Slashdot Mirror


Bush Wants an Unhackable Private Network

Slur points out an article at the New York Times which says that the "Bush administration is considering the creation of a secure new government communications network separate from the Internet that would be less vulnerable to attack and efforts to disrupt critical federal activities," writing "It seems to me money would be better spent getting the next-generation Internet going, for the government to fund more of the existing research and standards boards to create protocols that are invulnerable to the kinds of attacks the government seems to fear, namely massive DOS attacks. Or is there something else a 'net terrorist' could do to 'disrupt the vital flow of information'?" Isn't hard-to-disrupt communication the reason that DARPA got involved in this "Internet" business anyhow? Update: 11/19 22:48 GMT by T : This was mentioned before a little while ago when USA Today wrote about the same concept, but apparently a Digital Pearl Harbor is still being flogged.


  1. GOVNET analysis from Bruce Schneier by st.+augustine · · Score: 5, Informative

    Bruce Schneier has an informative story about this in the November 15 CRYPTO-GRAM, including some of the pros and cons. Basically, he says it would be better than what they have now, but still not all that great (he points out that the government already has several separate, secure internets, for various purposes, and they were still infected by Melissa and LoveLetter). And that this is one of the few cases where security and convenience might really be inversely proportional.

    --
    Some things are to be believed, though not susceptible to rational proof.
    1. Re:GOVNET analysis from Bruce Schneier by alen · · Score: 3, Informative

      Actually one of the networks is currently being migrated from a Unix OS to Windows NT/2000.

    2. Re:GOVNET analysis from Bruce Schneier by cruelworld · · Score: 2, Informative

      RE: Unfortunately, the security measures imposed were sort of stupid: the ethernet cables of the classified net had to be at least so many feet from a phone line (they were worried that induced voltages from ethernet would allow someone on the phone to "tap" the classified net)

      This is actually true. You could and do get enough crosstalk that a good sniffer in a van could pull packets off your ethernet.

      RE: keyboards attached to computers attached to the classified net couldn't be traded out to unclassified areas

      Maybe they're worried about trojan hardware? A keyboard gets borrowed out, a small modification is made so that it logs every key pressed and then a week or two later gets "loaned" out again to extract the data.

      Remember, these are people who get paid to be paranoid.

  2. Isn't this a repeat? by Krimsen · · Score: 2, Informative

    Wasn't this covered back in Sept?

  3. Already exist by firewort · · Score: 5, Informative

    Bush may not know it, but these already exist in the form of SIPRNET, and INTELNET.

    SIPRNET

    SECRET INTERNET PROTOCOL ROUTER NETWORK

    SIPRNET will replace the DSNET-1 during the migration to DISN. It operates at the SECRET Collateral level and can interface with the TROJAN network. It provides higher and selectable data rates at a much lower O&M recurring cost. Inter-site data rates are 512 Kbps and in some cases T-1. Users can connect to the network at selectable data rates that meet the need.

    INTELNET

    NAVAL INTELLIGENCE COMMUNICATIONS SYSTEM

    The NICS is designed to consolidate Naval Intelligence communications systems. The system has three parts. INTELCAST plan calls for each FOCIC or Facility to consolidate up to 12 different message traffic circuits, including OPINTEL, MUSIC, FIST, and DODIIS through INTELDATA extended in an SCI LAN Extension and Stand Alone capability configuration. The SCI LAN encompasses a full suite of SOCRATES equipment, including workstations, secondary imagery dissemination systems, and a mapping and graphics capability. The Stand Alone capability provides a workstation with tailored data bases specific to unit operational orientation. Stand Alone capabilities are being provided to Guard and Reserve units as well as to certain active, lower-echelon units.

    NIPRNET

    UNIFORM INTERNET PROTOCOL ROUTER NETWORK

    The NIPRNET is the consolidation of several service/agency networks (AFNET, NAVNET, MILNET) with common protocols and standards. It is a product of the DISN Near Term Program, which sought a reduction in cost of operation through interoperability and standardization. Connectivity over high-speed trunking is supported by the NIPRNET. It operates at the unclassified level, while the SIPRNET supports classified networks in a similar manner.

    --

  4. answer Re:question by gilroy · · Score: 2, Informative
    Blockquoth the posters:

    Isn't hard-to-disrupt communication the reason that DARPA got involved in this "Internet" business anyhow?

    Yup

    Um, nope.

    While some work had been done on using packet-switching to improve communication reliability after a nuclear attack, that work was purely theoretical and not directly tied to the origin of the ARPAnet. The ARPAnet was explicitly created to allow computer researchers to share files and resources, reducing unnecessary duplication of effort and resources. The nuclear war myth might be better copy, but it's just a myth.


    Check out Where Wizards Stay Up Late for the real story.

  5. Re:question by Alien54 · · Score: 3, Informative
    Isn't hard-to-disrupt communication the reason that DARPA got involved in this "Internet" business anyhow?

    But somehow that all went to hell when it got commercialized. How many people here remember the splash made by that first infamous piece of broadcast spam from that lawyer in Arizona? (Or was it California?) Or the September that never ended with the advent of Internet access via AOL.

    As soon as all these commercial interests got into it, wham. And this is the information superhighway invented by algore. The bloody mess of spam and commercial jerks. Not DARPA.

    --
    "It is a greater offense to steal men's labor, than their clothes"
  6. AUTODIN by pete-classic · · Score: 3, Informative

    AFAIK AUTODIN is still where the "serious business" happens.

    AUTODIN is an ancient, circuit switched network. It's a real bear to operate (I spent four years operating it) but it is genuinely secure. AFAIK the whole "packet switched so it can't be decapitated" thing that the ARPANET was supposed to solve was supposed to be an answer to AUTODIN.

    I hope they get something going so they can retire AUTODIN.

    -Peter

  7. Re:Grow up, Georgie by Cally · · Score: 4, Informative

    Feel free to hack into my home network. Its IP range is 192.168.0.1 - 192.168.0.13.


    How wonderful, someone who still thinks NAT equals security!

    I'm not going to spell it out to you, but I suggest you:

    1. Tighten up your firewall rules immediately. (You ARE running a firewall, aren't you?) And

    2. Start checking your IDS logs closely for the next few days. (You ARE running an IDS, aren't you?)


    OK, if you want further hints for your googling: firstly, look for `arp poisoning Dug Song MitM'. Then search the Bugtraq, and perhaps the sec-focus Pen-testing list archives, for info about how to own the OS/platform you're NATing with (ie if you're NATing thru Linux, I mean the Linux box.) Remember to check for known vulnerabilities in the services that show up when you nmap your external interface. Yeah, of course you're completely up to date with all current patches, but I bet that there was a window of vulnerability before you applied each one...

    In general, boasting on Slashdot about how secure one's network is, is a BAD idea.

    --
    "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
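    A defender-side companion to the IDS advice above, added here as an example that is not from the thread: it walks constructed tcpdump-style ARP reply lines and flags the two classic signs of ARP poisoning, a protected IP (such as the NAT gateway) suddenly answered by a new MAC, and one MAC answering for several IPs. The log format, addresses and MACs are all constructed.

```python
import re
from collections import defaultdict

# Constructed sample (not captured from any real network): tcpdump-style
# "arp reply <ip> is-at <mac>" lines; the last two are the suspicious ones.
SAMPLE_ARP_LOG = """\
2001-11-19 22:48:01 arp reply 192.168.0.1 is-at 00:0c:29:aa:bb:01
2001-11-19 22:48:05 arp reply 192.168.0.13 is-at 00:0c:29:aa:bb:0d
2001-11-19 22:49:10 arp reply 192.168.0.1 is-at 00:0c:29:aa:bb:01
2001-11-19 22:50:02 arp reply 192.168.0.1 is-at 00:50:56:de:ad:ff
2001-11-19 22:50:03 arp reply 192.168.0.13 is-at 00:50:56:de:ad:ff
"""

ARP_RE = re.compile(
    r"^(?P<ts>\S+ \S+) arp reply (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"is-at (?P<mac>[0-9a-f:]{17})$", re.IGNORECASE)


def parse_arp_log(text):
    """Yield (timestamp, ip, mac) from each well-formed ARP reply line."""
    for line in text.splitlines():
        m = ARP_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("ip"), m.group("mac").lower()


def detect_arp_anomalies(text, protected_ips=()):
    """Return (timestamp, severity, message) alerts for ARP poisoning signs.

    Sign 1: an IP that was answered by one MAC is now answered by another
            (HIGH when the IP is in protected_ips, e.g. the gateway).
    Sign 2: a single MAC answers for more than one IP (classic MitM relay).
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    flagged_macs = set()
    alerts = []
    for ts, ip, mac in parse_arp_log(text):
        known = ip_to_mac.setdefault(ip, mac)
        if known != mac:
            sev = "HIGH" if ip in protected_ips else "MEDIUM"
            alerts.append((ts, sev, f"{ip} moved from {known} to {mac}"))
            ip_to_mac[ip] = mac  # remember the latest claim, alert once per change
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1 and mac not in flagged_macs:
            flagged_macs.add(mac)
            alerts.append((ts, "MEDIUM", f"{mac} claims {sorted(mac_to_ips[mac])}"))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_anomalies(SAMPLE_ARP_LOG, protected_ips={"192.168.0.1"}):
        print(*alert)
```

A static ARP entry for the gateway on each host, or switch-level dynamic ARP inspection, closes the hole the alerts point at; the script only makes the symptom visible.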
  8. Uhh, milnet? by Omega · · Score: 2, Informative
    ...the creation of a secure new government communications network separate from the Internet that would be less vulnerable to attack and efforts to disrupt critical federal activities.

    Doesn't MILnet do this already? Isn't this why when the DoD gave up control of ARPAnet, they forked and created MILnet to retain a secure channel?

    Bush needs to lay off the MSN. The U.S. government is already waaaaaaaaaay ahead on this one.

  9. Global Systems integration. by the_real_bayliss · · Score: 1, Informative
    It seems that there is a growing push for integrated technologies. A great example is VoIP integration for the United States Postal Service Office of Inspector General:

    http://www.cisco.com/warp/public/784/packet/apr01/p22-enterprise.html#title

    Sounds great, doesn't it? 40% cheaper phone calls, a more secure network, etc., but as more and more technologies and services get incorporated into the one implementation, the number of eggs in the basket continues to grow.

    Just remember, attacks can come from behind the firewall too.

    Just in case you are interested in how the government currently protects their Cisco routers:

    http://nsa2.www.conxion.com/cisco/download.htm

    is an interesting read.

  10. Re:Why not demand IPv6? by marxmarv · · Score: 3, Informative
    None of the major backbones are willing to provide IPv6 connections.
    Bullshit. None of the major backbones are willing to provide IPv6 routing because IPv6 is still experimental for the next several quarters, and I assure you they're as desperate for a gimmick as the rest of the technology sector, or more so. If you think it's so damn easy, buy a Cadence or Synopsys license, take the risk, and do it already.
    Why not start by requiring IPv6 in all government RFPs/RFQs for long-haul comm?
    What does IPv6 use for security? It uses IPsec encapsulation and authentication, exactly the same as IPv4 save that it's not optional in IPv6. What's the advantage? We don't even have an address assignment scheme for IPv6 yet that's known to scale, and IPv6 users and early adopters need to work the bugs out as the scale of the system grows. Do you want routers to die or run impaired just because some non-conforming implementation tries to send a packet formed just wrong? Neither do I, and good infosec does things correctly, not quickly.

    There are ZERO operational advantages to carrying classified information over the public network when you are an organization of this size. You get a lack of control over the availability of the network as a whole, and a nonzero possibility of leaked information via covert channels. Strictly divorcing the government operations network, properly done and with appropriate physical security applied to end-user terminals, reduces the chance of information leakage to zero and gives the network operator absolute control over availability, reliability, and access.

    If it were such a bad idea, then why do so many large corporations lease lines between offices?

    -jhp

    --
    /. -- the Free Republic of technology.
  11. Unix - Windows Transition by J.J. · · Score: 3, Informative

    It's more like a DoD wide transition from Unix to WinNT/2k. It's all the DoD networks - not just the classified ones.

    I think it's a mistake personally, but I've never researched the reasoning behind the decision. The difficulty in finding Unix admins shouldn't matter that much, since the military tends to grow their own anyhow.