The Internet

GOVNET In the Works 271

gtg010b writes: "According to USA Today, the U.S. government is considering a private network to be used for all government communications. This network would be "separate from the Internet to keep it safe from hackers or terrorists" according to Richard Clarke, the head of the president's "cyberspace security adviser." Whatever happened to government not being above the people?" Clarke is the guy who's been crying "cyber Pearl Harbor" for a few years; apparently if you cry wolf long enough you get promoted. His request (.doc format) is informative. I should point out that the U.S. military already has such a network (I'm not even going to ask why the Feds can't piggy-back on it), so GOVNET would be for critically-important government agencies like the Department of Agriculture to communicate.
  • uh? (Score:3, Insightful)

    by c0rtez ( 443072 ) <nbonfat&bsad,uvm,edu> on Wednesday October 10, 2001 @07:00PM (#2413297)
    Why not just encrypt across internet2 or something? I really don't understand why everyone is crying pearl harbor about everything anyway...
    • posted without the +1 bonus, so it's easy to ignore:

      Request for Information for a Government Network Designed to Serve Critical Government Functions (GOVNET)

      1.0 SUBJECT

      Request for Information (RFI) for a Government Network designed to provide protected services for critical Government functions. The network is designated GOVNET. Responses are due to this RFI by 4:00 PM on November 21, 2001. See section 8.0 for further information.

      2.0 DESCRIPTION

      The General Services Administration, at the request of the Executive Office of the President of the United States, and the newly designated Advisor for Cyberspace Security, and in support of National Security goals established by the President, is seeking information from industry that will assist in the development and deployment of a special telecommunications network, GOVNET.

      Specifically, this RFI seeks the following information:

      Conceptual technical architecture alternatives
      Technical feasibility alternatives assessments
      Approximate cost information (i.e., order of magnitude, ballpark estimates, etc.) for alternatives
      Information about spare or unused telecommunications capacities that could support GOVNET minimizing the need for special construction and associated costs and time delays
      Schedule estimates
      Ideas and suggestions that provide alternative approaches to designing, developing, acquiring, operating, and managing GOVNET

      3.0 REQUIREMENTS

      This section enumerates the high-level functional requirements for GOVNET. For purposes of responding to the RFI, requirements in the form of hypothetical locations to be served and associated traffic requirements for initial operational capability (IOC) will be made available to interested respondents at an information exchange meeting (see Section 6.0, below).

      GOVNET will be a private Internet Protocol (IP) network shared by government agencies and other authorized users only. GOVNET will provide connectivity among users to a defined set (to be determined) of service delivery points.

      There will be no interconnections or gateways to the Internet or other public or private networks. This applies to any network management, control, and maintenance functions for GOVNET as well. Initially, GOVNET will provide private intranet data connectivity within the contiguous 48 United States (CONUS).

      GOVNET will provide commercial-grade voice communications capabilities within the network among specified users using the data network components and protocols. Voice services to be supported will include, but not be limited to, conferencing and multicast/broadcast. No connections or gateways to the PSTN or SS7 are envisioned for voice communications.

      The potential for adding video communications also exists as a secondary requirement at this time. Video services to be supported will include, but not be limited to, conferencing and multicast/broadcast. As with voice requirements, there will be no communications or gateways outside of GOVNET.

      GOVNET will support critical government functions and will be immune from malicious service and/or functional disruptions to which the shared public networks are vulnerable (i.e., so-called cyber attacks). In particular, it shall be impossible for malicious or intentionally disruptive activities (e.g., denial of service attacks) to be perpetrated within GOVNET from any network external to GOVNET. Similarly, it shall be impossible for malicious code (e.g., computer viruses) to penetrate GOVNET from any network external to GOVNET.

      GOVNET will provide the highest levels of reliability and availability including trunk and access diversity, and rapid response times for customer outages. This RFI does not specify a particular requirement for availability or reliability. Responses to this RFI will assist in establishing this requirement. In formulating responses, each respondent should describe the reliability and availability characteristics of each alternative included in their response.

      GOVNET traffic will be secure (i.e., encrypted by the network using NSA approved encryption techniques), and will be suitable for carrying classified information. For purposes of this RFI respondents should assume encryption of payload data only. No encryption of routing or addressing information is contemplated at this time.

      GOVNET will be a turnkey solution offered and priced as a service to participating users. For purposes of this RFI, assume a single invoice with supporting detail presented monthly to GSA will be acceptable.

      GOVNET will offer bandwidth-on-demand services at user locations and will be scalable to meet growth in overall network demand and/or peak requirements.

      All GOVNET components and links must be located in the U.S. or Canada.

      GOVNET shall evolve to maintain technology and service currency with state of the art commercial services to the maximum extent practical.

      GOVNET will be operated on a 24/7 basis by the contractor.

      GOVNET will provide initial operational capabilities (IOC) within six months from contract award. For purposes of responding to the RFI, IOC is defined as full GOVNET IP connectivity to all locations that will be made available at the public information exchange meeting. Within 12 months after award, voice and video capabilities will be available on GOVNET.

      Other requirements not directly related to physical network and services isolation will be addressed at a later date. Examples of such requirements include security policies and security management requirements, required active defense measures, security of network management and control technologies, network capacities, service level agreements, and other important considerations.

      The purpose of this RFI is to gather information about those requirements enumerated above. To the extent simplifying assumptions are needed, respondents are encouraged to make and document such assumptions in their responses.

      4.0 POSSIBLE NETWORK SOLUTION

      GOVNET must meet the functional requirements specified above. The Government is open to alternative concepts for solutions that meet these requirements. The Government encourages creativity and outside the box thinking in responses to this RFI.

      One possible solution would be to build a completely dedicated network based on dedicated physical fiber pairs and full path diversity. All hardware would be dedicated, including all transmission equipment, routers, switches, multiplexing equipment, network management and control equipment, etc. In addition, all management and operational personnel would be fully dedicated to the network.

      This RFI seeks information about a fully dedicated non-shared network as well as other approaches that could meet the functional requirements with additional levels of sharing of personnel, equipment, and connectivity paths. In doing so, the Government seeks to understand the tradeoffs among risks, costs (initial and ongoing) and alternative technical architectures that incorporate increasing degrees of sharing.

      Accordingly, respondents are encouraged to provide information about any alternatives that can be demonstrated to be immune from the kinds of disruptions described in section 3.0, above.

      5.0 SAMPLE RESPONSE OUTLINE

      Following is a suggested outline and suggested page counts for a response to this RFI. This outline is intended to minimize the effort of the respondent and structure the responses for ease of analysis by the government. Nevertheless, respondents are free to develop their response as they see fit.

      Section 1 - Conceptual Alternatives

      Briefly describe two or more alternative architecture concepts for GOVNET, including the reliability and availability characteristics of the alternatives. Discuss the capability for the architecture to expand to meet video requirements, and to meet needs outside CONUS. (3-5 pages per alternative with one diagram per alternative identifying the brand/type of equipment that would typically be deployed)

      Section 2 - Feasibility Assessment

      Briefly describe the feasibility of each alternative and the design tradeoffs involved as matched against the functional requirements and risks of penetration. (1 page per alternative)

      Section 3 - Cost and Schedule Estimates

      Provide cost estimates for each alternative for 5 and 10-year contract terms for non-recurring and annual recurring costs using the locations provided at the public information exchange meeting (one page table). Also, discuss cost drivers, cost tradeoffs, and schedule considerations (2-3 pages)

      Section 4 - Corporate Expertise

      Briefly describe your company, your products and services, history, ownership, financial information, and other information you deem relevant. (no suggested page count)

      In particular, please describe any projects you have been involved in that are similar in concept to what is described in this RFI, including management and operations approach, security requirements, security assurance processes, and any relevant lessons learned (1-2 pages per project).

      Include any comments on the structure of the requirements for a formal RFP response.

      Note - please also describe any network capacity assets that you might be willing to dedicate for deploying GOVNET. Examples of such assets might include unsold or unsubscribed capacities, so-called dark fiber routes, assets designated for liquidation or that are financially under-performing, etc.

      Section 5 - Additional Materials

      Please provide any other materials, suggestions, and discussion you deem appropriate.

      6.0 INFORMATION EXCHANGE MEETINGS

      GSA and the Special Advisor for Cyberspace Security will hold an information exchange meeting to discuss this RFI with interested potential respondents. Details about this meeting will be made available at a later date. If you wish to attend this meeting, please respond to the contact provided in section 8.0, below.

      In addition, GSA will consider meeting individually with interested potential respondents. If you are interested in requesting such a meeting, please respond to the contact provided in section 8.0, below.

      7.0 DISCLAIMER

      This RFI is issued solely for information and planning purposes only and does not constitute a solicitation. All information received in response to this RFI that is marked Proprietary will be handled accordingly. Responses to the RFI will not be returned. In accordance with FAR 15.202(e), responses to this notice are not offers and cannot be accepted by the Government to form a binding contract. Responders are solely responsible for all expenses associated with responding to this RFI.

      8.0 CONTACT INFORMATION

      Following is the Point of Contact (POC) for this RFI, including the public information exchange meeting:

      Mr. John (Jack) Braun
      (703) 306-6423
      jack.braun@gsa.gov

      Please submit responses via e-mail in Microsoft Office format by 4:00 PM on November 21, 2001, to the POC at: govnet.ts.fts@gsa.gov. You may also submit supplemental hardcopy materials such as brochures, etc. (5 copies each) to the POC.

    • Re:uh? (Score:2, Informative)

      >Why not just encrypt across internet2 or something?

      Encryption is still subject to traffic analysis (i.e. monitoring when data moves and where it is going to/from).

      Also it may be vulnerable to DoS attacks if going across a public network.

      > i really don't understand why everyone is crying pearl harbor about everything anyway...

      Me neither - I thought it was just a knee jerk reaction, but it seems to be persisting.
  • Sure... (Score:5, Funny)

    by dghcasp ( 459766 ) on Wednesday October 10, 2001 @07:01PM (#2413299)
    GOVNET would be for critically-important government agencies like the Department of Agriculture to communicate.

    and get spammed with MAKE WHEAT FAST!

  • by WillSeattle ( 239206 ) on Wednesday October 10, 2001 @07:02PM (#2413304) Homepage
    I think this would be a good test case for the government. They could use IPv6 and Internet2 standards, with full encryption of messages and full security.

    Would be a good test case - if it works, then we can expect to see a clone system roll out in major cities within two years.

    • Not a bad idea, on the face of it. But what if the test case fails?

      If the test case proves woefully inadequate, then the secrets of our Government will be in the hands of a bunch of l33t 12 y34r-0|d H4X0Rz!

      Seriously, why would the Govt want to do that? They'll keep everything hush-hush until someone invents something better. I understand that a bunch of MIT folks developed a system that can recreate a computer screen from over 100 ft from the computer without wires just by decoding the electromagnetic pulses from the monitor.

      Of course, that means the NSA now has copies of my spam.

      • Not a bad idea, on the face of it. But what if the test case fails?

        If the test case proves woefully inadequate, then the secrets of our Government will be in the hands of a bunch of l33t 12 y34r-0|d H4X0Rz!


        I was describing a parallel or private Internet2. There wouldn't be any hackers - this would be more like the Mil version, but its own space.

  • ARPAnet? (Score:2, Insightful)

    by Petrol ( 18446 )
    I guess I'm messed up, cause I thought the original inception of our current internet *wasn't* private either. So, what's the ruckus? (aside from them already having one)

  • People are using the terrorist threat to do things they wanted to do anyway, but would not normally be allowed.


    Secrecy and weapons sales corrupt democracy: What should be the Response to Violence? [hevanet.com]
  • Huh? (Score:2, Insightful)

    by Wolfier ( 94144 )
    >Whatever happened to government not being above
    >the people?"

    I think it is about the government being separated from the people. So this sentence per se is irrelevant.
  • This is bad why? (Score:5, Insightful)

    by chinton ( 151403 ) <chinton001-slashdot.gmail@com> on Wednesday October 10, 2001 @07:07PM (#2413321) Journal
    So, they want to set up an intranet for the government. Why is this a bad thing? Should all corporations be required to use the internet for any and all communications between employees/remote sites/customers?
    • Re:This is bad why? (Score:4, Interesting)

      by MikeyNg ( 88437 ) <mikeyng AT gmail DOT com> on Wednesday October 10, 2001 @07:17PM (#2413362) Homepage

      So, they want to set up an intranet for the government. Why is this a bad thing? Should all corporations be required to use the internet for any and all communications between employees/remote sites/customers?


      This is not a bad thing. It's a redundant thing. If you read up on DARPA and the creation of the Internet, you'll see that all that's being proposed has already been proposed some forty years ago or something. So commercial entities have the majority of sites on the Internet now. Big deal. The Internet was initially created just to handle this sort of thing.


      Yes, if they want to do videoconferencing, etc., they'd need to beef up the bandwidth. You'd need something like an Internet2 or something like that. Oops. That's already in the works, isn't it?


      (As an aside, when's the last time anyone used a .mil address? They're still valid TLDs, right?)

      • Re:This is bad why? (Score:2, Informative)

        by Yokaze ( 70883 )
        AFAIK, banks have their own separated network.

        The DARPA-NET was created to provide a means to communicate after a nuclear strike or any other physical attack.
        It should be redundant (and by this means fault tolerant).
        Therefore all partners were more or less equal.
        It didn't matter which way the packets go and it shouldn't matter.
        Security was never a main issue as you can see from the amount of security flaws [linuxsecurity.com], which exist(ed) in TCP/IP.
        Granted, IPv6 seems to tackle these problems, but it is still not in use. And sometimes it's easier to build something new than to change the existing (I would suggest doing the same with tax law).

        What was the best network security tool again? IRC, pliers.
    • by dachshund ( 300733 ) on Wednesday October 10, 2001 @07:18PM (#2413366)
      Well, it sounds like it'll be a big intranet. We could eventually be talking about thousands of sites, all over the country. Presumably all of these links will operate over isolated (and hopefully secure) communications lines, which aren't cheap-- there shouldn't be any tunneling over other networks, otherwise you might as well just use a big VPN setup across the public Internet.

      I hope that they understand that a large-scale network like this isn't going to solve all of their problems. They'll still have to maintain heavy security on all of their sites, regardless of how much more secure this network is.

      I think it's not a bad idea, if you're looking to avoid a William Gibson type scenario (where all sorts of critical resources can be accessed from the public networks, if you've got enough tools and skill.)

      The main issue here seems to be cost. It's not going to be pretty. And it's entirely possible that this network will be more trouble than it's worth.

      • Well, it sounds like it'll be a big intranet. We could eventually be talking about thousands of sites, all over the country. Presumably all of these links will operate over isolated (and hopefully secure) communications lines, which aren't cheap-- there shouldn't be any tunneling over other networks, otherwise it you might as well just use a big VPN setup across the public Internet.

        It's part of the internet as envisioned by Clinton, a complete private government network for Pr0n. Eventually all pr0n will be outlawed, available only in special government archives for use by government investigators and officials in their research projects.

        Eventually all the best pr0n will be there, leaving all of the junk out on the net as a collection of blind links going in an endless circle.

        This is as good a reason as any for this network, to safeguard the government pr0n collection

        • Well here in Oz there are National guidelines for the viewing of online adult content by government staff. This was worked up for National web archiving projects where someone had to make a call on "adult" content. I believe it stipulates things like "Only one staff member to view the material and no more than two staff members standing around the screen".

          Xix.

      • hope that they understand that a large-scale network like this isn't going to solve all of their problems. They'll still have to maintain heavy security on all of their sites, regardless of how much more secure this network is.

        Sounds like much more trouble. If they build their own private wires, the terrorists will know exactly what to break and listen to. I can see it now, "Ah yes, as promised there it is, the red wire! Cut it quickly for there is no reason for the animal to suffer.", and the Bat Phone dies.

    • Will it be considered an Intranet. Is it going to have dedicated lines and bridges to each part of this WAN?

      So if this is in no way part of the Internet, the only true way to keep it safe from Hacks is to have dedicated lines to each 'GOVNET' LAN and have absolutely no connections to outside of this 'GOVNET' right?

      Sounds costly. Having to lay pipe to keep everything separate. I say allow and build better encryption schemes, (but those are terrorist tools right).
    • So, they want to set up an intranet for the government. Why is this a bad thing? Should all corporations be required to use the internet for any and all communications between employees/remote sites/customers?

      Because it's going to take our tax money, to pay for this.
      • Re:This is bad why? (Score:3, Informative)

        by baptiste ( 256004 )
        Because it's going to take our tax money, to pay for this

        Well, considering how many of your tax dollars are wasted when folks hack into their systems and mess them up... Makes sense.

        I think this is a great idea. If it's thought out well. Heck many large companies do this - you have a set # of firewalls controlled by ONE group of security professionals. They can link the major sites with some of the tons of dark fiber out there. Smaller sites - use VPN with high encryption over the Internet. That gives you a good cost point since it's the small offices that can kill you for an Intranet. Link the large locations with private links. The next step would be to place all their public webservers under the auspices of a single web team to ensure the damn servers are setup properly and securely. But that'll never happen :) Isn't bureaucracy grand? :)

        • Well, considering how many of your tax dollars are wasted when folks hack into their systems and mess them up... Makes sense.

          So the choice is between applying a few timely patches and building a whole 'nother Internet, and the latter is chosen as the cost-effective route??

          All I can ask is... did Cisco have lobbyists at the hearing for it?

          • So the choice is between applying a few timely patches and building a whole 'nother Internet, and the latter is chosen as the cost-effective route??

            LOL - a few? Across how many machines? I've worked at large organizations that had 100% firewalled Intranets with minimal access from outside and currently work where all machines are direct connected to the internet. We are constantly fighting viruses, hackers, etc here. It's a nightmare - why? Because no matter how hard you try, getting every machine to the right patch level is impossible unless you shell out millions for something like SMS and that's only for MS machines. You should always worry about security, but in an Intranet environment you can focus your limited resources where it counts and try to bring everything else up when you can - sounds slack, but given today's IT budgets you often have no choice. If Intranets work so well for large multi-national corporations, why not the gov't? Sure it'll probably be bungled like most other large scale govt IT projects, but if they pull it off - it would be nice. Gov't desktops would have some protection from outside attacks on a large scale and they could control what servers got placed OUTSIDE the firewall in a DMZ - makes life much easier for those admins - but requires a culture shift and on the scale of the gov't it might be impossible.

            But in the end - this makes sense for them - otherwise we'd have many large scale companies whose machines were on the Internet vs Intranets.

    • So, they want to set up an intranet for the government. Why is this a bad thing?

      Uh, who do you think pays for that kind of shit?

      It's bad because it's unnecessary. Do you think it would be acceptable to run 100Mbps fiber to every congressman's house just because it would be alright for a corporation to do it for its Vice Presidents?

      • So, they want to set up an intranet for the government. Why is this a bad thing?

      It continues the tendency of government to view itself as separate from the people.

      Look at gated government communities, high security mansions, government hospitals, politicians who push anti-gun agendas while being protected by armed security, career politicians, heck hereditary politician dynasties.

      Government is becoming an observer of the nation, not a participant. This is another step down that road.

      I'm not saying that all of these steps aren't pragmatic or justifiable, just that it's hypocritical and unhelpful to apply them only to government. How can government (and why would they want to) solve problems that they aren't experiencing?

      Specifically on this issue though, AFAIK the biggest threat to national security comes from corrupt insiders armed with a bunch of floppies, not evil shadowy crackers roaming the internet looking for .mils to ream. The money might be better spent hiring more watchmen watchers or even (gasp!) letting us oversee them.

  • by Dolly_Llama ( 267016 ) on Wednesday October 10, 2001 @07:07PM (#2413323) Homepage
    Apparently, the concept is to build a decentralized network so that government officials, academicians, and others can communicate with one another via a technology called "electronic mail." Planned but not yet implemented is a feature whereby entire files can be sent via this "Inter-network." Proponents of the decentralized model tout that communications could be routed around damage in such a network, even perhaps, a nuclear attack!

    In business news, Cisco Systems stock [CSCO] rose 60% today.

    Thank god for USA Today: America's Pravda

  • Large != Private (Score:3, Insightful)

    by conan_albrecht ( 446296 ) on Wednesday October 10, 2001 @07:08PM (#2413328)
    A private, secure network is by definition fairly small. The larger the network became (as would be necessary given the size of the US gov't), the more opportunity crackers would have to get in.

    The government is simply too large to expect that a separate network would make it that much harder for crackers to get in.
  • You don't want the government (or anyone else) spying on your connections, do you? You believe in having your own lines which you control and which don't depend on someone else's ring or something, don't you? Why should the government behave any other way?

    Also, this will keep the government from eating up our bandwidth, which we need for pr0n and warez! Also a good thing, although I'm sure that the aforementioned uses consume dramatically more bandwidth in a day than the government does in a month.

    In any case, I don't see how anyone could get snitty about the federal government wanting to build a secure private network. It's a good idea, and long since time.

  • Government WAN (Score:3, Interesting)

    by nevis ( 124302 ) on Wednesday October 10, 2001 @07:11PM (#2413340)

    Most large government agencies already have extensive WANs. The Judiciary (third branch) has a WAN called the DCN (District Court Network) that connects all 92 Districts. To my understanding many agencies falling under the dept of Justice also have their own WANs.



    Looks like a lot of the "GOVNET" is already in place.


    • Most large government agencies already have extensive WANs.
      ...
      Looks like a lot of the "GOVNET" is already in place.
      These WANs are connected via the internet though.
  • confusing (Score:3, Insightful)

    by SaberTaylor ( 150915 ) on Wednesday October 10, 2001 @07:11PM (#2413343) Homepage Journal
    Government action:

    #1 legally restrict secure communications
    #2 build private network for security
  • Remember it only takes one computer connected to the internet and this new GOVNET to compromise it. Above that, there are other ways to compromise networks not connected to the internet. If Joe B. works in a corporation with a totally isolated internal network and takes his work home, say on a floppy, it is possible although improbable that someone could break into his home system and put undesirable programs or data on that disk that can affect the isolated corporate network when he goes to use it. I learned about this in the wee days of linux when we held a linux workshop.


    -foxxz

  • Startup.com [imdb.com] the movie was about the same kind of government meets private industry to spread information scheme. They failed, hopefully this won't.
  • by ldopa1 ( 465624 ) on Wednesday October 10, 2001 @07:14PM (#2413350) Homepage Journal
    If my memory serves me right, the Internet is the bigger grandson of ARPAnet, which was originally developed for secure voice and teletype transmissions.

    I say "Bring it on!" Not for a hacking standpoint, because really, what's the point? I think that GOVNET will eventually become another arm of the Internet eventually. It only makes sense that at least one department (Office of Homeland Security comes to mind) will want a direct link to the Internet to make work easier, and then another and then another, and finally, the GOVNET will just be another section of the internet, the same way WAIS and GOPHER are today. I wouldn't worry.

    BTW, my thought that ARPAnet was the start of it all is sort of correct. You can check it all out right here. [isoc.org]
  • Oh yes...those top secret pork bellies reports are vital to national security. So much so that they have "Animal Farm" syndrome and are paranoid of potential attacks.

    What STUPID POS(not point-of-sale) program are they going to think of next to waste our hard earned money on?

  • Critique (Score:2, Insightful)

    "Many parts of the government, including the CIA and the Defense Department, operate separate classified networks. Mark Rasch, a former Justice Department computer crimes prosecutor, said those networks could be expanded and integrated to form GOVNET."

    These networks can't even be "integrated" into one another because of different classification levels etc. There isn't even a way to move data from low to high (systems of low classification to systems of higher classification), because the fact that the high network wants certain data from the low network is sensitive itself.

    "A better way, Rasch suggested, might be to improve the ways sensitive information is encrypted and sent over public networks such as the Internet"

    It is my understanding that this is exactly how the DOD's classified networks work. I suppose I could be wrong, but I doubt it.

  • As far as I know this already exists in a way. The department of defense operates the defense switched network (DSN) which is a telephone switch network. DSN is used to do such things as launching nuclear attacks and has priority over the other telecommunications networks in the US (this is my understanding of it). Why doesn't the US just increase the capacity of this network and keep on using it?
  • by JoeShmoe ( 90109 ) <askjoeshmoe@hotmail.com> on Wednesday October 10, 2001 @07:18PM (#2413365)
    This is our government's security expert? This is his big plan to keep government data safe?

    The Internet is everywhere. It's so pervasive that there is zero chance you can have any isolated network. The second some low-level government flunkie at the Bureau of Railroad Employee Retirement signed onto AOL to check his e-mail, boom, there's a gateway.

    My thinking is that they plan to use GOVNET as an excuse to be lazy. Everything will have minimal authentication because there's no way big bad hackers can get on the network, right? Except that any PC on the network can easily become a gateway. There are plenty of examples of "private" and "secure" networks that were breached through classic hacking techniques like social engineering and wardialing.

    This is stupid. What about PPTP/VPN? Why can't they just make a virtual network that runs over the Internet like every other business is doing? The infrastructure costs are minimal because you aren't running redundant wiring. It's just as secure, in fact, it's more secure because you are going to be extra paranoid about things like password schemes and encryption levels if it has to survive some public data transfer points.

    A few years ago, AOL tried to market this to companies. They called it EOL for Enterprise OnLine. Basically, for a fixed fee per user, all your employees got AOL accounts and access to a private keyword with your company's Intranet.

    Except no one but Century21 ever signed up, as I suspect they got a good deal for being a test case. No one saw the point when security, done properly, is going to produce a much more versatile and cheaper result.

    To make an analogy, this guy is suggesting that every government office get a tin can and a string so that they can communicate securely because there's always the potential for someone to tap the phone lines.

    Re-freakin-diculous.

    - JoeShmoe
    • The second some low-level government flunkie at the Bureau of Railroad Employee Retirement signed onto AOL to check his e-mail, boom, there's a gateway.

      Absolutely true. But think about a thin client...one that you CAN'T install AOL on. That'd clear up a lot of problems right there...
      • I don't think that will work. Government agencies run all sorts of crazy crappy proprietary programs. There are few standards so it's pretty much left up to each individual agency (or even region by region) to pick and choose what they want to use. They probably aren't just doing e-mail or they could make do by giving every government employee a two-way pager and be done with it.

        If businesses aren't quite ready to embrace thin clients, I can't imagine the government being so on the ball technically that they are even aware that's an option. Besides, if it runs TCP/IP then there is some way it can be hacked. It may take physical tampering on the site, but where there's a will, there's a way. Building that wall gives a false sense of security.

        - JoeShmoe
        • if it runs TCP/IP then there is some way it can be hacked
          True, but the example given, and the one I was responding to, was inadvertent subversion of network security. I think you and I both agree that network security is like a privacy lock on a bathroom door - it doesn't stand up to even a hard kick, but it keeps stupid people from barging into places they oughtn't go. And let's face it, with regard to technology, most people are stupid (ie don't understand and don't want to).
    • I read your post and think it offers some interesting points but it's clear that you haven't worked in corporate IS, which might change a few perceptions.
      1. The second some low-level government flunkie at the Bureau of Railroad Employee Retirement signed onto AOL to check his e-mail, boom, there's a gateway. - Nope - I can lock it down so he cannot even get to the site and without local admin cannot install anything - we already do this with Hotmail and Yahoo etc. due to people getting round our virus scanning and mail attachment restrictions by using Hotmail - thus infecting us in this way - it's simple proxy control and group policy application
      2. VPN and PPTP are great concepts but shitty in practical terms - we use it here for remote clients and it is the bane of my existence with failed clients and forgotten passwords - it's fine with a limited number of remote sites but it cannot be used to replace infrastructure in larger (5+ people sites) - the only solution there is Frame/ATM
      3. EOL sucked as it was simply AOL attempting to give corporates a cheaper intranet option back before internet access was a standard thing

      Drawing the tin can analogy is a joke - the guy who wrote the article is an idiot in many ways but don't oversimplify the argument like that. The fact is with IDSL and Frame and ISDN running a routed network for communication and a good firewall and admin policy (and staff) you can have a secure environment (even on MS products) and totally private - the environment this guy is describing covers this and I suspect in most cases is already in place; as for offsite, I think stronger mail encryption for them and PPTP would be sufficient for limited exchange.

      This is one guy trying to make a name for himself and he's doing it by stating the obvious.
      • No, I have worked in corporate IS/IT and here's my experience:

        If there is a business need to someone with a leather chair, and a nice enough view...then it will happen. I had to install AOL countless times working in corporate environments (big fun since NT was also the standard and AOL doesn't play nice on NT). Why? Because I wanted to keep my job. "I'm sorry sir, but installing AOL would breach security" is a nice technically sound position, but you need to have someone with the letters "VP" in his title to back that up or the question is "why can't you make it work with AOL and be secure?"

        I just think it's impossible to prevent crossovers between GOVNET/Internet because users are going to balk at having two boxes on their desk. Someone, somewhere is going to present a business case for Internet access (how are the GOVNET techies supposed to download drivers unless everything is mirrored internally?) and once that happens I'm positive they won't be smart enough to have an air firewall between them. Multiply that risk by the number of agencies involved and I think the chance of someone making a mistake and leaving a window open are quite good.

        Which, again, brings me to my main point...will a separate network make GOVNET security weak? Will they be lazy? Or will they have a properly secured Internet-ready network AND have the separated network security layer to boot?

        - JoeShmoe
        • I just think it's impossible to prevent crossovers between GOVNET/Internet because users are going to balk at having two boxes on their desk. Someone, somewhere is going to present a business case for Internet access (how are the GOVNET techies supposed to download drivers unless everything is mirrored internally?)

          This is exactly how Intelink (the classified version of the internet) works, dude. It is secure, guess why, because it ain't connected to the internet. You don't get access to it unless you need to have it. Sure you can tap the cable somewhere or steal sensitive info from work and post it on Yahoo. But assuming you're a hacker not a traitor, good luck breaking in. I'm sure it's possible, though in the years I worked at NSA/DoD I never heard of someone hacking it.

          You want to use the internet from your desk? Tough. You sign up, get permission and walk to a room where unclassified internet exists. You want the latest device driver? You submit a request, it's downloaded a day or so later, virus scanned, logged in a file, and given to you on a floppy or internal ftp site. Last year I posted a lengthy article on Slashdot about pros and cons of working for the classified government. No net access was a big minus. Every Friday, someone was nice enough to import Linux Weekly News in its entirety and post it. That's how I got my Linux news at work. Note that NSA is working with VMware on a solution to provide internet access and classified access on the same desktop; not sure it will ever happen. Anyway, just some insight from someone who has been there and done that.

    • This is stupid. What about PPTP/VPN? Why can't they just make a virtual network that runs over the Internet like every other business is doing?
      Because every other business isn't doing that. Every other business is buying cheaper-than-Internet point-to-point bandwidth and getting service guarantees. The government at least recognizes that outsourcing isn't as good a deal as the PHBs say it is. T-1s have dropped precipitously lately.
      The infrastructure costs are minimal because you aren't running redundant wiring. It's just as secure, in fact, it's more secure because you are going to be extra paranoid about things like password schemes and encryption levels if it has to survive some public data transfer points.
      What does bandwidth from a "real" Internet provider at $1/bandwidth and $1/short-haul pipe buy you over direct lines at $1.50/long-haul pipe? Not latency, not reliability, not price, and certainly not administrative flexibility. Your comment about intentionally introducing holes into a network to impose discipline on its engineering is, frankly, an insult to those of us left who aren't into fucking around and like to go home at 5pm.
      To make an analogy, this guy is suggesting that every government office get a tin can and a string so that they can communicate securely because there's always the potential for someone to tap the phone lines.
      By your logic, the government shouldn't buy its own private PBX systems or use VoIP or lease trunk lines to other branch offices because, well, isn't the public switched telephone network already there? He's suggesting that they use existing technology to, among other things, build a government-wide internal phone system, which happens to be a sound money-saving idea. The government has just as much reason to do so as any other large corporation.

      Not that making information sharing quite so easy will be good for civil liberties or anything.

      -jhp

  • I don't know about you, but I would not want all government functions on my net. I think the Military probably said 'Thanks, but no thanks.'
  • by Nathaniel ( 2984 ) on Wednesday October 10, 2001 @07:19PM (#2413369)
    "So GOVNET would be for critically-important government agencies like the Department of Agriculture to communicate."


    Yeah, if the government isn't able to keep the flow of drugs coming into the country, society might fall apart.

    • Drugs and the USDA...

      I thought the DEA (Drug Enforcement Agency) was out of the DoJ (Department of Justice) and the FDA (Food and Drug Administration) was out of the DoHaHS (Department of Health and Human Services).

      http://www.fda.gov/ - Sure looks like it there, so I have no idea what you are getting at with the comment about drug flow.
  • It was called ARPAnet.

    Ok, so what's the big deal? My company has an intranet to keep the unwanted away from our sacred data. What's wrong with government doing this? How does this make them "above the people"?
  • What happens when some kid with a summer internship is working in some lab, brings his laptop in, uses it to do his job, and figures out he can use the modem to go grab some mp3s on the internet?

    More generally, wouldn't it almost instantly be linked up to the public internet due to people doing things like the above, heck, without even knowing what they did? What about people who DO know what they're doing and just don't care? Surely getting 100% of everyone using a private network to NOT link up to the net is impossible.

    Course, maybe it's more like putting a white fence up around your field of horsies. You can jump over it, it's just inconvenient and blocks the majority...
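
The crossover described in the comment above (a machine on the private network that also has a modem or other outside path) is something an administrator can audit for. The following is an added example, not part of the original thread: a Python sketch that flags such hosts in an interface inventory. The 10.64.0.0/10 prefix, the host names and the inventory format are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: address space reserved for the isolated network (hypothetical).
ISOLATED_NET = ipaddress.ip_network("10.64.0.0/10")
# Interface kinds that can open an outside path even while they are idle.
DIALOUT_KINDS = {"modem", "wireless"}
SEVERITY_ORDER = {"bridge": 0, "dual-homed": 1, "latent": 2}

# Constructed sample inventory, shaped like what an endpoint agent might report.
INVENTORY = [
    {"host": "usda-ws-014", "ip_forwarding": False, "interfaces": [
        {"name": "eth0", "kind": "ethernet", "addr": "10.64.12.14"}]},
    {"host": "lab-laptop-7", "ip_forwarding": False, "interfaces": [
        {"name": "eth0", "kind": "ethernet", "addr": "10.70.3.9"},
        {"name": "ppp0", "kind": "modem", "addr": "198.51.100.23"}]},
    {"host": "rrb-gw-2", "ip_forwarding": True, "interfaces": [
        {"name": "eth0", "kind": "ethernet", "addr": "10.65.0.1"},
        {"name": "eth1", "kind": "ethernet", "addr": "203.0.113.5"}]},
    {"host": "kiosk-3", "ip_forwarding": False, "interfaces": [
        {"name": "eth0", "kind": "ethernet", "addr": "192.0.2.40"}]},
    {"host": "doi-ws-22", "ip_forwarding": False, "interfaces": [
        {"name": "eth0", "kind": "ethernet", "addr": "10.66.1.22"},
        {"name": "ppp0", "kind": "modem", "addr": ""}]},
    {"host": "fs-ws-5", "ip_forwarding": False, "interfaces": [
        {"name": "eth0", "kind": "ethernet", "addr": "10.67.8.5"},
        {"name": "eth1", "kind": "ethernet", "addr": "169.254.10.2"}]},
]


def _routable(addr):
    """Parse addr; return None if empty, loopback, link-local or unspecified."""
    if not addr:
        return None
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback or ip.is_link_local or ip.is_unspecified:
        return None
    return ip


def classify(record):
    """Return (severity, interface names) for a crossover host, else None.

    bridge     - on the isolated net, has an outside address, forwards packets
    dual-homed - on the isolated net and has an outside address
    latent     - on the isolated net with an idle modem or wireless interface
    """
    inside, outside, idle = [], [], []
    for iface in record["interfaces"]:
        ip = _routable(iface.get("addr"))
        if ip is None:
            # No usable address: only interesting if it could dial out later.
            if iface.get("kind") in DIALOUT_KINDS:
                idle.append(iface["name"])
            continue
        (inside if ip in ISOLATED_NET else outside).append(iface["name"])
    if not inside:
        return None  # not on the isolated network, so it cannot bridge it
    if outside:
        severity = "bridge" if record.get("ip_forwarding") else "dual-homed"
        return severity, outside
    if idle:
        return "latent", idle
    return None


def audit(inventory):
    """Classify every host and return findings, most severe first."""
    findings = []
    for record in inventory:
        result = classify(record)
        if result:
            severity, via = result
            findings.append(
                {"host": record["host"], "severity": severity, "via": via})
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["host"]))
    return findings


if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print(f'{finding["severity"]:<11}{finding["host"]:<14}'
              f'via {", ".join(finding["via"])}')
```

The "latent" class covers the intern's laptop before the modem is dialed: nothing is bridged yet, but the hardware to do so is attached to a machine on the isolated network.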

  • Well, I can't say it would be "secure," but certainly it would be "more secure." Come on, anybody who has read the RFCs for IP KNOWS that eavesdropping wasn't at the top of the list of concerns when the protocol was written.

    Besides, the government has been using private networks for quite a while, this is just yet another private network. I don't think that I'd even want to run a business without SOME privacy.
    • Well you can't eavesdrop if you have no way of listening in to the wire. As costly as it may be, the most secure method is, in the words of the Offspring, 'You Got to Keep them Separated'. Lay a separate GOVNET pipe to all installations. The only way to access is to get in the installation.

      No Modems, No Firewalls, No Connections to the Internet... Definitely all nude ... I mean all 'GOVNET'
  • by Anonymous Coward
    Working for the military, I know that the US's classified network is shared w/ second parties (Britain, Australia, New Zealand, Canada) and is physically separate from the internet. The only way we import stuff off the internet onto our network is copy it to a CD using an unclassified system, viral scan it and other measures, and place in a classified machine.

    All 5 countries have access to it, but classified stuff still has to be encrypted for transmissions. And we don't use commercial stuff for that, each country uses their own stuff.

    The interconnection of the 5 countries allows us to share data as we see necessary.

    This separation from the internet keeps the classified network safe from things like Code Red or any other viruses and worms.
  • I'm all in favor of the civilian government (even the all important USDA) and the military having separate networks. In the ideal world, this would be fine. The civilian governmental agencies could use the same network without problems and without interference.

    Needless to say, this is not an ideal world. Do you think Billy Bob the Forest Ranger and Gordon the Beef Inspector (to use USDA examples) are going to do his part to keep the same network secure that James the Spy or Steve the Strategic Planner use? As the ./ readership knows, your average public worker/9-5er doesn't know enough and hasn't been trained enough to do his/her part in network security (i.e. not writing password on sticky note posted on monitor with phrase "Network Password Don't forget!!!")

    Moreover, the separation of civilian powers and military powers is an important American ideal. If some civilian agency (the GSA maybe?) is investigating the military, you usually don't want them seeing or interfering with your communications. That can't happen when your network admin takes military orders, and will knowingly break the law under orders. A civilian government employee, on the other hand, can legally refuse to break the law without retribution by the employer.

    So, all in all, it's probably a good idea to keep the networks separate.
  • or something similar, which used the same protocols as TCP/IP, but over private lines which encrypted the data at the hardware level. Anyone have more info?
  • by dillon_rinker ( 17944 ) on Wednesday October 10, 2001 @07:23PM (#2413387) Homepage
    Whatever happened to government not being above the people?

    Nice troll. I suppose you think that the government should allow us all into their LANs - firewalls separate the people from the government. And they shouldn't use private WAN links - they should transmit all their packets on public internet (and no VPNs!). Nor should they use encryption - that's just another barrier between the people and the information.

    Come on, we're not talking about hiding stuff that's not already (theoretically) hidden. We're talking about basic security. I'd be shot if I seriously proposed to my employer any of those tongue-in-cheek items in my first paragraph - and we're a private firm. You don't let just anybody look at your business. "But we're the people," you cry. "We have a right!" So you do. Consider the privacy implications of unsecured governmental communications. The feds have HUGE amounts of information about the citizenry, and I think that info should be secured from the likes of J. Random Cracker. Whether or not the government should have all that info is a question for another day, but surely they should secure what they have.

    If you want to know what the government knows, use FOIA. Consider it a public interface; don't worry about the implementation details. Use your vote to eliminate bad implementors. Encourage investigative journalism. Demand accountability in recordkeeping - make Ollie North a traitor. But for heaven's sake, don't be so pigheaded as to think that we should take phones out of government offices because bureaucrats use them to have point-to-point, uneavesdropped conversations.

    P.S. I'll bet some proactive GS IT types are using current events to finally get some long-needed network security into place.
  • This is what most large companies do, buy a bunch of leased lines and run an ATM backbone (or other technology) over it to provide an internal WAN capability...
    Why not do it over the internet in general ??? Well this way you have guaranteed bandwidth characteristics, as much data hiding as you want, and each office does not have to expose itself to the internet in general
  • I just hope they don't adopt microsoft outlook as their official e-mail client
  • by ShannonClark ( 18497 ) on Wednesday October 10, 2001 @07:29PM (#2413407) Homepage Journal
    As is often the case this sounds like people who only know a bit about the technology and options making very expensive suggestions.

    A few alternatives to consider:

    The government expanding the network already in place for the "Internet 2" initiative (high bandwidth application testing) which currently exists between a network of universities, is already in place, and already has the fiber allocated and lit.

    The government buying (or leasing in some form) some of the thousands of miles of dark fiber strung recently in the massive network infrastructure buildout.

    Then, a second more practical and important suggestion. The government's goals are to ensure secure communication, ensure access to critical government data (not so much websites but FBI photo files, satellite imagery, even census data), and ensure critical command infrastructures.

    Look at how non-government agencies accomplish very similar tasks - Banks use a web of network providers (usually at least two, often three) providing basic network connectivity to data centers; they often layer this with dedicated encryption (so that any traffic across public switched networks is encrypted); sometimes there are networks within networks (VPN tunnels etc); and there is extensive (and expensive) redundancy of all systems (and usually key people).

    This redundancy would be rather expensive and difficult for most government agencies - but it is likely required. This includes physical as well as technical redundancy (i.e. serious data centers have power from multiple power grids entering the building at multiple locations; similarly they have data leaving the data center in multiple ways).

    Now the good news - the government could probably pick up seriously redundant data centers, servers, networking equipment, fiber (dark or lit but already in the ground) for a very reduced price with the recent consolidation and collapse of hosting providers and network equipment vendors.

    Rather than using this to build an entirely separate network - if the government took the appropriate steps to secure and protect the system it could overlay the existing Internet without much difficulty.

    (I would recommend of course that the government look at using the appropriate equipment for this job - i.e. secure and reliable OS's running on physically secured machines)

    Hope someone reads this and expands on my suggestions.

    - some disclosures - I do not currently work for the government - my company is a software and consulting firm that may in the future do business with the government.
  • This could actually be a good thing - if done right, the result will be a centrally managed network service delivery point for the Gov't. The end result could actually be cheaper than the current combined costs of running separately managed NOCs for each gov't organization.
    1. Create a new organization - a gov't NOC.
    2. Remove existing internet connections for gov't agencies.
    3. Add new connection from gov't agency to the new NOC.
    4. New organization maintains connection(s) to the Internet cloud from their NOC.

    Allows:
    • Connections to be used for voice, data, VTC, etc., between gov't agencies.
    • Single connection to the Internet to be highly-controlled, throttled or shut down in times of crisis.
    • Fewer highly trained (and highly paid) 3rd tier network support personnel.
    • Single point of administrative control of networks allowing standardization of infrastructure through policy.

    This is basically the way the military handles things, and it works fairly well. The largest issue is that the military had much of this infrastructure in place prior to the huge growth of computer networks, so much of the infrastructure isn't as integrated as it should be. I'd love to be able to design a system like that from the ground up. Can you say Voice-over-IP in all US government agencies?

    Good things, indeed.

    JJ
    disclaimer: I run networks for the military...
  • I don't know if "critically-important government agencies like the Department of Agriculture" was meant to sound sarcastic, but I don't seem to be the only one who read it that way, judging from a couple of comments here. I'd just like to point out that the Ag Dept does an awful lot of good. Aside from various [usda.gov] projects [usda.gov] that [usda.gov] help [usda.gov] keep [usda.gov] rural [usda.gov] America [usda.gov] afloat [usda.gov], the Agriculture Department also runs the Forest Service [fs.fed.us], protects open space [usda.gov], keeps ag-related disease out of this country [usda.gov], provides low-cost foods for school lunches [usda.gov], and does all sorts of other nifty behind-the-scenes market-oriented stuff to help ensure that when you go to the store, the stuff you need is always there. And affordable. If the Ag Dept vanished, you'd notice.
  • Well, there are (at least) 2 ways to ensure secure government Internet-style services (web, e-mail, etc.)

    1. Invest in secure, robust communications protocols, and usually well-proven open-source software packages like qmail, apache, and its kin, along with the usual stuff. In other words, continue doing things the way they have been done, with mostly high success, and improving, as time goes by.

    2. Spend billions upon billions of dollars to replicate the Internet, whose supposed network-wide security could be compromised by tapping into a LAN at a Dept. of Agriculture office or whatever.

    Of course, many Internet protocols are wildly insecure, due to the academic roots of the 'Net when security wasn't an issue. However, we have https, ssh, all that good stuff now.

    I demand you show me more than a handful of properly administered (Yes, MS software could possibly be a part of that) government computer networks that have been compromised like this guy fears. Unix-based servers with good IT people backing them up are pretty goddamned solid. DDOS attacks are probably the only threat which could be helped by building DARPANET-2. What a dumbass!

  • The government wants the network up and running six months after a contractor is picked

    Is this the same government I'm familiar with? 6 years, maybe. Cripes, I wait in line at the DMV longer than 6 months, let alone roll out a new security infrastructure.
  • I hope they don't think about making parts of this GOVNET wireless, the day they do that they're hacked for sure. And anyway, I don't think it will work with such a large network without any loopholes in it (with or without the wireless feature).
    Think about it for a while, how many work for the government in the US today? And if just one of those is lazy/stupid/corrupt or anything else, they will have a LARGE enough loophole to be hacked to hell. And how should they check if no one lazy/stupid/corrupt worker by mistake/laziness/stupidity/intention just happens to connect his PC to the other world? And how should they do with more practical things, like there may be some chance that some of the workers would like to get emails for instance from people not on GOVNET, or maybe they must use the ordinary net in work. Should they use two physically separated PCs in their work?

    Alright, I say OK to the fact that it works in the network used by the U.S. military. But that's a big difference, they have more discipline, are fewer and are more easily controlled (compared to the Department of Agriculture for instance ;-). And finally I think the reason that the Feds can't piggy-back on the U.S. Military network is just because they will screw it up.
  • ICANN, VeriSign, that whole lot? Pretty please?
  • by jeffy124 ( 453342 ) on Wednesday October 10, 2001 @08:36PM (#2413577) Homepage Journal
    'piggy backing' (as michael put it) won't work for many reasons. I'll explain one major reason:

    A person's security clearance. There are multiple levels: Secret and Top Secret are the two most common for military and intelligence uses (there are other levels of classification, but I'm singling out these two for simplicity's sake). Hence, the mil and IC share TWO separated networks, a Secret and a Top Secret (both separate from each other and separate from the Internet). People with a S clearance cannot access the TS network. But people who are TS cleared can access the S network if their job deems it necessary.

    Now for the rest of the government. Many agencies don't require a security clearance at all (ok, they do require criminal bkgd checks, but that's about it). Question to ask is do you really want uncleared people accessing a network made for classified data?

    What I think is being proposed here is a third network that's an Unclassified standalone network (standalone meaning separated from the Internet). This will allow agencies like USDA or Agriculture and state/local gov'ts to be separate from the Internet so that they become more immune to attacks and viruses.

    The only issue here is when these people need to access the internet for real. Currently in the military, that means a few internet workstations shared by 30-50 people and each person having a classified box at their cube. If the job deems it necessary, people can have both at their desk. The problem here is an increasing number of computers.

    IIRC, DARPA (or one of their contracts) is developing something that can allow a machine access to multiple networks simultaneously, yet keep everything separate. Whenever that gets done, that'll save money on buying physical workstations.

    (Note: S and TS are shorthand for Secret and Top Secret)
  • You're speaking of Intelink. If I recall correctly, everything on Intelink is classified at one level or another. Government documents (a memo to your boss) are not classified. If you put everyone on Intelink, you're going to have to give everyone in the government security clearances (which costs money and time) and you have to classify all your documents. Bad idea. You are effectively making all government operations classified. Again bad idea. It's blatantly obvious the government can't secure their systems (hell, they lose laptops left and right), so this is probably the only way to fence them off from hackers.
  • I'll take it the way most government networks are connected now are via VPN or just plain old TCP/IP into the wild, wild, net. This is either a problem, or actually helpful the way I look at it. The infrastructure for the existing network can bounce around the net if X Router is disabled or Y backbone is cut. There is massive redundancy.

    By putting all government computers on one easily identifiable network, aren't you just making a bigger, easier target? Doesn't this just paint a big huge bullseye on the government network infrastructure? You would need a very, very large distributed network to achieve the levels of backup redundancy current internet routing provides.

    On the other hand, segmenting the network off from the internet as a whole eliminates (most) of the electronic attacks. If you have a separate network tightly controlled by physical security this could definitely work. For this to work I think you would need some heavily guarded data centers distributed liberally throughout the country.

    Comments anyone?
  • 2001: Privacy advocates scream Big Brother up to no good and bemoan loss of civil liberties. GOVNET building commences.

    2002: Microsoft proposes "GOV.NET". U.S. Government is impressed with plan to hand control of U.S. Government Information Technology Infrastructure over to private company in return for promises that Microsoft Operating Systems on existing Infrastructure will function more reliably.

    2003: GOVNET protocol figured out by shadowy hacker or group of hackers known as DarthBilbo and disseminated in Spam Usenet posts: 14 year old turns Department of Interior server into Gnutella node, 22 year old uses California Homeland Defense Office server to stash 100 gigs of porn and pirate music. Chinese hackers splash "F*** Poisonbox" on homepage of over 100 government servers.

    2004: FARC and IRA Terrorist sympathizers, despondent at the decimation of their ranks in the past 3 years by U.S. Anti-Terror activity, launch crippling DoS attacks with Code Red, White, and Blue worm. Unpatched versions of IIS9 installed on 98% of GOVNET Servers. Entire GOVNET shut down. Worm works via social engineering exploit whereby all GOV.NET Server Admins get email saying: "Hi! How are you? I send you this file in order to have your advice. See you later. Thanks". IIS9 patch would have prevented this exploit by denying the Admins access to Server rooms by revoking the revolving monthly license for their Microsoft Passport service on their National Identification Cards. Nation awaits crippling of U.S. Infrastructure and mass confusion.
    Nothing happens. An office worker in a State Department office building is quoted on the evening news as saying "Those GOVNET boxes? They never worked anyway. We just use them to play Solitaire and FreeCell. We all use our personal AOL email accounts and chat rooms to conduct important government business."

    2005: President Rudolph Giuliani announces plans for GOVNET2. Based on earlier work on the RFC 1149 implementation [linux.no]. Privacy advocates scream Big Brother up to no good and bemoan loss of civil liberties. Building commences.
  • OK so the Gov't is going to implement a "secure NW"

    OK so the Gov't already has some "secure NWs"

    OK so the Gov't is "wasting" money

    Why is any of this news? The US gov't does this sort of thing all the time.

    The US gov't gave the Airline industry 17 BILLION dollars. This is a group of people who couldn't move all the people who wanted to be moved AND still lost money! We're feeding a country we're bombing.

    I say, "Let'em have their secure network," more jobs for me!
  • I work for a federal agency [dol.gov] on a contract basis and I have some doubts about the feasibility of doing this stuff. As an example, there are about a dozen sub agencies in this single agency and each of them implement their own firewalls. The building itself is segmented off and there is a lack of uniform networking principles. In the end it doesn't hamper security that much, but it is *very* hard to consolidate the efforts into a single network ideology.

    Why? For starters, it is a political thing. One group likes NT, another Sun and another HP. There are vested skills and talents for managing the network for each sub agency. It may not look pretty on paper, but does anyone think you can really turn that sort of establishment on its head and impose a single network policy on the whole Government, let alone one agency?

    A fresh start would in some ways be nice, and the terrorism as of late may be a strong impetus to get this off the ground, but I have some doubts about how productive it will be.
  • A separate and private internet for the government is an excellent idea. Despite the fact that many Americans feel that the government should have nothing to hide from its citizens, there are often details of life that necessarily must be kept from citizens in order to keep things ... smooth. National security is a very touchy subject, and conspiracy theorists may swear that GOVNet is just another weapon of the "Leviathan" government of ours to make itself stronger or better. I might agree that our government is too large and too strong in too many ways, but I think we can agree that a secure information network is a necessity.
  • This is a great move. Essentially, they want to create a large, secure, reliable, high-bandwidth infranet. That's a huge task. It will mean huge contracts, lots of money, and many jobs for networking companies that have recently hit hard times.

    Will the network actually be more secure? Maybe, maybe not. If it isn't...so what? Just the act of trying circulates money.

    • Circulates my money to government contractors' pockets.

      Money I could have spent stimulating the REAL economy, not one propped up by government.
  • irresponsible (Score:2, Interesting)

    by martinflack ( 107386 )
    I consider this an utterly irresponsible attitude for the government and I hope this is not implemented. To wash your hands of it and declare the Internet insecure and not fit for government transfers leaves millions of corporations - who in America provide the national infrastructure to a far greater extent than the government - who need security and reliability online out to dry.

    We need a government who is going to say the opposite, that they will spearhead crypto & security research, put pressure on Microsoft and other weak security companies, and lead the way to making the Internet as secure, redundant, and failsafe as possible. *That* would be a service to the nation. Govnet is not.

  • This proposal will go away as soon as the Congressmen and the Judges (Who obviously have something to hide and seem to feel that they're exempt from the rules they feel the rest of us have to live by) figure out that they will no longer be able to browse their live goat porn in the privacy of their own offices.

    Code red took IBM's internal network down for about a week. You don't think that this network won't go down as soon as your favorite senator and mine dials out to the internet proper so they can spank it to the scenes of nubile young goats? It'll never fly...

  • And on a related story, they plan to add a new Top Level Domain just for the GOVNET. Although there is no official word, sources claim the new TLD will be ".FU".
  • by Pollux ( 102520 ) <speter AT tedata DOT net DOT eg> on Thursday October 11, 2001 @12:13AM (#2414090) Journal
    That's like saying there's a wire that's not bendable.

    Okay, let's figure this thing out. Government wants to separate themselves completely from the WWW. This means that they need to lay their own network of wires.

    Let's figure out this deductively:

    Step #1: Wireless: If they are dumb enough to use satellite communication for networking, all it would take is someone to go driving along in their van with a good enough receiver who knows where a receiver would be along the network, park their van close by, and tap into the mainframe with a large enough receiver. Honestly, there's no way you can completely guard an entire "wireless airspace." If they use hard cable...

    Step #2: Cable: My assumption would be that they'd lay cable instead. Alright, no problem. Play the game by the network's rules (just like phreakers did back in the 70s and 80s)...find a line and tap into it. Again, all it would take is for someone to figure out that one of those cables is the GOVNET cable (or someone obtain a map of the GOVNET network...even if it's classified, I'm sure one would leak out eventually). Even if it's out in the middle of the Utah desert, all someone would need is a shack and an electric pole running nearby the cable and he could easily break into the data stream.

    Of course, I'm sure that GOVNET would also be using some style of encryption (hopefully...I want to assume that they would hire technicians that are THAT ignorant, but they do pay $1000 for a toilet seat, so who knows what bozos they'll hire). But even so, the point is that once you have some way of tapping into the line itself, you could broadcast it however you like to the surrounding region with a wireless transceiver (heck, go for 802.11b ... give us all a chance).

    I probably don't have all my wireless networking tools correct, but the point I'm trying to make still stands out: any network can be physically broken into, since it cannot all be guarded throughout the US. And after it's physically compromised, it's just a matter of time before we see Bush on GOVNET VidConference Viewer v1.0!

  • Nothing New (Score:4, Informative)

    by nathanm ( 12287 ) <nathanm&engineer,com> on Thursday October 11, 2001 @02:11AM (#2414261)
    The US gov't already has worldwide networks that aren't connected at all to the internet, at least in DOD.

    In the US Air Force, they refer to the internet as NIPRNET (Non-secure IP Router Network). Only unclassified info is sent across it, and sensitive unclassified or privacy act info is restricted to .mil or .gov users only.

    The other network is called SIPRNET (Secret IP Router Network). On military installations its conduit is encased in concrete, junction boxes are alarmed, & cable drops are only in secure areas. Off the installations it's encrypted. I imagine the encryption is pretty strong since NSA designs the algorithms.

    For more info check out these AF regulations:

    AFI 33-202: Computer Security [af.mil]

    AFMAN 33-221: Computer Security: Protected Distribution Systems (PDS) [af.mil]

  • What's the bets Microsoft are contracted for the new network's systems, swallowing millions of taxpayer dollars, and probably running the whole thing on MSTCP or NetBEUI... - and, in the normal Microsoft fashion leaving the entire thing wide open to their friends the scientologists...

  • by mosch ( 204 ) on Thursday October 11, 2001 @07:36AM (#2414659) Homepage
    Since when is the concept of a private network a BAD thing? Sure it costs a little money, but the government HAS a little money, and it'll create jobs of the geek variety.

    Also it's well known that gov't computer security is fairly pathetic, this would be a nice first step towards remedying that problem. Just have separate networks with an airgap between this network and the internet, and the gov't would be shielded from any number of plausible attacks.

    After all, if you show me a Network Admin who can't hack a .gov/.mil site, I'll show you an incompetent Network Admin.
