Max security inmates help lock down prison network

With 23 hours a day to test the system, inmates serve as a red team

When the Colorado Department of Corrections designed a high-speed network to deliver services to the cells of prisoners who are locked up for most of the day, they needed to make sure it was secure.

“We kept it very open and simple,” said John Jubic, the Department of Corrections’ end-user solutions manager. “The security behind it isn’t simple.”

As it turned out, when the facility opened in September 2010, the prisoners were both a security liability and asset. “They were our beta testers,” Jubic said. “With 23 hours a day to work on it, they broke it a lot.”


At the user end of the system is a hardened, metal kiosk that houses a thin-client computer in each cell, with a keyboard, mouse and headset for the prisoner. It connects to a 1 gigabit/sec network and authenticates through a RadiantOne Virtual Directory Server that authorizes access for each prisoner based on a profile in the prison’s management system. The network is isolated from the Internet, and services hosted outside are delivered through reverse proxy servers. Prisoners receive virtual visits in their cells from friends and family through the kiosks.

The Department of Corrections stripped functionality from applications such as a soft phone for voice-over-IP telephone service. Keyboard functions were locked down for prisoners through group policies. But prisoners still found holes in the system.

Although the prison is a maximum security facility for administrative segregation — basically, solitary confinement — not all of the prisoners are violent offenders. “They have done something” within the corrections system “to earn their way here,” Jubic said. They also have a lot of time on their hands. “You give somebody 23 hours a day to bang on that keyboard.”

For instance, the inmates discovered that if they opened more than 200 windows in Internet Explorer at a time, it would cause a buffer overflow, Jubic said. “Once they caused the buffer overflow, group policy stopped completely,” and access was restored to additional function keys on the keyboards.

At one point, the prisoners accessed the virtual visitation system and made video visits to one another.

The prisoners never got outside the system to access the Internet, and new scripts were written to harden security. It has been several months since prisoners have breached system security, Jubic said.

The Colorado Corrections Department learned a number of lessons from standing up its in-cell services program. On the security side, keep the client thin to minimize the impact of security breaches. The Colorado system uses a Citrix Provisioning Server to load a fresh operating system image every time the computer is booted up. “You don’t want to do it any other way,” Jubic said. “If they beat you they can change things,” and refreshing the OS limits the impact.

Also, put functionality in the hardware when possible rather than the software. The initial solution for delivering television service to the kiosks was browser based and downloaded an executable to display the video. “I would not buy a product that works like that,” Jubic said. “Put the executable on the PC itself.”

On the administrative side, leverage existing systems so that administrators do not have to duplicate records or migrate data. Any extra work created by a new system will create resistance from the staff, Jubic said.

And finally, “take your time building it,” he said. Test everything and keep applications separate. This is an area where virtualization is a virtue. “If you virtualize your apps, it makes it a lot easier.”