Feds Move to Secure Net

An anonymous reader writes "eWeek reports:The Cyber Warning Information Network, a key part of the Bush administration's National Strategy to Secure Cyberspace, will use a secure, private IP network separate from the public Internet, according to officials. The government currently has seven nodes running, said Marcus Sachs, director of communications infrastructure protection at the Office of Cyberspace Security, in Washington."

So how will they get data in/out ?

[dew-genen-ny]

I'd be interested to see how they propose to use this - ie is it completed closed, or are there specific hosts that have access to public and private. Inevitably there's always some host somewhere that comprimises this type of idea.

Since their interest is in securing the net as a whole, it's a pity they're not practising what they preach, and try and implement a secure solution over the public 'net. Would be a inspiration for other folks.

Re:So how will they get data in/out ?

[gbjbaanb]

almost certainly there will be hosts solely connected to the private network, and never to the public. No doubt this can work for the government who will not allow just anyone to plug a new host in. (perhaps they have a single hosts file ;-)

I think they cannot implement a truly secure solution over the public net as the protocols were never designed with security in mind - ie. anything that happens is a hack or a bodge on top of those insecure protocols. Whilst these may be good enough for you or me in practical terms, the government would want a quantifiably secure system, and the only way you get that is to disconnect yourself from the rest of the world.

There are plenty of systems that do this BTW - I used to work for a company that did credit card processing. They had a single PC connected to the internet and not the lan, all the others were on the internal lan only. I've seen banks not connect to the internet at all.

Thank god I work for a less paranoid company now!

Re:So how will they get data in/out ?

[jpferguson]

I can offer an example from the State Department. (None of this should get me jailed, I don't think.) Someone mentioned working at a credit-card processing company where only one computer was connected to the internet, and the rest solely to the LAN? The State Department applied the same principle of redundant hardware, on a much vaster scale. When I worked there in 2000-2001, each desk had two machines hooked up to a single monitor, mouse and keyboard via a switching box. One machine, covered in green stickers, as the "unclass" box; the other, covered in red, was "class." The unclass machine was hooked up to the internet via ethernet; the class machine was hooked up to State's LAN via ethernet, through a separate series of routers and servers. (The class machine also had a removable hard disk, the type that you unlock, yank out, and toss into your safe every night, along with all of your files.) The only way to transfer information between the two machines was via floppy disk.

The principle was good: all of your internet research and private email was done on the unclass machine; all of your quotidian tasks, including accessing the archives and the cable database, was done on the class machine. Department-Embassy communication went through the State Department's cable system and thus was also unconnected from the public network.

If the government is willing to apply hardware redundancy on a massive scale, they can certainly replicate such a system in those agencies that do not have it already. There are still obvious human errors that can muck up such a system. For example, when rushed, many foreign service officers would e-mail colleagues in the embassies for information. While one wasn't supposed to discuss classified topics on e-mail because of the weaker security, it wasn't always easy to decide where to draw the line. Similarly, if you were writing a report that drew on classified and unclassified data, and much of the unclassified data was online, then it was tempting to slap your floppy disk with a copy of your classified report into the unclassified machine and work on it there, so as to copy and paste material more easily. Still, these are human errors; eliminating them is a different topic. As long as we are willing to think on a scale commensurate with the government's resources, it would be technically difficult to create such a system.

What?

[decarelbitter]

You mean they didn't already have a separate network? Well, I didn't think high of them anyway, but here's yet another reason why.

what took so long?

[turtle-spin]

not being overly experienced myself in design of infrastructure for critical and data sensitive systems, surely this thought of thing is not the newest idea in the book. I would have thought most agencies would already have "critical" and "secure" networks in place to deal with emergency situations like mass DDOS or vulnerability attacks especially with all the paranoia for the last 5 years odd about cyberterrorism..

Re:I would hope so

[MnO-Raphael]

Physical separation of networks _is_ widely used among government and military networks. The reason being very simple: It's the only cost-effective way to guarantee security.

However, even if you lease a private line it would still be in control of a third party, the telephone company for instance. In these cases cryptographic hardware is used to secure the channel.

Something already there?

[stroudie]

I find it surprising that this doesn't exist already - surely this is something like a slightly shinier version of UK Government Secure Intranet which has been operational for some time.

Surely the US government has something equivalent...?

Re:bastards

[mooZENDog]

this is why there's a global ipv4 shortage, cos the bastards at the DoD and other places own most of them

I think that possibly a more relevant explanation of the ipv4 shortage would be that because there are so many new nodes being added, a shortage of addresses was obviously going to happen at some point. What with all the mobile phones and other, smaller devices (i.e. embedded systems in Internet-enabled fridges etc). that are connecting, ipv4 was going to run out at some point.

Besides, ipv6 should sort out that problem... Come 2010 even us poor souls in the UK may have completely switched to the new protocol version. Just in time to see BT finally provide full, half-decent UK broadband coverage (maybe give it a few more years though eh) :)

IPv6?

[janap]

If this "fednet" thing is to be totally separate, they're not staying with IP version 4, are they? The article doesn't say as far as I can make out.

That's about the only realistic route a worldwide migration to IPv6 could take, I think - building an entirely separate infrastructure.

Then we can have that one and they can have the old one back!

Question for the well-informed

[Xner]

Is the extra hassle involved with deploying a completely separate network (digging?) justified in terms of increased security when compared to simply setting up a secure tunnel over an existing long distance link?
These people employ some of the best mathematicians and engineers in the world, they ought to be able to come up with a good implementation.

Not to mention the fact that even a separate link is going to require some informataion-level security as you don't want every tech with a current probe to be able see your network traffic ...

Re:bastards

Heck, it's not the DoD that has all those IPs tied up! It's the universities! I don't know how many times I've come across colleges with a whole Class B, and every single PC has a routable address. And since only the very largest ones have anywhere close to 64K nodes, the vast majority of their space is just plain empty.

You want to make IPv4 last another decade? Take back all the colleges' IP blocks, make them use a single Class C with NAT-ing.

Won't Work for DoD Units

[Highwayman]

I have always been frustrated by the biggest technology issue facing the military or any large organization: deployment. The SIPRNET has been around for ages. However, in all the places I have been assigned, nobody at my level ever has access. This is ridiculous because I have always worked where the proverbial rubber meets the road. VPN, Fortezza cards, and all this is not new, nor revolutionary. The issue is plainly logistics, sustainment, and training. Logistics is an issue because you have to field the equipment. The government already runs scads of custom applications many requiring dedicated computers. If you are able to field the equipment, it will be very difficult to maintain and upgrade because the channels for doing so are often convoluted or repair facilities are hundreds of miles away. Sustainment is a pain because the military is not designed (for the most part) to be stationary. When a large deployment happens, you are lucky to have a telephone let alone Internet capability. Finally, training is always a big problem. Right now most users cannot even perform the most basic computer tasks. As it all revolves around dollars when it comes to manning and training, I find it hard to believe that enough is going to be vested in empowering the end user to have access or know-how. In the end, it will end up where all good ideas end up, only being used at levels above reality by people who already have access to all matter of secure everything. I don't see it getting to the end user any time in the near future. To me this is an operating system issue, if you don't ingrain this crap at the OS level, there is always going to be problems. From sensitive data left in the swap space, to unsecured file systems, and ineffective data destruction utilities, there are dozens of pitfalls for truly running a secure network. Throwing tons of third party applications on top of it is a huge mess. Secondly, the government has become over-reliant on using the Internet. At least for the military, occupations in fixed facilities should mirror operations in deployment situations. The only solution for the military is satellite or high frequency radio. Access to these solutions at the speeds necessary for Internet transactions is years away and very expensive. I won't believe a word of any of this until the Department of Defense stops using Telnet and other insecure software for their day to day business. Way too many personal transactions are conducted via Telnet un-tunneled and unsecured. I have seen this first hand many times and as recently as yesterday. I am tired of the good idea factory coming up with solutions from behind their $3000 dollar oak desks when at my level the IT and security is crap and my personal information is strewn all over who knows where.

Just like the (Swiss) banks then ...

[snowtigger]

I talked to some computer people working in Swiss banks last year. It turned out they have a private network in parallel with the internet.

Every worker has two computers. One for the bank stuff and the other for internet/ordinary stuff.

The internal network has very limited connections to the internet (necessary web-banking connections, but not more). Don't count on Sendmail bugs to get you in here ...

Routers and security

[shreak]

I heard a story few years ago while taking a networks training course. We were talking about packet order and the fact that it's not guaranteed. The instructor mentioned that you could probably expect the order to be maintained if you specified the route and were the only thing transmitting, but still, it is not guaranteed.

Someone in the class had worked on a secure network project where all the routes were static, but when they did load testing the packets would arrive out of order. This worried them (as it should) and they looked into it. It turned out that the routers (switches?) they were using would "cheat" when they detected backup and would send packets to ports off the static routes.

The exptected behavior was that the receiver would bounce the packet back as destination unknown. But this could buy the equipment precious milliseconds and the conjestion might clear.

A cute solution, but not very secure.

Re:One problem

[bigsteve@dstc]

isn't a private WAN such as this more susceptible to a "single point of failure" attack?

It will be less vulnerable because they will have mandated that communications use physically separate switching nodes paths. And you can be sure that they have thought about this.

Re: hey easy with the terrorist word

[HiThere]

They already are. People have been arrested (though, in the cases I heard of, not held) merely for wearing anti-war tee-shirts.

Practically speaking, the Star Chamber has been recreated. That was the imposition of the English monarchy that habeus corpus was specifically created to stamp out. People being arrested without their name being released, without being allowed any outside contacts, and held indefinitely without being charged. Flagrant constitutional violations, but all actions taken by our government.

In *most* of the cases I've heard of there has been decent reason for the person to be arrested. But not for the violation of their rights. And in more than one of the cases I have not been able to determine any reason. (This doesn't mean there wasn't one. The information available it *intentionally* fragmentary.)

What a waste of my tax money

[iamacat]

Private lines don't contribute much to security, as they still go through public phone companies, public land, public airwaves and so on. If your company has confidential data that could be worth a million bucks to someone, you shouldn't trust this kind of security. Let's not even talk about state secrets.

On the other hand, VPN over Internet can be very secure and far cheaper. Not VPN using OpenSSL on Linux boxes, because both OS and the relatively big library could have buffer overflows or some other low-level bugs. But it's easy to build a layered system that will be extremly secure. Say, hardware routers that decrypt and check signature on every incoming packet in hardware before looking at it otherwise. And then AFTER that, a Linux box that does a santity check on what comes through the router, just in case.