Slashdot Mirror


Feds Move to Secure Net

An anonymous reader writes "eWeek reports: The Cyber Warning Information Network, a key part of the Bush administration's National Strategy to Secure Cyberspace, will use a secure, private IP network separate from the public Internet, according to officials. The government currently has seven nodes running, said Marcus Sachs, director of communications infrastructure protection at the Office of Cyberspace Security, in Washington."


  1. I would hope so by Blaine+Hilton · · Score: 5, Informative

    Many companies have data centers in multiple locations with private lines connecting them. I would have hoped the government would have thought of this much sooner. Reminds me of a few months ago when they were saying the FBI has not been able to hire many computer experts because they could not pass the required physical tests.

    1. Re:I would hope so by gbjbaanb · · Score: 5, Funny

      don't forget that those physical tests are 'standing up straight', 'sitting still without fidgeting', and 'looking at things outside without squinting'.

      It's a good job they didn't do psychological tests too - 'talking to other people without using IM' - or they'd have no computer experts at all!

    2. Re:I would hope so by MnO-Raphael · · Score: 5, Interesting

      Physical separation of networks _is_ widely used among government and military networks. The reason being very simple: It's the only cost-effective way to guarantee security.

      However, even if you lease a private line it would still be in control of a third party, the telephone company for instance. In these cases cryptographic hardware is used to secure the channel.

    3. Re:I would hope so by Black+Copter+Control · · Score: 4, Funny
      A long time ago, a friend of mine asked a client at CSIS (Canadian Security and Intelligence Service) what kind of firewall they used.
      "We don't use a firewall
      We use an air gap."
      Made sense to me... Now if they'd only stop losing their laptops....
      --
      OS Software is like love: The best way to make it grow is to give it away.
  2. So how will they get data in/out ? by dew-genen-ny · · Score: 4, Interesting

    I'd be interested to see how they propose to use this - ie is it completely closed, or are there specific hosts that have access to public and private. Inevitably there's always some host somewhere that compromises this type of idea.

    Since their interest is in securing the net as a whole, it's a pity they're not practising what they preach, and try and implement a secure solution over the public 'net. Would be an inspiration for other folks.

    --
    tom-george.com Because geeks rate higher t
    1. Re:So how will they get data in/out ? by decarelbitter · · Score: 4, Funny

      One word: sneakernet.

    2. Re:So how will they get data in/out ? by gbjbaanb · · Score: 5, Interesting

      almost certainly there will be hosts solely connected to the private network, and never to the public. No doubt this can work for the government who will not allow just anyone to plug a new host in. (perhaps they have a single hosts file ;-)

      I think they cannot implement a truly secure solution over the public net as the protocols were never designed with security in mind - ie. anything that happens is a hack or a bodge on top of those insecure protocols. Whilst these may be good enough for you or me in practical terms, the government would want a quantifiably secure system, and the only way you get that is to disconnect yourself from the rest of the world.

      There are plenty of systems that do this BTW - I used to work for a company that did credit card processing. They had a single PC connected to the internet and not the lan, all the others were on the internal lan only. I've seen banks not connect to the internet at all.

      Thank god I work for a less paranoid company now!

    3. Re:So how will they get data in/out ? by jpferguson · · Score: 4, Interesting
      I can offer an example from the State Department. (None of this should get me jailed, I don't think.) Someone mentioned working at a credit-card processing company where only one computer was connected to the internet, and the rest solely to the LAN? The State Department applied the same principle of redundant hardware, on a much vaster scale. When I worked there in 2000-2001, each desk had two machines hooked up to a single monitor, mouse and keyboard via a switching box. One machine, covered in green stickers, was the "unclass" box; the other, covered in red, was "class." The unclass machine was hooked up to the internet via ethernet; the class machine was hooked up to State's LAN via ethernet, through a separate series of routers and servers. (The class machine also had a removable hard disk, the type that you unlock, yank out, and toss into your safe every night, along with all of your files.) The only way to transfer information between the two machines was via floppy disk.

      The principle was good: all of your internet research and private email was done on the unclass machine; all of your quotidian tasks, including accessing the archives and the cable database, were done on the class machine. Department-Embassy communication went through the State Department's cable system and thus was also unconnected from the public network.

      If the government is willing to apply hardware redundancy on a massive scale, they can certainly replicate such a system in those agencies that do not have it already. There are still obvious human errors that can muck up such a system. For example, when rushed, many foreign service officers would e-mail colleagues in the embassies for information. While one wasn't supposed to discuss classified topics on e-mail because of the weaker security, it wasn't always easy to decide where to draw the line. Similarly, if you were writing a report that drew on classified and unclassified data, and much of the unclassified data was online, then it was tempting to slap your floppy disk with a copy of your classified report into the unclassified machine and work on it there, so as to copy and paste material more easily. Still, these are human errors; eliminating them is a different topic. As long as we are willing to think on a scale commensurate with the government's resources, it would be technically difficult to create such a system.

  3. What's the News? by Anonymous Coward · · Score: 5, Funny

    The Cyber Warning Information Network, a key part of the Bush administration's National Strategy to Secure Cyberspace, will use a secure, private IP network separate from the public Internet, according to officials.

    TOP STORY: A single government branch sets up an internal network, separate from the internet. Tonight at eleven, find out what kind of routers they bought.

    1. Re:What's the News? by the+uNF+cola · · Score: 5, Funny

      I think it's akin to having your child say his/her first words. I'm impressed with the gov't. Next thing you know, they'll stop using default passwords ;)

      --
      "I'm not bright. Big words confuse me. But Wanda loves me and that should be enough for you." - Cosmo

  4. Fulltext for offline browsing & quickref'ing by Anonymous Coward · · Score: 5, Informative


    from http://www.eweek.com/article2/0,3959,922570,00.asp

    March 10, 2003

    Feds Move to Secure Net

    By Dennis Fisher

    SAN DIEGO--The White House and the new Department of Homeland Security have begun in earnest the process of implementing the plan to secure the nation's critical networks--starting with extensive changes in the federal security infrastructure.

    The most significant move is the development of a private, compartmentalized network that will be used by federal agencies and private-sector experts to share information during large-scale security events, government officials said at the National Information Assurance Leadership conference here last week.

    The system is part of the newly created Cyber Warning Information Network, a group of organizations including the National Infrastructure Protection Center, the Critical Infrastructure Assurance Office and others that have some responsibility for the security of federal systems. The private-sector Information Sharing and Analysis Centers will also be included.

    The Cyber Warning Information Network, a key part of the Bush administration's National Strategy to Secure Cyberspace, will use a secure, private IP network separate from the public Internet, according to officials. The government currently has seven nodes running, said Marcus Sachs, seen on left, director of communications infrastructure protection at the Office of Cyberspace Security, in Washington.

    Sachs, speaking at the conference here, which was put on by The SANS Institute, pointed to last week's handling of the critical vulnerability in the Sendmail Mail Transfer Agent package as a prime example of how such back-channel communication between vendors, researchers and the government can help protect end users. Researchers at Internet Security Systems Inc., in Atlanta, discovered the vulnerability in mid-February and immediately notified officials at the White House and the Department of Homeland Security.

    The government quietly spread the word among federal agencies and, along with ISS, began contacting the affected vendors. After the vendors developed patches, the fixes were deployed quickly on critical government, military and private-sector machines before the official announcement of the vulnerability.

    However, some in the security community say that until the CWIN is fully operational and proven, they'll continue to use existing methods.

    "I would not have used CWIN for Sendmail. There are too many questions about something that has not been fully deployed," said Pete Allor, manager of the threat intelligence service at ISS and director of operations at the Information Technology ISAC. "I'd like to know who I'm transmitting information to and the rules for dissemination.

    "My two biggest concerns are having private-sector information on a government network and if Congress withdraws the [Freedom of Information Act] exemption, there won't be any reason for private companies to use [the CWIN]," Allor said. While speculation exists, to date no bill has been introduced to remove the FOIA exemption in the Homeland Security Act.

    As part of the plan to improve security, the CIO of each federal agency is, by statute, now accountable for the security of that agency's network. This is a significant change, considering the lack of responsibility permeating government security efforts.

    "This is the first time this has ever happened," Sachs said. "It used to be that it was their job, but they just said, 'Yeah, I guess we're secure.'"

    The internal structure of the government's security apparatus is also undergoing some major changes, officials said. The President's Critical Infrastructure Protection Board, formerly part of the Office of Cyberspace Security, is now part of the Homeland Security Council. But that may not be where it ends up. There are indications that the board may end up as part of the Department of Homeland Security.

  5. And this wasn't in place before? by smoon · · Score: 4, Funny

    The company I work for has had a 70+ node WAN with separate IP address space from the Internet for about 5 years, and before that a 6-7 node WAN running IPX.

    This seems so utterly obvious that I'm completely mystified as to why this is a news-worthy article. Or is this just a joke?

    Yipee! The feds have an 'intranet'. I hope I don't pee my pants with excitement!

    --
    "But actually trying to use m4 as a general-purpose langage would be deeply perverse" --ESR
  6. if true : do stuff; by watzinaneihm · · Score: 5, Funny

    1 Start a network for army
    2 Open it to Universities
    3 Open it to everyone
    4 Watch while "terrorists" start to spread viruses on it
    5 Start network for the Feds
    .....Rinse and repeat.

    --
    .ACMD setaloiv siht gnidaeR
  7. Something already there? by stroudie · · Score: 4, Interesting

    I find it surprising that this doesn't exist already - surely this is something like a slightly shinier version of UK Government Secure Intranet which has been operational for some time.

    Surely the US government has something equivalent...?

  8. US Military already has its own private network by ItaliaMatt · · Score: 5, Informative

    The military has its own private and secure data/voice network. They have their own private IPs and everything. Any time people working on the unclassified network need to move data to the classified network they have to use "sneaker-net" and make damn sure the data isn't infected with a virus. Perhaps this is what the Department of National Security is modeling its data network after.

  9. SIPRNET / NIPRNET , jerky... by fire-eyes · · Score: 4, Insightful

    Uh, look up what SIPRNET and NIPRNET are... been around for a long long time...

    --
    -- Note: If you don't agree with me, don't bother replying. I won't read it.
  10. The real reason... by Bazzargh · · Score: 4, Funny

    everybody from outside who came onto their Unreal Tournament server kicked their ass.

    7 nodes? What is this - an FBI LAN party?

  11. Re:You mean... by 6hill · · Score: 4, Insightful

    One would assume the actual hardware would be under lock and key and behind a pair of burly Marines, to discourage any stray installers of WiFi cards etc. One would also assume there are software safety measures that would prevent the stray installer from importing dangerous data or viruses via sneakernet. And finally, one would assume that deviating from the strict rules of conduct will result in reprimands/jail time/caning (delete as applicable) depending on how dangerous or stupid the said stray installer acted.

    As for patching, that's fine for security levels up to a certain degree, but there are unpatched and undiscovered bugs around any given time, as the submissions history on /. will tell you.

  12. Won't Work for DoD Units by Highwayman · · Score: 4, Interesting

    I have always been frustrated by the biggest technology issue facing the military or any large organization: deployment. The SIPRNET has been around for ages. However, in all the places I have been assigned, nobody at my level ever has access. This is ridiculous because I have always worked where the proverbial rubber meets the road. VPN, Fortezza cards, and all this is not new, nor revolutionary. The issue is plainly logistics, sustainment, and training.

    Logistics is an issue because you have to field the equipment. The government already runs scads of custom applications many requiring dedicated computers. If you are able to field the equipment, it will be very difficult to maintain and upgrade because the channels for doing so are often convoluted or repair facilities are hundreds of miles away. Sustainment is a pain because the military is not designed (for the most part) to be stationary. When a large deployment happens, you are lucky to have a telephone let alone Internet capability. Finally, training is always a big problem. Right now most users cannot even perform the most basic computer tasks. As it all revolves around dollars when it comes to manning and training, I find it hard to believe that enough is going to be vested in empowering the end user to have access or know-how.

    In the end, it will end up where all good ideas end up, only being used at levels above reality by people who already have access to all matter of secure everything. I don't see it getting to the end user any time in the near future. To me this is an operating system issue, if you don't ingrain this crap at the OS level, there is always going to be problems. From sensitive data left in the swap space, to unsecured file systems, and ineffective data destruction utilities, there are dozens of pitfalls for truly running a secure network. Throwing tons of third party applications on top of it is a huge mess.

    Secondly, the government has become over-reliant on using the Internet. At least for the military, occupations in fixed facilities should mirror operations in deployment situations. The only solution for the military is satellite or high frequency radio. Access to these solutions at the speeds necessary for Internet transactions is years away and very expensive.

    I won't believe a word of any of this until the Department of Defense stops using Telnet and other insecure software for their day to day business. Way too many personal transactions are conducted via Telnet un-tunneled and unsecured. I have seen this first hand many times and as recently as yesterday. I am tired of the good idea factory coming up with solutions from behind their $3000 dollar oak desks when at my level the IT and security is crap and my personal information is strewn all over who knows where.

  13. The Feds are auditing what should be on Internet by MyNameIsFred · · Score: 4, Informative

    For all those saying I can't believe the Feds don't have a separate network -- golly gee yes they do and have had such separate networks for years. What the Feds are doing is auditing which systems are connected to which networks. If it was originally assumed that the public Internet was safe enough, those assumptions are being checked. If it is decided that those assumptions were wrong, that a system is threatened, it is moved to a private internet. Considering the size of the Federal government it should surprise no one that history, changes in the internet and other factors should justify such an audit. It's not like private companies don't do the same thing on occasion. The difference is this time politics are involved. It's a way to wave the flag and see we're doing something for homeland security. Three years ago, the press would have ignored this.

  14. Just like the (Swiss) banks then ... by snowtigger · · Score: 4, Interesting

    I talked to some computer people working in Swiss banks last year. It turned out they have a private network in parallel with the internet.

    Every worker has two computers. One for the bank stuff and the other for internet/ordinary stuff.

    The internal network has very limited connections to the internet (necessary web-banking connections, but not more). Don't count on Sendmail bugs to get you in here ...