Slashdot Mirror


NSA Chief Wants Internet Partitioned For Government, 'Critical' Industries

GovTechGuy writes "NSA chief Keith Alexander, also the head of the US Cyber Command, told reporters that he would like to see the creation of a secure zone on the Internet for government and critical private sector industries such as utility companies and the financial sector. Alexander has repeatedly emphasized the dramatic nature of the cyber threat facing American networks and his comments were a further sign that the Pentagon does not think the war against foreign hackers can be won. Alexander denied the military has any role in safeguarding civilian networks currently, but didn't rule out the option in the future."

5 of 258 comments

  1. Re:Someone didn't get the memo by Penguinisto · Score: 4, Informative

    The DoD owns those... NIPR is mostly bureaucratic military stuff, while SIPR is the secure one. Good luck with the Pentagon letting folks like HHS, DOI, DOE, congress-critters, or (heh) your local utility co-op get latched onto those.

    Speaking of "realistic security policies", just to even think of hooking into NIPR, you have to harden your boxes to these specs (ever had to put all of /usr onto its own partition and lock the whole thing read-only? I guess it all depends on your definition of "realistic"). SIPR's requirements are only 'slightly' more anal.

    /P

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
  2. Re:It just takes one... by Znork · Score: 3, Informative

    Partitioning is a pipe dream; any network with a significant number of users will have uncontrolled exchanges with the internet.

    The only way to have reasonable security is to keep certain subsystems separate and accessible only via specific gateways; no user is ever logically placed on those segments, and they are only ever accessed over very few very specific interfaces.

  3. There is a good reason for this by Aqualung812 · Score: 4, Informative

    I used to work at a bank, and I really wished for something like this. Imagine a network with no home connections, nothing moving across it but VPNs. VPNs from bank to bank, power company to government, etc. Every node would be authenticated. No worms.

    In this type of network, I can turn the logging on my firewall to the max, and anything that even looks at my bank's firewall with a ping can be reported to the agency that runs the show. Once it is confirmed that they're going where they should not, they're kicked off the network.

    The issue I had is that there are so many cases where bank A needs to talk to bank B, and neither wants to have the T1 line under its name. If the Internet goes down, no money can be moved and there are big problems. Making a walled place for this would be great.

    People need to understand that you can EITHER have security OR the ability to be anonymous. If you want one, you're losing the other.

    --
    Grammer Nazis - I mod you "troll" unless you actually add something on-topic. Yes, I know I have mispellings in my sig.
  4. Re:Uhh by mangu · Score: 3, Informative

    You beat me to it, that's exactly what I was going to write.

    Saying something as stupid as this "secure zone" proposal should be enough to get banned from ever working in a high responsibility government job again. "Secure zones" already exist; if they aren't being used correctly by the government, it is because people like Keith Alexander aren't doing their job.

  5. Re:Someone didn't get the memo by dwye · Score: 4, Informative

    > ever had to put all of /usr onto its own partition and lock the whole thing read-only?

    No, because SunOS5 had this on installation, back about 1990. With symbolic links and such, it was really quite simple. You remounted /usr as RW only when you had to remake the kernel, and then rebooted after (once a month or less often). In fact, our /usr was on a separate disk that had a hardware RO/RW switch on it.

    This stuff was worked out long ago. Then, it was ignored because someone decided to build from scratch with no more (prior) thoughts of security than a HAL-9000 had.
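The read-only /usr hardening that comments 1 and 5 describe is easy to verify from the mount table. As an added example (not code from either commenter or from Slashdot), this POSIX shell check parses /proc/mounts-format lines and reports whether /usr is a separate mount with the `ro` option; the mount table it runs against is a constructed sample, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not the commenters' code): verify that /usr is a separate
# mount and read-only, the hardening step discussed in this thread.
# Input is /proc/mounts format: <device> <mountpoint> <fstype> <options> ...

# Constructed sample mount table, not captured from a real host.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /usr ext4 ro,nosuid,nodev,relatime 0 0
/dev/sda3 /var ext4 rw,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0'

# mount_options TABLE MOUNTPOINT: print the option field for MOUNTPOINT.
# Exact match on field 2, so /usr does not match /usr/local.
mount_options() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { print $4; exit }'
}

# has_option OPTS NAME: succeed if comma-separated OPTS contains NAME as a
# whole option, so "ro" is not satisfied by "errors=remount-ro".
has_option() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -qx "$2"
}

# is_readonly TABLE MOUNTPOINT: exit 0 if mounted read-only, 1 if mounted
# read-write, 2 if MOUNTPOINT is not a separate mount at all (a /usr living
# on the root filesystem cannot be locked down independently).
is_readonly() {
    opts=$(mount_options "$1" "$2")
    [ -n "$opts" ] || return 2
    has_option "$opts" ro
}

# check_usr TABLE: print a one-line verdict for /usr.
check_usr() {
    rc=0
    is_readonly "$1" /usr || rc=$?
    case $rc in
        0) echo "PASS: /usr is a separate mount and read-only" ;;
        1) echo "FAIL: /usr is mounted read-write" ;;
        *) echo "FAIL: /usr is not a separate mount" ;;
    esac
}

# Stand-alone run: the sample table, then the live host where /proc exists.
check_usr "$SAMPLE_MOUNTS"
if [ -r /proc/mounts ]; then check_usr "$(cat /proc/mounts)"; fi
```

On a live host, a FAIL for a read-write /usr is expected on most desktop distributions; the check is meant to confirm the hardened state, not to change it.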