Ethernet Wiring Through Hostile Territory? 65
GoogleDidntFindIt asks: "I need to connect a terminal to a server which contains very sensitive information. Unfortunately, the terminal is about 200 feet away from the server. The server (which even includes a 'self destruct' device) and terminal are both in highly secure areas of the building, but the wiring will be in uncontrolled areas. What should I do to keep people from tapping or monitoring the wire?" Is there any way a conduit can be wired with an alarm which goes off when it's integrity has been violated?
"Heres a basic description of my situation:
- A new wire/fiber/cable/whatever will be run and I can use any sort of conduit I want.
- A potential attacker may have several days of undetected access to parts of the wire/conduit and may have sophisticated fiber-optic tapping equipment (which can tap a fiber without cutting it).
- I can physically inspect the conduit/cable/wire once a month.
- Ideally, the system would also notify me of a majority of successful attacks (or, even better, disconnect the line).
Conduit under pressure. (Score:3, Informative)
A waterhose with a waterprrof glassfibre should do the trick.
Re:Conduit under pressure. (Score:5, Funny)
Oh, Conduit. I have nothing to say about that.
ROFLMAO! (Score:2)
Re:Conduit under pressure. (Score:1)
Fibre + steel + pressure + ... (Score:3, Informative)
Re:Fibre + steel + pressure + ... (Score:2)
His potential attackers have devices that can tap a fiber optic cable without breaking it.
A far more sensible approach would be to rig up a jacket around a fiber optic cable that would block the tapping devices. Run some signal through the jacket that will cease if somebody tries to peel it off.
Pressurizing steel pipes requires too many manhours to install and is too impractical.
Re:Fibre + steel + pressure + ... (Score:1)
how much fun is that? now if you can get one of those 10,000 volt lines down to the server room... then I think you'd have something!
t1 equipment (Score:2, Interesting)
do you care about someone pumping a few amps down the wire and trying to burn out the IO pins on your super-duper computer? in that case it would be prudent to pick up your soldering iron and build a serial relay with electro-optical interconnects.
your best bet may be to just go wireless, run IPSEC and keep lots of random traffic in the background. at least it would take more smarts to create an EM pulse strong enough to attack the electronics.
Re:t1 equipment (Score:1)
I had a friend who worked for Wachovia MIS, and he said thats what they did, IPSec on Cisco Routers.
Spend the money, or give up (Score:3, Insightful)
"I have a budget of $0.39, and I would like the same amount of security major banks, intelligence organisations, and the military use. I'll ask
If you truly have information so valuable that someone could gain information just on traffic analysis, you need to hire real professionals. Not some ex-cracker wannabe with a nose-ring and tattoo collection, but ex-DIA soldiers who have already made a career of physical security.
You either spend the money, or tell the powers-that-be to kill the idea of placing a remote terminal in an unsecured location. If the information is that valuable, those who need access to it can cross the street. If they are too lazy to cross the street for your information, then the information isn't valuable enough to keep secure.
Pressurised conduit requires separate monitoring facilities at both ends, inside the secure areas. That means physical access for inspections and maintenance on a regular basis, not just once a month. And if you can't run a customised IPSec implementation with a constant level of traffic, you don't have the budget to do this project correctly. Kill yourself now
the AC
Re:Spend the money, or give up (Score:1)
I dis-agree, the post speaks of self-destruct on the server and being able to run in pretty much any conduit possible. This doesn't sound like a low budget situation to me.
The post also is after physical security, not encryption, It sounds like he/she is trying to protect against some seriously determined people, who probably have lots of resources. If you can hack the connection and just sniff a copy of all the traffic, and happen to have a super-computer lying around, then you can probably decrypt the data eventually. Maybe that isn't aceptable.
As for hiring professionals, maybe he/she is going to get professionals in but wants some background suggestions so they don't get taken for a ride.
Expensive Specs (Score:5, Insightful)
Okay, my $0.02 will likely cost you a large amount of money; but hey... if the data's so important to require self-destruct devices then I can understand that money isn't the biggest concern. Perhaps some of my ideas will prove useful.
Some of the previous articles mention using vacuum or pressure. This isn't a bad idea; though it could potentially be defeated by extremely carefully poking a small hole (about 5 microns in diameter) and then getting a pressure monitor on there. It may take hours for the gauge to read anything of use; but supposedly attackers may have that long. The hole itself would just look like a very small leak on 200 foot of pipe--and so you would believe that it's not an attacker.
Instead, you really should use a multi-layered configuration. Start with a fiber--they are a pain to tap without splicing; and I'll assume you could monitor each end and check for signal degradation that would be indicative of a splice. Then, the fiber should be insulated already, so jacket it in copper or aluminum sheeting (like grounded CAT5) with insulation on top of that. To top off the internal layer, send this "wire" down the smallest metal tube you can; with Great Stuff or other spray-in insulator filling the gap. Note that the fiber et al should be running nearly down the center of this conduit.
That's the first layer. Outside of that, fit the conduit inside another one (again, metal)--this one should be have a good vacuum on it. 10e-3 torr is easy to reach with a roughing pump, so you shouldn't have any trouble getting there. And then one more pipe outside of that. The final pipe should have a high pressure on it, 75 or 100 psi can be reached by a common air compressor. So this gives a total of three metal conduits to go through before reaching the fiber. Obviously, monitor the pressure from both ends--and those numbers should match up (with some error).
Yes, I realize this seems like over-kill. But, with this set up you can do some really cool things to check for intrusion. First, one can put different voltages across each of the 4 metal layers (fiber jacket included). If any of those are the same, you've got an attacker. You also can connect two layers on one end and gauge the resistance from the other. If this number doesn't match what it was yesterday, then there is an attacker. My personal favorite, though, is checking the capacitance between the different layers. If someone somehow figures out how to cut through the pressure and vacuum jacketting, the resistance test might be able to catch it. If you check the capacitance, there's almost no way they can not be detected. If this were me, I would configure both sides to randomly check different combinations from my list.
Finally, you likely will have a few seconds from when an attacker is detected and when he/she could be possibly be listening. This means that you can fully trust the computer on the other end even just after an intruder detection. Use this time for "Oh my God! Cut the line! Shut up and don't talk again!!!" as well as any other last-second transactions you need.
Re:Expensive Specs (Score:2)
decoy (Score:1)
The Problem with Pressured Conduit (Score:1, Interesting)
Drilling tiny holes is easy to do, and it can be done under pressure, or under vacuums. The high pressure problems are regularly dealt with when they splice trans-oceanic cables. (These are much bigger, I know.)
Fiber is hard to splice, but it's not hard to knick just enough to bleed some signal off of, so fiber may not be good. However, it's better than copper, since someone with Van Eck equipment might be able to read the signal without actually opening the conduit.
I'd recommend making it look like something other than conduit, or hiding it inside of other pipes, like sewer pipes or steam pipes (those pipes need not be active). You might even consider using the glass waste pipe that they use for chemistry waste, as this is harder and more fragile to deal with than metal conduit. It also allows for visual inspection. The alternative is to place the conduit in a secured location, or at least in a blatantly public location (like in the middle of the ceiling in the middle of the most used hallway) so that tampering efforts are quickly noticed. Don't rule out motion/vibration sensors (including motion in the area of the conduit). If you're going to use a vacuum, there are real-time smoke sniffers I've seen that constantly pull air through pipes and sniff it for smoke (the server room here has several). One of these could probably be adapted that notices smell changes, such as adhesives or hot metal from cutting. One of those companies that are working on bomb/drug sniffers for the Feds and airports might have something.
The real problem with asking us is that the people who know may be under federal rules not to say anything.
I think your simplest solution is to make a 200' dog kennel, put the wire in there, and let a couple of mean dogs loose to guard it.
Snakes (Score:2, Insightful)
Forget the dog kennel.. just deploy a legion of snakes in the conduit. Make sure they're poisonous snakes BTW. Either that, or rabid weasels or ferrets.
Re:The Problem with Pressured Conduit (Score:1)
Re:The Problem with Pressured Conduit (Score:1)
though the water you can run a current through to test the integrity....
Idea! (Score:2, Interesting)
How do we know that he's the good guy here? (Score:4, Interesting)
Too complicated... think KISS (Score:2, Interesting)
If your worried about someone with government level resources cracking the data and the amount of data trafficing the pipe is not huge your best bet is a pad cypher (generally considered to be unbreakable). Generate completely random data (atmospheric noise is a good source), burn it to two CDROMs. Encrypt and decrypt the stream of data on each end. You can use a small embedded PC on each end if the data stream is non-standard. Never reuse the same stream of random data.
Re:Too complicated... think KISS (Score:1)
It is a good idea, but you would first need a way of recording the noise, and building an encryption program that allows the data to be integrated with the noise. Would take time to decrypt, secure as hell, but would take along time to implicate
physical security links? (Score:1)
Does anyone have any good links about physical security? ANd any info on programs to genereate traffic when a line is dead?
Re:physical security links? (Score:1)
IIS is a great app for generating traffic.
Re:physical security links? (Score:1)
Addition (Score:4, Insightful)
I notice most of them recommend running fiber through some sort of pressurized, protected conduit, with various tamper notification schemes. Great; do all that. But instead of just running your single fiber strand, run a lot of them. If you feel extra devious, rig up something to pump garbage signal through them, signal which will look not unlike the encrypted traffic I assume you'll be using on the real line.
Stuff enough of them in there, and make the bogus signal convincing enough, and it will easily take your attacker longer than your one-month inspection period to breach the conduit, defeat the anti-tamper, and identify the correct strand, let alone get anything useful off it.
Re:Addition (Score:2, Interesting)
Like having a $50,000 safe in you house, then burrying the Krugernads in the backyard; the theievs waste time on the (empty) safe.
Re:Addition (Score:2)
Re:Addition (Score:2)
This may be sneaky. But it isn't any real security. Decoy systems may be okay. But the real system needs to also be secure.
I had a box (Score:3, Funny)
Why not ipsec? (Score:3, Interesting)
Re:Why not ipsec? (Score:1)
Re:Why not ipsec? (Score:2)
Because often the simple fact that communication is occuring at particular times with particular characteristics is revealing.
That can be defeated by well planned random junk messages. If the junk volume/frequency is random and widely variable enough, it may completely defeat traffic analysis.
Re:Why not ipsec? (Score:2)
duh. easy. (Score:4, Interesting)
Try this :
put a bunch of fibre optic strands into a steel pipe (large). make sure the fibre is all loose strands of single mode fibre (glass) and not encased in a protective coating. then fill the pipe completely with concrete and let it dry. attach the fibre to the terminal and the server and run something to monitor the connection 24/7. if the bad guys blowtorch thru the steel pipe they need to use a hammer to get thru the concrete. cracking the concrete cracks the fibre along with it destroying your connection (even if it is temporary and they rig something up to restore the connection your software monitoring the connection can sound the alarm). since single mode fibre is essentially very thin glass strands you will loose a few strands while pouring the concrete but at least one will work. you can use the one that works.
its messy but reliable. epoxy and other nasty stuff in layers with the concrete is also useful.
Re:duh. easy. (Score:3, Interesting)
put 3 strands down the middle of the conduit.. and a bunch all around at a small radius from it. Fill with asphalt.
run stead signals through the outside strands... if an outside strand stops working...then check for intrusion.
for added protection... put some temperature sensors in (actually... checking the resistance of the outside conduit (assuming its made of metal) may work for that)) the conduit. (to detect anyone tryin gto melt out the asphalt)
oh yea...and spray paint all the fiber black, so it blends in with the asphalt.
I would then use crypto in addition to that...but thats just me.
-Steve
Re:duh. easy. (Score:1)
The place I used to work for wrote a custom bench ORTD program for Alcatel, so we had a bunch of single mode color coded fiber laying around.
Re:duh. easy. (Score:1)
Of course if you ever experienced a heavy explosion or earthquake, the strands may break and you would be sol until it could be replaced.
Stenography + Encryption + Physical Security (Score:1)
Of course every single one of these methods can be broken, but together it is near impossilbe.
Re:Stenography + Encryption + Physical Security (Score:2, Funny)
n.
A keyboard machine for reproducing letters in a shorthand system.
A character in shorthand.
"You keep using that word. I do not think it means what you think it means."
Data Security (Score:1)
Slightly misleading subject (Score:2)
Re:Slightly misleading subject (Score:1)
The best security is going to be a VP or other interested party, with very tangible reasons for maintaining the integrity of your systems. Sick 'em on the contractors whenever work is being done near your secure line. Encase the line in concrete, asphalt, or some highly volatile chemical capable of melting the line whenever something contacts it, and then don't worry about all those extra lines, junk data, etc. Just make sure you have someone you trust, and knows technically what's going on, to oversee any projects that happen along that 200ft span of wire.
Use Quantum Mechanics! (Score:2)
If you could somehow transmit the information quantum mechanically, as soon as some one intercepted the message, it would change state and you would know.
for more info check out www.qubit.org.
of couse this is all theoretical, since no hardware like this exists commercially yet. There are some researchers doing some basic research into this area, though, so maybe banks and other high security institutuions will be using this in ~10 years.
the other suggestions about fiber in a steel pipe along with a pressure differential as well as some capacitance measurement seem to be pretty good suggestions for data line integrety, though.
To avoid traffic analysis, use 100% bandwidth (Score:2)
For added annoyance value, use random data instead of zeros.
You'll still want to armor the cable, put in a bunch of dummy fibers and many of the other things that were suggested.
Re:To avoid traffic analysis, use 100% bandwidth (Score:2, Informative)
It seems to me that you want to wrap your end-to-end encrypted tcp traffic (ipsec) with a synchronous link encryped protocol that sends garbage when it's not sending data. These sorts of link encryption devices exist (at least they used to). I imagine that modern versions exist that use AES, twofish, serpent, or RC6 instead of DES. (I've heard good arguments for each of these AES finalists. If you have the choice, you won't get blaimed for agreeing with NIST.)
In any case, you really need to use ipsec in addition to your link encryption layer. Adding physical security may be a good idea as well, but traffic analysis-resistant link encryption has been arround for decades.
If in the unforseable event that you can't find a supplier for link encryption, it sound like you may have the budget to develop your own link encryption. Authenticated key exchange is the easiest part to screw up, so go for manually entering the keys into the boxes. (If an attacker has physical acess to the link encryption device, assume you've already lost the traffic analysis game.) For link encryption, you probably want to use a self-syncing mode of a block cypher such as CFB Make sure your block cypher is suitable for CFB mode operation. Make sure to use gpg's crypto-strong random output function or something similar to generate your keys. You should rekey at least as often as you sheck the physical integrity of the line.
There's a government standard here-- TEMPEST (Score:2, Informative)
Plus, you have some CYA protection here since it's a predefined standard!
http://www.eskimo.com/~joelm/tempest.html [eskimo.com]
http://www.fas.org/irp/program/security/tempest.h
... but I still like the chain link fence idea with guard dogs
Re:There's a government standard here-- TEMPEST (Score:1)
thats nothing a couple of steaks marinated in arsenic/most any toxin wont quickly fix.
2 possible methods for detection of tampering (Score:2, Informative)
The second is an OTDR (optical time domain reflectometer) - this will easily detect changes in the fiber layout, and will also tell you exactly where the tap/modification occurred.
Basically, an OTDR sends a pulse of light and looks at the reflection(s) over time. It will show bends, nicks, etc that occur in the fibre.
Use REAL tamper protection (Score:3, Interesting)
The big boys use a plastic sheet coated with carbon tracks in many layers. Goretex (yes the same one that makes boots) sells this stuff. It is generally used to protect small devices from being probed. It works by measuring the resistance of the carbon tracks and can detect sub-micron drills. Crypto units in gov/mil applicions use this technique, so it is considered to be the best method.
In your case the wire would be wrapped in this stuff and then coated in a soft epoxy resin. Any damage to the sheath and the system can take evasive action...
I've got a contact in this area - Email me and I'll put you in contact.
Oil pressure cables, crypto (Score:1)
Also, I would not entirely rule out cryptography. If you start by sending as much garbage as you can, then sending encrypted data with no headers only when there's data to be send, instead of the noice, then you should be able to avoid the problems of traffic analysis.
Personally I'd go with the following method:
Make two queues, one virtual and one "real". If there's real data to be sent, encrypt it and store it in a buffer. If there's no real data to be sent, grab something from the virtual queue, which gives you either all NULLs, or random data, and encrypt that, then place it in the buffer. Then run another deamon or task which grabs data from the buffer at a constant rate and sends it. That way you'll have a constant stream of encrypted data. All the attacker will see is the encrypted data, and he should not be able to pick out any information usable for traffic analysis.
This explanation is a nutshell one, you'd need to take care of re-keying etc. You also need a way for the recipient to know if the package is real data or random data. That can be done by prepending a checksum to each package, inside the encryption. If you're using a keyed sha1 checksum then you get authentication as well.
Keeping in mind that nothing (neither physical nor electronic protection) is 100% secure, I'd combine both cable protection and encryption.
I'm currently doing work on this encrypted approch, and can be contacted if you're interested.
GhettoAss(tm) solution... (Score:2)
Simply have a script running on the server that periodically (ie less than 1s intervals) sends a single short time-out ping to the other end of the line. If the other side fails to respond, kill the route and interface, and if possible, shut down and lock up the server, since a failed reply strongly suggests that the link has been compromised.
If you feel like putting more work into the project, you can watch for unwelcome network traffic. Sending out various broadcast requests and looking for their response, as well as things like windows network broadcasts, and again killing the link if unacceptable results are found will give you an added level of security.
While most of the above physical solutions are clearly outside of your budget, considering you're talking to slashdot and not a properly bonded security consultant, using fiber will make it significantly more difficult for the link to be compromised without detection. Running IPSEC(over IPSEC over...), or better yet not using ethernet & TCP/IP will add an aditional layer of confusion for any potential attackers.
I could go on and on with various ideas, but I think I've said enough. If you really want more of my ideas, I'd be willing to talk for a case of beer and a hooker. If money's tight, I'll settle for a cheap hooker, just don't skimp on the beer, its where my magical powers come from. ^_^
uhhhhh...... (Score:1, Insightful)
Ignore all the people here wanting to use pressurised systems.
Use fiber, because you can sniff ethernet via copper without having to touch the cable.
Get some fiber cards that do IPSec at the ethernet packet level. Yes, they make them, because it's what I have to use. They are expensive, about 5K per card, but they do GigE...
Also, when you run the fiber cable, just run it with all of the rest of the cables. You put that cable in a steel pipe with pressure or whatever... you might as well go ahead and label it as "HEY!!! CRACKERS!!!! THE SECURE CABLE IS IN HERE!!!!"
Go look at the military regulations on the subject. They spent good tax payer dollars to do it.
But another thing you might look at... Run some copper lines between the two, pick up some Westtel DSL modems, the ones with built in encryption. They have ethernet ports on each side of them, you can then run an additional layer of IPSec across them if you wanted to.
Your application also encrypts the data... right? have you looked into useing SSH tunnels, or is that out of the question to?
Just wondering, but if the data is THAT secure... why in the he** are they letting you even cross an insecure area?? I would NEVER be allowed to do that.
Another Multiple Idea (Score:1)
You could get interesting.
If I had an OK budget, I would try the following:
Create an array of fibre cables running from terminal to server.
Throw an IPSec Box on each end of each fiber.
Use a random sequence (transmitted in the first packet of each sequence) for data to be transfered on each cable.
IE Packet 1 goes through cable 2 packet 3 goes through cable 1, and change that up every 50 packets or so.
Then cover the CAbles with OTDR and have that monitered on the server. Upon a tamper detection, have the connection shut off. Send notice of some kind through some other datapipe (A serial port with a repeater and Zener (I think that's the right spelling) Diodes to prevent a reverse in current, and have the connection sent to another PC (could be in the room actually) that can Dial out to call your cell or something.
That should suffice. However, this method is quite useless without physical security
If a hacker trys to get into one line (which might not be the right line at the time) he will immediatly set off the OTDR and parralize the system.
In the meantime (heh, if possible) he still has to break through IPsec *and* get through your own random cable swapping/packet swapping sequence.
I think that's impossible to break through. (almost?