate their attacks. That kind of teamwork is a big factor in the U.S. military’s combat prowess. And if FCS works out as planned, the five U.S. military branches will team up better than ever.

Did the test work? Kinda.

The robots spotted the van; their targeting data bounced to a nearby unit of specially-equipped Humvees, then across the network to an Air Force intelligence cell in Langley, Virginia, then back to the B-52 -- all in just seconds. The bomber simulated dropping a guided bomb to “destroy” the van.

The Nevada test proved it was possible, according to Mehney.

But one critic says the test essentially was rigged -- that the conditions were too easy.

“There is ‘works’ and then there is ‘works,’” John Pike, an analyst with Globalsecurity,org, told Wired.com.

“A considerable fraction of the FCS network hardware does not currently exist,” Pike said. And the integration of that hardware that does exist has been touch-and-go.

In February, when testers “flipped the switch” for the first time on the network radios, there was a collective sigh of relief that the radios even worked -- this according to one FCS insider who spoke on background.

Last week’s desert test comes at a critical time for Future Combat Systems. Mounting criticism from the GAO plus the growing cost of fixing and upgrading the Army’s current war-weary vehicle fleet -- $120 billion over 10 years, according to the GAO -– has put the squeeze on the futuristic program. “It is not yet clear if or when the Army and [its contractors] can develop, build, and demonstrate the … network,” the Government Accountability Office reported in March.

One powerful congressman, nominally a supporter of FCS, has proposed injecting extra money into the program in order to rescue some of its technologies before canceling the rest.

Rep. John Murtha (D-PA), chair of the defense appropriations subcommittee, promised an extra $20 billion this year for FCS, provided the Army could use the money to wrap up the program quickly. “We need to accelerate FCS if we ever want to see anything accomplished,” Matt Mazonkey, a Murtha staffer, told Wired.com.

The Army is still preparing its response to Murtha’s query, Mehney said. Regardless, the service’s position on FCS has never wavered. The Army says that FCS is on-budget, on-schedule, and with continued funding will deliver on its promises to connect the ground service to itself and to all the other military branches.

And to ensure smooth progress despite a combined $900 million budget cut last year, the Army this month asked Congress to “re-appropriate” $250 million of other Army funds into FCS coffers.