Feds Move to Secure Net
An anonymous reader writes "eWeek reports:The Cyber Warning Information Network, a key part of the Bush administration's National Strategy to Secure Cyberspace, will use a secure, private IP network separate from the public Internet, according to officials. The government currently has seven nodes running, said Marcus Sachs, director of communications infrastructure protection at the Office of Cyberspace Security, in Washington."
Many companies have data centers in multiple locations with private lines connecting them. I would have hoped the government would have thought of this much sooner. Reminds me of a few months ago when they were saying the FBI has not been able to hire many computer experts because they could not pass the required physical tests.
I'd be interested to see how they propose to use this - i.e. is it completely closed, or are there specific hosts that have access to public and private. Inevitably there's always some host somewhere that compromises this type of idea.
Since their interest is in securing the net as a whole, it's a pity they're not practising what they preach, and try and implement a secure solution over the public 'net. Would be an inspiration for other folks.
The Cyber Warning Information Network, a key part of the Bush administration's National Strategy to Secure Cyberspace, will use a secure, private IP network separate from the public Internet, according to officials.
TOP STORY: A single government branch sets up an internal network, separate from the internet. Tonight at eleven, find out what kind of routers they bought.
You mean they didn't already have a separate network? Well, I didn't think highly of them anyway, but here's yet another reason why.
from http://www.eweek.com/article2/0,3959,922570,00.as
March 10, 2003
Feds Move to Secure Net
By Dennis Fisher
SAN DIEGO--The White House and the new Department of Homeland Security have begun in earnest the process of implementing the plan to secure the nation's critical networks--starting with extensive changes in the federal security infrastructure.
The most significant move is the development of a private, compartmentalized network that will be used by federal agencies and private-sector experts to share information during large-scale security events, government officials said at the National Information Assurance Leadership conference here last week.
The system is part of the newly created Cyber Warning Information Network, a group of organizations including the National Infrastructure Protection Center, the Critical Infrastructure Assurance Office and others that have some responsibility for the security of federal systems. The private-sector Information Sharing and Analysis Centers will also be included.
The Cyber Warning Information Network, a key part of the Bush administration's National Strategy to Secure Cyberspace, will use a secure, private IP network separate from the public Internet, according to officials. The government currently has seven nodes running, said Marcus Sachs, seen on left, director of communications infrastructure protection at the Office of Cyberspace Security, in Washington.
Sachs, speaking at the conference here, which was put on by The SANS Institute, pointed to last week's handling of the critical vulnerability in the Sendmail Mail Transfer Agent package as a prime example of how such back-channel communication between vendors, researchers and the government can help protect end users. Researchers at Internet Security Systems Inc., in Atlanta, discovered the vulnerability in mid-February and immediately notified officials at the White House and the Department of Homeland Security.
The government quietly spread the word among federal agencies and, along with ISS, began contacting the affected vendors. After the vendors developed patches, the fixes were deployed quickly on critical government, military and private-sector machines before the official announcement of the vulnerability.
However, some in the security community say that until the CWIN is fully operational and proven, they'll continue to use existing methods.
"I would not have used CWIN for Sendmail. There are too many questions about something that has not been fully deployed," said Pete Allor, manager of the threat intelligence service at ISS and director of operations at the Information Technology ISAC. "I'd like to know who I'm transmitting information to and the rules for dissemination.
"My two biggest concerns are having private-sector information on a government network and if Congress withdraws the [Freedom of Information Act] exemption, there won't be any reason for private companies to use [the CWIN]," Allor said. While speculation exists, to date no bill has been introduced to remove the FOIA exemption in the Homeland Security Act.
As part of the plan to improve security, the CIO of each federal agency is, by statute, now accountable for the security of that agency's network. This is a significant change, considering the lack of responsibility permeating government security efforts.
"This is the first time this has ever happened," Sachs said. "It used to be that it was their job, but they just said, 'Yeah, I guess we're secure.'"
The internal structure of the government's security apparatus is also undergoing some major changes, officials said. The President's Critical Infrastructure Protection Board, formerly part of the Office of Cyberspace Security, is now part of the Homeland Security Council. But that may not be where it ends up. There are indications that the board may end up as part of the Department of Homeland Security.
Not being overly experienced myself in design of infrastructure for critical and data-sensitive systems, surely this sort of thing is not the newest idea in the book. I would have thought most agencies would already have "critical" and "secure" networks in place to deal with emergency situations like mass DDoS or vulnerability attacks, especially with all the paranoia for the last 5-odd years about cyberterrorism.
The company I work for has had a 70+ node WAN with separate IP address space from the Internet for about 5 years, and before that a 6-7 node WAN running IPX.
This seems so utterly obvious that I'm completely mystified as to why this is a news-worthy article. Or is this just a joke?
Yippee! The feds have an 'intranet'. I hope I don't pee my pants with excitement!
"But actually trying to use m4 as a general-purpose language would be deeply perverse" --ESR
1 Start a network for army
2 Open it to Universities
3 Open it to everyone
4 Watch while "terrorists" start to spread viruses on it
5 Start network for the Feds
.....Rinse and repeat.
.ACMD setaloiv siht gnidaeR
I find it surprising that this doesn't exist already - surely this is something like a slightly shinier version of UK Government Secure Intranet which has been operational for some time.
Surely the US government has something equivalent...?
The military has its own private and secure data/voice network. They have their own private IPs and everything. Any time people working on the unclassified network need to move data to the classified network they have to use "sneaker-net" and make damn sure the data isn't infected with a virus. Perhaps this is what the Department of National Security is modeling its data network after.
Wonder if they're testing the TIA project on their intraweb ;)
I will now redundantly add my name to the end of my post. You know, in case you forgot me or something.
You forgot:
6 (Warning: Unreachable code): Profit!
Also, they'll use decimal IPv4 addresses -- which would explain a lot about the Uplink game...
Uh, look up what SIPRNET and NIPRNET are... been around for a long long time...
-- Note: If you don't agree with me, don't bother replying. I won't read it.
this is why there's a global ipv4 shortage, cos the bastards at the DoD and other places own most of them
:)
I think that possibly a more relevant explanation of the ipv4 shortage would be that because there are so many new nodes being added, a shortage of addresses was obviously going to happen at some point. What with all the mobile phones and other, smaller devices (i.e. embedded systems in Internet-enabled fridges etc). that are connecting, ipv4 was going to run out at some point.
Besides, ipv6 should sort out that problem... Come 2010 even us poor souls in the UK may have completely switched to the new protocol version. Just in time to see BT finally provide full, half-decent UK broadband coverage (maybe give it a few more years though eh)
---
"An eye for an eye leaves the whole world blind" - Gandhi
If this "fednet" thing is to be totally separate, they're not staying with IP version 4, are they? The article doesn't say as far as I can make out.
That's about the only realistic route a worldwide migration to IPv6 could take, I think - building an entirely separate infrastructure.
Then we can have that one and they can have the old one back!
These people employ some of the best mathematicians and engineers in the world, they ought to be able to come up with a good implementation.
Not to mention the fact that even a separate link is going to require some information-level security, as you don't want every tech with a current probe to be able to see your network traffic ...
Pathman, Free (as in GPL) 3D Pac Man
everybody from outside who came onto their Unreal Tournament server kicked their ass.
7 nodes? What is this - an FBI LAN party?
And the nodes will be also connected to the internet? If this is true, a worm that goes through the internet (i.e. if at some moment a sendmail worm comes along and a company has a postfix in the DMZ that receives and forwards the mail to the internal sendmail, it would be vulnerable also) could pass between the two networks. I remember how much damage CodeRed2 and Nimda did in not properly secured internal networks. In this case, if the nodes are connected to both networks, a worm could enter from one point and try to infect the other (at least email will be the common point between them).
But, if they are only connected between them and NOT connected to the internet (not even by mail), they are not solving the problem with this, only isolating some critical (?) part of the network so worms like this one will not infect their Windows shares and things like that (at least, until a worm that combines several ways to spread enters there).
Heck, it's not the DoD that has all those IPs tied up! It's the universities! I don't know how many times I've come across colleges with a whole Class B, and every single PC has a routable address. And since only the very largest ones have anywhere close to 64K nodes, the vast majority of their space is just plain empty.
You want to make IPv4 last another decade? Take back all the colleges' IP blocks, make them use a single Class C with NAT-ing.
And ask them if they run a vuln version of sendmail, can I use "secret-gateway.mil.org" then?
It's all part of a cunning plot by cigarette man to put all the p0rn on the net someplace we can't get it.
Do not try to read the dupe, that's impossible. Instead, only try to realize the truth
What truth?
There is no dupe
One would assume the actual hardware would be under lock and key and behind a pair of burly Marines, to discourage any stray installers of WiFi cards etc. One would also assume there are software safety measures that would prevent the stray installer from importing dangerous data or viruses via sneakernet. And finally, one would assume that deviating from the strict rules of conduct will result in reprimands/jail time/caning (delete as applicable) depending on how dangerous or stupid the said stray installer acted.
As for patching, that's fine for security levels up to a certain degree, but there are unpatched and undiscovered bugs around any given time, as the submissions history on /. will tell you.
I have always been frustrated by the biggest technology issue facing the military or any large organization: deployment. The SIPRNET has been around for ages. However, in all the places I have been assigned, nobody at my level ever has access. This is ridiculous because I have always worked where the proverbial rubber meets the road. VPN, Fortezza cards, and all this is not new, nor revolutionary. The issue is plainly logistics, sustainment, and training. Logistics is an issue because you have to field the equipment. The government already runs scads of custom applications, many requiring dedicated computers. If you are able to field the equipment, it will be very difficult to maintain and upgrade because the channels for doing so are often convoluted or repair facilities are hundreds of miles away. Sustainment is a pain because the military is not designed (for the most part) to be stationary. When a large deployment happens, you are lucky to have a telephone, let alone Internet capability. Finally, training is always a big problem. Right now most users cannot even perform the most basic computer tasks. As it all revolves around dollars when it comes to manning and training, I find it hard to believe that enough is going to be vested in empowering the end user to have access or know-how. In the end, it will end up where all good ideas end up, only being used at levels above reality by people who already have access to all manner of secure everything. I don't see it getting to the end user any time in the near future. To me this is an operating system issue; if you don't ingrain this crap at the OS level, there are always going to be problems. From sensitive data left in the swap space, to unsecured file systems, and ineffective data destruction utilities, there are dozens of pitfalls for truly running a secure network. Throwing tons of third party applications on top of it is a huge mess. Secondly, the government has become over-reliant on using the Internet.
At least for the military, occupations in fixed facilities should mirror operations in deployment situations. The only solution for the military is satellite or high frequency radio. Access to these solutions at the speeds necessary for Internet transactions is years away and very expensive. I won't believe a word of any of this until the Department of Defense stops using Telnet and other insecure software for their day to day business. Way too many personal transactions are conducted via Telnet un-tunneled and unsecured. I have seen this first hand many times and as recently as yesterday. I am tired of the good idea factory coming up with solutions from behind their $3000 dollar oak desks when at my level the IT and security is crap and my personal information is strewn all over who knows where.
For all those saying I can't believe the Feds don't have a separate network -- golly gee yes they do and have had such separate networks for years. What the Feds are doing is auditing which systems are connected to which networks. If it was originally assumed that the public Internet was safe enough, those assumptions are being checked. If it is decided that those assumptions were wrong, that a system is threatened, it is moved to a private internet. Considering the size of the Federal government it should surprise no one that history, changes in the internet and other factors should justify such an audit. It's not like private companies don't do the same thing on occasion. The difference is this time politics are involved. It's a way to wave the flag and see we're doing something for homeland security. Three years ago, the press would have ignored this.
You are right in that most colleges are assigned more address space than they use. My school of 1600 has a handful of class C nets, and maybe 30 systems that actually need to be routable.
I disagree that forcing them to squeeze into less space is going to buy much of an extension to ipv4, however. In fact I think it's the wrong idea entirely. Any system where saving address space is such a high priority needs to be changed, especially since an alternative already exists in ipv6.
Even forcing all the schools to use a Class C network would buy only a few hundred million addresses, which is a drop in the pond at the rate that the net is growing worldwide, what with phones, PDAs, and toasters needing their own network connections these days.
I notice in the article that the Feds et al. were notified of the sendmail security flaw before the official release. Um. Not that I have anything against the FBI perusing my pr0n collection (Leanna Hart -- Locker Room.avi is quite good if y'all are listening), but this scares the fuck out of me.
Sachs, speaking at the conference here, which was put on by The SANS Institute, pointed to last week's handling of the critical vulnerability in the Sendmail Mail Transfer Agent package as a prime example of how such back-channel communication between vendors, researchers and the government can help protect end users. Researchers at Internet Security Systems Inc., in Atlanta, discovered the vulnerability in mid-February and immediately notified officials at the White House and the Department of Homeland Security.
The government quietly spread the word among federal agencies and, along with ISS, began contacting the affected vendors. After the vendors developed patches, the fixes were deployed quickly on critical government, military and private-sector machines before the official announcement of the vulnerability.
The government currently has seven nodes running, said Marcus Sachs, director of communications infrastructure protection at the Office of Cyberspace Security, in Washington.
Let me guess:
192.168.0.1
192.168.0.2
192.168.0.3
192.168.0.4
192.168.0.5
192.168.0.6
192.168.0.7
The revolution will not be televised. It won't be on a friggin blog either
Cyber Warning Information Network (CWIN) looks to be an expensive, slower, and less effective version of CERT.
This is the group that "handled" the recent announcement of a new sendmail vulnerability. Except what they did was this: ISS, an info-security company looking for brownie points, reported to the Office of Cyberspace Security at the White House and Homeland Security, who told FedCERT, which passed that along to military and federal government IT people. Except all they could do was turn off sendmail, since a fix wasn't yet available!
Then Sendmail (.com and .org sides, i.e. Eric Allman) and CERT were contacted. CERT alerted various Unix, Linux and BSD vendors that a new sendmail security fix was coming and to get ready to package it. Sendmail shared their fix with vendors and everyone announced a fix at roughly the same time. Thanks to the hard working people at CERT. Nobody played "I'm fixed, screw the rest of you" or other selfish, self-centered games.
So the DHS made three phone calls (or emails) and spent the rest of their time writing up press releases about their great job, so the "press release == news" media could spout how great and cyber-aware DHS is. Though ISS, Sendmail Inc./Consortium, and CERT did all the real work.
I talked to some computer people working in Swiss banks last year. It turned out they have a private network in parallel with the internet.
...
Every worker has two computers. One for the bank stuff and the other for internet/ordinary stuff.
The internal network has very limited connections to the internet (necessary web-banking connections, but not more). Don't count on Sendmail bugs to get you in here
I heard a story few years ago while taking a networks training course. We were talking about packet order and the fact that it's not guaranteed. The instructor mentioned that you could probably expect the order to be maintained if you specified the route and were the only thing transmitting, but still, it is not guaranteed.
Someone in the class had worked on a secure network project where all the routes were static, but when they did load testing the packets would arrive out of order. This worried them (as it should) and they looked into it. It turned out that the routers (switches?) they were using would "cheat" when they detected backup and would send packets to ports off the static routes.
The expected behavior was that the receiver would bounce the packet back as destination unknown. But this could buy the equipment precious milliseconds and the congestion might clear.
A cute solution, but not very secure.
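A monitoring check for the failure mode in this story, as an added Python example that is not from the original thread: given a static route table and a capture of each packet's ingress interface and sequence number, it flags packets that arrive on an interface other than the mandated one (the routers "cheating" off the static routes) and packets that arrive out of order. The route table, interface names, flow keys and capture records are all constructed for the example.

```python
from collections import defaultdict

# Constructed static route table: flow -> the only interface it should ever arrive on.
STATIC_ROUTES = {
    "10.1.0.5->10.2.0.9": "eth1",
    "10.3.0.2->10.2.0.9": "eth2",
}

# Constructed capture records: (timestamp_ms, flow, sequence_number, ingress_interface).
CAPTURE = [
    (1, "10.1.0.5->10.2.0.9", 1, "eth1"),
    (2, "10.1.0.5->10.2.0.9", 2, "eth1"),
    (3, "10.1.0.5->10.2.0.9", 4, "eth1"),
    (4, "10.1.0.5->10.2.0.9", 3, "eth2"),   # late, and arrived via a path not in the route table
    (5, "10.3.0.2->10.2.0.9", 1, "eth2"),
    (6, "10.3.0.2->10.2.0.9", 2, "eth2"),
    (7, "192.0.2.7->10.2.0.9", 1, "eth1"),  # flow with no static route at all
]


def analyse(capture, routes):
    """Return (timestamp, flow, seq, finding) tuples for every anomaly, in arrival order.

    Two independent signals are checked per packet: did it come in on the mandated
    interface, and did it arrive behind a higher sequence number already seen for
    its flow. Both firing on the same packet is the pattern from the story above.
    """
    highest_seq = {}
    findings = []
    for ts, flow, seq, iface in capture:
        expected = routes.get(flow)
        if expected is None:
            findings.append((ts, flow, seq, "no_static_route"))
            continue
        if iface != expected:
            findings.append((ts, flow, seq, f"off_route:{iface}"))
        if seq < highest_seq.get(flow, 0):
            findings.append((ts, flow, seq, "reordered"))
        highest_seq[flow] = max(highest_seq.get(flow, 0), seq)
    return findings


def summarise(findings):
    """Count findings per flow and kind so a consistently misrouted link stands out."""
    counts = defaultdict(lambda: defaultdict(int))
    for _, flow, _, finding in findings:
        counts[flow][finding.split(":")[0]] += 1
    return {flow: dict(kinds) for flow, kinds in counts.items()}


if __name__ == "__main__":
    found = analyse(CAPTURE, STATIC_ROUTES)
    for row in found:
        print(row)
    print(summarise(found))
```

Reordering alone is normal on any packet network, so the value here is the correlation: a reordered packet that also arrived on the wrong interface is evidence that traffic left the mandated path, which is exactly what a "physically separate" design is supposed to rule out.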
It will be less vulnerable because they will have mandated that communications use physically separate switching node paths. And you can be sure that they have thought about this.
They already are. People have been arrested (though, in the cases I heard of, not held) merely for wearing anti-war tee-shirts.
Practically speaking, the Star Chamber has been recreated. That was the imposition of the English monarchy that habeas corpus was specifically created to stamp out. People being arrested without their name being released, without being allowed any outside contacts, and held indefinitely without being charged. Flagrant constitutional violations, but all actions taken by our government.
In *most* of the cases I've heard of there has been decent reason for the person to be arrested. But not for the violation of their rights. And in more than one of the cases I have not been able to determine any reason. (This doesn't mean there wasn't one. The information available is *intentionally* fragmentary.)
I think we've pushed this "anyone can grow up to be president" thing too far.
And then we'll be able to see what John Ashcroft really thinks about naked statuary pr0n.
On the other hand, VPN over Internet can be very secure and far cheaper. Not VPN using OpenSSL on Linux boxes, because both OS and the relatively big library could have buffer overflows or some other low-level bugs. But it's easy to build a layered system that will be extremely secure. Say, hardware routers that decrypt and check signature on every incoming packet in hardware before looking at it otherwise. And then AFTER that, a Linux box that does a sanity check on what comes through the router, just in case.
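The two-stage design in this comment, a first stage that verifies every packet's authentication tag before anything else touches the bytes, then a second stage that sanity-checks the decrypted inner packet against policy, as an added Python example that is not part of the original thread. Everything in it is constructed: the keys, the 10.0.0.0/8 range assumed for the private network, the TCP/UDP-only policy, the minimal inner packet layout (4-byte source, 4-byte destination, 1-byte protocol, payload), and the HMAC-SHA256 counter-mode keystream, which is a standard-library stand-in for a real cipher such as AES-GCM so the example runs offline.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed keys for the example; a real link would get per-peer keys from key management.
ENC_KEY = b"constructed-encryption-key-32B!!"
MAC_KEY = b"constructed-mac-key-32-bytes-long"
TAG_LEN = 32   # HMAC-SHA256 output
HDR_LEN = 8    # 64-bit packet counter
PRIVATE_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed address space of the private network
ALLOWED_PROTOS = {6, 17}                           # assumed policy: TCP and UDP only


def _keystream(key: bytes, counter: int, length: int) -> bytes:
    """Toy counter-mode keystream from HMAC-SHA256; stands in for a real cipher."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">QQ", counter, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def seal(counter: int, inner: bytes) -> bytes:
    """Encrypt-then-MAC on the sending side: header || ciphertext || HMAC(header || ciphertext)."""
    header = struct.pack(">Q", counter)
    ct = _xor(inner, _keystream(ENC_KEY, counter, len(inner)))
    tag = hmac.new(MAC_KEY, header + ct, hashlib.sha256).digest()
    return header + ct + tag


def build_inner(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Constructed inner packet layout: src(4) dst(4) proto(1) payload."""
    return ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed + bytes([proto]) + payload


class Gateway:
    """Stage 1 authenticates before parsing; stage 2 applies policy to the plaintext."""

    def __init__(self):
        self.last_counter = -1   # strictly increasing counter as a minimal anti-replay rule

    def stage1_verify(self, wire: bytes):
        """Return (status, inner_packet_or_None). Nothing is parsed until the tag checks out."""
        if len(wire) < HDR_LEN + TAG_LEN:
            return "short", None
        header, ct, tag = wire[:HDR_LEN], wire[HDR_LEN:-TAG_LEN], wire[-TAG_LEN:]
        expected = hmac.new(MAC_KEY, header + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return "bad_tag", None
        counter = struct.unpack(">Q", header)[0]
        if counter <= self.last_counter:
            return "replay", None
        self.last_counter = counter
        return "ok", _xor(ct, _keystream(ENC_KEY, counter, len(ct)))

    @staticmethod
    def stage2_sanity(inner: bytes) -> str:
        """The 'just in case' check: a correctly keyed peer may still send off-policy traffic."""
        if len(inner) < 9:
            return "malformed"
        src = ipaddress.ip_address(inner[0:4])
        dst = ipaddress.ip_address(inner[4:8])
        proto = inner[8]
        if src not in PRIVATE_NET or dst not in PRIVATE_NET:
            return "policy_address"
        if proto not in ALLOWED_PROTOS:
            return "policy_proto"
        return "ok"

    def receive(self, wire: bytes) -> str:
        status, inner = self.stage1_verify(wire)
        if status != "ok":
            return status
        return self.stage2_sanity(inner)


def demo():
    """Run four constructed packets through one gateway and report each verdict."""
    gw = Gateway()
    good = seal(1, build_inner("10.1.2.3", "10.9.9.9", 6, b"hello"))
    tampered = bytearray(good)
    tampered[HDR_LEN] ^= 0x01                       # flip one ciphertext bit
    spoofed = seal(2, build_inner("203.0.113.5", "10.9.9.9", 6, b"x"))  # valid tag, off-policy source
    return {
        "good": gw.receive(good),
        "tampered": gw.receive(bytes(tampered)),
        "replay": gw.receive(good),
        "spoofed": gw.receive(spoofed),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the ordering is that the tampered packet is rejected by the tag check and never reaches the address parser, so any bug in stage 2 is only reachable by a peer that holds the MAC key; the spoofed packet shows why stage 2 is still worth having.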
umm.. if it's a completely separate network from the internet.. how is it going to have ANY effect whatsoever? I mean they won't even be able to look at what's out there! Am I missing something here?
Reinard
Also, this network may not be very expensive - most of the traffic is likely to be email or occasional software distributions, and just about everything except a major Windows patch can run fine over a 56kbps frame connection.
Bill Stewart