Re: Connectivity problems with the US Army

["Jamie A. Stapleton" <jstapleton () COMPUTER-BUSINESS COM>]

We have been seeing this in the commercial sector as well.  :(  

We have a shipping/moving company that cannot receive mail from
army.mil.

In the beginning they could not send to army.mil either.  However, we
got around this by forwarding everything to the ISP's SMTP server.

We have yet to find anyone with army.mil who can help...

-----Original Message-----
From: Brock, Anthony - NET [mailto:Anthony.Brock () OREGONSTATE EDU] 
Sent: Friday, January 19, 2007 11:04 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Connectivity problems with the US Army

We would love the information. However, we're not having issues with the
.mil domain. In fact, the DoD was quite responsive and helpful when I
talked with them. Unfortunately, they also said that the army.mil domain
is outside their control and that we have no recourse but to deal with
them concerning this issue.

The people at the US Army have been reluctant to discuss anything. In
fact, they initially refused to tell us why they were blocking us, only
saying it was for "reasons of national security" and that they "can only
discuss this issue with US Army personnel". After much probing (and
several different people), I finally found someone who admitted it was
their reaction to 29 probes for a Symantec vulnerability. While I can
agree with blocking to protect yourself, their procedures should provide
for notifying the remote site of the reason for the block and what they
need to do to get it removed. Also, blocking 65,534 IP addresses due to
29 probes is a bit of an overreaction.

In any event, the information would be greatly appreciated. Thanks!

Tony


> -----Original Message-----
> From: Jay Tumas [mailto:jay_tumas () HARVARD EDU]
> Sent: Friday, January 19, 2007 4:33 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Connectivity problems with the US Army
>
> We have run into similar issues over the past decade.  The .mil domain

> typically gets pretty defensive when they pick up on any amount of 
> probing, especially from .edu domains.  My experience has been that if

> you can verify the offending systems are clean, and you are talking 
> with the right folks, you can get the block removed - if not for your 
> entire network, then for the subdomains that require this access for 
> specific tasks.  I do (did) have a good contact that was very 
> responsive and was able to open the .mil domain up to Harvard traffic.
> I will see if I can dig up his contact info and forward it along.
>
> J
>
> Brock, Anthony - NET wrote:
> > Oregon State University recently noticed that we were being
> blocked from
> > accessing all army.mil domains and resources. The block
> includes access
> > to their DNS and email servers. We have since learned that
> this block
> > was implemented as a result of probes from machines compromised as a

> > result of the Symantec vulnerability. While we had hoped that the 
> > situation would correct itself, we've since learned that
> this may not
> > happen.
> >
> > We have had zero luck trying to deal directly with the Army 
> > administrators. As a result of the impact on several campus
> groups, my
> > administration is looking to escalate this into the
> political realm. If
> > possible, I would like to give them an idea of how many other 
> > institutions may have been affected.
> >
> > Is anyone else encountering this problem?
> >
> > One of the administrators at the Army NOC indicated that most of the

> > .edu IP space was being blocked. I would like to have a more solid 
> > foundation before I take that type of assertion to my
> administration.
> > Thanks in advance!
> >
> > Tony
> >
> > Anthony Brock
> > Senior Network Security Engineer
> > Oregon State University - Network Engineering 
> > http://oregonstate.edu/net/security/
>
> --
> ****************************************************************
> Jay Tumas, NSA/IAM,IEM
>
> - Network Operations Manager
> - Network Security and Incident Response Team Manager
> - Longwood Medical Area Technical Subcommittee Chair
> - NEECTF Member/InfraGard Member, I have run into this int he 
> pastBoard of Directors
>
> Harvard University - UIS/Network Operations Center 60 Oxford Street, 
> Suite 132 Cambridge, MA. 02138
>
> Office: 617-496-8500  VoIP/SoftPhone:  617-384-6530
> Cell:   617-733-6169  Cell 2-way/Email:  6177336169 () vtext com
> ****************************************************************
> "The first method for estimating the intelligence of a ruler is to 
> look at the men he has around him." - Niccolo Machiavelli