
US Government to Have Only 50 Gateways

Posted by Soulskill
from the e-downsizing dept.
Narrative Fallacy brings us a story about the US government's plan to reduce the roughly 4,000 active internet connections used by its civilian agencies to a mere 50 highly secure gateways. This comes as part of the government's response to a rise in attacks on its networks. "Most security professionals agreed that the TIC security improvements and similar measures are long overdue. 'We should have done this five years ago, but there wasn't the heart or the will then like there is now,' said Howard Schmidt, a former White House cyber security adviser. 'The timetable is aggressive,' he said, but now there is a sense of urgency behind the program. Small agencies that won't qualify for their own connections under TIC must subcontract their Internet services to larger agencies."
  • ... or does this summary scream "Throw more money at the problem"?

    I mean, really. Perhaps ensuring the standards and procedures are actually adhered to would be a much cheaper and less drastic change.
    • by Pfhor (40220) on Sunday April 20, 2008 @09:29AM (#23134142) Homepage
      Are you kidding?

      Trying to maintain standards and practices across 4,000 gateway points vs. 50, let alone the agency bureaucracy that would be involved in doing site checks and working across various agency boundaries, would be a nightmare. It would take eons to get those things in place to do consistent auditing and management to ensure standards and procedures are followed, let alone actually do them. Might as well consolidate bandwidth costs and number of checkpoints down to 50 in the process.
      • OK, I'm definitely not a networking guru (to put it euphemistically) but I'm wondering what the down sides are to only having 50 gateways.

        I'm thinking two things:
        1) You are concentrating access points (and thus increasing the likelihood of failure given concerted attacks [like DDoS for example])
        2) With a small definable limit of access points you are decreasing (or eliminating) the possibility of honeypots (and counter-surveillance)
        • by innerweb (721995) on Sunday April 20, 2008 @10:40AM (#23134452)

          Let me see...

          • 1) Each point of failure might have a greater chance to block a part of the network (depends on design). They could design it so that the 50 points lead to a network that is redundant behind the 50 points. If one point were to be blocked, then the traffic could be re-routed to other points. Much more secure and manageable than 4000 points. Bandwidth is only as much of an issue as the 50 points of connectivity allow/limit.
          • 2) Actually, as to honeypots and counter-surveillance, you are getting much better control. There is no limit to how many false access points you can seed (outside of resources). With fewer access points to monitor, policing the network becomes much easier.

          With 50 gateways, if the internal network is built correctly (unlike, say, how a certain cable company does theirs), then I can not think of any real net negatives except the complexity of the internal network now. But, given the serious issues the 4000 has, the complexity of the internal network is a relatively non-existent issue.

          InnerWeb

          • by acidrain (35064)

            They could design it so that the 50 points lead to a network that is redundant behind the 50 points.
            That's just wishful thinking. You know the number 50 reflects the least number they could pick *without* having to run a significant amount of cable.
            • by innerweb (721995)

              It might be wishful thinking, but I am speaking from experience in the military. The networks were definitely redundant in many locations that were critical. I would be willing to bet that a part if not most of this network, especially given the price tag, has a certain level of redundancy behind those 50 gateways.

              InnerWeb

        • That's only 50 gateways to the internet, so what you are calling access points is going to be more like an IXP (Internet exchange point) [wikipedia.org]; by keeping the number of connections manageable they'll be able to monitor the traffic more effectively.
      • by jo42 (227475)

        4000 to 50
        All this means is that when, not if, one gateway is compromised, more machines will be hacked.
        • by Pfhor (40220)
          Of course, we are assuming that these gateways are the only public facing ones, and there may be back end trunks or VPNs bridging them to each other (so internal communications are done over private channels, while external stuff is offloaded to local internet access / backbones). Depending on how the current network is set up, compromising one of these existing 4k gateways could get you access into one of the other 3,999 networks that it is associated with.

          Also, consolidating the traffic means they could tr
      • by Evets (629327) * on Sunday April 20, 2008 @11:43AM (#23134764) Homepage Journal
        You make a series of pretty huge assumptions here, many of which are unlikely.

        1) you assume that the 50 gateway points will be managed properly.
        2) you assume that access to those gateway points will be managed effectively.
        3) you assume that the underlying network design is intelligently put together.

        Since this is government work, I would throw in an entirely different set of assumptions:

        1) The contractor doing the work will be foreign.
        2) The contractor doing the work will have less than solid training in putting together nationwide internet scale networks.
        3) The underlying networks will mostly have already been compromised.
        4) The project will take at least 2 times longer than predicted to complete.
        5) The project will be considered complete before most of the network gurus here on Slashdot would consider it complete.
        6) The project will likely introduce a 2 or 3 point of failure potential rather than a 50 point of failure potential. If you have trouble imagining such a poor design, you have no experience with government contracts.

        I think the missing tag here is "whatcouldpossiblygowrong?". Knowing that something major WILL go wrong, as with all federal projects, you have to weigh the risk of moving forward against the risk of not moving forward. The realistic risk of moving forward is:

        1) a significant portion of the networks will go down and leave several agencies without the capability of getting anything done.
        2) a downtime in the network will present a very real and very dangerous national security issue.

        The risk of not moving forward?
        1) Data currently deemed secure is widely compromised. (in fact, this has probably already happened)

        It's an arguably good idea on the surface. But really, shouldn't the nation that brought the world the internet have the most well thought out and effective network infrastructure in the world? A change to the underlying network is a solid idea. This change? This change is the result of small minded thinking and government work.
        • by Original Replica (908688) on Sunday April 20, 2008 @01:02PM (#23135170) Journal
          You make a series of pretty huge assumptions here, many of which are unlikely. 1) you assume that the 50 gateway points will be managed properly. 2) you assume that access to those gateway points will be managed effectively. 3) you assume that the underlying network design is intelligently put together.

          I think the assumption is more along the lines of:
          50 gateway points are more likely to be managed properly than 4000 points.
          Those 50 points will have a great deal of attention and resources allocated to them, about 80 times the amount per point of the previous 4000 points.
          When the government really cares about a project (read military) they can be very intelligent, just look at the stealth bomber. They are only haphazard when it is a project that exists only to please the public (read Medicare, or Social Security).
          • by Evets (629327) *
            Flamebait... I hate when I get that moderation. My intention was just the opposite.

            I would sincerely hope that the military was segmented from the rest of the network. Certainly - if you take this idea with extreme optimism it is a good one. Experience tells me that optimism on large projects, especially where multiple disparate enterprises are concerned, is not the right way to look at things.

            I understand the logic. I simply feel that the logic does not take into account reality. In large projects, c
    • Well, anything to reduce the overall "surface area" of the governmentium [writeidea.org] is a good idea.
      • by TexNex (513254)
        Totally! Hopefully this will lead to better searching and information sharing, as right now looking up info on .gov sites is about as easy as finding a needle in a junk yard. It can be done, but you're gonna pick up a lot of trash with it, if at all.
      • by PopeRatzo (965947) * on Sunday April 20, 2008 @11:57AM (#23134826) Homepage Journal
        smitty, you know I love you, but I don't think I agree.

        Since we're supposed to be the government (of, by and for, you know) the more places we can interface with it the better.

        We've been trained by 27 years of "Conservative" control of government and media to see "government" as some alien entity over which we have no control and which only acts to make our lives unpleasant. St. Ronald was the first to really market this erroneous notion, and it really disrespects the clever and elegant plan our founding fathers laid out for us.

        This meme of "drowning government in a bathtub" is so ubiquitous that even some smart people are lazily spreading it, as you have done.

        If you've recently driven on a US highway, or if you're one of the unlucky ones under whom a bridge recently collapsed in Minnesota, you know first-hand what happens when "the commons" are neglected.

        The strangest thing about this whole story is that we are constantly told that the US is a "Christian Nation" yet the idea of "care in common" which is anathema to Republicans is a most Christian notion. But I guess it's to be expected when hypocrisy is the new black.
    • by mikelieman (35628) on Sunday April 20, 2008 @09:52AM (#23134228) Homepage
      I wonder what 'Loyal Bushie Companies' are being paid back with the contracts for this work?

      • by iamsamed (1276082) on Sunday April 20, 2008 @10:17AM (#23134362)

        I wonder what 'Loyal Bushie Companies' are being paid back with the contracts for this work?
        Considering the questionable way contracts have been awarded by the Government over the last several years, the parent's comment is more "Insightful" than "Troll".

        And, as a taxpayer, it is a legitimate question that should be addressed by our Government. Especially when, not if, it comes to light that the project runs over budget by millions of dollars, which they inevitably do. Disgustingly, fleecing of the taxpayer has become de rigueur.

    • by MikeRT (947531)

      I mean, really. Perhaps ensuring the standards and procedures are actually adhered to would be a much cheaper and less drastic change.
      And don't you think that that would be a lot easier to do with 50 connections than 4,000?
  • DoS??? (Score:5, Interesting)

    by DNAGuy (131264) <{brent} {at} {brentrockwood.org}> on Sunday April 20, 2008 @09:42AM (#23134182) Homepage
    Wouldn't this make DoS easier, not harder?
    • Re: (Score:3, Informative)

      It will make inter-network traffic overloading easy as well, as a lot of stuff will have to be pushed down smaller links. Also I hear that they also want to get rid of the update and other servers at each site as well. So you will have 1000's of systems pulling down updates over a small link rather than having a server do it at each site.
    • Re: (Score:3, Interesting)

      by MiniMike (234881)
      With all of the traffic that's going to be funneled through them, would a DoS be necessary?
    • by Ruvim (889012)
      not if they distribute them properly
    • Re:DoS??? (Score:5, Interesting)

      by v1 (525388) on Sunday April 20, 2008 @10:31AM (#23134418) Homepage Journal
      It would certainly reduce the number of machines to target, but if 50 machines are to cover the duties of 4,000, you know they will have some horsepower. The obvious reality is it will be a distributed load system, so each of those 50 gateways will be an entire building of machines.

      Nothing new here really. Most of those 4,000 gateways are already at least several racks of hardware. I doubt that the vulnerability to distributed attacks will go up as a result of lowering the number of vectors. If anything, having 50 standardized and more carefully monitored gateways will probably further harden them against attacks. (is YOUR gateway patched?)

      Of course the other viewpoint is if all 50 of them are being administrated by the same group or a group under central control, when a vulnerability DOES surface (and they always do), they will probably ALL be vulnerable since they are standardized.

      Assuming they have their heads screwed on straight, they will at least be using somewhat of a variation of several hardware and software vendors to prevent this. As it is now, if a serious problem is discovered in a high end bit of router hardware, it may force downtime on maybe 300 gateways while traffic routes around them. If all 50 are using the same, what do you do then? Flip the kill switch and take down the entire country's internet whilst you fix it?

      I want to hear that phonecall. "Hello, Cisco. We're calling in regard to this morning's zero-day bug 433-86b in regard to your model 822 enterprise gateways. We're down, we need a fix now. No, DOWN. The entire country. Yes, really."

      I'd be interested to know how China handles their great firewall. Are there details posted anywhere? Somehow I don't think they'd terribly mind taking down the entire country's internet for a day or two for national security though. (and "for reasons of national security" is very loosely interpreted in China it would seem)
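The monoculture concern raised in the comment above (one advisory hitting every standardized gateway at once) is something a defender can quantify from an inventory before the advisory ever arrives. The following is an added example, not code from the article or from any TIC program; the gateway fleets, regions, vendor names, model names and version numbers are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Gateway:
    name: str
    region: str    # constructed label for the set of agencies this gateway serves
    vendor: str
    model: str
    version: str


@dataclass(frozen=True)
class Advisory:
    vendor: str
    model: str
    fixed_version: str   # versions below this one are affected


def version_tuple(version: str) -> tuple:
    """Turn '1.10.2' into (1, 10, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def is_affected(gw: Gateway, adv: Advisory) -> bool:
    return (gw.vendor == adv.vendor
            and gw.model == adv.model
            and version_tuple(gw.version) < version_tuple(adv.fixed_version))


def blast_radius(fleet: list, adv: Advisory) -> dict:
    """How much of the fleet one advisory takes out, and which regions lose every gateway.

    A region whose gateways are ALL affected cannot be patched in a rolling fashion:
    fixing the bug means taking that region offline.
    """
    by_region = defaultdict(list)
    for gw in fleet:
        by_region[gw.region].append(gw)
    affected = [gw for gw in fleet if is_affected(gw, adv)]
    dark_regions = sorted(region for region, gws in by_region.items()
                          if all(is_affected(gw, adv) for gw in gws))
    return {
        "affected": len(affected),
        "total": len(fleet),
        "regions_without_service": dark_regions,
    }


# Constructed fleets (hypothetical vendors, models and versions, not real products).
REGIONS = ["east", "central", "west"]

# Fleet 1: fully standardized, two identical gateways per region.
MONOCULTURE = [
    Gateway(f"gw-{region}-{n}", region, "VendorA", "GW-1", "1.0")
    for region in REGIONS for n in (1, 2)
]

# Fleet 2: same size, but each region pairs a VendorA box with a VendorB box.
DIVERSIFIED = [
    gw
    for region in REGIONS
    for gw in (Gateway(f"gw-{region}-1", region, "VendorA", "GW-1", "1.0"),
               Gateway(f"gw-{region}-2", region, "VendorB", "GW-9", "4.2"))
]

# Constructed advisory: VendorA GW-1 is vulnerable until version 1.1.
ADVISORY = Advisory(vendor="VendorA", model="GW-1", fixed_version="1.1")


if __name__ == "__main__":
    for label, fleet in (("monoculture", MONOCULTURE), ("diversified", DIVERSIFIED)):
        print(label, blast_radius(fleet, ADVISORY))
```

With the constructed data the standardized fleet reports 6 of 6 gateways affected and all three regions without service during remediation, while the two-vendor fleet reports 3 of 6 affected and no region dark, which is the operational difference the comment is pointing at. The same function run against a real inventory export answers the "what do we do then?" question before the vendor call rather than during it.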
      • Re: (Score:3, Informative)

        by dreamchaser (49529)
        Um, they are not talking about the nation's Internet. They are talking about civilian Government agencies and their Internet connections. Even IF they had to 'take the whole thing down', it would just mean that US Agencies would be offline until it was fixed. Inconvenient, yes, but hardly 'the entire country'. Heck, I'd be willing to bet that productivity within said agencies would go UP while the links were down!
        • Re:DoS??? (Score:4, Funny)

          by ColdWetDog (752185) * on Sunday April 20, 2008 @12:48PM (#23135100) Homepage

          Heck, I'd be willing to bet that productivity within said agencies would go UP while the links were down!

          A truly excellent idea. When (if) they finish this project, it should be pretty trivial to have an "Internet-free day" at Government agencies. No Dilbert! No Slashdot! Just actually do something!

          On second thought, this may not be such a good idea. Carry on.

    • Re: (Score:3, Informative)

      by jschottm (317343)
      Wouldn't this make DoS easier, not harder?

      Sort of. While there would be fewer targets, in theory the gateways would have very high levels of connectivity, resources, and knowhow behind them that might not exist with smaller agencies doing their own thing.

      More importantly, think in terms of what the attacker is trying to do with a DoS and what the US government is attempting to do with the network. DoS attacks are frequently used as an extortion technique. This obviously won't work against the US governme
    • by notnAP (846325)
      "50 gateways" != 50 Cisco 1601R's.
      A gateway is a point of entry, but do not confuse "a point" with "a single line, a single box."
  • And now we have a new excuse for the bureaucracy: "Our web site is down because agency XYZ won't let us use the Internet we subcontracted from them."
    I've worked in a bureaucracy for a few years. The main reason for proliferation is because of disputes between departments, whether for poor service or arrogant management or both.
  • Blocklists (Score:3, Funny)

    by kylehase (982334) on Sunday April 20, 2008 @10:01AM (#23134278)
    In other words, please remove those 4000 IP addresses from your PeerGuardian/firewall blocklist.
  • by Anonymous Coward on Sunday April 20, 2008 @10:03AM (#23134298)
    Than the whole US Senate machine level of security:
    Netcraft [netcraft.com]
    When the U.S. Justice Department stepped up its investigation of cybercrime, it found spam originating from an unexpected source: hundreds of powerful computers at the Department of Defense and the U.S. Senate. The machines were "zombies" that had been compromised by hackers and integrated into bot networks that can be remotely controlled to send spam or launch distributed denial of service attacks.
    (this link also mentions the older Republican access of the Democrat fileserver)
    • Re: (Score:2, Funny)

      by iamsamed (1276082)
      hundreds of powerful computers at the Department of Defense

      So THAT explains all of the 'enlarge your gun' spam!

  • The "gateway" methodology splits the world into inside and outside, not a useful split, since there are *always* bad guys on the inside.

    However, it nicely ensures that spending on hosting and applications is filtered through a limited number of suppliers, reducing competition and stifling innovation -- the American way ;)

    --
    Helge
    • by OeLeWaPpErKe (412765) on Sunday April 20, 2008 @10:38AM (#23134442) Homepage
      No this really helps. This will *really* help a lot with dumb bad guys on the outside (like, say the storm botnet).

      If the connections between different departments are also forced to go through only these 50 departments, that would ensure a further layer of protection.

      It is *much* easier to defend a centralized infrastructure (like this) than to defend something random.

      This is the same as in real life. Defending a castle is much simpler than defending the village. Yes, castle failures are more spectacular and do more damage, but they occur so much less often that it's worth building them anyway. Breaches in the security of a "village" are constant, unfollowable, and you cannot prevent them.

      So from security standpoint ... good move !
    • by mikkelm (1000451)
      That's like dismissing the entire concept of border security because there are illegal immigrants in the country already. That's pretty stupid any way you look at it. If you want network security to work, you need your domain to have clearly marked perimeters that you can effectively control.

      Suggesting that government contracts stifle innovation simply because of their size is also ridiculous. The government is a large entity, but by no means the only one. In fact, consolidating and centralising capacity
    • by jschottm (317343)
      The "gateway" methodology splits the world into inside and outside, not a useful split, since there are *always* bad guys on the inside.

      The "gateway" methodology is the basis for pretty much all security, physical and computer. How do you think security on a military base works? You keep out people who aren't supposed to be there. It doesn't mean that someone who is supposed to be there isn't working contrary to your best interest, but it eliminates a bunch of the low hanging fruit so you can focus your
  • by SilentOneNCW (943611) <silentdragonNO@SPAMgmail.com> on Sunday April 20, 2008 @10:11AM (#23134330) Homepage
    You'll never get enough Zealots out with only fifty Gateways...
  • by roystgnr (4015) * <`roystgnr' `at' `ticam.utexas.edu'> on Sunday April 20, 2008 @10:23AM (#23134380) Homepage
    But just give it a chance! I hear the new Maginot-brand routers are great.
    • But just give it a chance! I hear the new Maginot-brand routers are great.

      You do realize that there was nothing wrong with the Maginot line itself, that the problem was that it only ran the French/German border and did not include the French/Belgium border since Belgium was a friend and it would be insulting to arm that border? The Germans simply invaded Belgium on their way to France.

      Or has the government said that only 4,000 of the 5,000 gateways will go behind the new line since the remaining 1,00
      • by Znork (31774)
        Or has the government said that only 4,000 of the 5,000 gateways will go behind the new line

        Most likely it'll work this way; government agencies are put behind the connection points, connection points become bogged down with administration and security rules, employees can't do their actual work, employees become frustrated enough to set up 3G access on their laptops, government agencies end up with 500.000 gateways instead.

        So I think the Maginot comparison isn't that far off the mark.
  • by Cheerio Boy (82178) * on Sunday April 20, 2008 @10:24AM (#23134390) Homepage Journal
    Hmm...TFA says it's obviously only for the government networks, but quite honestly what's going to stop them from going farther?

    After they do a project this large for their own network they'll have the experience necessary to do this across the board.

    If they do that at the major trunks running in/out of the US, that pretty much would be the end of unmonitored access for anybody on the 'net in the US. (Not like ISPs in a lot of cases aren't logging stuff now, but there's a big difference between that and a government run filter.)

    Regardless it certainly bears keeping an eye on this to make sure it doesn't show signs of creep or expansion beyond government use.
    • Re: (Score:3, Interesting)

      by the_raptor (652941)
      And you think they aren't monitoring the international connections already? ECHELON has been around for years. Just because they can tap something doesn't mean the computing and storage power exists to do anything useful with that data. And this project doesn't change that at all.

      My country (Australia) has only a handful of international links (I think it is around five), and it is still improbable that a Government could monitor all that data. They can filter out everything but "persons of interest", but t
      • I wasn't referring to just monitoring but filtering as well.

        The whole point was that if they go through all the hurdles to learn how to combine all these networks into 50 from 4000 and then filter/restrict that they will have learned how to do that on a larger scale.

        From that point it is just a matter of having the covert/overt funds and media spin for the project.

        I don't deny that monitoring is already occurring. As you said ECHELON has been around for years.

        But if they were to restrict the trunks it
  • At one of the big backbone facilities. The guy who gave the tour told us about it when I took his security course at Interop back in '89.

    At the time there were only seven connections between the Internet and the MilNet. One of the generals asked how they could be disconnected in times of war.

    Before their guide could answer, another general piped up with "Explosive bolts".

  • This plan won't work. 50 gateways is too few; the performance will suck profoundly. 4000 to 50 just doesn't work.

    Imagine if bittorrent decided to say "screw the distributed client model", we'll just host 50 giant sites with all the files stored on them. Yeah, that just wouldn't work....
    • This plan won't work. 50 gateways is too few; the performance will suck profoundly. 4000 to 50 just doesn't work.

      You sure? Maybe the folks at Internal Revenue, Social Security, etc don't need to be reaching rich media content outside the federal network and the federal network does not need to host rich media content for citizens from inside the federal network?
    • by c6gunner (950153)

      This plan won't work. 50 gateways is too few; the performance will suck profoundly. 4000 to 50 just doesn't work. Imagine if bittorrent decided to say "screw the distributed client model", we'll just host 50 giant sites with all the files stored on them. Yeah, that just wouldn't work....

      Nonsense. Have you ever seen a google data center? All Google functions are provided by a grand total of 36 (known) data centers - only 19 of which are in the US. And I can pretty much guarantee that Google processes mo

  • Because the back-end databases contain proprietary information that could be private or even classified, the back-end networks need additional protection to fend off hacking attempts from outside. A separate layer of firewalls inside each agency's network will provide security by insulating the back-end systems from the rest of the network, Bradner said.

    Since when was classified data allowed to be anywhere near an internet facing computer?
    Are they abandoning the airgap policy or something?

    • Re: (Score:2, Insightful)

      by glitch23 (557124)

      Since when was classified data allowed to be anywhere near an internet facing computer?

      The times are changing my friend.

      Are they abandoning the airgap policy or something?

      Put simply, yes, it's a bit scary and myself and various coworkers (as contractors) have questioned the change in perspective but the government seems to be moving away from air gaps, at least in 1 agency that I know of which will go unnamed for privacy and security considerations. I think classified systems will be the last to be merged but already production and non-production systems are being merged. The idea, as TFA says, is to just put security monitoring devices
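The "separate layer of firewalls inside each agency's network" quoted from the article, and the air-gap worry in the replies, come down to one question: if the outer gateway layer is breached, what can a foothold in one zone reach directly? Below is an added example, not code from the article or any agency's actual policy, that models such a two-layer zone policy as a small evaluator; the address ranges, zone names and port choices are all constructed assumptions.

```python
import ipaddress

# Constructed zones (illustrative RFC 1918 ranges, not any real agency layout).
ZONES = {
    "agency_web":   ipaddress.ip_network("10.0.1.0/24"),   # public-facing app tier behind the gateway
    "agency_users": ipaddress.ip_network("10.0.2.0/24"),   # staff workstations
    "backend_db":   ipaddress.ip_network("10.0.3.0/24"),   # databases behind the inner firewall layer
}

# Ordered allow rules: (source zone, destination zone, permitted TCP ports).
# Anything that matches no rule is denied, which is what makes the inner layer a real barrier.
RULES = [
    ("internet",     "agency_web", {443}),        # outer layer: only HTTPS in to the app tier
    ("agency_users", "agency_web", {443}),        # staff use the same front door as the public
    ("agency_web",   "backend_db", {5432}),       # inner layer: only the app tier may talk to the database
    ("agency_users", "internet",   {80, 443}),    # staff browsing leaves through the gateway
]


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the defined ranges is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, network in ZONES.items():
        if addr in network:
            return name
    return "internet"


def evaluate(src_ip: str, dst_ip: str, dst_port: int) -> tuple:
    """Return ('allow', rule_index) for the first matching rule, else ('deny', None)."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for index, (rule_src, rule_dst, ports) in enumerate(RULES):
        if rule_src == src_zone and rule_dst == dst_zone and dst_port in ports:
            return ("allow", index)
    return ("deny", None)


def reachable_from(zone: str) -> set:
    """Every (destination zone, port) a foothold in `zone` can open directly.

    This is the question to ask of a policy: a compromised workstation must not see the
    database, and a compromised app server must see nothing beyond its own database port.
    """
    return {(rule_dst, port)
            for rule_src, rule_dst, ports in RULES
            if rule_src == zone
            for port in ports}


if __name__ == "__main__":
    # Constructed sample flows.
    for flow in (("203.0.113.5", "10.0.1.10", 443),     # citizen -> app tier, should pass
                 ("203.0.113.5", "10.0.3.10", 5432),    # citizen -> database, should fail
                 ("10.0.2.7",    "10.0.3.10", 5432),    # workstation -> database, should fail
                 ("10.0.1.10",   "10.0.3.10", 5432)):   # app tier -> database, should pass
        print(flow, evaluate(*flow))
    for zone in ("internet", "agency_users", "agency_web"):
        print(zone, sorted(reachable_from(zone)))
```

The useful output is `reachable_from`: with these rules a foothold on the internet sees only port 443 on the app tier, a compromised workstation sees the app tier and outbound web, and only a compromised app server sees the database port. Whether that is acceptable for data that was formerly air-gapped is the policy debate in the thread; the evaluator just makes the consequence of each rule explicit.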

  • "The problem is all inside your router", the chinese said to me. The answer is easy if you brute it logically. They'd like to help you with some information for free. There must be fifty ways to hax0r your server
  • I think roughly once per day there's a headline on /. that is indecipherable. One that either makes no sense whatsoever, or is so specialized, or is so badly written, as to give no clue as to what the actual article is about.

    And this is today's.
  • 'The timetable is aggressive,' he said, but now there is a sense of urgency behind the program

    After 7 years bleeding us all dry, making us more endangered, lying to us, wasting our time and squandering our advantages against our many real enemies, suddenly Homeland Security has "a sense of urgency"?

    They're just going to spend as much money as they possibly can in the last 8 months Bush/Cheney control the Executive, all sent to their cronies, grabbing more power and cutting off as much communications inside

    • Why should the last 8 months of Bush/Cheney be any different from the first 88 months?

      1) It's a much shorter period of time and
      2) It's the last damn time.

      Progress as Promised!

  • Honest to god, I read that and thought the US government were going to have 50 old Gateway computers. I was like, WTF?
  • One of the problems is that barrier security has diminishing returns as the size of what you are barricading gets bigger.

    You wear clothes. Your house probably has a bathroom door. But Seattle or San Diego are probably too big and too intertangled with the world to use perimeter security in a big way, much less large countries with land borders.
  • There are now only 50 targets to take out the entire government network system? Based on how many trojan scans I get from .gov IPs I would say their grasp of network security is slim at best...so reducing the number of gateways to 50 seems like a giant "hack me" sign.

    Am I wrong about this?
  • by mbone (558574) on Sunday April 20, 2008 @12:47PM (#23135096)
    I see lots of waivers coming out of this. Let me guess - no additional funding will be provided to the "Small agencies that won't qualify for their own connection". Let me also guess - certain well connected companies will be doing the 50 gateways !

    When the DOD did this, no new money was provided for the switch, vendor "H" was the only source of outside assistance, at their usual outrageous prices, and everyone who could waivered out.
  • ..the "What could POSSIBLY go wrong?" tag. Wouldn't you say that one of the possible side effects of this move, is that it allows alleged attackers to concentrate their attacks by a factor of 80? Isn't this the IT equivalent of moving the whole population of Minas Tirith into Helm's Deep? All it took there was one big explosion and all the defenses were toast.
    • I would like to see someone attempt to keep 80 Helm's Deeps safe as opposed to 1 Helm's Deep safe... obviously, it failed, but that's because I am going along with your analogy and it was doomed to fail, hehe.

      Seriously, having redundancy is a very good thing, but if you are too redundant, it is way easier. If you have 50 shaded windows that people try to look in, it's a lot easier to monitor than if you have 200 windows that you try to monitor (and make sure all the defenses are safe, etc).

      • Sure, but what about "all your eggs in one basket"? Are they going to have multiple firewalls within their own LAN, or if you can breach just one of the 50 gateways, do you have access to everything? I'm not even going to get into how much pity I feel for government workers that need to access the public internet, it's going to be slower than dialup by the time they get done with it. For that matter, this is the public sector we're talking about: there's going to be exceptions to this, regardless of "policy
  • Am I the only one who notices this trend of being a couple of years late with good ideas?

    This could have worked earlier, say 5 years ago. However, the nature of attacks is such that the whole hard shell, soft centre approach is compromised.

    The primary issue is that defence mechanisms are moving up the stack. It started with being on an isolated bit of cable, then it became a routed network to the Internet - with 50 firewalls, that's the hard shell these guys are talking about.

    But the problem sit INSIDE t
  • So now they'll have to run point to point links to every VA and Social Security office to the closest gateway. At the cost of fiber these days, that'll be an amazingly high cost, when they could get much much less expensive internet through local suppliers. If they want to standardize their security, there are other ways to do this. They could decide on one line of router/firewall and remotely update the configurations.
  • "...US government's plan to reduce the roughly 4,000 active internet connections used by its civilian agencies to a mere 50 highly secure gateways".

    Yes, about par for the course. From memory DEC (my employer at that time) took a similar decision back around 1985 or so. The plan entailed channelling all connections from the company's tens of thousands of computers, linked worldwide by DECnet, through one or at most two gateways to the ARPAnet. The security logic was unassailable even then.

    22 years for public
