Interesting People mailing list archives
IP: GOVNET? Not the brightest idea.
From: David Farber <dave () farber net>
Date: Wed, 10 Oct 2001 19:27:39 -0400
To: farber () cis upenn edu
Subject: GOVNET? Not the brightest idea.

From: "Perry E. Metzger" <perry () piermont com>
Date: 10 Oct 2001 19:05:59 -0400

FYI, until I started Wasabi Systems, my job was security consulting to large financial institutions.

> >A key feature of this network, called GOVNET, is that it must
> >be able to perform its functions with no risk of penetration or
> >disruption from users on other networks, such as the Internet.
> >GOVNET is planned to be a private voice and data network
> >based on the Internet Protocol (IP), but with no connectivity
> >with commercial or public networks.

I hope that they understand that this produces in many ways the ultimate "crunchy exterior -- soft chewy interior" problem that any firewalled system has. As many companies discovered during the recent Code Red problem, even users moving laptops from exterior to interior networks can suddenly infect "secure" networks.

You have to prevent ANY data interchange, ANY accidental cross connection of networks. No amount of firewalling would be sufficient for such a network. It has to have no data interchange (even email) with the outside. No "Secure VPN" access from the outside, given that such software almost never produces "secure" access (what it typically does is make the machine with exterior access an effective hole in security -- penetrate it over the internet and you've penetrated the interior network.) Only an air gap will do, and a completely rigidly enforced one at that, no data or software interchange with the outside.

Of course, if such a network is large enough, the biggest source of security problems -- stupid users -- becomes difficult to avoid, and it may become difficult to completely enforce the "no data or software interchange" rule. You can enforce that inside an agency like the NSA but not inside a large chunk of the federal government. Firewalls and airgaps only work if you have a small interior to defend against the outside.

When the interior becomes too large, you can't possibly patrol the hundreds of thousands of network access points in the system. Every network jack in every agency with access to this net becomes a potential source of infection.

In order to try to enforce such a regime, of course, you'll inevitably have to drive the costs of running such a network through the roof, with every piece of software being installed on such a network only after analysis and with substantial amounts of labor by the central IS infrastructure. No innovative programmers or cowboy systems managers can operate on such a network. Without rigid rules, it won't work.

Of course, WITH rigid rules, the value of the network to its users will be substantially lower than that of a normal network, since without innovative programmers or cowboy administrators, no innovation will take place and trying to get work done will be painful. "Oh, you want an interior web site to do *that*? Well, sorry, we'll have to take it up with the software committee, next month, after they're done discussing the things in the hopper. Oh, don't even think about setting up transfer of data from your normal department SQL server to the one you have on the interior network -- not after that last stored-procedure based virus."

Ultimately, I think such an effort is utterly doomed. Such a network will be valueless AND not particularly secure.

I will now say something politically incorrect in the extreme.

The reason we face horrible security problems these days on the net is to a large extent (although by no means solely) because we've developed an operating system software monoculture on the internet, with a single supplier being responsible for the overwhelming bulk of software installs. This supplier is about as incompetent as you can possibly imagine at handling security issues, with large numbers of its own machines typically being infected by each new worm hitting the net.

If the Federal government wants to avoid having its networks be vulnerable, having a polyculture of systems and software replacing the current monoculture, with systems being connected by open protocols rather than common use of undocumented file formats, is the single most important act it could take.

Unfortunately, the major supplier in question will fight any such actions tooth and nail, both with aggressive business practices and with its biggest weapon, the closed and non-interoperable nature of its software. The company in question has shown that it will go to any lengths to gain even trivial incremental market share. It will also contend in all media, very loudly, that it bears no responsibility for the extraordinarily bad quality of its software, which it will loudly contend is perfectly secure.

Perry
For archives see: http://lists.elistx.com/archives/interesting-people/