US Government to Have Only 50 Gateways
Narrative Fallacy brings us a story about the US government's plan to reduce the roughly 4,000 active internet connections used by its civilian agencies to a mere 50 highly secure gateways. This comes as part of the government's response to a rise in attacks on its networks.
"Most security professionals agreed that the TIC security improvements and similar measures are long overdue. 'We should have done this five years ago, but there wasn't the heart or the will then like there is now,' said Howard Schmidt, a former White House cyber security adviser. 'The timetable is aggressive,' he said, but now there is a sense of urgency behind the program. Small agencies that won't qualify for their own connections under TIC must subcontract their Internet services to larger agencies."
... or does this summary scream "Throw more money at the problem"?
I mean, really. Perhaps ensuring the standards and procedures are actually adhered to would be a much cheaper and less drastic change.
If sharing a song makes you a pirate, what do I have to share to be a ninja?
I could be wrong but I think this applies to only government computers and not the whole Country's Internet...
Wouldn't this make DoS easier, not harder?
BRENT ROCKWOOD, EST'd 1975
I meant government computers, kinda hard to post to Wikileaks about the latest scandal when everything you do is being watched, and prolly timed recorded and put through some algorithm to determine your party loyalty.
Cheers
* Carthago Delenda Est *
I wonder what 'Loyal Bushie Companies' are being paid back with the contracts for this work?
Technology -- No Place For Wimps! Grateful Dead and Jerry Garcia Chatroom -- http://www.wemissjerry.org
And now we have a new excuse for the bureaucracy: "Our web site is down because agency XYZ won't let us use the Internet we subcontracted from them."
I've worked in a bureaucracy for a few years. The main reason for proliferation is because of disputes between departments, whether for poor service or arrogant management or both.
Government employees are allowed to own home computers connected to the real internet, where they can stroke pr0n and post wikileaks to their heart's content.
In other words, please remove those 4000 IP addresses from your PeerGuardian/firewall blocklist.
You want fun, go home and buy a monkey!
You'd have to be a dumbass to leak material via your workstation in a government facility. Actually, you wouldn't be a dumbass, you'd be a Guantanamo inmate.
Random Thoughts From A Diseased Mind (Not For Dummies)
Than the whole US Senate machine level of security:
Netcraft
When the U.S. Justice Department stepped up its investigation of cybercrime, it found spam originating from an unexpected source: hundreds of powerful computers at the Department of Defense and the U.S. Senate. The machines were "zombies" that had been compromised by hackers and integrated into bot networks that can be remotely controlled to send spam or launch distributed denial of service attacks.
(this link also mentions the older Republican access of the Democrat fileserver)
The "gateway" methodology splits the world into inside and outside, not a useful split, since there are *always* bad guys on the inside.
;)
However, it nicely ensures that spending on hosting and applications is filtered through a limited number of suppliers, reducing competition and stifling innovation -- the American way
--
Helge
SLOGEN [ http://ungdomshus.nu : Sebastian cover music]
You'll never get enough Zealots out with only fifty Gateways...
games journalism blog
I tried to think of counter-examples to your point and I had trouble, but in the process I stumbled across an even better idea. The first thing I thought of was cages at the zoo. To some extent, this example shows your point because the barriers at zoos are designed much more to keep animals in than spectators out. However, despite being designed to keep animals in, they are just as successful at keeping people out. Why is this? Partly it's because zoos make it difficult for people to get inside cages, but mostly it's because inside the cages are dangerous animals. At this point, inspiration struck: if dangerous tigers can keep people out of a cage at the zoo, couldn't they also be used to protect a computer network? Of course they could! Who would risk hacking a network if it meant getting eaten alive by tigers?
As far as a practical implementation, I imagine that behind the network's regular firewall, one would just place a container of tigers (a "Tigerbox") that way. The firewall will work as a general security measure, but if a hacker were to break through into the network, he would be immediately eviscerated by tigers. I suppose that in theory, one could even get rid of the firewall entirely, like you suggest, and protect the network entirely with tigers. I'm not sure how practical this would be, due to the increased number of tigers required. However, it might be feasible in a few years once tigerboxes are more popular and the market begins to flood with cheap commodity tigers.
History shows that any "fence" or edifice to "security" is almost always, like the Great Wall, designed to keep its citizens in, rather than invaders out.
Keep the government fenced up sounds like a good idea to me.
I would agree with you, except that this is only about limiting and protecting the users *work* network. As they won't be limiting access to their users' home/private access, I don't think it's an apples-apples comparison.
You stereotypers are all the same...
But just give it a chance! I hear the new Maginot-brand routers are great.
Hmm...TFA says it's obviously only for the government networks but quite honestly what's going to stop them from going farther?
After they do a project this large for their own network they'll have the experience necessary to do this across the board.
If they do that at the major trunks running in/out of the US that pretty much would be the end of unmonitored access for anybody on the 'net in the US. (Not like ISPs in a lot of cases aren't logging stuff now but there's a big difference between that and a government run filter.)
Regardless it certainly bears keeping an eye on this to make sure it doesn't show signs of creep or expansion beyond government use.
"Bah!" - Dogbert
Yes, 911, the pretext for all this, was an inside job! Surely, you jest my friend!
The next thing you would say is that Pearl Harbor was allowed deliberately to throw the bomb at 'em Japs or that Hitler was a puppet of the US and the entire WW-2 was pre-planned albeit apparently sketchily - you know the routine elite-versus-commoner struggles that lead to "war and strife"
These things sound like good gossip material but are not so much verifiable.
Hackers have long memories. It works both ways.
I do have to say I like your idea of Tigerboxes to keep people out of network, but it makes me think of Ghost in the Shell TV series. In that series they had a concept called an "Attack Barrier" that would attack anyone that dived too deep into something they weren't supposed to be in. It could do anything from kill their connection to killing the person doing the dive.
It's not what it is, it's something else.
At the time there were only seven connections between the Internet and the MilNet. One of the generals asked how they could be disconnected in times of war.
Before their guide could answer, another general piped up with "Explosive bolts".
Request your free CD of my piano music.
This plan won't work. 50 gateways is too few; the performance will suck profoundly. 4000 to 50 just doesn't work.
Imagine if bittorrent decided to say "screw the distributed client model", we'll just host 50 giant sites with all the files stored on them. Yeah, that just wouldn't work....
Will you have to take off your shoes and give up your toenail clipper before you can use these gateways? That's how you get real security these days.
Are they abandoning the airgap policy or something?
[Fuck Beta]
o0t!
Bringing everything down to fewer single points of failure sounds like a good way to make DoS attacks more successful. Hopefully they intend on having each of these gateways redundant out the wazoo.
"Beware of he who would deny you access to information, for in his heart, he dreams himself your master."
is designed to keep Americans fenced in? It's not to keep the Mexicans fenced out? Perhaps it is the exception that proves the rule.
9/11 was not an inside job. A small band of Islamic fanatics really did hijack some airplanes and fly them into buildings. Now....
Couple things. They don't have the technology to conquer the west. They don't. We know that. The leaders of the USA know that. We both outnumber and outgun them. If we really were as threatened by [the Muslims] as the media says, let's evaluate what would happen.
Navy Seals would be dispatched to seize every oil facility in Saudi Arabia. After that. We would carpet bomb and drop fuel air bombs on Saudi Arabia, Iraq, Iran, Yemen, Sudan, Pakistan, and Afghanistan until there was no one left alive.
But we didn't. We didn't because we don't need to and we know it.
I would assume internet traffic is spied on at the ISP rather than at the endpoint. Think about it; a whitelist approach to allowing access would render wiretaps impossible if what you are saying were correct.
"The problem is all inside your router", the Chinese said to me. The answer is easy if you brute it logically. They'd like to help you with some information for free. There must be fifty ways to hax0r your server
Yeah because the only sort of threat possible against the US is one from a sovereign state. Non state actors can't possibly organise terrorist attacks.
Neither 9/11 or the 7/7 bombings in London nor the Madrid train bombings killed anyone. Since the governments of Muslim countries are not formally committed to attacking America, there is no threat whatsoever.
Actually I think the US would be a lot safer if it was a conventional war against a state, as you say the US would win that in a matter of hours.
echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
I think roughly once per day there's a headline on /. that is indecipherable. One that either makes no sense whatsoever, or is so specialized, or is so badly written, as to give no clue as to what the actual article is about.
And this is today's.
I said they can't conquer us, I didn't say that they couldn't kill a bunch of people and make our lives miserable. Two different things.
History shows that any "fence" or edifice to "security" is almost always, like the Great Wall, designed to keep its citizens in, rather than invaders out.
First, there is no consensus that the Great Wall was created to keep citizens in, as nice a soundbite as it makes. Second, history does not show what you claim it does. Off the top of my head, European castles, the Maginot Line, the fences around U.S. military bases in Vietnam, the fences Israel uses to restrict Palestinian access to Israel itself, and the fences that the U.S. attempts to use at the Mexican border to keep illegal immigrants out are all examples of fences designed to keep the "other" from coming in.
In fact, fences being used to keep _citizens_ in is relatively uncommon. They are most commonly used to keep the "other" out, to mark property lines, or to keep animals, livestock, or children within a certain area.
But in any case, what exactly is your point? That you can compare the actions of a feudal society's relationship to its people to basics of computer security in a pithy two sentence statement and be insightful? Would you also claim that the edifice of WSUS for patch management is another example of the man trying to keep the federal employees down? Your fence analogy doesn't even hold up - this is a _gate_ - designed for deliberate flow to and fro.
The article does specifically state that the monitoring systems are designed to keep certain information from leaving via the internet (whether intentionally or not) but that doesn't indicate that this is some feudal oppression system to choke the minds of federal employees. They are free to use whatever internet provider they wish when they get home, are they not? It's a firewall on steroids designed to protect government computers and data. Don't try to make it into something that it's not.
After 7 years bleeding us all dry, making us more endangered, lying to us, wasting our time and squandering our advantages against our many real enemies, suddenly Homeland Security has "a sense of urgency"?
They're just going to spend as much money as they possibly can in the last 8 months Bush/Cheney control the Executive, all sent to their cronies, grabbing more power and cutting off as much communications inside the government as they can. They're going to botch this huge job to screw over the government's ability to even connect to the Internet, and the public's ability to connect to it, so the next administration will be locked out when it tries to govern the Bush crony empire that's returned to the private sector for their great reward.
Why should the last 8 months of Bush/Cheney be any different from the first 88 months?
--
make install -not war
Honest to god, I read that and thought the US government were going to have 50 old Gateway computers. I was like, WTF?
-- Lattyware (www.lattyware.co.uk)
No, you ain't wrong.
Your head a splode
oh, come on.. haven't you been watching the movies? "dangerous tigers" -> AI who can control and actively/heuristically test for the nature of any intrusion -> give a machine the intelligence and power to shut down/quarantine affected systems -> soon it will start caring about the safety of its own hardware first..
i'll agree that skynet was supposedly created to ensure the efficient and speedy reaction of the USMil in case of an attack, but imagining it as having primarily a defense feature of the network itself doesn't seem that different.
One of the problems is that barrier security has diminishing returns as the size of what you are barricading gets bigger.
You wear clothes. Your house probably has a bathroom door. But Seattle or San Diego are probably too big and too intertangled with the world to use perimeter security in a big way, much less large countries with land borders.
How is this any different?
Cheers Um, you left your tin-foil hat on the table here. K thnx.
There are now only 50 targets to take out the entire government network system? Based on how many trojan scans I get from .gov IPs I would say their grasp of network security is slim at best...so reducing the number of gateways to 50 seems like a giant "hack me" sign.
Am I wrong about this?
"If any question why we died, Tell them because our fathers lied."
The Bush administration has run a very secretive government--pulling public info off websites, classifying embarrassing info, refusing and stalling in response to requests. So I view this not as back room engineering changes, but as a plan to control the information the federal agencies release to the public, with the goals of restricting and filtering out many things now public.
If you look at it this way, many of the drawbacks of the plan (if the goal was to provide info to the public) become features.
Government's idea of a balanced budget: take money from the right pocket to balance...oh who am I kidding?
Yes, I'm pretty sure they won't try to do this under OS X.
Faster! Faster! Faster would be better!
They got the title wrong.
No, you've got your tinfoil hat on too tight. This has nothing to do with private internet access. This is about the IT systems used by the federal government, which currently connect to the internet on 4000 wildly disparate gateways. It's very hard to keep track of that, and to consistently handle the attacks that come in on a regular basis. So, they're very wisely tightening things up. Your comment is just another example of shrill, uninformed, ideologically fragile whiny nonsense. But thanks for reminding everyone that there are people like you out there. It helps focus the mind on the upcoming election cycle.
Don't disappoint your bird dog. Go to the range.
I see lots of waivers coming out of this. Let me guess - no additional funding will be provided to the "Small agencies that won't qualify for their own connection". Let me also guess - certain well connected companies will be doing the 50 gateways !
When the DOD did this, no new money was provided for the switch, vendor "H" was the only source of outside assistance, at their usual outrageous prices, and everyone who could waivered out.
I'd like to see the government try to stop all the wifi Point-to-Point antenna pointed across the Rio Grande or the Canadian Border.
I guess we'll have to create a big RF fence or create a wifi border patrol.
We don't log our dhcp services. We allow tor. We host tons of medical, legal, and financial information on you and other americans. The federal IT director doesn't want to change it due to 'budget constraints'. Your government at work, people.
Because a philosophical critique of psychoanalysis is so relevant to a discussion of network firewall topologies...
Advice: on VPS providers
It's normal /. policy not to RTFA, but you didn't even read the summary. Please try harder.
The government is cutting down the number of gateways to the government network, this has nothing to do with the rest of the US' private access. If you had said for example:
"I'd like to see the government try to stop all the wifi Point-to-Point antenna pointed across the street (to private unsecured gateways) or accessed at home using their government issue laptops."
you would have been insightful, but as it stands you (and at least 20 other people) addressed a question that no one asked.
Yes I got it wrong... but you could have pointed that out less enthusiastically... :-)
Thanks anyway.
You got the point of TFA wrong. This is for the U.S. government only, not for the public at large.
this nation, under God, shall have a new birth of freedom. -- Lincoln, Gettysburg Address
Why does reducing infrastructure equipment have to imply reducing functionality? You obviously don't understand the concept of consolidation. Reducing the # of devices reduces the amount of time managing and monitoring the devices. It makes managing the network easier because firewall rules can be consolidated and made simpler, along with other types of rules used throughout a network. Reducing the # of gateways to the outside world for a gov't agency or network also makes it more secure. People using those networks and the resources outside those networks can still get to those resources but those who maintain that infrastructure can better make sure it is done efficiently and more securely since they have less equipment to worry about.
This is a massive undertaking. I'm working on a consolidation right now for just one of these networks and it is just horrendous what we are up against. The government doesn't always have the same standards of documentation as contractors do which makes it even more unfair for the contractor who comes in to fix what isn't actually broken but it makes you wonder how it works in the first place given the spiderweb that exists. Now for the reality: It isn't about terrorists at all. It is about reducing cost for the taxpayers, THAT'S YOU, if you are a U.S. tax payer. Yes there are costs upfront but why would you be against spending money upfront for much greater savings down the road?
this nation, under God, shall have a new birth of freedom. -- Lincoln, Gettysburg Address
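The post above argues that fewer gateways let firewall rules be consolidated and simplified. The following is an added example, not code from the original thread or from any government project, showing how rules gathered from several independently managed gateways can be merged (duplicates, shadowed subnets and adjacent ranges collapsed) and how to check that the merged set still makes the same allow/deny decisions as the original. The rule format, the sample rules and the helper names are constructed for this illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: allow-rules collected from several per-agency gateways.
# Each rule is (source CIDR, destination port, protocol). Overlaps, exact
# duplicates and adjacent ranges are typical when rules accumulate independently.
SAMPLE_RULES = [
    ("10.1.0.0/24", 443, "tcp"),
    ("10.1.1.0/24", 443, "tcp"),      # adjacent to 10.1.0.0/24 -> 10.1.0.0/23
    ("10.1.0.0/25", 443, "tcp"),      # already shadowed by 10.1.0.0/24
    ("10.1.0.0/24", 443, "tcp"),      # exact duplicate
    ("192.0.2.0/24", 25, "tcp"),
    ("192.0.2.0/24", 25, "tcp"),      # exact duplicate
    ("203.0.113.5/32", 53, "udp"),
    ("203.0.113.4/32", 53, "udp"),    # adjacent -> 203.0.113.4/31
]


def consolidate(rules):
    """Merge duplicate, shadowed and adjacent source networks per (port, proto).

    Returns a sorted list of (cidr_str, port, proto) with the same coverage as
    the input but no redundant entries."""
    by_service = defaultdict(list)
    for cidr, port, proto in rules:
        # strict=True rejects host bits set in a network (e.g. 10.1.0.7/24),
        # which is usually a typo worth catching before it reaches a firewall.
        by_service[(port, proto)].append(ipaddress.ip_network(cidr, strict=True))
    merged = []
    for (port, proto), nets in by_service.items():
        # collapse_addresses drops contained networks and joins adjacent ones
        for net in ipaddress.collapse_addresses(nets):
            merged.append((str(net), port, proto))
    merged.sort(key=lambda r: (r[2], r[1], ipaddress.ip_network(r[0])))
    return merged


def is_allowed(rules, src_ip, port, proto):
    """Evaluate one flow against a rule list: any matching allow-rule permits it,
    otherwise default deny."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(cidr) and port == p and proto == pr
               for cidr, p, pr in rules)


def equivalent(rules_a, rules_b, probes):
    """True when both rule sets decide identically for every probe (ip, port, proto).
    Probe-based checking only covers the probes supplied; choose them at the
    boundaries of the merged ranges."""
    return all(is_allowed(rules_a, *p) == is_allowed(rules_b, *p) for p in probes)


if __name__ == "__main__":
    for rule in consolidate(SAMPLE_RULES):
        print(rule)
```

Equivalence checking matters more than the collapse itself: the point of consolidation is fewer rules with unchanged policy, so probes at the edges of every merged range (first and last address inside, first address outside) should be part of the change review.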
You're wrong on that. The Great Wall was designed for two purposes:
1. Keep HORSES out of China. China had a capable military but also a vast border. The more nomadic horse riding people up north were able to make raids into China and be gone before the Chinese army could respond. The Europeans had the same issue with the Vikings. While people can scale walls, horses can't. Cavalry without horses is useless. The point of the Great Wall is to make such raids very difficult.
2. Signal the Chinese army when there is an invasion. There was a system of smoke signals used by the Chinese army (a lot like the signal of fires used by Gondor to signal Rohan in LoTR) that was much, much faster than any means of communication at the time. That way the Chinese army can respond in time to prevent raids into China.
China had very little need to keep its people in when its country was so much more prosperous than its northern neighbors. It's much easier going into Mexico than returning to the US for the exact same reason.
EvilCON - Made Famous by
And they could even do the security audits for you. Just imagine, not only do they do firewall duty, but you have your own in-house tiger team! *runs like Hell*
~Eien no Inori wo Sasagete~ Searching for my Hatsumi...
We only use Ligerboxes where I'm at. You're so behind the curve!
~S
..the "What could POSSIBLY go wrong?" tag. Wouldn't you say that one of the possible side effects of this move, is that it allows alleged attackers to concentrate their attacks by a factor of 80? Isn't this the IT equivalent of moving the whole population of Minas Tirith into Helm's Deep? All it took there was one big explosion and all the defenses were toast.
Perhaps, but you can buy your tigers direct - though I hear they're inferior Chinese tigers, and you'll never actually get your mail-in rebate on them.
Actually, AFAIK (i.e. read it somewhere, not even remotely sure if it's true, but does make sense) the Great Wall was in fact meant to do neither; or rather, a bit of both. It kept the invaders in. Sure, they'd get over it pretty easily on their way in, and it was impossible to keep constant watch over in any case, but once they'd done their raiding and whatnot they'd have soldiers after them and wouldn't be able to get back over the wall fast enough to escape them, thus discouraging invasions by making it pretty much impossible to get away with your loot and your life.
Nobody expects the British Columbia Human Rights Tribunal.
In fact, fences being used to keep _citizens_ in is relatively uncommon.
Except in New Jersey. You have to pay a toll to escape.
[End Of Line]
Am I the only one who notices this trend of being a couple of years late with good ideas?
This could have worked earlier, say 5 years ago. However, the nature of attacks is such that the whole hard shell, soft centre approach is compromised.
The primary issue is that defence mechanisms are moving up the stack. It started with being on an isolated bit of cable, then it became a routed network to the Internet - with 50 firewalls, that's the hard shell these guys are talking about.
But the problems sit INSIDE the fence, and this means defence must be decentralised. I liked Fred Cohen's Deception Toolkit approach (DTK) because (combined with tarpitting) it would create a mass dragnet for anyone trying a scan. Personally I think everyone (and every*thing*) should treat their network connection as if it is live and raw on the Net (not firewalled) and protect accordingly. Only then will you get somewhere.
And it would leave the door open for the coming IPv6 deployment.
Insert
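The post above describes decentralised defence: each host treated as if it were directly on the Net, with deception and tarpitting turning every scan into a detection event. As an added example that is not part of the original thread and not Fred Cohen's DTK, here is the detection half of that "dragnet": a sliding-window check over per-host firewall drop logs that flags a source touching many distinct ports in a short time, while leaving a client that keeps retrying one port alone. The log format (loosely iptables-like), the sample lines, the thresholds and the function names are constructed for this illustration.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of host-firewall DROP lines, in time order. The format
# "<ISO time> DROP src=<ip> dst=<ip> dport=<port>" is an assumption for this
# example, not any real firewall's output.
SAMPLE_LOG = """\
2008-03-01T10:00:00 DROP src=198.51.100.7 dst=10.0.0.5 dport=21
2008-03-01T10:00:00 DROP src=203.0.113.9 dst=10.0.0.5 dport=443
2008-03-01T10:00:01 DROP src=198.51.100.7 dst=10.0.0.5 dport=22
2008-03-01T10:00:02 DROP src=198.51.100.7 dst=10.0.0.5 dport=23
2008-03-01T10:00:02 DROP src=192.0.2.33 dst=10.0.0.5 dport=80
2008-03-01T10:00:03 DROP src=198.51.100.7 dst=10.0.0.5 dport=25
2008-03-01T10:00:03 DROP src=203.0.113.9 dst=10.0.0.5 dport=443
2008-03-01T10:00:04 DROP src=198.51.100.7 dst=10.0.0.5 dport=80
2008-03-01T10:02:02 DROP src=192.0.2.33 dst=10.0.0.5 dport=81
2008-03-01T10:04:02 DROP src=192.0.2.33 dst=10.0.0.5 dport=82
2008-03-01T10:06:02 DROP src=192.0.2.33 dst=10.0.0.5 dport=83
2008-03-01T10:08:02 DROP src=192.0.2.33 dst=10.0.0.5 dport=84
"""

LINE_RE = re.compile(r"^(\S+) DROP src=(\S+) dst=\S+ dport=(\d+)$")


def parse_line(line):
    """Return (timestamp, src_ip, dst_port) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), int(m.group(3))


def find_scanners(lines, window_seconds=60, port_threshold=5):
    """Flag sources that hit >= port_threshold distinct destination ports within
    any window_seconds span. Lines must be in time order (as a log file is).

    Returns {src_ip: ISO time at which the threshold was first crossed}."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)      # src -> deque of (time, port) still in window
    ports = defaultdict(Counter)     # src -> port -> hits still in window
    flagged = {}
    for raw in lines:
        event = parse_line(raw)
        if event is None:            # skip unparseable lines rather than crash
            continue
        t, src, port = event
        queue, counts = recent[src], ports[src]
        # expire events that fell out of the window before counting this one
        while queue and queue[0][0] < t - window:
            _, old_port = queue.popleft()
            counts[old_port] -= 1
            if counts[old_port] == 0:
                del counts[old_port]
        queue.append((t, port))
        counts[port] += 1
        # len(counts) is the number of distinct ports seen inside the window
        if src not in flagged and len(counts) >= port_threshold:
            flagged[src] = t.isoformat()
    return flagged


if __name__ == "__main__":
    print(find_scanners(SAMPLE_LOG.splitlines()))
```

The window and threshold are the tuning knobs: a short window with a modest port threshold catches a fast sweep (198.51.100.7 above) while a slow, spread-out probe (192.0.2.33) only shows up once the window is widened, which is exactly the trade-off a tarpit helps with, since stalling each connection forces a scanner to either slow down or keep many sockets open.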
Yes I got it wrong... but you could have pointed that out less enthusiastically
I would have done so very simply, had you not so enthusiastically piled on the Orwellian melodrama in the first place yourself.
Don't disappoint your bird dog. Go to the range.
Your analogy makes no sense. Where's the car metaphor, for Pete's sake?
--
Home of the brave, my ass.
So now they'll have to run point-to-point links from every VA and Social Security office to the closest gateway. At the cost of fiber these days, that'll be an amazingly high cost, when they could get much much less expensive internet through local suppliers. If they want to standardize their security, there are other ways to do this. They could decide on one line of router/firewall and remotely update the configurations.
That is technically correct, which--of course--is the best kind of correct!
Yeah, but what happens if you've got the SF zoo running your datacenter, and some script kiddie comes along and starts taunting them? What are you going to do about all the damn tigers running amok on your network?
I prefer rogues to imbeciles because they sometimes take a rest.
Yeah, but what if your datacenter is run by the SF zoo, and some script kiddie comes along and starts taunting your tigers? What are you going to do about all the tigers running amok on your network?
I prefer rogues to imbeciles because they sometimes take a rest.
"...US government's plan to reduce the roughly 4,000 active internet connections used by its civilian agencies to a mere 50 highly secure gateways".
Yes, about par for the course. From memory DEC (my employer at that time) took a similar decision back around 1985 or so. The plan entailed channelling all connections from the company's tens of thousands of computers, linked worldwide by DECnet, through one or at most two gateways to the ARPAnet. The security logic was unassailable even then.
22 years for public officials to follow best commercial practice... looks about right. Fairly quick, actually. It took the best part of a century for politicians to start echoing Frederick Winslow Taylor's ideas about "scientific management". (Although of course, even then they didn't understand them).
I am sure that there are many other solipsists out there.