nanog mailing list archives
Re: Network security on multiple levels (was Re: NYT covers China cyberthreat)
From: Steven Bellovin <smb () cs columbia edu>
Date: Wed, 20 Feb 2013 20:43:45 -0500
On Feb 20, 2013, at 3:20 PM, Jack Bates <jbates () brightok net> wrote:

> On 2/20/2013 1:05 PM, Jon Lewis wrote:
>> See thread: nanog impossible circuit
>>
>> Even your leased lines can have packets copied off or injected into them, apparently so easily it can be done by accident.
>
> This is especially true with pseudo-wire and mpls. Most of my equipment can filter based mirror to alternative mpls circuits where I can drop packets into my analyzers. If I misconfigure, those packets could easily find themselves back on public networks.
An amazing percentage of "private" lines are pseudowires, and neither you nor your telco salesdroid can know or tell; even the "real" circuits are routed through DACS, ATM switches, and the like. This is what link encryptors are all about; use them.

(Way back when, we had a policy of using link encryptors on all overseas circuits -- there was a high enough probability of underwater fiber cuts, perhaps by fishing trawlers or "fishing trawlers", that our circuits might suddenly end up on a satellite link. And we were only worrying about commercial-grade security.)

--Steve Bellovin, https://www.cs.columbia.edu/~smb