Fort N.O.C.'s Security in Obscurity
penciling_in writes "Brock N. Meeks of MSNBC reports
on his recent visit to VeriSign's secret location: 'The unassuming building
that houses the "A" root sits in a cluster of three others; the architecture
looks as if it were lifted directly from a free clip art library. No signs or
markers give a hint that the Internet's most precious computer is inside
humming happily away in a hermetically sealed room. This building complex could
be any of a 100,000 mini office parks littering middle class America.' The
report goes on to say: 'Access to the Network Operations Center, the "NORAD"
of the Internet's traffic monitoring, requires the electronic badge and then a
double biometric hand print scan.' And here are Karl
Auerbach and Robert
Alberti offering their interesting analysis of this report on CircleID."
Sigh. Deep Sigh.
There's more than the 'A' root server. Taking "it" down leaves a whole hurd of other root servers alive. Located all around the world.
The above linked articles are full of that which promoteth growth.
This story is news, but I kept expecting some point of contention in the article, rather than some musings on decorating schemes that were compared to clip art.
I found my point here:
The root server operators "have no contract with anyone, no guarantee of level of service, they could turn [the root servers] off tomorrow with no consequences at all because they are doing it out of the kindness of their heart," said Internet consultant Ambler. "ICANN needs contracts with the root server operators that specify minimum levels of service and minimum levels of security and the root servers need to be paid for that," he said.
Why is it so confusing to imagine that (a) People do like to do things out of the "kindness" of their collective hearts, and (b) security is not always "secured" by either contracts or money? I understand the legal protections associated with contracts, but I think there's a chance that the root server operator system, as it stands, could alternatively be viewed as something successful - something, much like the open source software movement, that works, not because of contracts or restrictive covenants, but because people enjoy contributing to something useful for their own and others' use.
I guess amazon.com which went public in 1997 must have been frequented only be researches and nerds for the first 5 years of operation.
Not much. There's a bunch of other root servers scattered around the world; this just happens to be the first one.
I'd like to see some statistics on how many people attempt to invade/evade the physical security checks at Netsol's NOC that require and necessitate facilties on that level. The same goes for most any datacenter - your physical security is awesome, but why?
:)
Aren't most attacks against servers launched over that intarweb thing?
I can't recall the last time someone tried to suicide bomb a root server.
I can only hope that their NOC has multiple fibers coming to the building and that those fibers aren't in the same trench.
The other potential source for a single-point of failure is the OS that the root server uses. If Verisign uses any kind of monoculture, they will not be as secure as we might hope. A hacker or botched OS patch could hose the thing.
Two wrongs don't make a right, but three lefts do.
The design documentation of the Internet is globally available... wait for it.. on the Internet!
If you examine it, you will notice that
a) DNS is not part of the original design
b) as designed, it WON'T survive a nuke
c) nobody intended it to.
What it *was* designed for was a limited fault tolerance - based on the idea that phone companies suck and the guy that runs the next node is an idiot who can't be trusted to tie his own shoes.
Turns out they were right about those last two points, incidentally.