US Government to Have Only 50 Gateways
Narrative Fallacy brings us a story about the US government's plan to reduce the roughly 4,000 active internet connections used by its civilian agencies to a mere 50 highly secure gateways. This comes as part of the government's response to a rise in attacks on its networks.
"Most security professionals agreed that the TIC security improvements and similar measures are long overdue. 'We should have done this five years ago, but there wasn't the heart or the will then like there is now,' said Howard Schmidt, a former White House cyber security adviser. 'The timetable is aggressive,' he said, but now there is a sense of urgency behind the program. Small agencies that won't qualify for their own connections under TIC must subcontract their Internet services to larger agencies."
Are you kidding?
Trying to maintain standards and practices across 4,000 gateway points vs. 50? Let alone that the agency bureaucracy involved in doing site checks and working across various agency boundaries would be a nightmare. It would take eons to get those things in place to do consistent auditing and management to ensure standards and procedures are followed, let alone actually do them. Might as well consolidate bandwidth costs and number of checkpoints down to 50 in the process.
I could be wrong but I think this applies to only government computers and not the whole Country's Internet...
Wouldn't this make DoS easier, not harder?
BRENT ROCKWOOD, EST'd 1975
I meant government computers, kinda hard to post to Wikileaks about the latest scandal when everything you do is being watched, and prolly timed recorded and put through some algorithm to determine your party loyalty.
Cheers
* Carthago Delenda Est *
I wonder what 'Loyal Bushie Companies' are being paid back with the contracts for this work?
Technology -- No Place For Wimps! Grateful Dead and Jerry Garcia Chatroom -- http://www.wemissjerry.org
Government employees are allowed to own home computers connected to the real internet, where they can stroke pr0n and post wikileaks to their heart's content.
In other words, please remove those 4000 IP addresses from your PeerGuardian/firewall blocklist.
You want fun, go home and buy a monkey!
You'd have to be a dumbass to leak material via your workstation in a government facility. Actually, you wouldn't be a dumbass, you'd be a Guantanamo inmate.
Random Thoughts From A Diseased Mind (Not For Dummies)
Than the whole US Senate machine level of security:
Netcraft
When the U.S. Justice Department stepped up its investigation of cybercrime, it found spam originating from an unexpected source: hundreds of powerful computers at the Department of Defense and the U.S. Senate. The machines were "zombies" that had been compromised by hackers and integrated into bot networks that can be remotely controlled to send spam or launch distributed denial of service attacks.
(this link also mentions the older Republican access of the Democrat fileserver)
You'll never get enough Zealots out with only fifty Gateways...
games journalism blog
I tried to think of counter-examples to your point and I had trouble, but in the process I stumbled across an even better idea. The first thing I thought of was cages at the zoo. To some extent, this example shows your point because the barriers at zoos are designed much more to keep animals in than spectators out. However, despite being designed to keep animals in, they are just as successful at keeping people out. Why is this? Partly it's because zoos make it difficult for people to get inside cages, but mostly it's because inside the cages are dangerous animals. At this point, inspiration struck: if dangerous tigers can keep people out of a cage at the zoo, couldn't they also be used to protect a computer network? Of course they could! Who would risk hacking a network if it meant getting eaten alive by tigers?
As far as a practical implementation, I imagine that behind the network's regular firewall, one would just place a container of tigers (a "Tigerbox") in the way. The firewall will work as a general security measure, but if a hacker were to break through into the network, he would be immediately eviscerated by tigers. I suppose that in theory, one could even get rid of the firewall entirely, like you suggest, and protect the network entirely with tigers. I'm not sure how practical this would be, due to the increased number of tigers required. However, it might be feasible in a few years once tigerboxes are more popular and the market begins to flood with cheap commodity tigers.
I would agree with you, except that this is only about limiting and protecting the users *work* network. As they won't be limiting access to their users' home/private access, I don't think it's an apples-apples comparison.
You stereotypers are all the same...
But just give it a chance! I hear the new Maginot-brand routers are great.
Hmm...TFA says it's obviously only for the government networks, but quite honestly what's going to stop them from going farther?
After they do a project this large for their own network they'll have the experience necessary to do this across the board.
If they do that at the major trunks running in/out of the US, that pretty much would be the end of unmonitored access for anybody on the 'net in the US. (Not like ISPs in a lot of cases aren't logging stuff now, but there's a big difference between that and a government-run filter.)
Regardless, it certainly bears keeping an eye on this to make sure it doesn't show signs of creep or expansion beyond government use.
"Bah!" - Dogbert
I do have to say I like your idea of Tigerboxes to keep people out of network, but it makes me think of Ghost in the Shell TV series. In that series they had a concept called an "Attack Barrier" that would attack anyone that dived too deep into something they weren't supposed to be in. It could do anything from kill their connection to killing the person doing the dive.
It's not what it is, it's something else.
No this really helps. This will *really* help a lot with dumb bad guys on the outside (like, say the storm botnet).
... good move !
If the connections between different departments are also forced to go through only these 50 departments, that would ensure a further layer of protection.
It is *much* easier to defend a centralized infrastructure (like this) than to defend something random.
This is the same as in real life. Defending a castle is much simpler than defending the village. Yes, castle failures are more spectacular and do more damage, but they occur so much less often that it's worth building them anyway. Breaches in the security of a "village" are constant, unfollowable, and you cannot prevent them.
So from a security standpoint, let me see...
With 50 gateways, if the internal network is built correctly (unlike, say, how a certain cable company does theirs), then I cannot think of any real net negatives except the complexity of the internal network now. But, given the serious issues the 4000 has, the complexity of the internal network is a relatively non-existent issue.
InnerWeb
Freud might say that Intelligent Design is religion's ID.
"Unfortunately, what they've decided to do is put the data even more at risk by subcontracting to a whole bunch of subvendors without having an idea of how to secure their data, much less decide who is doing a good job."
I think you misread. What they said is:
"Small agencies that won't qualify for their own connections under TIC must subcontract their Internet services to larger agencies."
I think that means they are keeping it in house so to speak and causing small agencies to contract with large agencies for Internet access. This actually makes a lot of sense and is the way smaller agencies already work for some of the other services they need.
I reserve the right to think for myself. Others' opinions are optional. Puppy on lap = typos...not illiteracy.
History shows that any "fence" or edifice to "security" is almost always, like the Great Wall, designed to keep its citizens in rather than invaders out.
First, there is no consensus that the Great Wall was created to keep citizens in, as nice a soundbite as it makes. Second, history does not show what you claim it does. Off the top of my head, European castles, the Maginot Line, the fences around U.S. military bases in Vietnam, the fences Israel uses to restrict Palestinian access to Israel itself, and the fences that the U.S. attempts to use at the Mexican border to keep illegal immigrants out are all examples of fences designed to keep the "other" from coming in.
In fact, fences being used to keep _citizens_ in is relatively uncommon. They are most commonly used to keep the "other" out, to mark property lines, or to keep animals, livestock, or children within a certain area.
But in any case, what exactly is your point? That you can compare the actions of a feudal society's relationship to its people to basics of computer security in a pithy two sentence statement and be insightful? Would you also claim that the edifice of WSUS for patch management is another example of the man trying to keep the federal employees down? Your fence analogy doesn't even hold up - this is a _gate_ - designed for deliberate flow to and fro.
The article does specifically state that the monitoring systems are designed to keep certain information from leaving via the internet (whether intentionally or not), but that doesn't indicate that this is some feudal oppression system to choke the minds of federal employees. They are free to use whatever internet provider they wish when they get home, are they not? It's a firewall on steroids designed to protect government computers and data. Don't try to make it into something that it's not.
You make a series of pretty huge assumptions here, many of which are unlikely.
1) you assume that the 50 gateway points will be managed properly.
2) you assume that access to those gateway points will be managed effectively.
3) you assume that the underlying network design is intelligently put together.
Since this is government work, I would throw in an entirely different set of assumptions:
1) The contractor doing the work will be foreign.
2) The contractor doing the work will have less than solid training in putting together nationwide internet scale networks.
3) The underlying networks will mostly have already been compromised.
4) The project will take at least 2 times longer than predicted to complete.
5) The project will be considered complete before most of the network gurus here on Slashdot would consider it complete.
6) The project will likely introduce a 2 or 3 point of failure potential rather than a 50 point of failure potential. If you have trouble imagining such a poor design, you have no experience with government contracts.
I think the missing tag here is "whatcouldpossiblygowrong?". Knowing that something major WILL go wrong, as with all federal projects, you have to weigh the risk of moving forward against the risk of not moving forward. The realistic risk of moving forward is:
1) a significant portion of the networks will go down and leave several agencies without the capability of getting anything done.
2) a downtime in the network will present a very real and very dangerous national security issue.
The risk of not moving forward?
1) Data currently deemed secure is widely compromised. (in fact, this has probably already happened)
It's an arguably good idea on the surface. But really, shouldn't the nation that brought the world the internet have the most well thought out and effective network infrastructure in the world? A change to the underlying network is a solid idea. This change? This change is the result of small minded thinking and government work.
smitty, you know I love you, but I don't think I agree.
Since we're supposed to be the government (of, by and for, you know) the more places we can interface with it the better.
We've been trained by 27 years of "Conservative" control of government and media to see "government" as some alien entity over which we have no control and which only acts to make our lives unpleasant. St. Ronald was the first to really market this erroneous notion, and it really disrespects the clever and elegant plan our founding fathers laid out for us.
This meme of "drowning government in a bathtub" is so ubiquitous that even some smart people are lazily spreading it, as you have done.
If you've recently driven on a US highway, or if you're one of the unlucky ones under whom a bridge recently collapsed in Minnesota, you know first-hand what happens when "the commons" are neglected.
The strangest thing about this whole story is that we are constantly told that the US is a "Christian Nation" yet the idea of "care in common" which is anathema to Republicans is a most Christian notion. But I guess it's to be expected when hypocrisy is the new black.
You are welcome on my lawn.
Government's idea of a balanced budget: take money from the right pocket to balance...oh who am I kidding?
I see lots of waivers coming out of this. Let me guess - no additional funding will be provided to the "Small agencies that won't qualify for their own connection". Let me also guess - certain well-connected companies will be doing the 50 gateways!
When the DOD did this, no new money was provided for the switch, vendor "H" was the only source of outside assistance, at their usual outrageous prices, and everyone who could waivered out.
You make a series of pretty huge assumptions here, many of which are unlikely. 1) you assume that the 50 gateway points will be managed properly. 2) you assume that access to those gateway points will be managed effectively. 3) you assume that the underlying network design is intelligently put together.
I think the assumption is more along the lines of:
50 gateway points are more likely to be managed properly than 4000 points.
Those 50 points will have a great deal of attention and resources allocated to them, about 80 times the amount per point of the previous 4000 points.
When the government really cares about a project (read: military) they can be very intelligent; just look at the stealth bomber. They are only haphazard when it is a project that exists only to please the public (read: Medicare, or Social Security).
We are all just people.
We don't log our DHCP services. We allow Tor. We host tons of medical, legal, and financial information on you and other Americans. The federal IT director doesn't want to change it due to 'budget constraints'. Your government at work, people.
Why does reducing infrastructure equipment have to imply reducing functionality? You obviously don't understand the concept of consolidation. Reducing the # of devices reduces the amount of time managing and monitoring the devices. It makes managing the network easier because firewall rules can be consolidated and made simpler, along with other types of rules used throughout a network. Reducing the # of gateways to the outside world for a gov't agency or network also makes it more secure. People using those networks and the resources outside those networks can still get to those resources but those who maintain that infrastructure can better make sure it is done efficiently and more securely since they have less equipment to worry about.
This is a massive undertaking. I'm working on a consolidation right now for just one of these networks and it is just horrendous what we are up against. The government doesn't always have the same standards of documentation as contractors do, which makes it even more unfair for the contractor who comes in to fix what isn't actually broken, but it makes you wonder how it works in the first place given the spiderweb that exists. Now for the reality: It isn't about terrorists at all. It is about reducing cost for the taxpayers, THAT'S YOU, if you are a U.S. taxpayer. Yes, there are costs upfront, but why would you be against spending money upfront for much greater savings down the road?
this nation, under God, shall have a new birth of freedom. -- Lincoln, Gettysburg Address
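The consolidation argument above only holds if traffic really does leave through the approved gateways and nothing else. As an added example that is not part of this thread or of the TIC program, here is a small check a network team could run over exported flow records to find egress that bypasses the approved set. The gateway addresses, internal ranges, record format (src,dst,next_hop) and the sample flows are all constructed for illustration.

```python
# Added example (not from the thread): verify that every flow leaving the
# internal address space exits through an approved gateway. All addresses,
# gateway labels and flow records below are constructed for illustration.
import ipaddress
from collections import Counter

# Constructed: the approved egress gateways, keyed by a label (stand-ins for "the 50").
APPROVED_GATEWAYS = {
    "gw-east-1": ipaddress.ip_address("198.51.100.1"),
    "gw-west-1": ipaddress.ip_address("198.51.100.2"),
}
APPROVED_GATEWAY_IPS = set(APPROVED_GATEWAYS.values())

# Constructed: address space considered internal; a flow whose destination
# stays inside it is not egress and is ignored by the check.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
]

# Constructed flow records, one per line: src,dst,next_hop
# (next_hop is the router the flow exited through, as a flow collector reports it).
SAMPLE_FLOWS = """\
10.1.2.3,203.0.113.10,198.51.100.1
10.1.2.4,203.0.113.11,198.51.100.2
10.1.2.3,10.2.0.5,10.1.0.1
10.5.6.7,203.0.113.12,192.0.2.9
10.5.6.8,203.0.113.12,192.0.2.9
"""


def parse_flows(text):
    """Parse src,dst,next_hop lines into (src, dst, next_hop) address tuples.

    Blank lines, comment lines and malformed records are skipped rather than
    aborting the whole run, since exports are rarely perfectly clean.
    """
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            continue
        try:
            flows.append(tuple(ipaddress.ip_address(p) for p in parts))
        except ValueError:
            continue
    return flows


def is_internal(ip):
    """True when the address falls inside one of the internal ranges."""
    return any(ip in net for net in INTERNAL_NETS)


def find_unapproved_egress(flows):
    """Return flows that leave the internal space via a next hop that is not an approved gateway."""
    return [
        (src, dst, nh)
        for src, dst, nh in flows
        if not is_internal(dst) and nh not in APPROVED_GATEWAY_IPS
    ]


def summarize_by_next_hop(violations):
    """Count unapproved egress flows per next hop, so the stray exit point stands out."""
    return Counter(str(nh) for _, _, nh in violations)


if __name__ == "__main__":
    bad = find_unapproved_egress(parse_flows(SAMPLE_FLOWS))
    for src, dst, nh in bad:
        print(f"unapproved egress: {src} -> {dst} via {nh}")
    print(summarize_by_next_hop(bad))
```

On the constructed sample the two flows exiting via 192.0.2.9 are flagged, while the flow to 10.2.0.5 is ignored because it never leaves the internal ranges. In practice the same logic would run over the collector's export rather than an inline string, and a non-empty result is the signal that a site still has an unconsolidated connection.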
The times are changing my friend.
Are they abandoning the airgap policy or something?
Put simply, yes, it's a bit scary, and various coworkers and I (as contractors) have questioned the change in perspective, but the government seems to be moving away from air gaps, at least in one agency that I know of which will go unnamed for privacy and security considerations. I think classified systems will be the last to be merged, but already production and non-production systems are being merged. The idea, as TFA says, is to just put security monitoring devices and filters everywhere possible to keep the classified data safe. We're talking more levels of filters and access controls than have ever been used in the past.
this nation, under God, shall have a new birth of freedom. -- Lincoln, Gettysburg Address
Actually, AFAIK (i.e. read it somewhere, not even remotely sure if it's true, but does make sense) the Great Wall was in fact meant to do neither; or rather, a bit of both. It kept the invaders in. Sure, they'd get over it pretty easily on their way in, and it was impossible to keep constant watch over in any case, but once they'd done their raiding and whatnot they'd have soldiers after them and wouldn't be able to get back over the wall fast enough to escape them, thus discouraging invasions by making it pretty much impossible to get away with your loot and your life.
Nobody expects the British Columbia Human Rights Tribunal.
You are welcome on my lawn.