
Feds Move to Secure Net

CmdrTaco posted more than 11 years ago | from the can-i-have-a-static-ip? dept.


An anonymous reader writes "eWeek reports:The Cyber Warning Information Network, a key part of the Bush administration's National Strategy to Secure Cyberspace, will use a secure, private IP network separate from the public Internet, according to officials. The government currently has seven nodes running, said Marcus Sachs, director of communications infrastructure protection at the Office of Cyberspace Security, in Washington."

137 comments

firstpost (-1, Troll)

Anonymous Coward | more than 11 years ago | (#5483393)

first post?

Infinite MEta-moderation (-1, Troll)

Anonymous Coward | more than 11 years ago | (#5483394)

Damn, I HAVE infinite meta-moderation points!

I Wanna a 'Willing to Meta-moderate' checkbox in my user page!

Use them for good (0)

Anonymous Coward | more than 11 years ago | (#5484335)

Mark everything as "unfair" in metamod. That will reduce the credibility of the "good" moderators (those who mod down trolls), giving the points to others who would use them for "evil" (upmodding trolls).

It's all about decreasing the signal-to-noise ratio. Do your part! Embrace metamoderation as a trolling weapon!

I would hope so (5, Informative)

Blaine Hilton (626259) | more than 11 years ago | (#5483395)

Many companies have data centers in multiple locations with private lines connecting them. I would have hoped the government would have thought of this much sooner. Reminds me of a few months ago when they were saying the FBI has not been able to hire many computer experts because they could not pass the required physical tests.

Re:I would hope so (5, Funny)

gbjbaanb (229885) | more than 11 years ago | (#5483407)

don't forget that those physical tests are 'standing up straight', 'sitting still without fidgeting', and 'looking at things outside without squinting'.

It's a good job they didn't do psychological tests too - 'talking to other people without using IM' - or they'd have no computer experts at all!

Re:I would hope so (5, Interesting)

MnO-Raphael (601885) | more than 11 years ago | (#5483413)

Physical separation of networks _is_ widely used among government and military networks. The reason being very simple: It's the only cost-effective way to guarantee security.

However, even if you lease a private line it would still be in control of a third party, the telephone company for instance. In these cases cryptographic hardware is used to secure the channel.

Re:I would hope so (0)

Anonymous Coward | more than 11 years ago | (#5483514)

Physical separation of networks _is_ widely used among government and military networks. The reason being very simple: It's the only cost-effective way to guarantee security.

In corporate networks too. We have a "red" net, which connects directly to the outside world (well, it's NAT'd), the internal network with a private IP address space, which has a proxy server for HTTP and a mail gateway, but is otherwise isolated from the Internet, and a third network for the exclusive use of corporate security.

Re:I would hope so (1)

Martigan80 (305400) | more than 11 years ago | (#5483416)

Reminds me of a few months ago when they were saying the FBI has not been able to hire many computer experts because they could not pass the required physical tests.

Yeah, just like once a Marine, always a Marine. No matter what job you do, officer or grunt, you're still infantry. Anyhow, with the budget as is and a limit to how many agents they can have.

Re:I would hope so (1)

daveatwork (655626) | more than 11 years ago | (#5483435)

"FBI has not been able to hire many computer experts because they could not pass the required physical tests." Well, we all know that computer boffins tend to lie on the chubbier side, but what's that got to do with their secure network? :-)

Re:I would hope so (0)

Anonymous Coward | more than 11 years ago | (#5483749)

"Boffins"? Isn't that WW2 era British slang? or is it still current? :-)

Re:I would hope so (3, Informative)

Proaxiom (544639) | more than 11 years ago | (#5484069)

I would have hoped the government would have thought of this much sooner.

They have. NIPRNet and SIPRNet are two 'private internets' used by the US military (for unclassified and classified data respectively). This is just a new special purpose network for the Department of Homeland Security.

They're not pretending it's a novel idea.

So how will they get data in/out ? (4, Interesting)

dew-genen-ny (617738) | more than 11 years ago | (#5483399)

I'd be interested to see how they propose to use this - i.e. is it completely closed, or are there specific hosts that have access to both public and private? Inevitably there's always some host somewhere that compromises this type of idea.

Since their interest is in securing the net as a whole, it's a pity they're not practising what they preach and trying to implement a secure solution over the public 'net. It would be an inspiration for other folks.

Re:So how will they get data in/out ? (4, Funny)

decarelbitter (559973) | more than 11 years ago | (#5483415)

One word: sneakernet.

Re:So how will they get data in/out ? (1)

Talez (468021) | more than 11 years ago | (#5483474)

How about IP over carrier pigeon? [ietf.org]

how about (0)

Anonymous Coward | more than 11 years ago | (#5483583)

a less obvious joke?..

Re:So how will they get data in/out ? (1)

Spunk (83964) | more than 11 years ago | (#5484216)

I know you mean to be funny, but sneakernet is very common in this situation.

Re:So how will they get data in/out ? (5, Interesting)

gbjbaanb (229885) | more than 11 years ago | (#5483432)

almost certainly there will be hosts solely connected to the private network, and never to the public. No doubt this can work for the government who will not allow just anyone to plug a new host in. (perhaps they have a single hosts file ;-)

I think they cannot implement a truly secure solution over the public net as the protocols were never designed with security in mind - ie. anything that happens is a hack or a bodge on top of those insecure protocols. Whilst these may be good enough for you or me in practical terms, the government would want a quantifiably secure system, and the only way you get that is to disconnect yourself from the rest of the world.

There are plenty of systems that do this BTW - I used to work for a company that did credit card processing. They had a single PC connected to the internet and not the lan, all the others were on the internal lan only. I've seen banks not connect to the internet at all.

Thank god I work for a less paranoid company now!
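The question above (how data gets in and out, and whether some host ends up straddling both networks) is the usual failure point of a separate network. As an added example, not part of this thread or of the CWIN design, here is an inventory audit that flags hosts with interfaces in more than one zone; the zone prefixes, hostnames and addresses are all constructed.

```python
"""Audit a host inventory for machines that straddle an isolated network.

Added example (not from the original thread or from any government
network): given a constructed inventory of hosts and their interface
addresses, report every host whose interfaces span more than one zone.
A host with one foot in the isolated network and one anywhere else is
exactly the kind of machine that quietly undoes the separation.
"""
from ipaddress import ip_address, ip_network

# Hypothetical zone prefixes for the example. "isolated" stands for the
# separate private IP network; "corporate" for the ordinary internal LAN.
ZONES = {
    "isolated": [ip_network("10.50.0.0/16")],
    "corporate": [ip_network("192.168.0.0/16")],
}

# RFC 1918 private space; anything else is treated as publicly routable.
RFC1918 = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]


def classify(addr):
    """Return the zone name for one address.

    A configured zone wins; other RFC 1918 space is 'other-private';
    everything else is 'public'.
    """
    a = ip_address(addr)
    for zone, nets in ZONES.items():
        if any(a in n for n in nets):
            return zone
    if any(a in n for n in RFC1918):
        return "other-private"
    return "public"


def audit(inventory, allowed_bridges=frozenset()):
    """Find hosts whose interfaces span more than one zone.

    inventory: {hostname: [interface address, ...]}
    allowed_bridges: hostnames that are expected to be dual-homed
    (e.g. an HTTP proxy or mail gateway) and are therefore skipped.

    Returns a sorted list of (host, severity, sorted zone names).
    Severity is 'critical' when the isolated zone is involved,
    otherwise 'warning'.
    """
    findings = []
    for host, addrs in inventory.items():
        if host in allowed_bridges:
            continue
        zones = {classify(a) for a in addrs}
        if len(zones) < 2:
            continue
        severity = "critical" if "isolated" in zones else "warning"
        findings.append((host, severity, sorted(zones)))
    return sorted(findings)


# Constructed sample inventory (hypothetical hostnames and addresses).
SAMPLE_INVENTORY = {
    "cwin-node-1": ["10.50.1.10"],
    "cwin-node-2": ["10.50.1.11"],
    "analyst-ws-7": ["10.50.2.40", "192.168.4.23"],  # plugged into both LANs
    "web-proxy": ["192.168.1.2", "203.0.113.5"],     # expected dual-homed
    "fileserver": ["192.168.1.20"],
}

if __name__ == "__main__":
    for host, severity, zones in audit(SAMPLE_INVENTORY):
        print(f"{severity}: {host} spans {', '.join(zones)}")
```

Running it as written reports the analyst workstation as critical and the proxy as a warning; passing `allowed_bridges={"web-proxy"}` leaves only the workstation.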

Re:So how will they get data in/out ? (1)

6hill (535468) | more than 11 years ago | (#5483521)

I think they cannot implement a truly secure solution over the public net as the protocols were never designed with security in mind - ie. anything that happens is a hack or a bodge on top of those insecure protocols. Whilst these may be good enough for you or me in practical terms, the government would want a quantifiably secure system, and the only way you get that is to disconnect yourself from the rest of the world.

Amen. Or, as someone said, the best firewall in the world is two feet of air.

Re:So how will they get data in/out ? (1)

Skidge (316075) | more than 11 years ago | (#5483646)

Or, as someone said, the best firewall in the world is two feet of air.

Unless you have a wireless access point set up. :)

Re:So how will they get data in/out ? (2, Insightful)

_Eric (25017) | more than 11 years ago | (#5483554)

Yes my experience is the same in many cases. In one defense company, the only internet-connected machine of a 1000 people sized site was a few machines in the library.

And anyway, in a major computer manufacturer's network, you didn't see much of the internet except through the web proxy and socksified telnets. That's of course the way to go.

If you want real security, you are likely not to want a machine connected to the main power lines as well (tempest protection). I guess an off line UPS does the job.

Re:So how will they get data in/out ? (0)

Anonymous Coward | more than 11 years ago | (#5483843)

There will be some manual access... either via hardware configuration or actual plugs (probably hardware config so it can be managed from the next room). I assume the IT geeks will turn on access to the outside as needed and shut it down immediately afterwards. Or there will be no outside access, but that seems unlikely given that most jobs gain a lot from net access... I mean, how are they going to read Slashdot otherwise?

Re:So how will they get data in/out ? (1)

razeh (192191) | more than 11 years ago | (#5483893)

It will start out as a closed network. They won't be able to move much data in or out because that's one easy way to keep a network secure. An "air gap" is a wonderful thing for computer security.

Then the users will demand access to the rest of the Internet, and they'll add a gateway.

Then it won't be secure anymore.

What's the News? (5, Funny)

Anonymous Coward | more than 11 years ago | (#5483400)

The Cyber Warning Information Network, a key part of the Bush administration's National Strategy to Secure Cyberspace, will use a secure, private IP network separate from the public Internet, according to officials.

TOP STORY: A single government branch sets up an internal network, separate from the internet. Tonight at eleven, find out what kind of routers they bought.

Re:What's the News? (5, Funny)

the uNF cola (657200) | more than 11 years ago | (#5483424)

I think it's akin to having your child say his/her first words. I'm impressed with the gov't. Next thing you know, they'll stop using default passwords ;)

Re:What's the News? (1)

AKnightCowboy (608632) | more than 11 years ago | (#5483566)

I wonder if the new network still uses plain tired old IPv4 or if they're implementing it using IPv6? Someone needs to cut off IPv4 or give a deadline for migration to IPv6 or nobody is ever going to change. It's just too much of a migration headache unless someone says the old net will be shut off. Who better to do that than the government that mandated we must all move to HDTV for no benefit to the citizens?

Re:What's the News? (1)

mattsouthworth (24953) | more than 11 years ago | (#5483776)

I was going to say:

Alternate Headline: Fed Discovers NAT

Re:What's the News? (0)

Anonymous Coward | more than 11 years ago | (#5483854)

Cisco

What? (2, Interesting)

decarelbitter (559973) | more than 11 years ago | (#5483405)

You mean they didn't already have a separate network? Well, I didn't think high of them anyway, but here's yet another reason why.

Re:What? (1)

gl4ss (559668) | more than 11 years ago | (#5483441)

Yeah, I and most posts so far agree.

And I and really any army or bigger company (well, most of them maybe don't have them physically _totally_ cut off from the internet) will have such private networks. You just can't trust that the almighty internet will work on such critical systems, and the whole security side of things too.

Australian Govt does have separate net (1)

wadiwood (601205) | more than 11 years ago | (#5483530)

Well, they did when I worked there. But some of my cow-orkers used to program their user ID and password into the function keys on their terminals. So I guess the security is only human. (Flashes ID card with picture of Mickey Mouse.)

Did you hear the joke about CIA sending Iraq Generals bogus SMS? Hard to do when there is bugger all mobile coverage in Iraq.

I thought the point of the internet was to be so vast as to be unstoppable...

Re:What? (1)

Proaxiom (544639) | more than 11 years ago | (#5484179)

They have more than one private network. There is no overarching government private network, but the DOD itself has two (SIPRNet and NIPRNet).

There isn't really a point to having a single large network, because access would be too hard to control and you'd lose the security benefit. The preferred solution is to deploy multiple independent private networks, each with a special purpose enabling access to be very limited.

That's exactly what this is.

Chicken Little Statists (-1, Troll)

Anonymous Coward | more than 11 years ago | (#5483408)

The people running the Internet can do just fine at securing the net themselves, thank you, without a bunch of gubmint employees mucking shit up, hyping up threats, and expanding their budgets and fiefdoms.

If you're a government employee, you're a parasite on the taxpayers of the private sector. If fuckers like you were forced off your dead asses and out into the streets to compete, maybe taxes and government red tape would ease up so this country could be competitive again in the global marketplace.

Mods on crack! (-1, Troll)

Anonymous Coward | more than 11 years ago | (#5483798)

Either that or we got some waste-of-skin gubmint "workers" (now THERE'S an oxymoron!) with mod points. Whatsamatter? Afraid too many people will start demanding change and your non-stop game of circle-jerk will be over?

bastards (1, Informative)

solidox (650158) | more than 11 years ago | (#5483409)

Either they mean they're gonna use 10.x.x.x or one of their many DoD class A subnets (I think they got 7 or 8). They do not need 16.7 million * 7 IP addresses. This is why there's a global IPv4 shortage, 'cos the bastards at the DoD and other places own most of them.

Re:bastards (0)

Anonymous Coward | more than 11 years ago | (#5483418)

Wouldn't you think that the DoD kinda has a right to them? Seeing as how without funding from them, the internet wouldn't really be what it is today...

Re:bastards (1)

leonardluen (211265) | more than 11 years ago | (#5483818)

You are close... but that should be amended to "without porn the internet wouldn't be like it is today".

Re:bastards (3, Interesting)

mooZENDog (567187) | more than 11 years ago | (#5483457)

this is why there's a global ipv4 shortage, cos the bastards at the DoD and other places own most of them

I think that possibly a more relevant explanation of the IPv4 shortage would be that, because there are so many new nodes being added, a shortage of addresses was obviously going to happen at some point. What with all the mobile phones and other, smaller devices (i.e. embedded systems in Internet-enabled fridges etc.) that are connecting, IPv4 was going to run out at some point.

Besides, ipv6 should sort out that problem... Come 2010 even us poor souls in the UK may have completely switched to the new protocol version. Just in time to see BT finally provide full, half-decent UK broadband coverage (maybe give it a few more years though eh) :)

Re:bastards (3, Interesting)

Anonymous Coward | more than 11 years ago | (#5483522)

Heck, it's not the DoD that has all those IPs tied up! It's the universities! I don't know how many times I've come across colleges with a whole Class B, and every single PC has a routable address. And since only the very largest ones have anywhere close to 64K nodes, the vast majority of their space is just plain empty.

You want to make IPv4 last another decade? Take back all the colleges' IP blocks, make them use a single Class C with NAT-ing.

Re:bastards (2, Insightful)

6169 (318124) | more than 11 years ago | (#5483615)

You are right in that most colleges are assigned more address space than they use. My school of 1600 has a handful of class C nets, and maybe 30 systems that actually need to be routable.

I disagree that forcing them to squeeze into less space is going to buy much of an extension to ipv4, however. In fact I think it's the wrong idea entirely. Any system where saving address space is such a high priority needs to be changed, especially since an alternative already exists in ipv6.

Even forcing all the schools to use a Class C network would buy only a few hundred million addresses, which is a drop in the pond at the rate that the net is growing worldwide, what with phones, PDAs, and toasters needing their own network connections these days.

Re:bastards (1)

sqlrob (173498) | more than 11 years ago | (#5483657)

Even forcing all the schools to use a Class C network would buy only a few hundred million addresses, which is a drop in the pond at the rate that the net is growing worldwide, what with phones, PDAs, and toasters needing their own network connections these days.

And why can't those PDAs be NAT'ed through their provider?

Re:bastards (1)

6169 (318124) | more than 11 years ago | (#5483674)

They probably could be. I'm sure 99% of systems on the 'net could be NATed and not even notice. But let's pretend that we had enough addresses to make your PDA or phone routable. Wouldn't it be cool to run a webserver on your phone? Or to access your PDA's calendar (left on your desk, of course) from work via ssh or IP?

Re:bastards (0)

Anonymous Coward | more than 11 years ago | (#5484254)

No, I'm pretty sure the reason for the global IP shortage is because there are only 4 billion of them to go around. I'm taking up 255 of them. Sucker.

Fulltext for offline browsing & quickref'ing (5, Informative)

Anonymous Coward | more than 11 years ago | (#5483410)


from http://www.eweek.com/article2/0,3959,922570,00.asp

March 10, 2003

Feds Move to Secure Net

By Dennis Fisher

SAN DIEGO--The White House and the new Department of Homeland Security have begun in earnest the process of implementing the plan to secure the nation's critical networks--starting with extensive changes in the federal security infrastructure.

The most significant move is the development of a private, compartmentalized network that will be used by federal agencies and private-sector experts to share information during large-scale security events, government officials said at the National Information Assurance Leadership conference here last week.

The system is part of the newly created Cyber Warning Information Network, a group of organizations including the National Infrastructure Protection Center, the Critical Infrastructure Assurance Office and others that have some responsibility for the security of federal systems. The private-sector Information Sharing and Analysis Centers will also be included.

The Cyber Warning Information Network, a key part of the Bush administration's National Strategy to Secure Cyberspace, will use a secure, private IP network separate from the public Internet, according to officials. The government currently has seven nodes running, said Marcus Sachs, director of communications infrastructure protection at the Office of Cyberspace Security, in Washington.

Sachs, speaking at the conference here, which was put on by The SANS Institute, pointed to last week's handling of the critical vulnerability in the Sendmail Mail Transfer Agent package as a prime example of how such back-channel communication between vendors, researchers and the government can help protect end users. Researchers at Internet Security Systems Inc., in Atlanta, discovered the vulnerability in mid-February and immediately notified officials at the White House and the Department of Homeland Security.

The government quietly spread the word among federal agencies and, along with ISS, began contacting the affected vendors. After the vendors developed patches, the fixes were deployed quickly on critical government, military and private-sector machines before the official announcement of the vulnerability.

However, some in the security community say that until the CWIN is fully operational and proven, they'll continue to use existing methods.

"I would not have used CWIN for Sendmail. There are too many questions about something that has not been fully deployed," said Pete Allor, manager of the threat intelligence service at ISS and director of operations at the Information Technology ISAC. "I'd like to know who I'm transmitting information to and the rules for dissemination.

"My two biggest concerns are having private-sector information on a government network and if Congress withdraws the [Freedom of Information Act] exemption, there won't be any reason for private companies to use [the CWIN]," Allor said. While speculation exists, to date no bill has been introduced to remove the FOIA exemption in the Homeland Security Act.

As part of the plan to improve security, the CIO of each federal agency is, by statute, now accountable for the security of that agency's network. This is a significant change, considering the lack of responsibility permeating government security efforts.

"This is the first time this has ever happened," Sachs said. "It used to be that it was their job, but they just said, 'Yeah, I guess we're secure.'"

The internal structure of the government's security apparatus is also undergoing some major changes, officials said. The President's Critical Infrastructure Protection Board, formerly part of the Office of Cyberspace Security, is now part of the Homeland Security Council. But that may not be where it ends up. There are indications that the board may end up as part of the Department of Homeland Security.

what took so long? (3, Interesting)

turtle-spin (555326) | more than 11 years ago | (#5483411)

Not being overly experienced myself in design of infrastructure for critical and data-sensitive systems, surely this sort of thing is not the newest idea in the book. I would have thought most agencies would already have "critical" and "secure" networks in place to deal with emergency situations like mass DDoS or vulnerability attacks, especially with all the paranoia for the last 5 years or so about cyberterrorism.

Money (1)

Detritus (11846) | more than 11 years ago | (#5483840)

Contrary to popular belief, most federal agencies don't have steamer trunks full of cash in the basement, in case they need to buy some more $900 toilet seats. Just putting a PC on everyone's desk with a LAN connection is either still a goal or a recent accomplishment at many agencies. There are a substantial number of closed Internets that are used for handling classified or mission-critical information. Generic Internet access is still classified as not being mission critical, even though the government is rapidly becoming more dependent on email and services/information delivered over the web.

And this wasn't in place before? (4, Funny)

smoon (16873) | more than 11 years ago | (#5483412)

The company I work for has had a 70+ node WAN with separate IP address space from the Internet for about 5 years, and before that a 6-7 node WAN running IPX.

This seems so utterly obvious that I'm completely mystified as to why this is a news-worthy article. Or is this just a joke?

Yippee! The feds have an 'intranet'. I hope I don't pee my pants with excitement!

if true : do stuff; (5, Funny)

watzinaneihm (627119) | more than 11 years ago | (#5483419)

1 Start a network for army
2 Open it to Universities
3 Open it to everyone
4 Watch while "terrorists" start to spread viruses on it
5 Start network for the Feds
.....Rinse and repeat.

Re:if true : do stuff; (2, Funny)

Anonymous Coward | more than 11 years ago | (#5483434)

You forgot:

6 (Warning: Unreachable code): Profit!

Also, they'll use decimal IPv4 addresses -- which would explain a lot about the Uplink game [introversion.co.uk] ...

Hey! (1)

Spunk (83964) | more than 11 years ago | (#5484190)

I'm claiming prior art [slashdot.org] . (Also see Parent)

Re: hey easy with the terrorist word (1, Insightful)

Anonymous Coward | more than 11 years ago | (#5483612)

Go easy on the terrorist word. If you keep tossing that word around, freely applying it to everyone, pretty soon domestic protests will be labeled terrorist gatherings and other bad stuff might result. I don't condone releasing worms, but it's not terrorism. I'm not terrorized when my web logs fill up with Code Red, just irritated.

Something already there? (4, Interesting)

stroudie (173480) | more than 11 years ago | (#5483420)

I find it surprising that this doesn't exist already - surely this is something like a slightly shinier version of UK Government Secure Intranet [cw.com] which has been operational for some time.

Surely the US government has something equivalent...?

That's handy! (1, Funny)

Anonymous Coward | more than 11 years ago | (#5483423)

Now if terrorists want to attack american government, we can still download porn at full speed :)

US Military already has its own private network (5, Informative)

ItaliaMatt (581886) | more than 11 years ago | (#5483425)

The military has its own private and secure data/voice network. They have their own private IPs and everything. Any time people working on the unclassified network need to move data to the classified network, they have to use "sneaker-net" and make damn sure the data isn't infected with a virus. Perhaps this is what the Department of Homeland Security is modeling its data network after.

Re:US Military already has it's own private networ (1)

mason127 (547465) | more than 11 years ago | (#5484136)

Wireless excepted, air is still the best firewall.

Hmm. (2, Funny)

twiztidlojik (522383) | more than 11 years ago | (#5483429)

Wonder if they're testing the TIA project on their intraweb ;)

SIPRNET / NIPRNET , jerky... (4, Insightful)

fire-eyes (522894) | more than 11 years ago | (#5483447)

Uh, look up what SIPRNET and NIPRNET are... been around for a long long time...

Re:SIPRNET / NIPRNET , jerky... (1)

taliver (174409) | more than 11 years ago | (#5483711)

(Thank God for typeahead find in Mozilla, I was just about to post this...)

Anyway, I think the somewhat big news here is that non-military agencies will be moving to the SIPRNET. And switching over more "routine" communications to these systems has to be a good thing for a variety of reasons.

And for those too lazy to google, here's a link [fas.org]. SIPRNET is designed to encrypt and send traffic, and they use their own wires and relays. (Although I can't swear that they don't use some of the commercial wires as well.)

Sweet... (1)

MrFreshly (650369) | more than 11 years ago | (#5483462)

How much is this NEW RRRRREVOLUTIONARY idea going to cost us?

And what are they doing about the OS they run in this new playground?

We must secure the net! (1)

jabex (320163) | more than 11 years ago | (#5483466)

Guess I was the only one who read it like that... shew.

"Oh my god... the Feds are taking control of the net?! What the hell is happening? What about my pr0n?!"

rfc1918 (1)

martin (1336) | more than 11 years ago | (#5483478)

finally starts implementation in US govmt networks - film at 11... :-)

New record of /. inactivity (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5483479)

Feds Move to Secure Net
Posted by CmdrTaco on 12:45 Tuesday 11 March 2003


Developers: Linus Comments on SCO v IBM
Posted by CmdrTaco on 4:34 Tuesday 11 March 2003


Wow, 8 hours and 9 minutes between two successive posts. This must be a record.

Re:New record of /. inactivity (0)

Anonymous Coward | more than 11 years ago | (#5483491)

Sorry, 11 minutes.

You mean... (1)

mivok (621790) | more than 11 years ago | (#5483485)

They're gonna change the IP of all _7_ computers to 10.0.0.blah and unplug the modem. Wow... a really innovative idea... why didn't I think of that? Oh wait... I did! Seriously though, even with a network completely separate from the internet, there will inevitably be a need to connect to the network from the outside, probably via dialup, and this will be the network's downfall. Even if this doesn't happen, all it takes is one person to install WiFi, leave a modem connected, or decide they want to browse Slashdot from one of these machines, and there is an entry point through which some skilled hac^H^H^Hidiot could gain access. Sure, disconnecting computers from the internet will help matters, but if this makes people complacent - 'Oh, I don't need to install the sendmail patch, 'cause I'm not on the internet!' (the logic of running sendmail on a non-connected computer ignored at this point) - then it would have been better to leave the possibility of machines being connected, and have people be more vigilant with patches.

Re:You mean... (4, Insightful)

6hill (535468) | more than 11 years ago | (#5483541)

One would assume the actual hardware would be under lock and key and behind a pair of burly Marines, to discourage any stray installers of WiFi cards etc. One would also assume there are software safety measures that would prevent the stray installer from importing dangerous data or viruses via sneakernet. And finally, one would assume that deviating from the strict rules of conduct will result in reprimands/jail time/caning (delete as applicable) depending on how dangerous or stupid the said stray installer acted.

As for patching, that's fine for security levels up to a certain degree, but there are unpatched and undiscovered bugs around at any given time, as the submissions history on /. will tell you.

Re:You mean... (1)

surprise_audit (575743) | more than 11 years ago | (#5484410)

You may be assuming too much - this is a government project, right?

But.. but.. (-1, Troll)

mivok (621790) | more than 11 years ago | (#5483494)

how are they going to read slashdot and look at 1n73rn37 pr0n?!?!

IPv6? (3, Interesting)

janap (451953) | more than 11 years ago | (#5483496)

If this "fednet" thing is to be totally separate, they're not staying with IP version 4, are they? The article doesn't say as far as I can make out.

That's about the only realistic route a worldwide migration to IPv6 could take, I think - building an entirely separate infrastructure.

Then we can have that one and they can have the old one back!

GOVNET (1)

The Jonas (623192) | more than 11 years ago | (#5483978)

IIRC, it is called GOVNET [gsa.gov] .

Question for the well-informed (3, Interesting)

Xner (96363) | more than 11 years ago | (#5483510)

Is the extra hassle involved with deploying a completely separate network (digging?) justified in terms of increased security when compared to simply setting up a secure tunnel over an existing long distance link?
These people employ some of the best mathematicians and engineers in the world, they ought to be able to come up with a good implementation.

Not to mention the fact that even a separate link is going to require some information-level security, as you don't want every tech with a current probe to be able to see your network traffic...

Re:Question for the well-informed (1)

shayborg (650364) | more than 11 years ago | (#5483618)

IIRC, the Feds were big in the development of protocols like DES and then RSA, and are supporting the adoption of AES, so it's not as if they don't want to use secure tunneling at all. On the other hand, they've also realized pretty quickly (and largely from firsthand experience) that any encryption algorithm is breakable given enough computer power. So while I'm sure they don't have any problems using this sort of secure tunnel for most communication, I think it's a valid decision for them to use a totally different Intranet for the most secure stuff.

-- shayborg

Re:Question for the well-informed (1)

plcurechax (247883) | more than 11 years ago | (#5483685)

Is the extra hassle involved with deploying a completely separate network (digging?)

No digging for physically separate cabling, but using "private lines" (ISDN, frame relay, OC-x) from telcos to interconnect between various government departments and agencies without relying on the public Internet infrastructure.

Actual companies like AT&T, WorldCom, and Sprint could use some new business, so the telecom sector will welcome this.

justified in terms of increased security when compared to simply setting up a secure tunnel over an existing long distance link?

Yes, a secure tunnel only provides confidentiality and integrity; it does not ensure availability. For a government secure network, it is reasonable to prevent a failure in the public Internet (root servers offline, major Internet eXchange destroyed, new Warhol worm) affecting the availability of this secure network.

The hardest part is keeping it clean while keeping it useful. There is a lot of temptation to use bridging and gateways of various technical sorts (so-called "air-gap" network NICs, which allow an insecure machine to connect to the public Internet and then switch (without connecting to both at the same time) to the "secure" federal network. Except any worms or trojans love these machines as an attack vector) and less-technical sorts (sharing files via CD-R/RW).

There are classified networks and such already, but they are a pain to use, with proprietary software / interface typically on a time-sharing computer, and lack means of inputting new (read: useful) data other than to key it in by hand. Which makes for a lot of secret and top secret cleared data entry clerks, or a really big problem.
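The confidentiality/integrity/availability distinction in the comment above can be made concrete. The following is an added example (not code from the thread or from any government network): a minimal encrypt-then-MAC tunnel built on the Python standard library, with a sequence number per frame. The SHA-256 counter keystream, the HMAC tagging and the fixed demo keys are all constructed for illustration; a real tunnel would use a vetted AEAD and keys from a key exchange. The demo shows that a tampered frame is rejected (integrity), the payload is unreadable in transit (confidentiality), and a frame the underlying network drops can only be noticed as a sequence gap, never recovered by the tunnel itself (no availability guarantee).

```python
"""Illustrative secure tunnel: confidentiality + integrity, but no availability.

Added example, not from the thread. Uses only the Python standard library:
a SHA-256 counter keystream stands in for a real cipher (illustration only),
HMAC-SHA256 provides integrity, and a sequence number lets the receiver
notice, but not repair, a dropped frame.
"""
import hashlib
import hmac
import os
import struct

# Constructed demo keys; a real tunnel derives these from a key exchange.
ENC_KEY = b"demo-enc-key-0000000000000000000"
MAC_KEY = b"demo-mac-key-0000000000000000000"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode. Illustration only, not a vetted cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + struct.pack(">I", counter)).digest()
        counter += 1
    return bytes(out[:length])


def seal(seq: int, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC framing: seq(8) | nonce(16) | ciphertext | tag(32)."""
    nonce = os.urandom(16)
    header = struct.pack(">Q", seq) + nonce
    ks = _keystream(ENC_KEY, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(MAC_KEY, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


class Receiver:
    """Verifies integrity and tracks the expected sequence number."""

    def __init__(self):
        self.expected_seq = 0
        self.gaps = []  # (expected, got) pairs where frames went missing

    def open(self, frame: bytes) -> bytes:
        if len(frame) < 8 + 16 + 32:
            raise ValueError("frame too short")
        header, body, tag = frame[:24], frame[24:-32], frame[-32:]
        want = hmac.new(MAC_KEY, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(want, tag):
            # Integrity: reject before touching any state or decrypting.
            raise ValueError("integrity check failed")
        seq = struct.unpack(">Q", header[:8])[0]
        nonce = header[8:24]
        if seq != self.expected_seq:
            # The tunnel can only *detect* a lost frame; it cannot get it back.
            self.gaps.append((self.expected_seq, seq))
        self.expected_seq = seq + 1
        ks = _keystream(ENC_KEY, nonce, len(body))
        return bytes(c ^ k for c, k in zip(body, ks))


def demo():
    """Send three frames; tamper with one copy and drop another."""
    frames = [seal(i, f"advisory {i}".encode()) for i in range(3)]
    rx = Receiver()
    results = {}

    results["ok"] = rx.open(frames[0])  # b"advisory 0"

    # Integrity: flipping one ciphertext byte is rejected, not decrypted to garbage.
    tampered = bytearray(frames[1])
    tampered[30] ^= 0x01  # byte 30 lies inside the ciphertext (header is 24 bytes)
    try:
        rx.open(bytes(tampered))
        results["tampered_rejected"] = False
    except ValueError:
        results["tampered_rejected"] = True

    # Availability: frame 1 never arrives; the receiver sees a gap, nothing more.
    results["after_gap"] = rx.open(frames[2])  # b"advisory 2"
    results["gaps"] = list(rx.gaps)            # [(1, 2)]
    return results


if __name__ == "__main__":
    print(demo())
```

The gap list is the only thing the receiving side learns about the lost frame; getting it delivered is a property of the path underneath, which is the comment's argument for a separate network rather than a tunnel alone.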

IPv6? (1)

janap (451953) | more than 11 years ago | (#5483511)

If this "fednet" is to be totally separate, they're not going with IP version 4, are they? The article doesn't say.

That's about the only realistic route a worldwide migration to IPv6 could take, in my opinion - building an entirely separate infrastructure.

Then we can have that one and they can have the old one back!

Re:IPv6? (1)

janap (451953) | more than 11 years ago | (#5483528)

Ho-hum, let me blame my company's Internet Slowness Aggregation-server for the double post. Feel free to mod parent redundant. It certainly is.

Re:IPv6? (0)

Anonymous Coward | more than 11 years ago | (#5483645)

realistic? It will probably work its way from the backbones down to the edges where translation will occur. Then people on the edges will be left to convert at their own pace. Kind of like before everyone decided to use tcp/ip instead of ipx etc.

The real reason... (4, Funny)

Bazzargh (39195) | more than 11 years ago | (#5483513)

everybody from outside who came onto their Unreal Tournament server kicked their ass.

7 nodes? What is this - an FBI LAN party?

"Security" (2, Insightful)

gmuslera (3436) | more than 11 years ago | (#5483520)

Will this be a VPN, or simply a private network with its own separate communication channels between the nodes?

And will the nodes also be connected to the internet? If so, a worm that goes through the internet (i.e. if at some moment a sendmail worm appears and a company has a postfix in the DMZ that receives and forwards the mail to the internal sendmail, it would be vulnerable also) could pass between the two networks. I remember how much damage CodeRed2 and Nimda did in not properly secured internal networks. In this case, if the nodes are connected to the two networks, a worm could enter from one point and try to infect the other (at least email will be the common point between them).

But, if they are only connected between themselves and NOT connected to the internet (not even by mail), they are not solving the problem with this, only isolating some critical (?) part of the network so worms like this one [slashdot.org] will not infect their Windows shares and things like that (at least, until a worm that combines several ways to spread enters there).

Soo, If i want to mail them (2, Funny)

grazzy (56382) | more than 11 years ago | (#5483523)

And ask them if they run a vuln version of sendmail, can i use "secret-gateway.mil.org" then?

whoopee! (1, Informative)

Anonymous Coward | more than 11 years ago | (#5483525)

7 nodes - another 10 yrs they'll have a big enough botnet to launch a DDOS attack !

Re:whoopee! (1)

NiteHaqr (29663) | more than 11 years ago | (#5484114)

Shouldn't that be DoDOS attack

Noooo (3, Funny)

Timesprout (579035) | more than 11 years ago | (#5483538)

It's all part of a cunning plot by cigarette man to put all the p0rn on the net someplace we can't get it.

Re:Noooo (1)

6169 (318124) | more than 11 years ago | (#5483761)

You know the Cigarette Man gets off on the kinky stuff. "Take it off...slowly...now tell me how weak the Fluoride has made your will to resist. Tell me! Oh yea....that hits the spot."

OurNet (1)

cipset (550887) | more than 11 years ago | (#5483578)

Have you ever thought what if the internet would be 24h/24h under surveillance? If there would be only Msoft, Sonies, Hewlets all over our screen ... etc. etc.

What if then we would start making our own network, with our own rules. The slashdotters and those alike are not few in this world, and I suppose a lot of us, if not most, have had enough of rules over rules, commercial stuff, commercial stuff...

A kind of OurNet... ;-) //yeah ... I know ... nice dreaming

Won't Work for DoD Units (4, Interesting)

Highwayman (68808) | more than 11 years ago | (#5483579)

<rant> I have always been frustrated by the biggest technology issue facing the military or any large organization: deployment. The SIPRNET has been around for ages. However, in all the places I have been assigned, nobody at my level ever has access. This is ridiculous because I have always worked where the proverbial rubber meets the road. VPN, Fortezza cards, and all this is not new, nor revolutionary. The issue is plainly logistics, sustainment, and training. Logistics is an issue because you have to field the equipment. The government already runs scads of custom applications, many requiring dedicated computers. If you are able to field the equipment, it will be very difficult to maintain and upgrade because the channels for doing so are often convoluted or repair facilities are hundreds of miles away. Sustainment is a pain because the military is not designed (for the most part) to be stationary. When a large deployment happens, you are lucky to have a telephone, let alone Internet capability. Finally, training is always a big problem. Right now most users cannot even perform the most basic computer tasks. As it all revolves around dollars when it comes to manning and training, I find it hard to believe that enough is going to be vested in empowering the end user to have access or know-how. In the end, it will end up where all good ideas end up, only being used at levels above reality by people who already have access to all manner of secure everything. I don't see it getting to the end user any time in the near future. To me this is an operating system issue; if you don't ingrain this crap at the OS level, there are always going to be problems. From sensitive data left in the swap space, to unsecured file systems, and ineffective data destruction utilities, there are dozens of pitfalls for truly running a secure network. Throwing tons of third party applications on top of it is a huge mess. Secondly, the government has become over-reliant on using the Internet. 
At least for the military, occupations in fixed facilities should mirror operations in deployment situations. The only solution for the military is satellite or high frequency radio. Access to these solutions at the speeds necessary for Internet transactions is years away and very expensive. I won't believe a word of any of this until the Department of Defense stops using Telnet and other insecure software for their day to day business. Way too many personal transactions are conducted via Telnet un-tunneled and unsecured. I have seen this first hand many times and as recently as yesterday. I am tired of the good idea factory coming up with solutions from behind their $3000 dollar oak desks when at my level the IT and security is crap and my personal information is strewn all over who knows where.</rant>

The Feds are auditing what should be on Internet (4, Informative)

MyNameIsFred (543994) | more than 11 years ago | (#5483581)

For all those saying I can't believe the Feds don't have a separate network -- golly gee, yes they do, and have had such separate networks for years. What the Feds are doing is auditing which systems are connected to which networks. If it was originally assumed that the public Internet was safe enough, those assumptions are being checked. If it is decided that those assumptions were wrong, that a system is threatened, it is moved to a private internet. Considering the size of the Federal government, it should surprise no one that history, changes in the internet and other factors should justify such an audit. It's not like private companies don't do the same thing on occasion. The difference is this time politics are involved. It's a way to wave the flag and say see, we're doing something for homeland security. Three years ago, the press would have ignored this.

It's just a test! (0, Flamebait)

borgdows (599861) | more than 11 years ago | (#5483586)

When THIS administration (tm) is informed that the Fednet is working, all US providers (AOL included) will have to switch onto this network!

Don't be fooled! If we let THIS administration (tm) continue the way it does, the United States of America couldn't be called a democracy anymore (that's what a lot of people in the US and in Europe already think)

About the sendmail vulnerability (3, Funny)

6169 (318124) | more than 11 years ago | (#5483650)

I notice in the article that the Feds et al. were notified of the sendmail security flaw before the official release. Um. Not that I have anything against the FBI perusing my pr0n collection (Leanna Hart -- Locker Room.avi is quite good if y'all are listening), but this scares the fuck out of me.

Sachs, speaking at the conference here, which was put on by The SANS Institute, pointed to last week's handling of the critical vulnerability in the Sendmail Mail Transfer Agent package as a prime example of how such back-channel communication between vendors, researchers and the government can help protect end users. Researchers at Internet Security Systems Inc., in Atlanta, discovered the vulnerability in mid-February and immediately notified officials at the White House and the Department of Homeland Security.

The government quietly spread the word among federal agencies and, along with ISS, began contacting the affected vendors. After the vendors developed patches, the fixes were deployed quickly on critical government, military and private-sector machines before the official announcement of the vulnerability.

Re:About the sendmail vulnerability (1)

bfree (113420) | more than 11 years ago | (#5484167)

As soon as I started to read the article, the phrase "used by federal experts and private-sector experts" jumped out at me! I immediately thought that this was another way for the US administration to use the indeterminate "war on terror" to fund private enterprise. I wonder who these experts will be, and I wonder why they feel the need to make the "private-sector" qualification as opposed to civilian! Is this really just a way for the US government to provide a secure network for US anti-virus and security companies to communicate in the event of a serious net attack and thus provide them with a competitive advantage in the market (as non-US companies will have to or already have built their own)?

Seven nodes on non-public IP block? (2, Funny)

Joff_NZ (309034) | more than 11 years ago | (#5483699)

The government currently has seven nodes running, said Marcus Sachs, director of communications infrastructure protection at the Office of Cyberspace Security, in Washington.

Let me guess:
192.168.0.1
192.168.0.2
192.168.0.3
192.168.0.4
192.168.0.5
192.168.0.6
192.168.0.7

Re:Seven nodes on non-public IP block? (1)

DaLiNKz (557579) | more than 11 years ago | (#5483934)

lol.. and find out they use AOL's DSL Services for their connection

Cyber Warning Information Network (2, Informative)

plcurechax (247883) | more than 11 years ago | (#5483766)

Cyber Warning Information Network (CWIN) looks to be an expensive, slower, and less effective version of CERT [cert.org] .

This is the group that "handled" the recent announcement of a new sendmail vulnerability. Except what they did was this: ISS, an info-security company looking for brownie points, reported to the Office of Cyberspace Security at the White House and Homeland Security, who told FedCERT, which passed that along to military and federal government IT people. Except all they could do was turn off sendmail, since a fix wasn't yet available!

Then Sendmail (.com and .org sides, i.e. Eric Allman) and CERT were contacted. CERT alerted various Unix, Linux and BSD vendors that a new sendmail security fix was coming and to get ready to package it. Sendmail shared their fix with vendors and everyone announced a fix at roughly the same time. Thanks to the hard working people at CERT. Nobody played "I'm fixed, screw the rest of you" or other selfish, self-centered games.

So the DHS made three phone calls (or emails) and spent the rest of their time writing up press releases about their great job, so the "press release == news" media could spout how great and cyber-aware DHS is. Though ISS, Sendmail Inc./ Consortium, and CERT did all the real work.

One problem (1)

IIRCAFAIKIANAL (572786) | more than 11 years ago | (#5483775)

isn't a private WAN such as this more susceptible to a "single point of failure" attack? Or have they thought of that?

Re:One problem (2, Interesting)

bigsteve@dstc (140392) | more than 11 years ago | (#5483851)

isn't a private WAN such as this more susceptible to a "single point of failure" attack?

It will be less vulnerable because they will have mandated that communications use physically separate switching nodes and paths. And you can be sure that they have thought about this.

Just like the (Swiss) banks then ... (4, Interesting)

snowtigger (204757) | more than 11 years ago | (#5483778)

I talked to some computer people working in Swiss banks last year. It turned out they have a private network in parallel with the internet.

Every worker has two computers. One for the bank stuff and the other for internet/ordinary stuff.

The internal network has very limited connections to the internet (necessary web-banking connections, but not more). Don't count on Sendmail bugs to get you in here ...

Routers and security (2, Interesting)

shreak (248275) | more than 11 years ago | (#5483841)

I heard a story a few years ago while taking a networks training course. We were talking about packet order and the fact that it's not guaranteed. The instructor mentioned that you could probably expect the order to be maintained if you specified the route and were the only thing transmitting, but still, it is not guaranteed.

Someone in the class had worked on a secure network project where all the routes were static, but when they did load testing the packets would arrive out of order. This worried them (as it should) and they looked into it. It turned out that the routers (switches?) they were using would "cheat" when they detected backup and would send packets to ports off the static routes.

The expected behavior was that the receiver would bounce the packet back as destination unknown. But this could buy the equipment precious milliseconds and the congestion might clear.

A cute solution, but not very secure.

Re:Routers and security (0)

Anonymous Coward | more than 11 years ago | (#5484359)

hi, i'm a router guy...how can i put this...what the fuck are you babbling about?

moron converting loyAL hostages.. (0)

Anonymous Coward | more than 11 years ago | (#5483877)

into meatpackers, for the Godless greed/fear based payper liesense bullshipping industrIE.

Stay in touch with customers. Reach out to new ones.

Director's Chair: Jeff Riley Try bCentral's List Builder e-mail marketing today (no credit card needed). Build professional-looking e-mails and newsletters, including real-time tracking and reporting! List Builder lets you target different customer segments with personalized messages, based on demographics and survey responses.

Use List Builder to promote product specials, and then track how many customers open your mail, and how many click through to your Web site. With List Builder, you have the tools you need to evaluate the effectiveness of your campaigns and adjust your approach as needed. Try List Builder today and see how you easy it is to stay in touch with existing customers, attract new ones and increase sales! Learn more.

New feature!
Need additional help deciding which bCentral product is right for your business?
Click here to start a live Web chat with one of our online representatives. It's free!

Special offer: Get a $50 Office Depot gift certificate

Growing your business just got easier. With powerful online services from Microsoft® bCentral(TM) you can create a Web site, sell online, expand your customer base and drive more traffic to your business. And with our special limited-time offer, choosing the tools you need to succeed couldn't be simpler.

Buy two bCentral services between now and May 31, 2003, and we'll send you a $50 Office Depot gift certificate to help you build your business. It's our way of saying, "Thank you." Learn more.

-- Jeff Riley
General Manager, Microsoft bCentral

Tips & Advice

* Make e-mail marketing work for you
* Are you doomed if your office computer tech quits?
* Tailor your loyalty program to the right customers

SIPRNET? (1)

kruczkowski (160872) | more than 11 years ago | (#5484010)

Will this be an extension to SIPRNET or a new network?

Hope they use IPv6, that way you also get the economy rolling. New OS, new routers...

(I know modern OSes and Cisco 12.2 IOS run IPv6, but most gov routers still run IOS 9.x and the DoD will not allow Win2000 Active Directory on servers.)

And apparently it's already begun... (0)

Anonymous Coward | more than 11 years ago | (#5484227)

So what will a whole new system do for us telecommuters?

I'm REALLY looking forward to it.

A certain government agency has already implemented a new security policy a week or so ago. Good? No. Those of us who telecommute in my company and program offsite have already been having numerous issues since the new policy went into effect. We are required to log into our company's servers to run our programs, but unfortunately doing so requires connecting through a certain agency's network. We have ridiculous time-out windows now and it's awful trying to stay connected. Now I can't even connect to work at all. Wonderful. Guess I must be a hacker because I use telnet, X11, FTP and have had to connect multiple times in a short time period thanks to the new wonderful (and completely ridiculous) timeout.