Fort N.O.C.'s Security in Obscurity
penciling_in writes "Brock N. Meeks of MSNBC reports
on his recent visit to VeriSign's secret location: 'The unassuming building
that houses the "A" root sits in a cluster of three others; the architecture
looks as if it were lifted directly from a free clip art library. No signs or
markers give a hint that the Internet's most precious computer is inside
humming happily away in a hermetically sealed room. This building complex could
be any of a 100,000 mini office parks littering middle class America.' The
report goes on to say: 'Access to the Network Operations Center, the "NORAD"
of the Internet's traffic monitoring, requires the electronic badge and then a
double biometric hand print scan.' And here are Karl
Auerbach and Robert
Alberti offering their interesting analysis of this report on CircleID."
Although the article says that the location is a secret, a link from the article to www.root-servers.org happily tells you that server A is in Dulles.
It's cool to see someone write about the building you used to work in! I worked in this building, a bit more than 2 years ago. I was in Network Solutions' consulting arm, whose DC office was in that building, two floors under the NOC. The security really is as spectacular (and low-key) as you'd expect. You would NOT believe the camera surveillance they have facing outwards...you can see some of it, but you can't see some of them at all. And the cameras themselves are startlingly cool...there's a small strip mall across a major highway from the facility, with a clear line of sight. One of the security guys showed me how far the zoom worked, as he zoomed in on a guy smoking in front of a bookstore in the strip mall...about half a mile away. It was still a clear picture.
When 9/11 happened, we were not allowed back into the building for a couple of days, but all they had to stand up as barriers were road cones. Luckily, they're finally moving to a location that isn't just obscure and secure, but armored, as I hear their Mountain View, CA location is.
For your security, this post has been encrypted with ROT-13, twice.
If this building were destroyed by a nuclear weapon, what would be the impact on the Internet?
Back in the good old days, if you had a recent copy of hosts.txt all this was irrelevant :-).
But it's been most of a decade since just anyone could download it.
Nope, VeriSign was never in Palo Alto. It was dotCom era, rents in Palo Alto were way high by that time. VeriSign started in Redwood Shores and then moved to Mountain View. These days they own the old Netscape campus.
The operations center is another matter, those are in unmarked buildings at several locations. If you look at some of the displays of root server locations you will see blobs in the San Francisco and Washington D.C. areas. Well duhh! Who would have guessed that the DNS servers would be so close physically to MAE West and MAE East?
The Circle ID stories are both slashdotted. So we can't hear if Karl and co are saying 'nah, we don't need high bandwidth roots capable of a good slashdotting' which if they were would be somewhat ironic.
The point that the article does not really mention is that at the moment running the DNS roots is done on a voluntary basis. ICANN is getting a free ride here. After the DDoS event in 2002 it was clear that 1) the roots were a major target 2) There was a big difference in the quality of service.
Given the importance of the roots shouldn't we actually invest something so the people running them can afford to do the job well? VeriSign can afford to run its systems the way it does because it has revenue from other sources. How do you justify the cost of a high end four way server to be dedicated to root ops if you are a non-profit? ICANN could at least pay for hardware and bandwidth.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
Microsoft - or SCO (if it had the cash) - could go out and try to buy all the root servers. There is nothing to stop the root operators from selling out.
Nor is there anything that prevents root server operators from giving preference to queries coming from paying IP addresses.
All of that is hypothetical, but without legally enforceable obligations, we're just hoping that nothing changes for the worse.
And things *do* change - for example, back in the 1980's SCO was a fun company here in Santa Cruz.