nanog mailing list archives

Re: Network security on multiple levels (was Re: NYT covers China cyberthreat)


From: Steven Bellovin <smb () cs columbia edu>
Date: Wed, 20 Feb 2013 20:43:45 -0500


On Feb 20, 2013, at 3:20 PM, Jack Bates <jbates () brightok net> wrote:

On 2/20/2013 1:05 PM, Jon Lewis wrote:

See thread: nanog impossible circuit

Even your leased lines can have packets copied off or injected into them, apparently so easily it can be done by 
accident.


This is especially true with pseudo-wire and MPLS. Most of my equipment can do filter-based mirroring to alternative MPLS 
circuits where I can drop packets into my analyzers. If I misconfigure, those packets could easily find themselves 
back on public networks.

An amazing percentage of "private" lines are pseudowires, and neither you nor your telco salesdroid can know or tell; 
even the "real" circuits are routed through DACS, ATM switches, and the like.  This is what link encryptors are all 
about; use them.  (Way back when, we had a policy of using link encryptors on all overseas circuits -- there was a high 
enough probability of underwater fiber cuts, perhaps by fishing trawlers or "fishing trawlers", that our circuits 
might suddenly end up on a satellite link.  And we were only worrying about commercial-grade security.)


                --Steve Bellovin, https://www.cs.columbia.edu/~smb
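
[Editor's illustration, added to the archive; this is not code from the thread or from Bellovin. It shows what a link encryptor has to provide against the two threats the thread names: packets copied off a carrier circuit and packets injected into it. A frame is sealed with AES-GCM under a per-link key, with a sequence number bound into the tag and used for replay rejection, so a tap yields only ciphertext and an injected, replayed, or tampered frame fails verification. The key, the sample payload, the frame layout and the strict in-order sequence check are assumptions for the demo; real link encryptors negotiate keys and use a sliding replay window.]

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed on-wire layout: 8-byte big-endian sequence number || AES-GCM ciphertext || 16-byte tag.
const hdrLen = 8

type LinkEncryptor struct {
	aead cipher.AEAD
	seq  uint64 // last sequence number sent; never repeats under one key (GCM nonce reuse is fatal)
}

type LinkDecryptor struct {
	aead    cipher.AEAD
	lastSeq uint64 // highest sequence number accepted so far (0 = none yet)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 16-, 24- or 32-byte key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func NewLinkEncryptor(key []byte) (*LinkEncryptor, error) {
	a, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return &LinkEncryptor{aead: a}, nil
}

func NewLinkDecryptor(key []byte) (*LinkDecryptor, error) {
	a, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return &LinkDecryptor{aead: a}, nil
}

// nonceFor derives the 96-bit GCM nonce from the sequence number: distinct per frame, nothing extra on the wire.
func nonceFor(seq uint64) []byte {
	n := make([]byte, 12)
	binary.BigEndian.PutUint64(n[4:], seq)
	return n
}

// Seal wraps one frame. The sequence header is authenticated as additional data, so it cannot be altered or moved.
func (e *LinkEncryptor) Seal(plaintext []byte) ([]byte, error) {
	if e.seq == ^uint64(0) {
		return nil, errors.New("sequence space exhausted: rekey before continuing")
	}
	e.seq++
	hdr := make([]byte, hdrLen)
	binary.BigEndian.PutUint64(hdr, e.seq)
	frame := make([]byte, hdrLen, hdrLen+len(plaintext)+e.aead.Overhead())
	copy(frame, hdr)
	return e.aead.Seal(frame, nonceFor(e.seq), plaintext, hdr), nil
}

// Open verifies and decrypts a frame taken off the wire. Frames whose tag fails (injected, corrupted, wrong key)
// and frames that do not advance the sequence number (replayed copies) are dropped. lastSeq moves only after a
// successful tag check, so a forger cannot push it forward and starve the link. A strict "greater than" check
// also drops legitimately reordered frames; production encryptors use an IPsec-style sliding window instead.
func (d *LinkDecryptor) Open(frame []byte) ([]byte, error) {
	if len(frame) < hdrLen+d.aead.Overhead() {
		return nil, errors.New("frame too short")
	}
	hdr := frame[:hdrLen]
	seq := binary.BigEndian.Uint64(hdr)
	if seq <= d.lastSeq {
		return nil, errors.New("replay: sequence number already seen")
	}
	plaintext, err := d.aead.Open(nil, nonceFor(seq), frame[hdrLen:], hdr)
	if err != nil {
		return nil, errors.New("authentication failed: injected or modified frame")
	}
	d.lastSeq = seq
	return plaintext, nil
}

// Outcome records what the receiving end did with each frame in the simulated tapped circuit.
type Outcome struct {
	Legit    string // plaintext recovered from the genuine frame
	TapLeaks bool   // true if the copy taken off the wire exposes the payload
	Replay   error  // feeding the tapped copy back in
	Tamper   error  // flipping one ciphertext byte in transit
	Inject   error  // a frame built without the key
}

// Demo runs the thread's scenarios: copy off the line, replay, tamper, inject. Key and payload are constructed.
func Demo() (Outcome, error) {
	var out Outcome
	key := bytes.Repeat([]byte{0x42}, 32) // constructed demo key; a real deployment negotiates and rotates it
	enc, err := NewLinkEncryptor(key)
	if err != nil {
		return out, err
	}
	dec, err := NewLinkDecryptor(key)
	if err != nil {
		return out, err
	}
	frame, err := enc.Seal([]byte("OSPF hello from 192.0.2.1")) // constructed sample payload
	if err != nil {
		return out, err
	}
	tapped := append([]byte(nil), frame...) // what a mirror port, DACS tap or stray pseudowire hands an observer
	pt, err := dec.Open(frame)
	if err != nil {
		return out, err
	}
	out.Legit = string(pt)
	out.TapLeaks = bytes.Contains(tapped, []byte("OSPF"))
	_, out.Replay = dec.Open(tapped)
	frame2, err := enc.Seal([]byte("second frame"))
	if err != nil {
		return out, err
	}
	frame2[hdrLen] ^= 0x01 // attacker flips a ciphertext bit in transit
	_, out.Tamper = dec.Open(frame2)
	forged := make([]byte, hdrLen+32) // no key: header claims seq 99, body is zeros
	binary.BigEndian.PutUint64(forged, 99)
	_, out.Inject = dec.Open(forged)
	return out, nil
}

func main() {
	out, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("legit frame: %q\ntap sees plaintext: %v\n", out.Legit, out.TapLeaks)
	fmt.Printf("replay: %v\ntamper: %v\ninject: %v\n", out.Replay, out.Tamper, out.Inject)
}
```

The point of running it is the last three lines of output: the copy an observer takes off the line is opaque, and every frame that was not produced by the holder of the link key at a fresh sequence number is rejected before it reaches the router behind the encryptor.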
