US Government to Have Only 50 Gateways
Narrative Fallacy brings us a story about the US government's plan to reduce the roughly 4,000 active internet connections used by its civilian agencies to a mere 50 highly secure gateways. This comes as part of the government's response to a rise in attacks on its networks.
"Most security professionals agreed that the TIC security improvements and similar measures are long overdue. 'We should have done this five years ago, but there wasn't the heart or the will then like there is now,' said Howard Schmidt, a former White House cyber security adviser. 'The timetable is aggressive,' he said, but now there is a sense of urgency behind the program. Small agencies that won't qualify for their own connections under TIC must subcontract their Internet services to larger agencies."
One could lead to the other... (Score:5, Interesting)
After they do a project this large for their own network they'll have the experience necessary to do this across the board.
If they do that at the major trunks running in/out of the US that pretty much would be the end of unmonitored access for anybody on the 'net in the US. (Not like ISPs in a lot of cases aren't logging stuff now, but there's a big difference between that and a government-run filter.)
Regardless it certainly bears keeping an eye on this to make sure it doesn't show signs of creep or expansion beyond government use.
Re:DoS??? (Score:5, Interesting)
Nothing new here really. Most of those 4,000 gateways are already at least several racks of hardware. I doubt that the vulnerability to distributed attacks will go up as a result of lowering the number of vectors. If anything, having 50 standardized and more carefully monitored gateways will probably further harden them against attacks. (is YOUR gateway patched?)
Of course the other viewpoint is if all 50 of them are being administrated by the same group or a group under central control, when a vulnerability DOES surface (and they always do), they will probably ALL be vulnerable since they are standardized.
Assuming they have their heads screwed on straight, they will at least be using somewhat of a variation of several hardware and software vendors to prevent this. As it is now, if a serious problem is discovered in a high end bit of router hardware, it may force downtime on maybe 300 gateways while traffic routes around them. If all 50 are using the same, what do you do then? Flip the kill switch and take down the entire country's internet whilst you fix it?
I want to hear that phone call. "Hello, Cisco. We're calling in regard to this morning's zero-day bug 433-86b in regard to your model 822 enterprise gateways. We're down, we need a fix now. No, DOWN. The entire country. Yes, really."
I'd be interested to know how China handles their great firewall. Are there details posted anywhere? Somehow I don't think they'd terribly mind taking down the entire country's internet for a day or two for national security though. (and "for reasons of national security" is very loosely interpreted in China it would seem)
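The monoculture concern raised in the comment above (one advisory hitting every standardized gateway at once) is something a fleet owner can check against an inventory before the phone call happens. The following is an added example, not code from the thread or from the TIC program: it takes a constructed gateway inventory, a constructed advisory (the vendor names, model names and advisory id are placeholders, not real products or CVEs), and reports how many gateways a single advisory takes out, how much capacity survives while they are patched, and whether any one vendor/model pair exceeds a diversity limit.

```python
"""Blast-radius and vendor-diversity check for a consolidated gateway fleet.

Added example; the inventory, vendor/model names, capacities and the
advisory below are all constructed sample data, not real products or CVEs.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Gateway:
    name: str
    vendor: str
    model: str
    capacity_gbps: float  # constructed figure


@dataclass(frozen=True)
class Advisory:
    advisory_id: str  # placeholder id, not a real CVE
    vendor: str
    model: str


# Constructed fleet 1: 50 identical gateways from one vendor (the worst case
# described in the comment above).
SINGLE_VENDOR_FLEET = [
    Gateway(f"gw-{i:02d}", "VendorA", "edge-1", 10.0) for i in range(50)
]

# Constructed fleet 2: the same 50 slots spread across three vendors/models.
MIXED_FLEET = (
    [Gateway(f"gw-{i:02d}", "VendorA", "edge-1", 10.0) for i in range(20)]
    + [Gateway(f"gw-{i:02d}", "VendorB", "core-9", 10.0) for i in range(20, 40)]
    + [Gateway(f"gw-{i:02d}", "VendorC", "rt-3", 10.0) for i in range(40, 50)]
)

# Constructed advisory against one vendor/model pair.
SAMPLE_ADVISORY = Advisory("ADV-PLACEHOLDER-001", "VendorA", "edge-1")


def affected_gateways(fleet, advisory):
    """Gateways whose vendor and model match the advisory."""
    return [g for g in fleet
            if g.vendor == advisory.vendor and g.model == advisory.model]


def total_capacity(fleet):
    return sum(g.capacity_gbps for g in fleet)


def residual_capacity_fraction(fleet, advisory):
    """Fraction of aggregate capacity left if every affected gateway is taken offline."""
    total = total_capacity(fleet)
    if total == 0:
        return 0.0
    down = total_capacity(affected_gateways(fleet, advisory))
    return (total - down) / total


def can_absorb(fleet, advisory, peak_demand_gbps):
    """True if the unaffected gateways can still carry peak demand during patching."""
    remaining = total_capacity(fleet) - total_capacity(affected_gateways(fleet, advisory))
    return remaining >= peak_demand_gbps


def vendor_diversity_violations(fleet, max_share=0.5):
    """(vendor, model) pairs whose share of the fleet exceeds the policy limit."""
    if not fleet:
        return []
    counts = Counter((g.vendor, g.model) for g in fleet)
    return sorted(pair for pair, c in counts.items() if c / len(fleet) > max_share)


def report(name, fleet, advisory, peak_demand_gbps):
    hit = affected_gateways(fleet, advisory)
    print(f"{name}: {len(hit)}/{len(fleet)} gateways affected by {advisory.advisory_id}, "
          f"{residual_capacity_fraction(fleet, advisory):.0%} capacity remains, "
          f"absorbs {peak_demand_gbps} Gbps peak: {can_absorb(fleet, advisory, peak_demand_gbps)}, "
          f"diversity violations: {vendor_diversity_violations(fleet)}")


if __name__ == "__main__":
    report("single-vendor fleet", SINGLE_VENDOR_FLEET, SAMPLE_ADVISORY, 250.0)
    report("mixed fleet", MIXED_FLEET, SAMPLE_ADVISORY, 250.0)
```

The diversity limit is a policy knob: the 0.5 default simply says no single vendor/model pair may make up more than half the fleet, so that one advisory can never force the "kill switch" scenario the comment describes. Run against a real inventory export, the same three functions give the answer to "what happens to us if this model has a zero-day tomorrow" before the question is asked.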
Re:What does gateway limiting *really* help? (Score:4, Interesting)
If the connections between different departments are also forced to go through only these 50 departments, that would ensure a further layer of protection.
It is *much* easier to defend a centralized infrastructure (like this) than to defend something random.
This is the same as in real life. Defending a castle is much simpler than defending the village. Yes, castle failures are more spectacular and do more damage, but they occur so much less that it's worth building them anyway. Breaches in the security of a "village" are constant, unfollowable and you cannot prevent them.
So from a security standpoint
Re:One could lead to the other... (Score:3, Interesting)
My country (Australia) has only a handful of international links (I think it is around five), and it is still improbable that a Government could monitor all that data. They can filter out everything but "persons of interest", but that is just as easy with a local tap.
Monitoring the internal US net would be far more interesting to the authorities, but that is already largely multiplexed at the backbone links. Haven't you read the stories of whole regions of the US having no/poor net connection because one backbone went down and the secondary (and maybe tertiary) got saturated?
Again this project has no application. The Internet is not some ubiquitous cloud, it still largely follows the highly structured trunk and root system of telephony.
Waivers. Lots of waivers. (Score:3, Interesting)
When the DOD did this, no new money was provided for the switch, vendor "H" was the only source of outside assistance, at their usual outrageous prices, and everyone who could waivered out.