Slashdot Mirror


User: pacman+on+prozac

pacman+on+prozac's activity in the archive.

Stories: 0
Comments: 373

Comments · 373

  1. Re:No, because they are not compatible on Should Nuclear and Renewable Energy Supporters Stop Fighting? · · Score: 1

    The UK is a bit limited in the number of areas you could build such plants. Plenty of countryside but not a lot of suitable mountainous areas and not a lot of will to develop the ones we do have into industrial sites.

  2. Re:This has happened before on UK Government May Switch from MS Office to Open Source · · Score: 2

    That's exactly what it'll be this time too.

    There is little chance that UK govt would get rid of all the grey IT VB/Office hacks they have running business critical services. The larger, better funded organisations have been trying to centralise and standardise their IT for years and those guys have barely even started scraping the surface. It'd take decades and cost far more than £200mil.

  3. Re: i hope people with SCADA systems learned. on Hackers Gain "Full Control" of Critical SCADA Systems · · Score: 1

    You can make it accessible without putting it on the public Internet.

    A lot of the companies who run SCADA devices will already have some form of MPLS WAN, most providers can give you DSL links onto that network rather than Internet. Lets you reach the device but doesn't let the rest of the world.

    Or if that's not an option then stick a cheap VPN endpoint in front of it and run the comms over IPSec.

  4. Re:Some ideas on Ask Slashdot: Dealing With an Advanced Wi-Fi Leech? · · Score: 1

    The problem with hiding the SSID is not so much how it affects the wireless network but how it affects the wireless client machines.

    Once joined to that WLAN, the machine will broadcast probes containing that SSID everywhere it goes.

    That may also leave the clients open to MITM if an attacker sets up another AP with the same SSID. Not sure if this works in practice.

  5. Re:Three birds with one stone on UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6 · · Score: 1

    But Skype is running on the internal network, of course it can punch holes in the NAT device. The concern is for unsolicited access from the outside which will not make it through NAT.

    How exactly do you think Skype will work through a stateful firewall? It'll result in exactly the same techniques being used, the client will send an outbound "dummy" packet to allow the relevant incoming UDP traffic when the router thinks it's part of the same connection. Sure there will be 1/10000 customers who can go onto their firewall and open the incoming port, most people will not so these hacks will be around for a long time to come.

  6. Re:Corporations should not pay taxes on profits on Facebook Paid 0.3% Taxes On $1.34 Billion Profits · · Score: 1

    In terms of investors with shares who get dividends, UK dividends come with a "tax credit" that can be subtracted from the individual's tax bill. I think the general idea is the tax credit is the amount of corporation tax that the original company has paid so it avoids being double taxed. Not sure if the USA does something similar.

    It is a nice idea to move the taxation onto the individuals. But I think it's a bit of a huge solution to a problem where a simpler fix would be to stop letting companies claim international consultancy as deductible and put a bit more rigor into checking their international costs for tax deductibles, e.g. if Facebook Cayman rents Facebook Ireland a $3k server for $300k/year then it's not quite right and can be looked at under the current laws for tax avoidance.

  7. UK's "new" Government Network is IPv4 on UK Organization Set Up To Encourage IPv6 Adoption Closes · · Score: 4, Interesting

    The UK is currently in the process of developing & deploying a network for government agencies to use called the PSN (public services network). It's sort of a replacement for the GSI. It runs on IPv4, most likely using the DWP address space discussed here.

    Pretty much all the UK telcos & several global network manufacturers are involved with the PSN so it's a real missed opportunity that they didn't go with IPv6 for it.

  8. Lost in Translation on Director General of BBC Resigns Over "Poor Journalism" · · Score: 1

    I take it "on the job" doesn't have the same meaning on that side of the pond, because 54 days' worth is in no sense of the word "mere".

  9. Re:Server on Ask Slashdot: Enterprise-Grade Linux Networking Hardware? · · Score: 1

    That's the classical definition but the meaning is evolving, these days I would say it's more accurate to consider hardware forwarding decisions as switching and software/CPU-based forwarding as routing.

    As for the original question, lots of networking kit uses Linux behind the scenes. Checkpoint splat platform is Linux (IPSO is FreeBSD), I think McAfee Sidewinder is too, Cisco ASA was a Linux kernel with an IOS-like shell stuck on it (not sure about the new ones). Bluecoat SGOS is very Linux-like but not sure how close it is in reality.

    The difficulty is the lack of hardware forwarding, Enterprise networking kit doesn't generally use fast busses or big backplanes to shift packets, it uses proprietary ASICs to handle the packet processing and forwarding at line rate. You can't just buy a top end server, stick TCP-offloading 10Gbps NICs in it and expect it to firewall at 10Gbps. Although that said a lot of "enterprise" firewalls that are sold as 1Gbps struggle to hit 200Mbps and they still sell plenty of boxes.

  10. Re:Waste on Fukushima To Become Nuclear Dump? · · Score: 1

    You should take Russia seriously because if you shut off your nuclear generation then you'll end up dependent on their gas to keep your lights on.

  11. Re:nobody buys 10GbE either... on Fibre Channel Over Ethernet: From Fee To Free · · Score: 1

    That $350 doesn't include transceivers which you need at both ends.

    I would think about $4k/port is more realistic for an average install (which won't be using Linksys).

  12. Re:Aww shoot... on How Not To Design a Protocol · · Score: 1

    It has been implemented in IS-IS, used in some service provider networks.

  13. Re:blackmail on British ISP Sky Broadband Cuts Off ACS:Law · · Score: 1

    Same thing for Plus, they've put a FAQ up which states they were subject to court orders to turn over their customers' details, here.

  14. Firewall the boundary - all that's needed on Misconfigured Networks Main Cause of Breaches · · Score: 1

    There's a lot of comments saying "use a decent firewall and you're sorted".

    On any non-trivial network, if the only security in place is a firewall on the boundary then you're probably one of the 3/4 of easily exploitable networks mentioned in the article.

    Viruses, social engineering, playing with applications that are allowed through (e.g. HTTPS web apps), dial-ins, wireless, abusive staff, there is a never-ending list of attack vectors if you only pay attention to the perimeter. Like the article says: 43% of respondents view planting a rogue member of staff inside a company as one of the most successful hacking methodologies.

  15. Re:Network meltdown due to hub cross-connects on Stupid Data Center Tricks · · Score: 1

    The hub itself wouldn't generate any BPDUs, but since it just repeats electrical signals on the wire then it would be forwarding those from the next switch back up the loop (likely to be the same physical switch) so BPDU guard would still shut the port down.

    There are other loop protections, Cisco switches send loopback packets onto the line and will shut the link down if they see their own loopback packet again. It's a default setting so should work even if BPDU guard (and storm control etc) aren't enabled, unless it's specifically turned off with the "no keepalive" command.

  16. Re:ok i'll say it on EVE Player Loses $1,200 Worth of Game Time In-Game · · Score: 3, Funny

    It's a shame they blew up with the ship, if they'd dropped then we'd now be reading the headline "eve pirates legally steal $1200".

  17. Re:You're looking at it wrong. on Should I Take Toyota's Software Update? · · Score: 1

    My 1990 Celica did it with the original floor mat.

    Happened twice in a couple of years, they did have clips in the floor to hold it in place but after 18 years the plastic had broken and the mat could slide around.

  18. Re:VirtualBox lost... on VMware Workstation vs. VirtualBox vs. Parallels · · Score: 1

    I believe you only need the infrastructure server if you want Virtual Center (to manage a load of ESX boxes from a central point), you can manage standalone ESXi boxes individually via their web interfaces.

  19. Re:On everything! on VMware Workstation vs. VirtualBox vs. Parallels · · Score: 1

    VirtualBox is also great for network labs as you can bind physical NICs to separate virtual machines. You can't do that with any others until you start getting into ESX territory afaik.

    As an example you can run Checkpoint or Olive on it and link it in with Dynamips, get an entire enterprise network running on your desktop. Maybe not everyone's idea of fun but a comparable hardware lab setup would run to many thousands of pounds.

    I'd second your comments about the Atom too, it runs XP blazingly fast.

  20. Re:How is using so many VMs more efficient? on Amazon's Cloud May Provision 50,000 VMs a Day · · Score: 1

    Handy for upgrades but also great for redundancy.

    If you have a power outage in a data center you can have all of the servers instantly pop up in the backup data center without even dropping any sessions.

  21. Re:Why is anyone surprised? on Millions of Internet Addresses Are Lying Idle · · Score: 1

    It's probably a good idea to block the ICMP redirect messages too.

    Personally I lock it right down to just echo, echo reply, time exceeded and destination unreachable. PMTU still works, you still get invalid connections dropped properly and you can monitor connectivity.

    Does anyone know of any situation where ICMP redirects are valid any more? Seems to me that dynamic routing protocols and IP-redundancy protocols like VRRP have removed any use for them....other than doing MITM attacks on people not filtering ICMP that is ;-)

  22. Re:The story keeps changing. on San Fran Hunts For Mystery Device On City Network · · Score: 1

    Good point that it may not be IP connected.

    The thing that gets me is that they obviously do know where some of the cables go. If it was just a standalone terminal server then they wouldn't need it as evidence. So it's connected to something important in terms of this case, e.g. a core router. In that case they already know where one end of the cable is, how hard is it to trace the rest?

    Then I RTFA and it all became clear.
    "To date, DTIS has paid out $182,000 to Cisco contractors and $15,000 in overtime costs"

    Incompetent management offering high hourly contract rates does not equal a fast simple solution to a problem ;-)

  23. Re:The story keeps changing. on San Fran Hunts For Mystery Device On City Network · · Score: 5, Interesting

    They could always do something crazy like track the MAC to a port and go trace the cable to find the device, I guess that wouldn't make such a good story though.

    If they're using Cisco switches and it's linked via copper then they could probably work out where it is without leaving their seats, use the inbuilt TDR to find out how long the cable is, then use the location of the switch and a bit of common sense to work out where the device is likely to be.

    If it's a terminal server then it's not likely to be hanging off a 3km long fibre somewhere in a duct under the city. It'll be within serial cable distance of all the other kit, more than likely in their main computer room with some bloody great octal cables hanging out the back. I suspect it'd take someone clued up approx 5 minutes to identify it as it will look rather different to any of their other routers purely due to the cabling run to/from it.

    The more I read about this "ebil admin" story the less I believe any of it.

  24. Re:Unimpressed. on First-Ever Photo Tour of Defcon's Network Center · · Score: 1

    "Now granted it doesn't need to look neat to function correctly."
    I've seen servers die because their power cables were dislodged by the weight of badly installed cables, also seen servers go offline when network cables get crushed and damaged. I'd say there is a fairly strong argument that it does need to look neat to function correctly, for permanent installs anyway.

    This network was only built to last a few days so I doubt they're too worried ;-)

  25. Re:Linux distros on Working With 2 ISPs For Home Networking? · · Score: 1

    Been a while since I've set up a Linux router but won't the following work on any Linux distro:

    Set up a box with two ADSL cards in it, set two default routes via the next hop IPs for the connections on each card. By default it should load balance across the two. If one drops then it'll realise the next hop isn't reachable (as it's on same subnet as the interface which has now vanished) and remove that route.

    I seem to remember that Linux can set routes via interfaces, that would work even better than using next hop.

    Downside with this is it won't deal with an ISP that stops passing traffic but doesn't drop the DSL. I also don't know how Linux will load balance in this situation, I'd guess per-packet rather than doing "sticky" connections which may give you some issues.