Feds Move to Secure Net 137
An anonymous reader writes "eWeek reports: The Cyber Warning Information Network, a key part of the Bush administration's National Strategy to Secure Cyberspace, will use a secure, private IP network separate from the public Internet, according to officials. The government currently has seven nodes running, said Marcus Sachs, director of communications infrastructure protection at the Office of Cyberspace Security, in Washington."
I would hope so (Score:5, Informative)
Re:I would hope so (Score:5, Funny)
It's a good job they didn't do psychological tests too - 'talking to other people without using IM' - or they'd have no computer experts at all!
Re:I would hope so (Score:5, Interesting)
However, even if you lease a private line it would still be in control of a third party, the telephone company for instance. In these cases cryptographic hardware is used to secure the channel.
Re:I would hope so (Score:1)
Yeah, just like once a Marine, always a Marine. No matter what job you do, officer or grunt, you're still infantry. Anyhow, with the budget as is and a limit to how many agents they can have.
Re:I would hope so (Score:1)
Re:I would hope so (Score:4, Informative)
They have. NIPRNet and SIPRNet are two 'private internets' used by the US military (for unclassified and classified data respectively). This is just a new special purpose network for the Department of Homeland Security.
They're not pretending it's a novel idea.
Re:I would hope so (Score:5, Funny)
Re:I would hope so (Score:2)
a little bit more secure than a firewall
Just what the word says. Empirical testing has shown that wood, cement and glass are about as effective at preventing unwanted transmissions as air, but the name has still stuck.
For the seriously paranoid, a Faraday cage can also be employed to prevent EM transmissions that can sometimes be used to reverse engineer your activities (do a Google search on 'NSA tempest' if you want more data).
What a waste of my tax money (Score:3, Interesting)
On the other hand, VPN over the Internet can be very secure and far cheaper. Not VPN using OpenSSL on Linux boxes, because both the OS and the relatively big library could have buffer overflows or some other low-level bugs. But it's easy to build a layered system that will be extremely secure. Say, hardware routers that decrypt and check the signature on every incoming packet in hardware before looking at it otherwise. And then AFTER that, a Linux box that does a sanity check on what comes through the router, just in case.
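The layered admission the comment above sketches (authenticate every packet first, parse and sanity-check only afterwards), written out as an added example that is not the commenter's design. HMAC-SHA256 stands in for the hardware signature check, decryption is left out, and the wire format, key, protocol table and sample packets are all constructed here for illustration.

```python
"""Authenticate-then-parse packet admission: layer 1 verifies the tag over
the raw bytes before any field is interpreted; layer 2 parses the now
authenticated header and checks it against policy.  Constructed example."""
import hmac
import hashlib
import struct

TAG_LEN = 32                               # HMAC-SHA256 output length
HDR = struct.Struct("!HBB")                # payload length, protocol id, flags
ALLOWED_PROTOS = {1: "mail", 2: "file"}    # constructed policy table
MAX_PAYLOAD = 1024

# Constructed demo key; in the design discussed it would live in the crypto hardware.
KEY = b"\x11" * 32


def seal(proto, flags, payload, key=KEY):
    """Sender side: build header||payload||tag (used here to construct input)."""
    body = HDR.pack(len(payload), proto, flags) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify_tag(packet, key=KEY):
    """Layer 1: reject anything whose tag does not verify, before a single
    header field is read.  A packet too short to carry header + tag is
    rejected on length alone; the compare is constant-time."""
    if len(packet) < HDR.size + TAG_LEN:
        return None
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return body


def sanity_check(body):
    """Layer 2: parse the authenticated body and apply policy.  A bug or
    misconfiguration on a trusted sender can still emit authenticated garbage,
    which is what the commenter's second box is there to catch."""
    length, proto, flags = HDR.unpack_from(body)
    payload = body[HDR.size:]
    if length != len(payload):
        return None, "length mismatch"
    if length > MAX_PAYLOAD:
        return None, "payload too large"
    if proto not in ALLOWED_PROTOS:
        return None, "protocol not allowed"
    if flags & 0x80:                        # constructed rule: reserved bit must be clear
        return None, "reserved flag set"
    return {"proto": ALLOWED_PROTOS[proto], "payload": payload}, "ok"


def admit(packet, key=KEY):
    """Full pipeline: (parsed_or_None, reason).  Nothing is parsed until the
    tag has checked out, so malformed headers never reach the parser unsigned."""
    body = verify_tag(packet, key)
    if body is None:
        return None, "bad tag"
    return sanity_check(body)


def demo():
    good = seal(1, 0, b"HELO relay.example")
    tampered = bytes([good[0] ^ 0x01]) + good[1:]        # header bit flipped after signing
    bad_len = HDR.pack(5, 1, 0) + b"x" * 7                # signed, but length field lies
    bad_len += hmac.new(KEY, bad_len, hashlib.sha256).digest()
    return {
        "good": admit(good),
        "tampered": admit(tampered),
        "truncated": admit(good[:10]),
        "bad_len": admit(bad_len),
        "bad_proto": admit(seal(9, 0, b"?")),
    }


if __name__ == "__main__":
    for name, (parsed, reason) in demo().items():
        print(f"{name:10s} -> {reason}" + (f" {parsed}" if parsed else ""))
```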
You've missed the point (Score:3, Informative)
Also, this network may not be very expensive - most of the traffic is likely to be email or occasional software distributions, and just about everything except a major Windows patch can run fine over a 56kbps frame connection.
So how will they get data in/out ? (Score:4, Interesting)
Since their interest is in securing the net as a whole, it's a pity they're not practising what they preach, and trying to implement a secure solution over the public 'net. Would be an inspiration for other folks.
Re:So how will they get data in/out ? (Score:5, Funny)
Re:So how will they get data in/out ? (Score:1)
Re:So how will they get data in/out ? (Score:2)
Re:So how will they get data in/out ? (Score:1)
Re:So how will they get data in/out ? (Score:5, Interesting)
I think they cannot implement a truly secure solution over the public net as the protocols were never designed with security in mind - i.e. anything that happens is a hack or a bodge on top of those insecure protocols. Whilst these may be good enough for you or me in practical terms, the government would want a quantifiably secure system, and the only way you get that is to disconnect yourself from the rest of the world.
There are plenty of systems that do this BTW - I used to work for a company that did credit card processing. They had a single PC connected to the internet and not the LAN; all the others were on the internal LAN only. I've seen banks not connect to the internet at all.
Thank god I work for a less paranoid company now!
Re:So how will they get data in/out ? (Score:1)
Amen. Or, as someone said, the best firewall in the world is two feet of air.
Re:So how will they get data in/out ? (Score:2)
Unless you have a wireless access point set up.
Re:So how will they get data in/out ? (Score:2, Insightful)
And anyway, in a major computer manufacturer's network, you didn't see much of the internet except through the web proxy and SOCKSified telnets. That's of course the way to go.
If you want real security, you are likely not to want a machine connected to the main power lines as well (tempest protection). I guess an off line UPS does the job.
Re:So how will they get data in/out ? (Score:2, Insightful)
Re:So how will they get data in/out ? (Score:1)
Then the users will demand access to the rest of the Internet, and they'll add a gateway.
Then it won't be secure anymore.
Re:So how will they get data in/out ? (Score:1)
No, they are completely separate. They have problems with people needing multiple computers to work on the different networks; there was an article a while ago about the gvt wanting an OS that can run on separate NICs, with separate OS instances for each NIC, and without sharing memory addressing between the instances - current VM software doesn't meet the requirements. I guess having three computers per person is expensive, go figure.
Re:So how will they get data in/out ? (Score:4, Interesting)
The principle was good: all of your internet research and private email was done on the unclass machine; all of your quotidian tasks, including accessing the archives and the cable database, was done on the class machine. Department-Embassy communication went through the State Department's cable system and thus was also unconnected from the public network.
If the government is willing to apply hardware redundancy on a massive scale, they can certainly replicate such a system in those agencies that do not have it already. There are still obvious human errors that can muck up such a system. For example, when rushed, many foreign service officers would e-mail colleagues in the embassies for information. While one wasn't supposed to discuss classified topics on e-mail because of the weaker security, it wasn't always easy to decide where to draw the line. Similarly, if you were writing a report that drew on classified and unclassified data, and much of the unclassified data was online, then it was tempting to slap your floppy disk with a copy of your classified report into the unclassified machine and work on it there, so as to copy and paste material more easily. Still, these are human errors; eliminating them is a different topic. As long as we are willing to think on a scale commensurate with the government's resources, it would be technically difficult to create such a system.
What's the News? (Score:5, Funny)
TOP STORY: A single government branch sets up an internal network, separate from the internet. Tonight at eleven, find out what kind of routers they bought.
Re:What's the News? (Score:5, Funny)
Re:What's the News? (Score:1)
Re:What's the News? (Score:1)
Alternate Headline: Fed Discovers NAT
Routers needed for any internet (Score:1)
Or maybe I don't get the joke
What? (Score:3, Interesting)
Re:What? (Score:2)
and I and really, any army or bigger companies (well, most of them maybe do not have them physically _totally_ cut off from the internet) will have such private networks; you just can't trust that the almighty internet will work for such critical systems, and the whole security side of things too.
Australian Govt does have separate net (Score:1)
Did you hear the joke about CIA sending Iraq Generals bogus SMS? Hard to do when there is bugger all mobile coverage in Iraq.
I thought the point of the internet was to be so vast as to be unstoppable...
Re:What? (Score:2)
There isn't really a point to having a single large network, because access would be too hard to control and you'd lose the security benefit. The preferred solution is to deploy multiple independent private networks, each with a special purpose enabling access to be very limited.
That's exactly what this is.
bastards (Score:1, Informative)
Re:bastards (Score:3, Interesting)
I think that possibly a more relevant explanation of the ipv4 shortage would be that because there are so many new nodes being added, a shortage of addresses was obviously going to happen at some point. What with all the mobile phones and other, smaller devices (i.e. embedded systems in Internet-enabled fridges etc). that are connecting, ipv4 was going to run out at some point.
Besides, ipv6 should sort out that problem... Come 2010 even us poor souls in the UK may have completely switched to the new protocol version. Just in time to see BT finally provide full, half-decent UK broadband coverage (maybe give it a few more years though eh)
Re:bastards (Score:3, Interesting)
You want to make IPv4 last another decade? Take back all the colleges' IP blocks, make them use a single Class C with NAT-ing.
Re:bastards (Score:2, Insightful)
I disagree that forcing them to squeeze into less space is going to buy much of an extension to ipv4, however. In fact I think it's the wrong idea entirely. Any system where saving address space is such a high priority needs to be changed, especially since an alternative already exists in ipv6.
Even forcing all the schools to use a Class C network would buy only a few hundred million addresses, which is a drop in the pond at the rate that the net is growing worldwide, what with phones, PDAs, and toasters needing their own network connections these days.
Re:bastards (Score:2)
And why can't those PDAs be NAT'ed through their provider?
Re:bastards (Score:1)
I'm not the world's foremost networking expert... (Score:1)
Sean
Re:bastards (Score:1)
Re:bastards (Score:1)
Fulltext for offline browsing & quickref'ing (Score:5, Informative)
from http://www.eweek.com/article2/0,3959,922570,00.as
March 10, 2003
Feds Move to Secure Net
By Dennis Fisher
SAN DIEGO--The White House and the new Department of Homeland Security have begun in earnest the process of implementing the plan to secure the nation's critical networks--starting with extensive changes in the federal security infrastructure.
The most significant move is the development of a private, compartmentalized network that will be used by federal agencies and private-sector experts to share information during large-scale security events, government officials said at the National Information Assurance Leadership conference here last week.
The system is part of the newly created Cyber Warning Information Network, a group of organizations including the National Infrastructure Protection Center, the Critical Infrastructure Assurance Office and others that have some responsibility for the security of federal systems. The private-sector Information Sharing and Analysis Centers will also be included.
The Cyber Warning Information Network, a key part of the Bush administration's National Strategy to Secure Cyberspace, will use a secure, private IP network separate from the public Internet, according to officials. The government currently has seven nodes running, said Marcus Sachs, seen on left, director of communications infrastructure protection at the Office of Cyberspace Security, in Washington.
Sachs, speaking at the conference here, which was put on by The SANS Institute, pointed to last week's handling of the critical vulnerability in the Sendmail Mail Transfer Agent package as a prime example of how such back-channel communication between vendors, researchers and the government can help protect end users. Researchers at Internet Security Systems Inc., in Atlanta, discovered the vulnerability in mid-February and immediately notified officials at the White House and the Department of Homeland Security.
The government quietly spread the word among federal agencies and, along with ISS, began contacting the affected vendors. After the vendors developed patches, the fixes were deployed quickly on critical government, military and private-sector machines before the official announcement of the vulnerability.
However, some in the security community say that until the CWIN is fully operational and proven, they'll continue to use existing methods.
"I would not have used CWIN for Sendmail. There are too many questions about something that has not been fully deployed," said Pete Allor, manager of the threat intelligence service at ISS and director of operations at the Information Technology ISAC. "I'd like to know who I'm transmitting information to and the rules for dissemination.
"My two biggest concerns are having private-sector information on a government network and if Congress withdraws the [Freedom of Information Act] exemption, there won't be any reason for private companies to use [the CWIN]," Allor said. While speculation exists, to date no bill has been introduced to remove the FOIA exemption in the Homeland Security Act.
As part of the plan to improve security, the CIO of each federal agency is, by statute, now accountable for the security of that agency's network. This is a significant change, considering the lack of responsibility permeating government security efforts.
"This is the first time this has ever happened," Sachs said. "It used to be that it was their job, but they just said, 'Yeah, I guess we're secure.'"
The internal structure of the government's security apparatus is also undergoing some major changes, officials said. The President's Critical Infrastructure Protection Board, formerly part of the Office of Cyberspace Security, is now part of the Homeland Security Council. But that may not be where it ends up. There are indications that the board may end up as part of the Department of Homeland Security.
what took so long? (Score:3, Interesting)
Money (Score:1)
And this wasn't in place before? (Score:5, Funny)
This seems so utterly obvious that I'm completely mystified as to why this is a news-worthy article. Or is this just a joke?
Yippee! The feds have an 'intranet'. I hope I don't pee my pants with excitement!
if true : do stuff; (Score:5, Funny)
2 Open it to Universities
3 Open it to everyone
4 Watch while "terrorists" start to spread viruses on it
5 Start network for the Feds
Re:if true : do stuff; (Score:2, Funny)
6 (Warning: Unreachable code): Profit!
Also, they'll use decimal IPv4 addresses -- which would explain a lot about the Uplink game [introversion.co.uk]...
Hey! (Score:2)
Re: hey easy with the terrorist word (Score:1, Insightful)
If you keep tossing that word around, freely applying it to everyone, pretty soon domestic protests will be labeled terrorist gatherings and other bad stuff might result. I don't condone releasing worms but it's not terrorism. I'm not terrorized when my web logs fill up with Code Red, just irritated.
Re: hey easy with the terrorist word (Score:3, Interesting)
Practically speaking, the Star Chamber has been recreated. That was the imposition of the English monarchy that habeas corpus was specifically created to stamp out. People being arrested without their name being released, without being allowed any outside contacts, and held indefinitely without being charged. Flagrant constitutional violations, but all actions taken by our government.
In *most* of the cases I've heard of there has been decent reason for the person to be arrested. But not for the violation of their rights. And in more than one of the cases I have not been able to determine any reason. (This doesn't mean there wasn't one. The information available is *intentionally* fragmentary.)
Something already there? (Score:4, Interesting)
Surely the US government has something equivalent...?
That's handy! (Score:1, Funny)
US Military already has its own private network (Score:5, Informative)
Re:US Military already has it's own private networ (Score:1)
Hmm. (Score:2, Funny)
SIPRNET / NIPRNET , jerky... (Score:5, Insightful)
Re:SIPRNET / NIPRNET , jerky... (Score:1)
Anyway, I think the somewhat big news here is that non-military agencies will be moving to the SIPRNET. And switching over more "routine" communications to this system has to be a good thing for a variety of reasons.
And for those too lazy to google, here's a link [fas.org]. SIPRNET is designed to encrypt and send traffic, and they use their own wires and relays. (Although I can't swear that they don't use some of the commercial wires as well.)
Re:SIPRNET / NIPRNET , jerky... (Score:1)
Sean
Sweet... (Score:1)
And what are they doing about the OS they run in this new playground?
We must secure the net! (Score:1)
"Oh my god... the Feds are taking control of the net?! What the hell is happening? What about my pr0n?!"
rfc1918 (Score:2)
You mean... (Score:1)
Re:You mean... (Score:4, Insightful)
One would assume the actual hardware would be under lock and key and behind a pair of burly Marines, to discourage any stray installers of WiFi cards etc. One would also assume there are software safety measures that would prevent the stray installer from importing dangerous data or viruses via sneakernet. And finally, one would assume that deviating from the strict rules of conduct will result in reprimands/jail time/caning (delete as applicable) depending on how dangerous or stupid the said stray installer acted.
As for patching, that's fine for security levels up to a certain degree, but there are unpatched and undiscovered bugs around at any given time, as the submissions history on /. will tell you.
Re:You mean... (Score:2)
Re:You mean... (Score:1)
IPv6? (Score:3, Interesting)
That's about the only realistic route a worldwide migration to IPv6 could take, I think - building an entirely separate infrastructure.
Then we can have that one and they can have the old one back!
GOVNET (Score:1)
IIRC, it is called GOVNET [gsa.gov].
Question for the well-informed (Score:3, Interesting)
These people employ some of the best mathematicians and engineers in the world, they ought to be able to come up with a good implementation.
Not to mention the fact that even a separate link is going to require some information-level security, as you don't want every tech with a current probe to be able to see your network traffic ...
Re:Question for the well-informed (Score:1)
-- shayborg
Re:Question for the well-informed (Score:2)
No digging for physically separate cabling, but using "private lines" (ISDN, frame relay, OC-x) from telcos to interconnect between various government departments and agencies without relying on the public Internet infrastructure.
Actual companies like AT&T, WorldCom, and Sprint could use some new business, so the telecom sector will welcome this.
justified in terms of increased security when compared to simply setting up a secure tunnel over an existing long distance link?
Yes, a secure tunnel only provides confidentiality and integrity; it does not ensure availability. For a government secure network, it is reasonable to prevent a failure in the public Internet (root servers offline, major Internet eXchange destroyed, new Warhol worm) from affecting the availability of this secure network.
The hardest part is keeping it clean while keeping it useful. There is a lot of temptation to use bridging and gateways of various technical sorts (so-called "air-gap" network NICs, which allow an insecure machine to connect to the public Internet and then switch (without connecting to both at the same time) to the "secure" federal network; except any worms or trojans love these machines as an attack vector) and less-technical sorts (sharing files via CD-R/RW).
There are classified networks and such already, but they are a pain to use, with proprietary software / interfaces typically on a time-sharing computer, and lack means of inputting new (read: useful) data other than to key it in by hand. Which makes for a lot of secret and top secret cleared data entry clerks, or a really big problem.
IPv6? (Score:1)
That's about the only realistic route a worldwide migration to IPv6 could take, in my opinion - building an entirely separate infrastructure.
Then we can have that one and they can have the old one back!
Re:IPv6? (Score:1)
The real reason... (Score:5, Funny)
7 nodes? What is this - an FBI LAN party?
Re:The real reason... (Score:2)
>7 nodes? What is this - an FBI LAN party?
Worse, some guy wrote half a dozen TS and SCI reports on the big computer with the bright red case and glowing red side window, because he figured that had to be the one on the secure net.
Turned out that was the UT server, case-modded by a couple of uncleared interns. Oops.
"Security" (Score:3, Insightful)
And the nodes will also be connected to the internet? If this is true, a worm that goes through the internet (i.e. if at some moment a sendmail worm appears and a company has a Postfix in the DMZ that receives and forwards the mail to the internal sendmail, it would be vulnerable also) could pass between the two networks. I remember how much damage CodeRed2 and Nimda did in not properly secured internal networks. In this case, if the nodes are connected to the two networks, a worm could enter from one point and try to infect the other (at least email will be the common point between them).
But, if they are only connected between them and NOT connected to internet (neither by mail), they are not solving the problem with this, only isolating some critical (?) part of the network so worms like this one [slashdot.org] will not infect their window shares and things like that (at least, until a worm that combines several ways to spread enter there)
Soo, If i want to mail them (Score:2, Funny)
whoopee! (Score:1, Informative)
Re:whoopee! (Score:1)
Noooo (Score:3, Funny)
Re:Noooo (Score:1)
OurNet (Score:1)
What if we then started to make our own network, with our own rules? The slashdotters and those alike are not few in this world, and I suppose a lot of us, if not most, have had enough of rules over rules, commercial stuff, commercial stuff...
A kind of OurNet...
Won't Work for DoD Units (Score:4, Interesting)
Re:Won't Work for DoD Units (Score:2)
True.
>nobody at my level ever has access.
What MOS? Generally, it's for command staff, Intelligence personnel, and operations personnel. If you don't need it, you don't get it. Also, it requires a minimum Secret security clearance to use.
The Feds are auditing what should be on Internet (Score:5, Informative)
About the sendmail vulnerability (Score:3, Funny)
Sachs, speaking at the conference here, which was put on by The SANS Institute, pointed to last week's handling of the critical vulnerability in the Sendmail Mail Transfer Agent package as a prime example of how such back-channel communication between vendors, researchers and the government can help protect end users. Researchers at Internet Security Systems Inc., in Atlanta, discovered the vulnerability in mid-February and immediately notified officials at the White House and the Department of Homeland Security.
The government quietly spread the word among federal agencies and, along with ISS, began contacting the affected vendors. After the vendors developed patches, the fixes were deployed quickly on critical government, military and private-sector machines before the official announcement of the vulnerability.
Re:About the sendmail vulnerability (Score:2)
Seven nodes on non-public IP block? (Score:2, Funny)
Let me guess:
192.168.0.1
192.168.0.2
192.168.0.3
192.168.0.4
192.168.0.5
192.168.0.6
192.168.0.7
Re:Seven nodes on non-public IP block? (Score:1)
Cyber Warning Information Network (Score:2, Informative)
This is the group that "handled" the recent announcement of a new sendmail vulnerability. Except what they did was this: ISS, an info-security company looking for brownie points, reported to the Office of Cyberspace Security at the White House and Homeland Security, who told FedCERT, which passed that along to military and federal government IT people. Except all they could do was turn off sendmail, since a fix wasn't yet available!
Then Sendmail (.com and
So the DHS made three phone calls (or emails) and spent the rest of their time writing up press releases about their great job, so the "press release == news" media could spout how great and cyber-aware DHS is. Though ISS, Sendmail Inc./ Consortium, and CERT did all the real work.
One problem (Score:2)
Re:One problem (Score:2, Interesting)
It will be less vulnerable because they will have mandated that communications use physically separate switching node paths. And you can be sure that they have thought about this.
Just like the (Swiss) banks then ... (Score:5, Interesting)
Every worker has two computers. One for the bank stuff and the other for internet/ordinary stuff.
The internal network has very limited connections to the internet (necessary web-banking connections, but not more). Don't count on Sendmail bugs to get you in here
Routers and security (Score:3, Interesting)
Someone in the class had worked on a secure network project where all the routes were static, but when they did load testing the packets would arrive out of order. This worried them (as it should) and they looked into it. It turned out that the routers (switches?) they were using would "cheat" when they detected backup and would send packets to ports off the static routes.
The expected behavior was that the receiver would bounce the packet back as destination unknown. But this could buy the equipment precious milliseconds and the congestion might clear.
A cute solution, but not very secure.
SIPERNET? (Score:2)
Hope they use IPv6, that way you also get the economy rolling. New OS, new routers...
(I know modern OSes and Cisco 12.2 IOS run IPv6, but most gov routers still run IOS 9.x and the DoD will not allow Win2000 Active Directory on servers.)
Unintended consequences (Score:2)
ummm... (Score:2)
You mean.... (Score:2)
Somone on FIDO will gateway it to AOL (Score:3, Funny)
How is that supposed to work? (Score:2, Insightful)
umm.. if it's a completely separate network from the internet.. how is it going to have ANY effect whatsoever? I mean they won't even be able to look at what's out there! Am I missing something here?
Re:How is that supposed to work? (Score:2, Funny)
It looks like they think the WWW is too worldly and too wide. They could choose to just phone in the next Red Alert. Or use radio. Or homing pigeons.