×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

US Government to Have Only 50 Gateways

Soulskill posted about 6 years ago | from the e-downsizing dept.

Government 150

Narrative Fallacy brings us a story about the US government's plan to reduce the roughly 4,000 active internet connections used by its civilian agencies to a mere 50 highly secure gateways. This comes as part of the government's response to a rise in attacks on its networks. "Most security professionals agreed that the TIC security improvements and similar measures are long overdue. 'We should have done this five years ago, but there wasn't the heart or the will then like there is now,' said Howard Schmidt, a former White House cyber security adviser. 'The timetable is aggressive,' he said, but now there is a sense of urgency behind the program. Small agencies that won't qualify for their own connections under TIC must subcontract their Internet services to larger agencies."

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

150 comments

Is it just me... (1)

Aranykai (1053846) | about 6 years ago | (#23134118)

... or does this summary scream "Throw more money at the problem"?

I mean, really. Perhaps ensuring the standards and procedures are actually adhered to would be a much cheaper and less drastic change.

Re:Is it just me... (5, Insightful)

Pfhor (40220) | about 6 years ago | (#23134142)

Are you kidding?

Trying to maintain standards and practices across 4,000 gateway points vs 50. Let alone the agency bureaucracy that would be involved in doing site checks and working across various agency boundaries would be a nightmare. It would take eons to get those things in place to do consistent auditing and management to ensure standards and procedures are followed, let alone actually do them. Might as well consolidate bandwidth costs and number of checkpoints down to 50 in the process.

Re:Is it just me... (1)

unlametheweak (1102159) | about 6 years ago | (#23134374)

OK, I'm definitely not a networking guru (to put it euphemistically) but I'm wondering what the down sides are to only having 50 gateways.

I'm thinking two things:
1) You are concentrating access points (and thus increasing the likelihood of failure given concerted attacks [like DDoS for example])
2) With a small definable limit of access points you are decreasing (or eliminating) the possibility of honeypots (and counter-surveillance)

Re:Is it just me... (5, Insightful)

innerweb (721995) | about 6 years ago | (#23134452)

Let me see...

  • 1) Each point of failure might have a greater chance to block a part of the network (depends on design). They could design it so that the 50 points lead to a network that is redundant behind the 50 points. If one point were to be blocked, then the traffic could be re-routed to other points. Much more secure and manageable than 4000 points. Bandwidth is only as much of an issues as the 50 points of connectivity allow/limit.
  • 2) Actually, as to honeypots and counter-surveillance, you are getting much better control. There is not limit to how many false access points you can seed (outside of resources). With fewer access points to monitor, policing the network becomes much easier.

With 50 gateways, if the internal network is built correctly (unlike say a how certain cable company does their's), then I can not think of any real net negatives except the complexity of the internal network now. But, given the serious issues the 4000 has, the complexity of the internal network is a relatively non-existent issue.

InnerWeb

Re:Is it just me... (1)

budgenator (254554) | about 6 years ago | (#23134954)

That's only 50 gateways to the internet so what you are calling an access points, is going to be more like an IXP, Internet exchange point, [wikipedia.org] by keeping the number of connection manageable they'll be able to monitor the traffic more effectively.

Re:Is it just me... (1)

jo42 (227475) | about 6 years ago | (#23134592)

4000 to 50
All this means is that when, not if, one gateway is compromised, more machines will be hacked.

Re:Is it just me... (3, Insightful)

Evets (629327) | about 6 years ago | (#23134764)

You make a series of pretty huge assumptions here, many of which are unlikely.

1) you assume that the 50 gateway points will be managed properly.
2) you assume that access to those gateway points will be managed effectively.
3) you assume that the underlying network design is intelligently put together.

Since this is government work, I would throw in an entirely different set of assumptions:

1) The contractor doing the work will be foreign.
2) The contractor doing the work will have less than solid training in putting together nationwide internet scale networks.
3) The underlying networks will mostly have already been compromised.
4) The project will take at least 2 times longer than predicted to complete.
5) The project will be considered complete before most of the network guru's here on slashdot would consider it complete.
6) The project will likely introduce a 2 or 3 point of failure potential rather than a 50 point of failure potential. If you have trouble imagining such a poor design, you haven't experience with government contracts.

I think the missing tag here is "whatcouldpossiblygowrong?". Knowing that something major WILL go wrong, as with all federal projects, you have to weigh the risk of moving forward against the risk of not moving forward. The realistic risk of moving forward is:

1) a significant portion of the networks will go down and leave several agencies without the capability of getting anything done.
2) a downtime in the network will present a very real and very dangerous national security issue.

The risk of not moving forward?
1) Data currently deemed secure is widely compromised. (in fact, this has probably already happened)

It's an arguably good idea on the surface. But really, shouldn't the nation that brought the world the internet have the most well thought out and effective network infrastructure in the world? A change to the underlying network is a solid idea. This change? This change is the result of small minded thinking and government work.

Re:Is it just me... (4, Insightful)

Original Replica (908688) | about 6 years ago | (#23135170)

You make a series of pretty huge assumptions here, many of which are unlikely. 1) you assume that the 50 gateway points will be managed properly. 2) you assume that access to those gateway points will be managed effectively. 3) you assume that the underlying network design is intelligently put together.

I think the assumption is more along the lines of:
50 gateway points are more likely to be managed properly than 4000 points.
Those 50 points will have a great deal of attention and resources allocated to them, about 80 times the amount per point of the previous 4000 points.
When the government really cares about a project (read military) they can be very intelligent, just look at the stealth bomber. They are only haphazard when it is a project that exists only to please the public (read medi-care, or social security)

Re:Is it just me... (0)

Anonymous Coward | about 6 years ago | (#23135602)

The security industry is whacked at a fundemental level. People who know nothing are making technical decisions and all decisions are powered by CYA where the light of security scrutiny is regularly shined where it provides little benefit against determined advasaries or activly seeks to confront unwinnable battles to the detrement of winnable important concerns.

Many overly prescriptive regulations just serve to propogate and reinforce nonsense.

In large distributed networks you will never be able to control the flow of data so get over it and move on.

NAC, Virus scanners, IDS..etc all represent unwinnable wars you will ultimatly loose if you "rely" on these systems to protect you from harm.

If you can sit at the gateway of your enterprise and can understand the traffic moving through your routers using only wireshark your doing it wrong. Security is entirely a systems level concern. If you try and solve it from the network you may gain some but will ultimatly fail.

The solution to all network security problems is just two words. EDUCATION and TRUST.

In other words your users need to be trained to have a level of cluefullness including resistance to social engineering.

Finally rather than wasting time and money reorganizing your pipes mandate the use of secure protocols with end to end confidentiality guarantees based on sound sources of trust and reliable logging to reinforce the trust placed in all elements of the system.

Re:Is it just me... (0)

Anonymous Coward | about 6 years ago | (#23134152)

So they've recognized the data is important and they're going to do something about it. Unfortunately, what they've decided to do is put the data even more at risk by subcontacting to a whole bunch of subvendors without having an idea of how to secure their data much less decide who is doing a good job. I'm sure whoever it is that they send this data to, will allow them full access to inspect their process. What a cluster.....

This will absolutely make things ten times worse.

We should just give our data to the white house, sure as hell they won't be keeping track of it. (they'll just erase it) Criminals.

Re:Is it just me... (2, Insightful)

alshithead (981606) | about 6 years ago | (#23134522)

"Unfortunately, what they've decided to do is put the data even more at risk by subcontacting to a whole bunch of subvendors without having an idea of how to secure their data much less decide who is doing a good job."

I think you misread. What they said is:

"Small agencies that won't qualify for their own connections under TIC must subcontract their Internet services to larger agencies."

I think that means they are keeping it in house so to speak and causing small agencies to contract with large agencies for Internet access. This actually makes a lot of sense and is the way smaller agencies already work for some of the other services they need.

Re:Is it just me... (1)

smitty_one_each (243267) | about 6 years ago | (#23134154)

Well, anything to reduce the overall "surface area" of the governmentium [writeidea.org] is a good idea.

Re:Is it just me... (1)

TexNex (513254) | about 6 years ago | (#23134404)

Totally! Hopefully this will lead to better searching and information sharing as right now looking up info on .gov sites is about as easy as finding a needle in a junk yard. It can be done but you're gonna pick up alot of trash with it if at all.

Re:Is it just me... (3, Insightful)

PopeRatzo (965947) | about 6 years ago | (#23134826)

smitty, you know I love you, but I don't think I agree.

Since we're supposed to be the government (of, by and for, you know) the more places we can interface with it the better.

We've been trained by 27 years of "Conservative" control of government and media to see "government" as some alien entity over which we have no control and which only acts to make our lives unpleasant. St. Ronald was the first to really market this erroneous notion, and it really disrespects the clever and elegant plan our founding fathers laid out for us.

This meme of "drowning government in a bathtub" is so ubiquitous that even some smart people are lazily spreading it, as you have done.

If you've recently driven on a US highway, or if you're one of the unlucky ones under whom a bridge recently collapsed in Minnesota, you know first-hand what happens when "the commons" are neglected.

The strangest thing about this whole story is that we are constantly told that the US is a "Christian Nation" yet the idea of "care in common" which is anathema to Republicans is a most Christian notion. But I guess it's to be expected when hypocrisy is the new black.

Re:Is it just me... (0, Flamebait)

smitty_one_each (243267) | about 6 years ago | (#23135124)

We've been trained by 27 years of "Conservative" control of government and media to see "government" as some alien entity over which we have no control and which only acts to make our lives unpleasant. St. Ronald was the first to really market this erroneous notion, and it really disrespects the clever and elegant plan our founding fathers laid out for us.
"'Conservative' control of government and media" is some sweet flamebait. It clearly explains why, to drop just a couple of examples, you had Dan Rather pushing bogus documents about National Guard service during the 2004 election, or this current departure from reality that supposes Karl Rove was inciting investigations in the South.
If anything, the internet has revealed that there is a certain unstated orthodoxy (and certainly not a conservative one) driving things along a definite path.

This meme of "drowning government in a bathtub" is so ubiquitous that even some smart people are lazily spreading it, as you have done.
The meme I've sought to spread is one of "reading the Constitution as written", not as some would re-write it according to whim, without proper review [slashdot.org].

If you've recently driven on a US highway, or if you're one of the unlucky ones under whom a bridge recently collapsed in Minnesota, you know first-hand what happens when "the commons" are neglected.
I realize that the whole Blame BeelzeBush angle is diminished, but some findings of fact did come out about Minnesota [msn.com].
I'm not sure if its a bug or a feature that, after the "mixed results" of the Big Dig [wikipedia.org], that the Fed seems to be taking a more cautious look at funding projects, e.g. the Dulles Metro Extension in my area.
This real question is: What is the appropriate level for funding this stuff?
It is simply Un-American to me that the Fed be treated as the only source of leadership in the country.

The strangest thing about this whole story is that we are constantly told that the US is a "Christian Nation" yet the idea of "care in common" which is anathema to Republicans is a most Christian notion. But I guess it's to be expected when hypocrisy is the new black.
I suppose we could scuttle the First Amendment and set the Fed up as God, and then have "care in common" aplenty.
Because the State loves you and will hug you and pet you and offer a life free of fear pain.
Typically, Ben Franklin is invoked against the Bush Administration in general, and the Global War on Terror in Particular. But let's review those oft-quoted words again, anyway:

He who would give up a little liberty to gain a little security will lose both and deserve neither.

These words would also seem a caution about the Imperial Fed.

Thanks for dropping a quarter in me, boss.

From lots of little contracts to BIG CONTRACTS! (5, Insightful)

mikelieman (35628) | about 6 years ago | (#23134228)

I wonder what 'Loyal Bushie Companies' are being paid back with the contracts for this work?

Re:From lots of little contracts to BIG CONTRACTS! (5, Insightful)

iamsamed (1276082) | about 6 years ago | (#23134362)

I wonder what 'Loyal Bushie Companies' are being paid back with the contracts for this work?
Considering the questionable way contracts have been awarded by the Government over the last several years, the parent's comment is more "Insightful" than "Troll".

And, as a taxpayer, is a legitimate question that should be addressed by our Government. Especially, when, not if, it comes to light that the project runs over budget by millions of dollars which they inevitably do. Disgustingly, fleecing of the taxpayer has become de rigeur.

Re:Is it just me... (1)

MikeRT (947531) | about 6 years ago | (#23134268)

I mean, really. Perhaps ensuring the standards and procedures are actually adhered to would be a much cheaper and less drastic change.
And don't you think that that would be a lot easier to do with 50 connections than 4,000?

Great Wall of China (0, Troll)

kurt555gs (309278) | about 6 years ago | (#23134130)

History shows that any "fence" or edifice to "security" is almost always, like the Great Wall designed to keep it's citizens in, rather than invaders out.

How is this any different?

Cheers

Re:Great Wall of China (4, Insightful)

ibjhb (173533) | about 6 years ago | (#23134170)

I could be wrong but I think this applies to only government computers and not the whole Country's Internet...

Re:Great Wall of China (2, Informative)

kurt555gs (309278) | about 6 years ago | (#23134224)

I meant government computers, kinda hard to post to Wikileaks about the latest scandal when everything you do is being watched, and prolly timed recorded and put through some algorithm to determine your party loyalty.

Cheers
 

Re:Great Wall of China (5, Insightful)

danwesnor (896499) | about 6 years ago | (#23134262)

Government employees are allowed to own home computers connected to the real internet, where they can stroke pr0n and post wikileaks to their heart's content.

Re:Great Wall of China (4, Insightful)

Ihmhi (1206036) | about 6 years ago | (#23134296)

You'd have to be a dumbass to leak material via your workstation in a government facility. Actually, you wouldn't be a dumbass, you'd be a Guantanamo inmate.

Re:Great Wall of China (3, Interesting)

Anonymous Coward | about 6 years ago | (#23135298)

We don't log our dhcp services. We allow tor. We host tons of medical, legal, and financial information on you and other americans. The federal IT director doesn't want to change it due to 'budget constraints'. Your government at work, people.

Re:Great Wall of China (0)

Anonymous Coward | about 6 years ago | (#23134172)

Not sure if that's the reason you give to never leave your home.

Re:Great Wall of China (5, Funny)

iamdrscience (541136) | about 6 years ago | (#23134336)

I tried to think of counter-examples to your point and I had trouble, but in the process I stumbled across an even better idea. The first thing I thought of was cages at the zoo. To some extent, this example shows your point because the barriers at zoos are designed much more to keep animals in than spectators out. However, despite being designed to keep animals in, they are just as successful at keeping people out. Why is this? Partly it's because zoos make it difficult for people to get inside cages, but mostly it's because inside the cages are dangerous animals. At this point, inspiration struck: if dangerous tigers can keep people out of a cage at the zoo, couldn't they also be used to protect a computer network? Of course they could! Who would risk hacking a network if it meant getting eaten alive by tigers?

As far as a practical implementation, I imagine that behind the network's regular firewall, one would just place a container of tigers (a "Tigerbox") that way. The firewall will work as a general security measure, but if a hacker were to break through into the network, he would be immediately eviscerated by tigers. I suppose that in theory, one could even get rid of the firewall entirely, like you suggest, and protect the network entirely with tigers. I'm not sure how practical this would be, due to the increased number of tigers required. However, it might be feasible in a few years once tigerboxes are more popular and the market begins to flood with cheap commodity tigers.

Re:Great Wall of China (2, Interesting)

Necroman (61604) | about 6 years ago | (#23134410)

I do have to say I like your idea of Tigerboxes to keep people out of network, but it makes me think of Ghost in the Shell TV series. In that series they had a concept called an "Attack Barrier" that would attack anyone that dived too deep into something they weren't supposed to be in. It could do anything from kill their connection to killing the person doing the dive.

you're proposing the creation of skynet? (1)

boombaard (1001577) | about 6 years ago | (#23134822)

oh, come on.. haven't you been watching the movies? "dangerous tigers" -> AI who can control and actively/heuristically test for the nature of any intrustion -> give a machine the intelligence and power to shut down/quarantine affected systems -> soon it will start caring about the safety of its own hardware first..
i'll agree that skynet was supposedly created to esnure the efficient and speedy reaction of the USMil in case of an attack, but imagining it as having primarily a defense feature of the network itself doesn't seem that different.

Re:Great Wall of China (3, Funny)

frdmfghtr (603968) | about 6 years ago | (#23135018)

As far as a practical implementation, I imagine that behind the network's regular firewall, one would just place a container of tigers (a "Tigerbox") that way.
Wouldn't you want to use something more recent, like Leopardboxes?

Re:Great Wall of China (0)

Anonymous Coward | about 6 years ago | (#23135482)

Good Idea. As a matter of fact this is alluded to in Gibson's novels as well as Ghost in The Shell Universe. In these environment access to unauthorized systems usually have bad consequences, an energy surge or something that causes the equipment/people connected to get injured or die. We are not there yet, but perhaps someone can integrate these ideas with POE (Power Over Ethernet)

Re:Great Wall of China (1)

ForexCoder (1208982) | about 6 years ago | (#23134350)

History shows that any "fence" or edifice to "security" is almost always, like the Great Wall designed to keep it's citizens in, rather than invaders out.

Keep the government fenced up sounds like a good idea to me.

Re:Great Wall of China (2, Informative)

Radtastic (671622) | about 6 years ago | (#23134358)

I would agree with you, except that this is only about limiting and protecting the users *work* network. As they won't be limiting access to their users' home/private access, I don't think it's an apples-apples comparison.

Re:Great Wall of China (1)

ColdWetDog (752185) | about 6 years ago | (#23135070)

I don't think it's an apples-apples comparison.

Yes, I'm pretty sure they won't try to do this under OS X.

So...the Great Wall of San Diego (1)

Organic Brain Damage (863655) | about 6 years ago | (#23134492)

is designed to keep Americans fenced in? It's not to keep the Mexicans fenced out? Perhaps it is the exception that proves the rule.

Re:Great Wall of China (4, Insightful)

jschottm (317343) | about 6 years ago | (#23134662)

History shows that any "fence" or edifice to "security" is almost always, like the Great Wall designed to keep it's citizens in, rather than invaders out.

First, there is no consensus that the Great Wall was created to keep citizens in, as nice as a soundbyte as it makes. Second, history does not show what you claim it does. Off the top of my head, European castles, the Maginot Line, the fences around U.S. military bases in Vietnam, the fences Israel uses to restrict Palestinian access to Israel itself, and the fences that the U.S. attempts to use at the Mexican border to keep illegal immigrants out are all examples of fences designed to keep the "other" from coming in.

In fact, fences being used to keep _citizens_ in is relatively uncommon. They are most commonly used to keep the "other" out, to mark property lines, or to keep animals, livestock, or children within a certain area.

But in any case, what exactly is your point? That you can compare the actions of a feudal society's relationship to its people to basics of computer security in a pithy two sentence statement and be insightful? Would you also claim that the edifice of WSUS for patch management is another example of the man trying to keep the federal employees down? Your fence analogy doesn't even hold up - this is a _gate_ - designed for deliberate flow to and fro.

The article does specifically state that the monitoring systems are designed to keep certain information from leaving via the internet (whether intentionally or not) but that doesn't indicate that this is some feudal oppression system to choke the minds of federal employees. They are free to use whatever internet provider they wish when they get home, are they not? It's a firewall on steriods designed to protect government computers and data. Don't try to make it into something that it's not.

Re:Great Wall of China (1)

finalnight (709885) | about 6 years ago | (#23134936)

History shows that any "fence" or edifice to "security" is almost always, like the Great Wall designed to keep it's citizens in, rather than invaders out.

How is this any different?

Cheers
Um, you left your tin-foil hat on the table here. K thnx.

Third World (0, Troll)

Post-O-Matron (1273882) | about 6 years ago | (#23134160)

They got the title wrong. It should read: U.S finally joins "The League of Big Brother Regimes"

Re:Third World (1)

ScentCone (795499) | about 6 years ago | (#23135074)

They got the title wrong.

No, you've got your tinfoil hat on too tight. This has nothing to do with private internet access. This is about the IT systems used by the federal government, which currently connect to the internet on 4000 wildly disparate gateways. It's very hard to keep track of that, and to consistently handle the attacks that come in on a regular basis. So, they're very wisely tightening things up. Your comment is just another example of shrill, uninformed, ideallogically fragile whiny nonsense. But thanks for reminding everyone that there are people like you out there. It helps focus the mind on the upcoming election cycle.

Re:Third World (1)

glitch23 (557124) | about 6 years ago | (#23135752)

They got the title wrong. It should read: U.S finally joins "The League of Big Brother Regimes"

You got the point of TFA wrong. This is for the U.S. government only, not for the public at large.

Much easier to block these suckers. (0)

Anonymous Coward | about 6 years ago | (#23134166)

I hope the small list of 50 IP-s will be published sooner than later so that I could easily block these suckers from reading the stuff *I* don't want them to read. Just to balance the censorship.

Re:Much easier to block these suckers. (0)

Anonymous Coward | about 6 years ago | (#23134198)

Kind of useless, something tells me they'll use at least seven proxies. And buy a dog too, probably.

Re:Much easier to block these suckers. (1)

x_MeRLiN_x (935994) | about 6 years ago | (#23134524)

I would assume internet traffic is spied on at the ISP rather than at the endpoint. Think about it; a whitelist approach to allowing access would render wiretaps impossible if what you are saying were correct.

DoS??? (4, Interesting)

DNAGuy (131264) | about 6 years ago | (#23134182)

Wouldn't this make DoS easier, not harder?

Re:DoS??? (2, Informative)

Joe The Dragon (967727) | about 6 years ago | (#23134236)

It will make inter network traffic overloading easy as well as alot of stuff will have to be push down smaller links. Also I hear that they also want to get rid of the update and other severs at each site as well. So you will have 1000's of systems pulling down updates over a small link over having a sever do it at each site.

Re:DoS??? (3, Interesting)

MiniMike (234881) | about 6 years ago | (#23134258)

With all of the traffic that's going to be funneled through them, would a DoS be necessary?

Re:DoS??? (4, Interesting)

v1 (525388) | about 6 years ago | (#23134418)

It would certainly reduce the number of machines to target, but if 50 machines are to cover the duties of 4,000, you know they will have some horsepower. The obvious reality is it will be a distributed load system, so each of those 50 gateways will be an entire building of machines.

Nothing new here really. Most of those 4,000 gateways are already at least several racks of hardware. I doubt that the vulnerability to distributed attacks will go up as a result of lowering the number of vectors. If anything, having 50 standardized and more carefully monitored gateways will probably further harden them against attacks. (is YOUR gateway patched?)

Of course the other viewpoint is if all 50 of them are being administrated by the same group or a group under central control, when a vulnerability DOES surface, (and they alway so) they will probably ALL be vulnerable since they are standardized.

Assuming they have their heads screwed on straight, they will at least be using somewhat of a variation of several hardware and software vendors to prevent this. As it is now, if a serious problem is discovered in a high end bit of router hardware, it may force downtime on maybe 300 gateways while traffic routes around them. If all 50 are using the same, what do you do then? Flip the kill switch and take down the entire country's internet whilst you fix it?

I want to hear that phonecall. "Hello, Cisco. We're calling in regard to this morning's zero-day bug 433-86b in regard to your model 822 enterprise gateways. We're down, we need a fix now. No, DOWN. The entire country. Yes, really."

I'd be interested to know how China handles their great firewall. Are there details posted anywhere? Somehow I don't think they'd terribly mind taking down the entire country's internet for a day or two for national security though. (and "for reasons of national security" is very loosely interpreted in China it would seem)

Re:DoS??? (2, Informative)

dreamchaser (49529) | about 6 years ago | (#23134648)

Um, they are not talking about the nation's Internet. They are talking about civilian Government agencies and their Internet connections. Even IF they had to 'take the whole thing down', it would just mean that US Agencies would be offline until it was fixed. Inconvenient, yes, but hardly 'the entire country'. Heck, I'd be willing to bet that productivity within said agencies would go UP while the links were down!

Re:DoS??? (3, Funny)

ColdWetDog (752185) | about 6 years ago | (#23135100)

Heck, I'd be willing to bet that productivity within said agencies would go UP while the links were down!

A truly excellent idea. When (if) they finish this project, it should be pretty trivial to have an "Internet-free day" at Government agencies. No Dilbert! No Slashdot! Just actually do something!

On second thought, this may not be such a good idea. Carry on.

Re:DoS??? (2, Informative)

jschottm (317343) | about 6 years ago | (#23134560)

Wouldn't this make DoS easier, not harder?

Sort of. While there would be fewer targets, in theory the gateways would have very high levels of connectivity, resources, and knowhow behind them that might not exist with smaller agencies doing their own thing.

More importantly, think in terms of what the attacker is trying to do with a DoS and what the US government is attempting to do with the network. DoS attacks are frequently used as an extortion technique. This obviously won't work against the US government - even if the attack worked, there's no way the administration would lose face by paying to have it ended.

Another common use is to attempt to do damage to the target's ability to do work. In this case, the government branches would still be able to communicate with each other, both through the non-internet secure networks and because they could cluster behind their series of gateways. Information flow to the internet might be interupted but the crucial data could still get through. They would also have the ability to bring up alternative connections to the internet from the gateways in order to restore outgoing access to the internet. It's relatively easy to DoS a small company's ability to do work by attacking their internet connection. When you're dealing with something the magnitude of the federal government and the number of alternative networks available, it's very hard to do the same level of damage. Many critical things have to be designed to still work if the internet were to go offline for whatever reason.

The terrorists win again! (-1, Troll)

rotohammer (859842) | about 6 years ago | (#23134192)

Finally, the Govt itself will feel the pain of their own stupidity. Whats the difference if they have 50 firewalls or 500? This is what the terrorists want: to make working at Govt. agencies less enjoyable by cramping their internet access while making them waste millions implementing it!. Now for the reality: There are no terrorists. The goal is to make more money for contractors. We Americans foot the bill all the way. Its all a big lie, either you believe it or you go along with it to reap the benefits. Yes, 911, the pretext for all this, was an inside job!

Re:The terrorists win again! (2, Informative)

rootpassbird (1276000) | about 6 years ago | (#23134406)

Now for the reality:There are no terrorists.
Yes, 911, the pretext for all this, was an inside job!
Surely, you jest my friend!
The next thing you would say is that Pearl Harbor was allowed deliberately to throw the bomb at 'em Japs or that Hilter was a puppet of the US and the entire WW-2 was pre-planned albeit apparently sketchily - you know the routine elite-versus-commoner struggles that lead to "war and strife"
These things sound like good gossip material but are not so much verifiable.

Re:The terrorists win again! (1)

Zombie Ryushu (803103) | about 6 years ago | (#23134500)

9/11 was not an inside job. A small band of Islamic fanatics really did hijack some airplanes and fly them into buildings. Now....

Couple things. They don't have the technology to conquer the west. They don't. We know that. The leaders of the USA know that. We both out number and out gun them. If we really were as threatened by [the Muslims] as the media says, lets evaluate what would happen.

Navy Seals would be dispatched to seize every oil facility in Saudi Arabia. After that. We would carpet bomb and drop fuel air bombs on Saudi Arabia, Iraq, Iran, Yemen, Sudan, Pakistan, and Afghanistan until there was no one left alive.

But we didn't. We didn't because we don't need too and we know it.

Re:The terrorists win again! (1)

Hal_Porter (817932) | about 6 years ago | (#23134584)

Yeah because the only sort of threat possible against the US is one from a sovereign state. Non state actors can't possibly organise terrorist attacks.

Neither 9/11 or the 7/7 bombings in London nor the Madrid train bombings killed anyone. Since the governments of Muslim countries are not formally committed to attacking America, there is no threat whatsoever.

Actually I think the US would be a lot safer if it was a conventional war against a state, as you say the US would win that in a matter of hours.

Re:The terrorists win again! (1)

Zombie Ryushu (803103) | about 6 years ago | (#23134634)

I said they can't conquer us, I didn't say that they couldn't kill a bunch of people and make our lives miserable. Two different things.

Re:The terrorists win again! (0)

Anonymous Coward | about 6 years ago | (#23134668)

If you want to add some intellectual rigor to your argument you should read Eros and Civilization. It was written in the 50s but it has become more applicable over time, not less (the mark of work worth paying attention to).

Re:The terrorists win again! (1)

afabbro (33948) | about 6 years ago | (#23135576)

Because a philosophical critique of psychoanalysis is so relevant to a discussion of network firewall topologies...

Re:The terrorists win again! (2, Insightful)

glitch23 (557124) | about 6 years ago | (#23135806)

Finally, the Govt itself will feel the pain of their own stupidity. Whats the difference if they have 50 firewalls or 500? This is what the terrorists want: to make working at Govt. agencies less enjoyable by cramping their internet access while making them waste millions implementing it!. Now for the reality: There are no terrorists. The goal is to make more money for contractors. We Americans foot the bill all the way. Its all a big lie, either you believe it or you go along with it to reap the benefits. Yes, 911, the pretext for all this, was an inside job!

Why does reducing infrastructure equipment have to imply reducing functionality? You obviously don't understand the concept of consolidation. Reducing the # of devices reduces the amount of time managing and monitoring the devices. It makes managing the network easier because firewall rules can be consolidated and made simpler, along with other types of rules used throughout a network. Reducing the # of gateways to the outside world for a gov't agency or network also makes it more secure. People using those networks and the resources outside those networks can still get to those resources but those who maintain that infrastructure can better make sure it is done efficiently and more securely since they have less equipment to worry about.

This is a massive undertaking. I'm working on a consolidation right now for just one of these networks and it is just horrendous what we are up against. The government doesn't always have the same standards of documentation as contractors do which makes it even more unfair for the contractor who comes in to fix what isn't actually broken but it makes you wonder how it works in the first place given the spiderweb that exists. Now for the reality: It isn't about terrorists at all. It is about reducing cost for the taxpayers, THAT'S YOU, if you are a U.S. tax payer. Yes there are costs upfront but why would you be against spending money upfront for much greater savings down the road?

New bureaucratic excuse (1)

Edgester (105351) | about 6 years ago | (#23134240)

And now we have a new excuse for the bureaucracy: "Our web site is down because agency XYZ won't let us use the Internet we subcontracted from them."
I've worked in a bureaucracy for a few years. The main reason for proliferation is because of disputes between departments, whether for poor service or arrogant management or both.

Blocklists (2, Funny)

kylehase (982334) | about 6 years ago | (#23134278)

In other words, please remove those 4000 IP addresses from your PeerGuardian/firewall blocklist.

Re:Blocklists (0)

Anonymous Coward | about 6 years ago | (#23134382)

4000 Gateways does not equal 4000 IPs. Since it is the government and they funded the development of the internet, I am sure that they have quite a few more IP addresses(millions?)

Hopefully this will work out better (5, Informative)

Anonymous Coward | about 6 years ago | (#23134298)

Than the whole US Senate machine level of security:
Netcraft [netcraft.com]
When the U.S. Justice Department stepped up its investigation of cybercrime, it found spam originating from an unexpected source: hundreds of powerful computers at the Department of Defense and the U.S. Senate. The machines were "zombies" that had been compromised by hackers and integrated into bot networks that can be remotely controlled to send spam or launch distributed denial of service attacks.
(this link also mentions the older Republican access of the Democrat fileserver)

Re:Hopefully this will work out better (2, Funny)

iamsamed (1276082) | about 6 years ago | (#23134368)

hundreds of powerful computers at the Department of Defense

So THAT explains all of the 'enlarge your gun' spam!

What does gateway limiting *really* help? (1)

SLOGEN (165834) | about 6 years ago | (#23134326)

The "gateway" methodology splits the world into inside and outside, not a usefull split, since there are *always* bad guys on the inside.

However, it nicely ensures that spendings on hosting and applications is filtered through a limited number of suppliers, reducing competition and stifling innovation -- the american way ;)

--
Helge

Re:What does gateway limiting *really* help? (4, Interesting)

OeLeWaPpErKe (412765) | about 6 years ago | (#23134442)

No this really helps. This will *really* help a lot with dumb bad guys on the outside (like, say the storm botnet).

If the connections between different departments are also forced to go through only these 50 departments, that would ensure a further layer of protection.

It is *much* easier to defend a centralized infrastructure (like this) then to defend something random.

This is the same like in real life. Defending a castle is much simpler than defending the village. Yes castle failures are more spectacular and do more damage, but they occur so much less that it's worth to build them anyway. Breaches in the security of a "village" are constant, unfollowable and you cannot prevent them.

So from security standpoint ... good move !

Re:What does gateway limiting *really* help? (1)

mikkelm (1000451) | about 6 years ago | (#23134448)

That's like dismissing the entire concept of border security because there are illegal immigrants in the country already. That's pretty stupid in any way you look at it. If you want network security to work, you need your domain to have clearly marked perimiters that you can effectively control.

Suggesting that government contracts stifle innovation simply because of their size is also ridiculous. The government is a large entity, but by no means the only one. In fact, consolidating and centralising capacity and expenditures, is exactly what the government should do. It lowers cost for the private sector, and it'll lower cost for the government. You don't want a wasteful government.

Re:What does gateway limiting *really* help? (1)

jschottm (317343) | about 6 years ago | (#23134502)

The "gateway" methodology splits the world into inside and outside, not a usefull split, since there are *always* bad guys on the inside.

The "gateway" methodology is the basis for pretty much all security, physical and computer. How do you think security on a military base works? You keep out people who aren't supposed to be there. It doesn't mean that someone who is supposed to be there isn't working contrary to your best interest, but it eliminates a bunch of the low hanging fruit so you can focus your effort on the really dangerous ones. The same thing applies keeping hostile external traffic out of your network. An approach doesn't have to be 100% effective to be a cost effective step nor can you say that it's bad to take a step against external attacks because it doesn't prevent internal attacks - it's not meant to. It's just one layer in proper defense in depth.

Everybody's so cynical here (3, Funny)

roystgnr (4015) | about 6 years ago | (#23134380)

But just give it a chance! I hear the new Maginot-brand routers are great.

Re:Everybody's so cynical here (1)

AHumbleOpinion (546848) | about 6 years ago | (#23134694)

But just give it a chance! I hear the new Maginot-brand routers are great.

You do realize that there was nothing wrong with the Maginot line itself, that the problem was that it only ran the French/German border and did not include the French/Belgium border since Belgium was a friend and it would be insulting to arm that border? The Germans simply invaded Belgium on their way to France.

Or has the government said that only 4,000 of the 5,000 gateways will go behind the new line since the remaining 1,000 aren't currently giving them any problem? Perhaps I missed that. :-)

One could lead to the other... (4, Interesting)

Cheerio Boy (82178) | about 6 years ago | (#23134390)

Hmm...TFA says it's obviously only for the government networks but quite honestly what's going to stop them form going farther?

After they do a project this large for their own network they'll have the experience necessary to do this across the board.

If they do that at the major trunks running in/out of the US that pretty much would be the end of unmonitored access for anybody on the 'net in the US. (Not like ISPs in a lot cases aren't logging stuff now but there's a big difference between that and a government run filter.)

Regardless it certainly bears keeping an eye on this to make sure it doesn't show signs of creep or expansion beyond government use.

Re:One could lead to the other... (2, Interesting)

the_raptor (652941) | about 6 years ago | (#23134858)

And you think they aren't monitoring the international connections already? ECHELON has been around for years. Just because they can tap something doesn't mean the computing and storage power exists to do anything useful with that data. And this project doesn't change that at all.

My country (Australia) has only a handful of international links (I think it is around five), and it is still improbable that a Government could monitor all that data. They can filter out everything but "persons of interest", but that is just as easy with a local tap.

Monitoring the internal US net would be far more interesting to the authorities, but that is already largely multiplexed at the backbone links. Haven't you read the stories of whole regions of the US having no/poor net connection because one backbone went down and the secondary (and maybe tertiary) got saturated?

Again this project has no application. The Internet is not some ubiquitous cloud, it still largely follows the highly structured trunk and root system of telephony.

Re:One could lead to the other... (1)

Cheerio Boy (82178) | about 6 years ago | (#23135304)

I wasn't referring to just monitoring but filtering as well.

The whole point was that if they go through all the hurdles to learn how to combine all these networks into 50 from 4000 and then filter/restrict that they will have learned how to do that on a larger scale.

From that point it is just a matter of having the covert/overt funds and media spin for the project.

I don't deny that monitoring is already occurring. As you said ECHELON has been around for years.

But if they were to restrict the trunks it would allow them to do things like...say...censor complete legs of the world network that people can get to in the US.

Granted that would only last long enough for the average person to learn to use proxies or encrypted connections or something similar but it wouldn't stop them from trying it.

And the US government has done stupider things in the past...

Einstein software ??? (0)

Anonymous Coward | about 6 years ago | (#23134408)

Only the Department Of Homeland Security could come up w/ a name like this. They probably think he was one of the original 3 Stooges.

Some Generals Were Getting A Tour Of The Internet (1)

MichaelCrawford (610140) | about 6 years ago | (#23134414)

At one of the big backbone facilities. The guy who gave the tour told use about it when I took his security course at Interop back in '89.

At the time there were only seven connections between the Internet and the MilNet. One of the generals asked how they could be disconnected in times of war.

Before their guide could answer, another general piped up with "Explosive bolts".

Q_Q (0)

Anonymous Coward | about 6 years ago | (#23134420)

Oh, how sad. Looks like Bush's BitTorrent download speeds are going to suffer.

Now it's gonna take DAYS to finish downloading that steamy video of Hillary Clinton!

Performance will be awful (1)

JWW (79176) | about 6 years ago | (#23134444)

This plan won't work. 50 gateways is too few the performance will suck profoundly. 4000 to 50 just doesn't work.

Imagine if bittorrent decided to say "screw the distributed client model", we'll just host 50 giant sites with all the files stored on them. Yeah, that just wouldn't work....

Re:Performance will be awful (1)

AHumbleOpinion (546848) | about 6 years ago | (#23134740)

This plan won't work. 50 gateways is too few the performance will suck profoundly. 4000 to 50 just doesn't work.

You sure? Maybe the folks at Internal Revenue, Social Security, etc don't need to be reaching rich media content outside the federal network and the federal network does not need to host rich media content for citizens from inside the federal network?

Re:Performance will be awful (1)

c6gunner (950153) | about 6 years ago | (#23134762)

This plan won't work. 50 gateways is too few the performance will suck profoundly. 4000 to 50 just doesn't work. Imagine if bittorrent decided to say "screw the distributed client model", we'll just host 50 giant sites with all the files stored on them. Yeah, that just wouldn't work....
Nonsense. Have you ever seen a google data center? All Google functions are provided by a grand total of 36 (known) data centers - only 19 of which are in the US. And I can pretty much guarantee that Google processes more page requests on a daily basis than does the US Military.

So far you've only offered your personal incredulity in order to ridicule the idea - how about providing some technical data as to why "the performance will suck profoundly"?

How secure will these gateways be? (1, Insightful)

Anonymous Coward | about 6 years ago | (#23134480)

Will you have to take off your shoes and give up your toenail clipper before you can use these gateways? That's how you get real security these days.

Say what now? (1)

TubeSteak (669689) | about 6 years ago | (#23134484)

Because the back-end databases contain proprietary information that could be private or even classified, the back-end networks need additional protection to fend off hacking attempts from outside. A separate layer of firewalls inside each agency's network will provide security by insulating the back-end systems from the rest of the network, Bradner said.
Since when was classified data allowed to be anywhere near an internet facing computer?
Are they abandoning the airgap policy or something?

single points of failure (1)

shokk (187512) | about 6 years ago | (#23134486)

Bringing everything down to fewer single points of failure sounds like a good way to make DoS attacks more successful. Hopefully they intend on having each of these gateways redundant out the wazoo.

There must be 50 ways to hax0r your server (1)

palewook (1101845) | about 6 years ago | (#23134556)

"The problem is all inside your router", the chinese said to me. The answer is easy if you brute it logically. They'd like to help you with some information for free. There must be fifty ways to hax0r your server

clarity (1)

owlnation (858981) | about 6 years ago | (#23134630)

I think roughly once per day there's an headline on /. that is indecipherable. One that either makes no sense whatsoever, or is so specialized, or is so badly written, as to give no clue as to what the actual article is about.

And this is today's.

Re:clarity (0)

Anonymous Coward | about 6 years ago | (#23134670)

i knew what it meant. noob.

Sudden Urgency After 7 Worthless DHS Years (1)

Doc Ruby (173196) | about 6 years ago | (#23134680)

'The timetable is aggressive,' he said, but now there is a sense of urgency behind the program


After 7 years bleeding us all dry, making us more endangered, lying to us, wasting our time and squandering our advantages against our many real enemies, suddenly Homeland Security has "a sense of urgency"?

They're just going to spend as much money as they possibly can in the last 8 months Bush/Cheney control the Executive, all sent to their cronies, grabbing more power and cutting off as much communications inside the government as they can. They're going to botch this huge job to screw over the government's ability to even connect to the Internet, and the public's ability to connect to it, so the next administration will be locked out when it tries to govern the Bush crony empire that's returned to the private sector for their great reward.

Why should the last 8 months of Bush/Cheney be any different from the first 88 months?

Re:Sudden Urgency After 7 Worthless DHS Years (1)

ColdWetDog (752185) | about 6 years ago | (#23135162)

Why should the last 8 months of Bush/Cheney be any different from the first 88 months?

1) It's a much shorter period of time and
2) It's the last damn time.

Progress as Promised!

Gateways? (1)

lattyware (934246) | about 6 years ago | (#23134754)

Honest to god, I read that and though the US government were going to have 50 old gateway computers. I was like, WTF?

circling the wagons around texas (1)

david_bonn (259998) | about 6 years ago | (#23134918)

One of the problems is that barrier security has diminishing returns as the size of what you are barricading gets bigger.

You wear clothes. Your house probably has a bathroom door. But Seattle or San Diego are probably too big and too intertangled with the world to use perimeter security in a big way, much less large countries with land borders.

Doesn't this mean (1)

koan (80826) | about 6 years ago | (#23134952)

There are now onyl 50 targets to take out the entire government network system? Based on how many trojan scans I get from .gov IP's I would say their grasp of network security is slim at best...so reducing the number of gateways to 50 seems like a giant "hack me" sign.

Am I wrong about this?

They should have the TSA run things (0)

Anonymous Coward | about 6 years ago | (#23134974)

You know, get some former fast-food manager, high school 100 IQ jock type to check packets, remove checksums from their feet, belittle malformed ones, etc. That will keep us safe from the terrorists.

As Homer would say: "USA! USA!"

not bugs, features! (1)

byte twine (1276352) | about 6 years ago | (#23134996)

The Bush administration has run a very secretive government--pulling public info off websites, classifying embarrassing info, refusing and stalling in response to requests. So I view this not as back room engineering changes, but as a plan to control the information the federal agencies release to the public, with the goals of restricting and filtering out many things now public.
If you look at it this way, many of the drawbacks of the plan (if the goal was to provide info to the public) become features.

Waivers. Lots of waivers. (2, Interesting)

mbone (558574) | about 6 years ago | (#23135096)

I see lots of waivers coming out of this. Let me guess - no additional funding will be provided to the "Small agencies that won't qualify for their own connection". Let me also guess - certain well connected companies will be doing the 50 gateways !

When the DOD did this, no new money was provided for the switch, vendor "H" was the only source of outside assistance, at their usual outrageous prices, and everyone who could waivered out.

Wifi Point-to-Point Links? (1)

grilled-cheese (889107) | about 6 years ago | (#23135178)

I'd like to see the government try to stop all the wifi Point-to-Point antenna pointed across the Rio Grande or the Canadian Border.

I guess we'll have to add create a big rf fence or create a wifi border patrol.

Everyone already took the others. (1)

Neoprofin (871029) | about 6 years ago | (#23135688)

It's normal /. policy not to RTFA, but you didn't even read the summary. Please try harder.

The government is cutting down the number of gateways to the government network, this has nothing to do with the rest of the US' private access. If you had said for example:

"I'd like to see the government try to stop all the wifi Point-to-Point antenna pointed across the street (to private unsecured gateways) or accessed at home using their government issue laptops."

you would have been insightful, but as it stands you (and at least 20 other people) addressed a question that no one asked.

Existing Consolidation Already a Problem (0)

Anonymous Coward | about 6 years ago | (#23135356)

Speaking from experiences with the already consolidated systems, instead of a system issue affecting 50 researchers in an office, it affects 5,000 researchers in a region. This means that often times researchers are having to switch to back channels for simple task such as email because their internal systems are unreliable. This actually ends up reducing the security of systems because researchers end up relying on services that the government doesn't control. These policies are torn between the money savings of outsourcing and the justified policy of not outsourcing government systems, so they hire 5 system administrators from IBM to do a 50 person job. Everyone ends up losing out.
Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...