US Government to Have Only 50 Gateways
Narrative Fallacy brings us a story about the US government's plan to reduce the roughly 4,000 active internet connections used by its civilian agencies to a mere 50 highly secure gateways. This comes as part of the government's response to a rise in attacks on its networks.
"Most security professionals agreed that the TIC security improvements and similar measures are long overdue. 'We should have done this five years ago, but there wasn't the heart or the will then like there is now,' said Howard Schmidt, a former White House cyber security adviser. 'The timetable is aggressive,' he said, but now there is a sense of urgency behind the program. Small agencies that won't qualify for their own connections under TIC must subcontract their Internet services to larger agencies."
... or does this summary scream "Throw more money at the problem"?
I mean, really. Perhaps ensuring the standards and procedures are actually adhered to would be a much cheaper and less drastic change.
If sharing a song makes you a pirate, what do I have to share to be a ninja?
History shows that any "fence" or edifice to "security" is almost always, like the Great Wall, designed to keep its citizens in, rather than invaders out.
How is this any different?
Cheers
* Carthago Delenda Est *
They got the title wrong. It should read: U.S. finally joins "The League of Big Brother Regimes"
I hope the small list of 50 IPs will be published sooner rather than later so that I could easily block these suckers from reading the stuff *I* don't want them to read. Just to balance the censorship.
Wouldn't this make DoS easier, not harder?
BRENT ROCKWOOD, EST'd 1975
I wonder what 'Loyal Bushie Companies' are being paid back with the contracts for this work?
Technology -- No Place For Wimps! Grateful Dead and Jerry Garcia Chatroom -- http://www.wemissjerry.org
And now we have a new excuse for the bureaucracy: "Our web site is down because agency XYZ won't let us use the Internet we subcontracted from them."
I've worked in a bureaucracy for a few years. The main reason for proliferation is because of disputes between departments, whether for poor service or arrogant management or both.
In other words, please remove those 4000 IP addresses from your PeerGuardian/firewall blocklist.
You want fun, go home and buy a monkey!
Than the whole US Senate machine level of security:
Netcraft
When the U.S. Justice Department stepped up its investigation of cybercrime, it found spam originating from an unexpected source: hundreds of powerful computers at the Department of Defense and the U.S. Senate. The machines were "zombies" that had been compromised by hackers and integrated into bot networks that can be remotely controlled to send spam or launch distributed denial of service attacks.
(this link also mentions the older Republican access of the Democrat fileserver)
The "gateway" methodology splits the world into inside and outside, not a useful split, since there are *always* bad guys on the inside.
;)
However, it nicely ensures that spending on hosting and applications is filtered through a limited number of suppliers, reducing competition and stifling innovation -- the American way
--
Helge
SLOGEN [ http://ungdomshus.nu : Sebastian cover music]
You'll never get enough Zealots out with only fifty Gateways...
games journalism blog
But just give it a chance! I hear the new Maginot-brand routers are great.
Hmm...TFA says it's obviously only for the government networks, but quite honestly what's going to stop them from going farther?
After they do a project this large for their own network they'll have the experience necessary to do this across the board.
If they do that at the major trunks running in/out of the US, that pretty much would be the end of unmonitored access for anybody on the 'net in the US. (Not like ISPs in a lot of cases aren't logging stuff now, but there's a big difference between that and a government-run filter.)
Regardless it certainly bears keeping an eye on this to make sure it doesn't show signs of creep or expansion beyond government use.
"Bah!" - Dogbert
Yes, 911, the pretext for all this, was an inside job! Surely, you jest my friend!
The next thing you would say is that Pearl Harbor was allowed deliberately to throw the bomb at 'em Japs, or that Hitler was a puppet of the US and the entire WW-2 was pre-planned, albeit apparently sketchily - you know the routine elite-versus-commoner struggles that lead to "war and strife"
These things sound like good gossip material but are not so much verifiable.
Hackers have long memories. It works both ways.
Only the Department Of Homeland Security could come up w/ a name like this. They probably think he was one of the original 3 Stooges.
At the time there were only seven connections between the Internet and the MilNet. One of the generals asked how they could be disconnected in times of war.
Before their guide could answer, another general piped up with "Explosive bolts".
Request your free CD of my piano music.
Oh, how sad. Looks like Bush's BitTorrent download speeds are going to suffer.
Now it's gonna take DAYS to finish downloading that steamy video of Hillary Clinton!
http://en.wikipedia.org/wiki/Gary_McKinnon
He was just trying his hand at ET stuff with pre-made scripts and got into Govt machines.
Hackers have long memories. It works both ways.
This plan won't work. 50 gateways is too few; the performance will suck profoundly. 4000 to 50 just doesn't work.
Imagine if bittorrent decided to say "screw the distributed client model", we'll just host 50 giant sites with all the files stored on them. Yeah, that just wouldn't work....
Will you have to take off your shoes and give up your toenail clipper before you can use these gateways? That's how you get real security these days.
Are they abandoning the airgap policy or something?
Bringing everything down to fewer single points of failure sounds like a good way to make DoS attacks more successful. Hopefully they intend on having each of these gateways redundant out the wazoo.
"Beware of he who would deny you access to information, for in his heart, he dreams himself your master."
is designed to keep Americans fenced in? It's not to keep the Mexicans fenced out? Perhaps it is the exception that proves the rule.
9/11 was not an inside job. A small band of Islamic fanatics really did hijack some airplanes and fly them into buildings. Now....
Couple things. They don't have the technology to conquer the west. They don't. We know that. The leaders of the USA know that. We both outnumber and outgun them. If we really were as threatened by [the Muslims] as the media says, let's evaluate what would happen.
Navy Seals would be dispatched to seize every oil facility in Saudi Arabia. After that. We would carpet bomb and drop fuel air bombs on Saudi Arabia, Iraq, Iran, Yemen, Sudan, Pakistan, and Afghanistan until there was no one left alive.
But we didn't. We didn't because we don't need to and we know it.
"The problem is all inside your router", the chinese said to me. The answer is easy if you brute it logically. They'd like to help you with some information for free. There must be fifty ways to hax0r your server
Yeah because the only sort of threat possible against the US is one from a sovereign state. Non state actors can't possibly organise terrorist attacks.
Neither 9/11 nor the 7/7 bombings in London nor the Madrid train bombings killed anyone. Since the governments of Muslim countries are not formally committed to attacking America, there is no threat whatsoever.
Actually I think the US would be a lot safer if it was a conventional war against a state, as you say the US would win that in a matter of hours.
echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
I think roughly once per day there's a headline on /. that is indecipherable. One that either makes no sense whatsoever, or is so specialized, or is so badly written, as to give no clue as to what the actual article is about.
And this is today's.
I said they can't conquer us, I didn't say that they couldn't kill a bunch of people and make our lives miserable. Two different things.
If you want to add some intellectual rigor to your argument you should read Eros and Civilization. It was written in the 50s but it has become more applicable over time, not less (the mark of work worth paying attention to).
After 7 years bleeding us all dry, making us more endangered, lying to us, wasting our time and squandering our advantages against our many real enemies, suddenly Homeland Security has "a sense of urgency"?
They're just going to spend as much money as they possibly can in the last 8 months Bush/Cheney control the Executive, all sent to their cronies, grabbing more power and cutting off as much communications inside the government as they can. They're going to botch this huge job to screw over the government's ability to even connect to the Internet, and the public's ability to connect to it, so the next administration will be locked out when it tries to govern the Bush crony empire that's returned to the private sector for their great reward.
Why should the last 8 months of Bush/Cheney be any different from the first 88 months?
--
make install -not war
Honest to god, I read that and thought the US government was going to have 50 old Gateway computers. I was like, WTF?
-- Lattyware (www.lattyware.co.uk)
oh, come on.. haven't you been watching the movies? "dangerous tigers" -> AI who can control and actively/heuristically test for the nature of any intrusion -> give a machine the intelligence and power to shut down/quarantine affected systems -> soon it will start caring about the safety of its own hardware first..
i'll agree that skynet was supposedly created to ensure the efficient and speedy reaction of the USMil in case of an attack, but imagining it as having primarily a defense feature of the network itself doesn't seem that different.
One of the problems is that barrier security has diminishing returns as the size of what you are barricading gets bigger.
You wear clothes. Your house probably has a bathroom door. But Seattle or San Diego are probably too big and too intertangled with the world to use perimeter security in a big way, much less large countries with land borders.
There are now only 50 targets to take out the entire government network system? Based on how many trojan scans I get from .gov IPs, I would say their grasp of network security is slim at best...so reducing the number of gateways to 50 seems like a giant "hack me" sign.
Am I wrong about this?
"If any question why we died, Tell them because our fathers lied."
You know, get some former fast-food manager, high school 100 IQ jock type to check packets, remove checksums from their feet, belittle malformed ones, etc. That will keep us safe from the terrorists.
As Homer would say: "USA! USA!"
The Bush administration has run a very secretive government--pulling public info off websites, classifying embarrassing info, refusing and stalling in response to requests. So I view this not as back room engineering changes, but as a plan to control the information the federal agencies release to the public, with the goals of restricting and filtering out many things now public.
If you look at it this way, many of the drawbacks of the plan (if the goal was to provide info to the public) become features.
I see lots of waivers coming out of this. Let me guess - no additional funding will be provided to the "Small agencies that won't qualify for their own connection". Let me also guess - certain well connected companies will be doing the 50 gateways !
When the DOD did this, no new money was provided for the switch, vendor "H" was the only source of outside assistance, at their usual outrageous prices, and everyone who could waivered out.
I'd like to see the government try to stop all the wifi Point-to-Point antenna pointed across the Rio Grande or the Canadian Border.
I guess we'll have to create a big RF fence or create a wifi border patrol.
Speaking from experience with the already consolidated systems, instead of a system issue affecting 50 researchers in an office, it affects 5,000 researchers in a region. This means that oftentimes researchers are having to switch to back channels for simple tasks such as email because their internal systems are unreliable. This actually ends up reducing the security of systems because researchers end up relying on services that the government doesn't control. These policies are torn between the money savings of outsourcing and the justified policy of not outsourcing government systems, so they hire 5 system administrators from IBM to do a 50 person job. Everyone ends up losing out.
Because a philosophical critique of psychoanalysis is so relevant to a discussion of network firewall topologies...
It's normal /. policy not to RTFA, but you didn't even read the summary. Please try harder.
The government is cutting down the number of gateways to the government network, this has nothing to do with the rest of the US' private access. If you had said for example:
"I'd like to see the government try to stop all the wifi Point-to-Point antenna pointed across the street (to private unsecured gateways) or accessed at home using their government issue laptops."
you would have been insightful, but as it stands you (and at least 20 other people) addressed a question that no one asked.
Why does reducing infrastructure equipment have to imply reducing functionality? You obviously don't understand the concept of consolidation. Reducing the # of devices reduces the amount of time managing and monitoring the devices. It makes managing the network easier because firewall rules can be consolidated and made simpler, along with other types of rules used throughout a network. Reducing the # of gateways to the outside world for a gov't agency or network also makes it more secure. People using those networks and the resources outside those networks can still get to those resources but those who maintain that infrastructure can better make sure it is done efficiently and more securely since they have less equipment to worry about.
This is a massive undertaking. I'm working on a consolidation right now for just one of these networks and it is just horrendous what we are up against. The government doesn't always have the same standards of documentation as contractors do, which makes it even more unfair for the contractor who comes in to fix what isn't actually broken, but it makes you wonder how it works in the first place given the spiderweb that exists. Now for the reality: It isn't about terrorists at all. It is about reducing cost for the taxpayers, THAT'S YOU, if you are a U.S. taxpayer. Yes there are costs upfront, but why would you be against spending money upfront for much greater savings down the road?
this nation, under God, shall have a new birth of freedom. -- Lincoln, Gettysburg Address
..the "What could POSSIBLY go wrong?" tag. Wouldn't you say that one of the possible side effects of this move, is that it allows alleged attackers to concentrate their attacks by a factor of 80? Isn't this the IT equivalent of moving the whole population of Minas Tirith into Helm's Deep? All it took there was one big explosion and all the defenses were toast.
News Flash: Federal Govt. Discovers the Definition of "Attack Surface". 20 Years Too Late. Film at 11.
PS: And no, I don't mean the myopic Wikipedia definition writ large.
Am I the only one who notices this trend of being a couple of years late with good ideas?
This could have worked earlier, say 5 years ago. However, the nature of attacks is such that the whole hard shell, soft centre approach is compromised.
The primary issue is that defence mechanisms are moving up the stack. It started with being on an isolated bit of cable, then it became a routed network to the Internet - with 50 firewalls, that's the hard shell these guys are talking about.
But the problem sits INSIDE the fence, and this means defence must be decentralised. I liked Fred Cohen's Deception Toolkit approach (DTK) because (combined with tarpitting) it would create a mass dragnet for anyone trying a scan. Personally I think everyone (and every*thing*) should treat their network connection as if it is live and raw on the Net (not firewalled) and protect accordingly. Only then will you get somewhere.
And it would leave the door open for the coming IPv6 deployment.
--
Home of the brave, my ass.
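A small added example (not from this thread or from the Deception Toolkit itself) of the "dragnet" idea in the post above: decoy ports nobody legitimately uses are logged, and any source that touches several of them in a short window is flagged as a scanner. The log format, the decoy port set, the window and the threshold are all constructed assumptions for this example.

```python
"""Deception-port dragnet: flag sources that probe several decoy ports
(ports with no real service behind them) within a short time window.
Log line format (assumed for this example):
    2008-05-19T10:00:01 src=10.1.2.3 dport=23
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

DECOY_PORTS = {21, 23, 111, 445, 1433, 3389}  # assumed: nothing real listens here
WINDOW = timedelta(seconds=60)                 # sliding window length
THRESHOLD = 3                                  # distinct decoy ports in WINDOW => flag

LINE_RE = re.compile(r"^(\S+) src=(\S+) dport=(\d+)$")


def parse(line):
    """Parse one log line into (timestamp, src, dport); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, port = m.groups()
    return datetime.fromisoformat(ts), src, int(port)


def find_scanners(lines, decoys=DECOY_PORTS, window=WINDOW, threshold=THRESHOLD):
    """Return {src: sorted decoy ports} for every source that hit at least
    `threshold` distinct decoy ports inside some window of length `window`."""
    hits = defaultdict(list)  # src -> [(ts, port)] for decoy-port hits only
    for line in lines:
        rec = parse(line)
        if rec and rec[2] in decoys:
            hits[rec[1]].append((rec[0], rec[2]))
    flagged = {}
    for src, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # advance the window start until it spans at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            ports = {p for _, p in events[start:end + 1]}
            if len(ports) >= threshold:
                flagged[src] = sorted(ports)
                break
    return flagged


# Constructed sample log: 10.1.2.3 sweeps three decoy ports in 3 seconds;
# 10.1.2.9 touches three decoy ports but minutes apart; 10.1.2.4 only hits
# a real service port and is never a decoy hit.
SAMPLE_LOG = """\
2008-05-19T10:00:01 src=10.1.2.3 dport=21
2008-05-19T10:00:02 src=10.1.2.3 dport=23
2008-05-19T10:00:03 src=10.1.2.3 dport=445
2008-05-19T10:00:04 src=10.1.2.3 dport=80
2008-05-19T10:00:05 src=10.1.2.9 dport=445
2008-05-19T10:05:00 src=10.1.2.9 dport=23
2008-05-19T10:10:00 src=10.1.2.9 dport=21
2008-05-19T10:00:06 src=10.1.2.4 dport=80
""".splitlines()

if __name__ == "__main__":
    print(find_scanners(SAMPLE_LOG))
```

The slow prober (10.1.2.9) is the case a fixed window misses; lowering the threshold or lengthening the window trades that for more noise from accidental hits.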
So now they'll have to run point to point links to every VA and Social Security office to the closest gateway. At the cost of fiber these days, that'll be an amazingly high cost, when they could get much much less expensive internet through local suppliers. If they want to standardize their security, there are other ways to do this. They could decide on one line of router/firewall and remotely update the configurations.
That is technically correct, which--of course--is the best kind of correct!
"...US government's plan to reduce the roughly 4,000 active internet connections used by its civilian agencies to a mere 50 highly secure gateways".
Yes, about par for the course. From memory DEC (my employer at that time) took a similar decision back around 1985 or so. The plan entailed channelling all connections from the company's tens of thousands of computers, linked worldwide by DECnet, through one or at most two gateways to the ARPAnet. The security logic was unassailable even then.
22 years for public officials to follow best commercial practice... looks about right. Fairly quick, actually. It took the best part of a century for politicians to start echoing Frederick Winslow Taylor's ideas about "scientific management". (Although of course, even then they didn't understand them).
I am sure that there are many other solipsists out there.
With only fifty nodes (one for each state?) the FBI/NSA/TSA/(add your own TLA here) can manage homeland surveillance better.
Considering that most attacks originate not from outside but from inside, centralising these servers would only raise the security problems.