
US Government to Have Only 50 Gateways

Posted by Soulskill on Sunday April 20, @09:19AM
from the e-downsizing dept.
Narrative Fallacy brings us a story about the US government's plan to reduce the roughly 4,000 active internet connections used by its civilian agencies to a mere 50 highly secure gateways. This comes as part of the government's response to a rise in attacks on its networks. "Most security professionals agreed that the TIC security improvements and similar measures are long overdue. 'We should have done this five years ago, but there wasn't the heart or the will then like there is now,' said Howard Schmidt, a former White House cyber security adviser. 'The timetable is aggressive,' he said, but now there is a sense of urgency behind the program. Small agencies that won't qualify for their own connections under TIC must subcontract their Internet services to larger agencies."

Related Stories

IT: Chinese "Cyber-Attack" US Department of Commerce 161 comments
Kranfer writes "The register has an article about how the Chinese have recently launched an attack against the US Department of Commerce. From the article: '...attacks originating from computer crackers largely located in China's Guangdong province are aimed at extracting sensitive information from targets such as the Commerce Department's technology export office. Security consultants and US government officials reckon the assaults have at least the tacit support of the Chinese government...' This is not the first time Chinese hackers have attempted to gain access to US Government systems."
IT: Inside the Secret War Against Internet Spies 116 comments
ahess247 brings us a lengthy BusinessWeek story on the increasing amount of attacks against the US government's online presence as well as its contacts in the private sector. Hackers are gaining a greater awareness of where valuable data might reside, and that awareness is leading to more precise, more sophisticated attacks. Quoting: "The U.S. government, and its sprawl of defense contractors, have been the victims of an unprecedented rash of similar cyber attacks over the last two years, say current and former U.S. government officials. 'It's espionage on a massive scale,' says Paul B. Kurtz, a former high-ranking national security official. Government agencies reported 12,986 cyber security incidents to the U.S. Homeland Security Dept. last fiscal year, triple the number from two years earlier. Incursions on the military's networks were up 55% last year, says Lieutenant General Charles E. Croom, head of the Pentagon's Joint Task Force for Global Network Operations. Private targets like Booz Allen are just as vulnerable and pose just as much potential security risk. 'They have our information on their networks. They're building our weapon systems. You wouldn't want that in enemy hands,' Croom says. Cyber attackers 'are not denying, disrupting, or destroying operations--yet. But that doesn't mean they don't have the capability.'"
  • DoS??? (Score:5, Interesting)

    by DNAGuy (131264) <brent.brentrockwood@org> on Sunday April 20, @09:42AM (#23134182) Homepage
    Wouldn't this make DoS easier, not harder?
    • Re: (Score:3, Informative)

      It will make inter-network traffic overloading easy as well, as a lot of stuff will have to be pushed down smaller links. Also I hear that they also want to get rid of the update and other servers at each site as well. So you will have 1000's of systems pulling
    • Re: (Score:3, Interesting)

      With all of the traffic that's going to be funneled through them, would a DoS be necessary?
    • Re:DoS??? (Score:5, Interesting)

      by v1 (525388) on Sunday April 20, @10:31AM (#23134418) Homepage Journal
      It would certainly reduce the number of machines to target, but if 50 machines are to cover the duties of 4,000, you know they will have some horsepower. The obvious reality is it will be a distributed load system, so each of those 50 gateways will be an entire building of machines.

      Nothing new here really. Most of those 4,000 gateways are already at least several racks of hardware. I doubt that the vulnerability to distributed attacks will go up as a result of lowering the number of vectors. If anything, having 50 standardized and more carefully monitored gateways will probably further harden them against attacks. (is YOUR gateway patched?)

      Of course the other viewpoint is if all 50 of them are being administrated by the same group or a group under central control, when a vulnerability DOES surface, (and they always do) they will probably ALL be vulnerable since they are standardized.

      Assuming they have their heads screwed on straight, they will at least be using somewhat of a variation of several hardware and software vendors to prevent this. As it is now, if a serious problem is discovered in a high end bit of router hardware, it may force downtime on maybe 300 gateways while traffic routes around them. If all 50 are using the same, what do you do then? Flip the kill switch and take down the entire country's internet whilst you fix it?

      I want to hear that phonecall. "Hello, Cisco. We're calling in regard to this morning's zero-day bug 433-86b in regard to your model 822 enterprise gateways. We're down, we need a fix now. No, DOWN. The entire country. Yes, really."

      I'd be interested to know how China handles their great firewall. Are there details posted anywhere? Somehow I don't think they'd terribly mind taking down the entire country's internet for a day or two for national security though. (and "for reasons of national security" is very loosely interpreted in China it would seem)
        • Re:DoS??? (Score:4, Funny)

          by ColdWetDog (752185) * on Sunday April 20, @12:48PM (#23135100) Homepage

          Heck, I'd be willing to bet that productivity within said agencies would go UP while the links were down!

          A truly excellent idea. When (if) they finish this project, it should be pretty trivial to have an "Internet-free day" at Government agencies. No Dilbert! No Slashdot! Just actually do something!

          On second thought, this may not be such a good idea. Carry on.

  • Blocklists (Score:3, Funny)

    by kylehase (982334) on Sunday April 20, @10:01AM (#23134278)
    In other words, please remove those 4000 IP addresses from your PeerGuardian/firewall blocklist.
  • by Anonymous Coward on Sunday April 20, @10:03AM (#23134298)
    Than the whole US Senate machine level of security:
    Netcraft [netcraft.com]
    When the U.S. Justice Department stepped up its investigation of cybercrime, it found spam originating from an unexpected source: hundreds of powerful computers at the Department of Defense and the U.S. Senate. The machines were "zombies" that had been compromised by hackers and integrated into bot networks that can be remotely controlled to send spam or launch distributed denial of service attacks.
    (this link also mentions the older Republican access of the Democrat fileserver)
  • You'll never get enough Zealots out with only fifty Gateways...
  • But just give it a chance! I hear the new Maginot-brand routers are great.
  • by Cheerio Boy (82178) * on Sunday April 20, @10:24AM (#23134390) Homepage Journal
    Hmm...TFA says it's obviously only for the government networks but quite honestly what's going to stop them from going farther?

    After they do a project this large for their own network they'll have the experience necessary to do this across the board.

    If they do that at the major trunks running in/out of the US that pretty much would be the end of unmonitored access for anybody on the 'net in the US. (Not like ISPs in a lot of cases aren't logging stuff now but there's a big difference between that and a government run filter.)

    Regardless it certainly bears keeping an eye on this to make sure it doesn't show signs of creep or expansion beyond government use.
    • by Pfhor (40220) on Sunday April 20, @09:29AM (#23134142) Homepage
      Are you kidding?

      Trying to maintain standards and practices across 4,000 gateway points vs 50. Let alone the agency bureaucracy that would be involved in doing site checks and working across various agency boundaries would be a nightmare. It would take eons to get those things in place to do consistent auditing and management to ensure standards and procedures are followed, let alone actually do them. Might as well consolidate bandwidth costs and number of checkpoints down to 50 in the process.
        • by innerweb (721995) on Sunday April 20, @10:40AM (#23134452)

          Let me see...

          • 1) Each point of failure might have a greater chance to block a part of the network (depends on design). They could design it so that the 50 points lead to a network that is redundant behind the 50 points. If one point were to be blocked, then the traffic could be re-routed to other points. Much more secure and manageable than 4000 points. Bandwidth is only as much of an issue as the 50 points of connectivity allow/limit.
          • 2) Actually, as to honeypots and counter-surveillance, you are getting much better control. There is no limit to how many false access points you can seed (outside of resources). With fewer access points to monitor, policing the network becomes much easier.

          With 50 gateways, if the internal network is built correctly (unlike, say, how a certain cable company does theirs), then I can not think of any real net negatives except the complexity of the internal network now. But, given the serious issues the 4000 has, the complexity of the internal network is a relatively non-existent issue.

          InnerWeb

        • by Original Replica (908688) on Sunday April 20, @01:02PM (#23135170) Journal
          You make a series of pretty huge assumptions here, many of which are unlikely. 1) you assume that the 50 gateway points will be managed properly. 2) you assume that access to those gateway points will be managed effectively. 3) you assume that the underlying network design is intelligently put together.

          I think the assumption is more along the lines of:
          50 gateway points are more likely to be managed properly than 4000 points.
          Those 50 points will have a great deal of attention and resources allocated to them, about 80 times the amount per point of the previous 4000 points.
          When the government really cares about a project (read military) they can be very intelligent, just look at the stealth bomber. They are only haphazard when it is a project that exists only to please the public (read medi-care, or social security)
    • I wonder what 'Loyal Bushie Companies' are being paid back with the contracts for this work?

      • I wonder what 'Loyal Bushie Companies' are being paid back with the contracts for this work?
        Considering the questionable way contracts have been awarded by the Government over the last several years, the parent's comment is more "Insightful" than "Troll".

        And, as a taxpayer, is a legitimate question that should be addressed by our Government. Especially, when, not if, it comes to light that the project runs over budget by millions of dollars which they inevitably do. Disgustingly, fleecing of the taxpayer has become de rigueur.

      • by PopeRatzo (965947) * on Sunday April 20, @11:57AM (#23134826) Homepage Journal
        smitty, you know I love you, but I don't think I agree.

        Since we're supposed to be the government (of, by and for, you know) the more places we can interface with it the better.

        We've been trained by 27 years of "Conservative" control of government and media to see "government" as some alien entity over which we have no control and which only acts to make our lives unpleasant. St. Ronald was the first to really market this erroneous notion, and it really disrespects the clever and elegant plan our founding fathers laid out for us.

        This meme of "drowning government in a bathtub" is so ubiquitous that even some smart people are lazily spreading it, as you have done.

        If you've recently driven on a US highway, or if you're one of the unlucky ones under whom a bridge recently collapsed in Minnesota, you know first-hand what happens when "the commons" are neglected.

        The strangest thing about this whole story is that we are constantly told that the US is a "Christian Nation" yet the idea of "care in common" which is anathema to Republicans is a most Christian notion. But I guess it's to be expected when hypocrisy is the new black.
    • by ibjhb (173533) on Sunday April 20, @09:37AM (#23134170) Homepage Journal
      I could be wrong but I think this applies to only government computers and not the whole Country's Internet...
    • I tried to think of counter-examples to your point and I had trouble, but in the process I stumbled across an even better idea. The first thing I thought of was cages at the zoo. To some extent, this example shows your point because the barriers at zoos are designed much more to keep animals in than spectators out. However, despite being designed to keep animals in, they are just as successful at keeping people out. Why is this? Partly it's because zoos make it difficult for people to get inside cages, but mostly it's because inside the cages are dangerous animals. At this point, inspiration struck: if dangerous tigers can keep people out of a cage at the zoo, couldn't they also be used to protect a computer network? Of course they could! Who would risk hacking a network if it meant getting eaten alive by tigers?

      As far as a practical implementation, I imagine that behind the network's regular firewall, one would just place a container of tigers (a "Tigerbox") that way. The firewall will work as a general security measure, but if a hacker were to break through into the network, he would be immediately eviscerated by tigers. I suppose that in theory, one could even get rid of the firewall entirely, like you suggest, and protect the network entirely with tigers. I'm not sure how practical this would be, due to the increased number of tigers required. However, it might be feasible in a few years once tigerboxes are more popular and the market begins to flood with cheap commodity tigers.
    • by jschottm (317343) on Sunday April 20, @11:28AM (#23134662)
      History shows that any "fence" or edifice to "security" is almost always, like the Great Wall designed to keep its citizens in, rather than invaders out.

      First, there is no consensus that the Great Wall was created to keep citizens in, as nice as a soundbite as it makes. Second, history does not show what you claim it does. Off the top of my head, European castles, the Maginot Line, the fences around U.S. military bases in Vietnam, the fences Israel uses to restrict Palestinian access to Israel itself, and the fences that the U.S. attempts to use at the Mexican border to keep illegal immigrants out are all examples of fences designed to keep the "other" from coming in.

      In fact, fences being used to keep _citizens_ in is relatively uncommon. They are most commonly used to keep the "other" out, to mark property lines, or to keep animals, livestock, or children within a certain area.

      But in any case, what exactly is your point? That you can compare the actions of a feudal society's relationship to its people to basics of computer security in a pithy two sentence statement and be insightful? Would you also claim that the edifice of WSUS for patch management is another example of the man trying to keep the federal employees down? Your fence analogy doesn't even hold up - this is a _gate_ - designed for deliberate flow to and fro.

      The article does specifically state that the monitoring systems are designed to keep certain information from leaving via the internet (whether intentionally or not) but that doesn't indicate that this is some feudal oppression system to choke the minds of federal employees. They are free to use whatever internet provider they wish when they get home, are they not? It's a firewall on steroids designed to protect government computers and data. Don't try to make it into something that it's not.
    • No this really helps. This will *really* help a lot with dumb bad guys on the outside (like, say the storm botnet).

      If the connections between different departments are also forced to go through only these 50 departments, that would ensure a further layer of protection.

      It is *much* easier to defend a centralized infrastructure (like this) than to defend something random.

      This is the same as in real life. Defending a castle is much simpler than defending the village. Yes castle failures are more spectacular and do more damage, but they occur so much less that it's worth building them anyway. Breaches in the security of a "village" are constant, unfollowable and you cannot prevent them.

      So from a security standpoint ... good move!