Feds Move to Secure Net
An anonymous reader writes "eWeek reports: The Cyber Warning Information Network, a key part of the Bush administration's National Strategy to Secure Cyberspace, will use a secure, private IP network separate from the public Internet, according to officials. The government currently has seven nodes running, said Marcus Sachs, director of communications infrastructure protection at the Office of Cyberspace Security, in Washington."
So how will they get data in/out ? (Score:4, Interesting)
Since their interest is in securing the net as a whole, it's a pity they're not practising what they preach, and try and implement a secure solution over the public 'net. Would be an inspiration for other folks.
What? (Score:3, Interesting)
what took so long? (Score:3, Interesting)
Re:I would hope so (Score:5, Interesting)
However, even if you lease a private line it would still be in control of a third party, the telephone company for instance. In these cases cryptographic hardware is used to secure the channel.
Something already there? (Score:4, Interesting)
Surely the US government has something equivalent...?
Re:So how will they get data in/out ? (Score:5, Interesting)
I think they cannot implement a truly secure solution over the public net as the protocols were never designed with security in mind - i.e. anything that happens is a hack or a bodge on top of those insecure protocols. Whilst these may be good enough for you or me in practical terms, the government would want a quantifiably secure system, and the only way you get that is to disconnect yourself from the rest of the world.
There are plenty of systems that do this BTW - I used to work for a company that did credit card processing. They had a single PC connected to the internet and not the LAN, all the others were on the internal LAN only. I've seen banks not connect to the internet at all.
Thank god I work for a less paranoid company now!
Re:bastards (Score:3, Interesting)
I think that possibly a more relevant explanation of the IPv4 shortage would be that because there are so many new nodes being added, a shortage of addresses was obviously going to happen at some point. What with all the mobile phones and other, smaller devices (i.e. embedded systems in Internet-enabled fridges etc.) that are connecting, IPv4 was going to run out at some point.
Besides, IPv6 should sort out that problem... Come 2010 even us poor souls in the UK may have completely switched to the new protocol version. Just in time to see BT finally provide full, half-decent UK broadband coverage (maybe give it a few more years though eh).
IPv6? (Score:3, Interesting)
That's about the only realistic route a worldwide migration to IPv6 could take, I think - building an entirely separate infrastructure.
Then we can have that one and they can have the old one back!
Question for the well-informed (Score:3, Interesting)
These people employ some of the best mathematicians and engineers in the world, they ought to be able to come up with a good implementation.
Not to mention the fact that even a separate link is going to require some information-level security as you don't want every tech with a current probe to be able to see your network traffic ...
Re:bastards (Score:3, Interesting)
You want to make IPv4 last another decade? Take back all the colleges' IP blocks, make them use a single Class C with NAT-ing.
Won't Work for DoD Units (Score:4, Interesting)
Just like the (Swiss) banks then ... (Score:5, Interesting)
Every worker has two computers. One for the bank stuff and the other for internet/ordinary stuff.
The internal network has very limited connections to the internet (necessary web-banking connections, but not more). Don't count on Sendmail bugs to get you in here.
Routers and security (Score:3, Interesting)
Someone in the class had worked on a secure network project where all the routes were static, but when they did load testing the packets would arrive out of order. This worried them (as it should) and they looked into it. It turned out that the routers (switches?) they were using would "cheat" when they detected backup and would send packets to ports off the static routes.
The expected behavior was that the receiver would bounce the packet back as destination unknown. But this could buy the equipment precious milliseconds and the congestion might clear.
A cute solution, but not very secure.
Re:One problem (Score:2, Interesting)
It will be less vulnerable because they will have mandated that communications use physically separate switching nodes paths. And you can be sure that they have thought about this.
Re: hey easy with the terrorist word (Score:3, Interesting)
Practically speaking, the Star Chamber has been recreated. That was the imposition of the English monarchy that habeas corpus was specifically created to stamp out. People being arrested without their name being released, without being allowed any outside contacts, and held indefinitely without being charged. Flagrant constitutional violations, but all actions taken by our government.
In *most* of the cases I've heard of there has been decent reason for the person to be arrested. But not for the violation of their rights. And in more than one of the cases I have not been able to determine any reason. (This doesn't mean there wasn't one. The information available is *intentionally* fragmentary.)
What a waste of my tax money (Score:3, Interesting)
On the other hand, VPN over Internet can be very secure and far cheaper. Not VPN using OpenSSL on Linux boxes, because both OS and the relatively big library could have buffer overflows or some other low-level bugs. But it's easy to build a layered system that will be extremely secure. Say, hardware routers that decrypt and check signature on every incoming packet in hardware before looking at it otherwise. And then AFTER that, a Linux box that does a sanity check on what comes through the router, just in case.
Re:So how will they get data in/out ? (Score:4, Interesting)
The principle was good: all of your internet research and private email was done on the unclass machine; all of your quotidian tasks, including accessing the archives and the cable database, were done on the class machine. Department-Embassy communication went through the State Department's cable system and thus was also unconnected from the public network.
If the government is willing to apply hardware redundancy on a massive scale, they can certainly replicate such a system in those agencies that do not have it already. There are still obvious human errors that can muck up such a system. For example, when rushed, many foreign service officers would e-mail colleagues in the embassies for information. While one wasn't supposed to discuss classified topics on e-mail because of the weaker security, it wasn't always easy to decide where to draw the line. Similarly, if you were writing a report that drew on classified and unclassified data, and much of the unclassified data was online, then it was tempting to slap your floppy disk with a copy of your classified report into the unclassified machine and work on it there, so as to copy and paste material more easily. Still, these are human errors; eliminating them is a different topic. As long as we are willing to think on a scale commensurate with the government's resources, it would be technically difficult to create such a system.