Re: Network security on multiple levels (was Re: NYT covers China cyberthreat)

[Owen DeLong <owen () delong com>]

If you have that option, I suppose that would be one way to solve it.

I, rather, see it as a reason to:
        1.      Cryptographically secure links that may be carrying private data.
        2.      Rotate cryptographic keys (relatively) often on such links.

YMMV, but I think encryption is a lot cheaper than building a telco. Especially
over long distances.

Owen

On Feb 20, 2013, at 11:33 , Warren Bailey <wbailey () satelliteintelligencegroup com> wrote:

> Isn't this a strong argument to deploy and operate a network independent
> of the traditional switch circuit provider space?
>
> On 2/20/13 11:22 AM, "Jay Ashworth" <jra () baylink com> wrote:
>
> > ----- Original Message -----
> > > From: "Owen DeLong" <owen () delong com>
> >
> > > Many DACS have provision for "monitoring" circuits and feeding the
> > > data off to a third circuit in an undetectable manner.
> > >
> > > The DACS question wasn't about DACS owned by the people using the
> > > circuit, it was about DACS inside the circuit provider. When you buy a
> > > DS1 that goes through more than one CO in between two points, you're
> > > virtually guaranteed that it goes through one or more of {DS-3 Mux,
> > > Fiber Mux, DACS, etc.}. All of these are under the control of the
> > > circuit provider and not you.
> >
> > Correct, and they expand the attack surface in ways that even many
> > network engineers may not consider unless prompted.
> >
> > Cheers,
> > -- jra
> > -- 
> > Jay R. Ashworth                  Baylink
> > jra () baylink com
> > Designer                     The Things I Think                       RFC
> > 2100
> > Ashworth & Associates     http://baylink.pitas.com         2000 Land
> > Rover DII
> > St Petersburg FL USA               #natog                      +1 727 647
> > 1274