Slashdot Mirror


US Government to Have Only 50 Gateways

Narrative Fallacy brings us a story about the US government's plan to reduce the roughly 4,000 active internet connections used by its civilian agencies to a mere 50 highly secure gateways. This comes as part of the government's response to a rise in attacks on its networks. "Most security professionals agreed that the TIC security improvements and similar measures are long overdue. 'We should have done this five years ago, but there wasn't the heart or the will then like there is now,' said Howard Schmidt, a former White House cyber security adviser. 'The timetable is aggressive,' he said, but now there is a sense of urgency behind the program. Small agencies that won't qualify for their own connections under TIC must subcontract their Internet services to larger agencies."

6 of 150 comments

  1. DoS??? by DNAGuy · Score: 4, Interesting

    Wouldn't this make DoS easier, not harder?

    --

    BRENT ROCKWOOD, EST'd 1975

    1. Re:DoS??? by MiniMike · Score: 3, Interesting

      With all of the traffic that's going to be funneled through them, would a DoS be necessary?

    2. Re:DoS??? by v1 · Score: 4, Interesting

      It would certainly reduce the number of machines to target, but if 50 machines are to cover the duties of 4,000, you know they will have some horsepower. The obvious reality is it will be a distributed load system, so each of those 50 gateways will be an entire building of machines.

      Nothing new here really. Most of those 4,000 gateways are already at least several racks of hardware. I doubt that the vulnerability to distributed attacks will go up as a result of lowering the number of vectors. If anything, having 50 standardized and more carefully monitored gateways will probably further harden them against attacks. (is YOUR gateway patched?)

      Of course the other viewpoint is if all 50 of them are being administrated by the same group or a group under central control, when a vulnerability DOES surface (and they always do), they will probably ALL be vulnerable since they are standardized.

      Assuming they have their heads screwed on straight, they will at least be using somewhat of a variation of several hardware and software vendors to prevent this. As it is now, if a serious problem is discovered in a high end bit of router hardware, it may force downtime on maybe 300 gateways while traffic routes around them. If all 50 are using the same, what do you do then? Flip the kill switch and take down the entire country's internet whilst you fix it?

      I want to hear that phone call. "Hello, Cisco. We're calling in regard to this morning's zero-day bug 433-86b in regard to your model 822 enterprise gateways. We're down, we need a fix now. No, DOWN. The entire country. Yes, really."

      I'd be interested to know how China handles their great firewall. Are there details posted anywhere? Somehow I don't think they'd terribly mind taking down the entire country's internet for a day or two for national security though. (and "for reasons of national security" is very loosely interpreted in China it would seem)

      --
      I work for the Department of Redundancy Department.

  2. One could lead to the other... by Cheerio+Boy · Score: 4, Interesting

    Hmm...TFA says it's obviously only for the government networks, but quite honestly what's going to stop them from going farther?

    After they do a project this large for their own network they'll have the experience necessary to do this across the board.

    If they do that at the major trunks running in/out of the US, that pretty much would be the end of unmonitored access for anybody on the 'net in the US. (Not like ISPs in a lot of cases aren't logging stuff now, but there's a big difference between that and a government-run filter.)

    Regardless, it certainly bears keeping an eye on this to make sure it doesn't show signs of creep or expansion beyond government use.

    --

    "Bah!" - Dogbert

  3. Re:What does gateway limiting *really* help? by OeLeWaPpErKe · Score: 4, Interesting

    No, this really helps. This will *really* help a lot with dumb bad guys on the outside (like, say, the Storm botnet).

    If the connections between different departments are also forced to go through only these 50 departments, that would ensure a further layer of protection.

    It is *much* easier to defend a centralized infrastructure (like this) than to defend something random.

    This is the same as in real life. Defending a castle is much simpler than defending the village. Yes, castle failures are more spectacular and do more damage, but they occur so much less often that it's worth building them anyway. Breaches in the security of a "village" are constant, unfollowable, and you cannot prevent them.

    So from a security standpoint ... good move!

  4. Re:Great Wall of China by Anonymous Coward · Score: 3, Interesting

    We don't log our DHCP services. We allow Tor. We host tons of medical, legal, and financial information on you and other Americans. The federal IT director doesn't want to change it due to 'budget constraints'. Your government at work, people.