Comment Clarification on military networks (Score 5, Informative) 254

I speak only for myself, not as an official representative of the U.S. Government.

I decided to write this because I often see misconceptions of military networks on Slashdot.

I have been a network administrator in the U.S. Air Force for 5 years. I have administered classified networks in Asia, Europe, the Middle East and the U.S. I have worked on Air Force and Army networks.

(1) The basic levels of classification are:
Unclassified
Confidential
Secret
Top Secret

There are some gray areas between and above, but those are the basics.

(2) You can process classified information on almost any platform you want. Top Secret on DOS, no problem. Windows 95, every day. Linux, sure. The big restrictions come when a computer is connected to both classified and unclassified networks. In that case the machine must be trusted to differentiate between the classifications. It must make sure that only Unclass was written to the disk you're going to carry over to the unclassified network.

(3) Classified information, once properly encrypted, is no longer classified and you can pretty much do what you want with it (put it on your t-shirt, print it on a flag and wave it, blast it into space, send it over the internet, whatever).

(4) Because of the above, wireless and classified are nothing new. Radios, wireless networks, satellite phones, all of them are used to transmit classified information.

(5) Moving classified information over unclassified networks is old news and several devices already exist. Devices like the NES (Network Encryption System) and the TACLANE are used to plug into a classified network, encrypt and encapsulate the data, then move that data over an unclassified network.

http://www.fas.org/irp/program/security/_work/kg-175.html

(6) What this new device offers is convenience. Previously, to run a network over a wireless link the procedure went something like:

Connect computer/network to DTE/DCE device
Connect DTE/DCE device to crypto
Connect crypto to wireless transmission medium

These steps needed to be completed for both sides of each link. It is slow, complicated, and expensive.

(7) Why not use IPSEC? It's complicated and not NSA certified. You should be able to give crypto to a user and only explain three things to them: in, out, power. Nothing to misconfigure, either it works or it doesn't, no chance of classified spillage.

(8) Why doesn't someone with access just take this thing apart and figure out whatever? This product is likely a CCI (controlled cryptographic item). Opening CCI without certification/authorization is illegal. Besides, without dissecting the chips, how much are you really going to learn?

(9) The NSA must have a back door built in, right? No. A back door built in for them would be vulnerable to anybody. I highly doubt we would move national security information over a wireless network with a back door. If you're using their encryption keys, they have a copy and can read the info anyway. If you're not using their encryption keys, then you don't have one of these devices.

(10) Isn't someone going to crack this in a week? No. NSA certified encryption is good and well tested. We still routinely send Top Secret information over 10-year-old encryption devices. If they had been compromised, we wouldn't be using them. The information sent from this device is encrypted. Without the same encryption key, you can't communicate with the device. Period.

(11) What about sniffing packets and breaking the key? Go ahead and try. Encrypted information has been floating around in the air for years and years. Multimillion-man armies have been sniffing and recording and trying to break it for decades. The keys change often. Sure, someone might (if they were lucky) break one key in ten years, but many devices get a new key every day.

I'm sure I left some stuff out and there are faults in my knowledge and spelling. If you have any questions, post and I will try to answer them.