US Government to Have Only 50 Gateways

Narrative Fallacy brings us a story about the US government's plan to reduce the roughly 4,000 active internet connections used by its civilian agencies to a mere 50 highly secure gateways. This comes as part of the government's response to a rise in attacks on its networks. "Most security professionals agreed that the TIC security improvements and similar measures are long overdue. 'We should have done this five years ago, but there wasn't the heart or the will then like there is now,' said Howard Schmidt, a former White House cyber security adviser. 'The timetable is aggressive,' he said, but now there is a sense of urgency behind the program. Small agencies that won't qualify for their own connections under TIC must subcontract their Internet services to larger agencies."
  • DoS??? (Score:5, Interesting)

    by DNAGuy ( 131264 ) <brent.brentrockwood@org> on Sunday April 20, 2008 @09:42AM (#23134182) Homepage
    Wouldn't this make DoS easier, not harder?
  • Re:DoS??? (Score:3, Interesting)

    by MiniMike ( 234881 ) on Sunday April 20, 2008 @09:58AM (#23134258)
    With all of the traffic that's going to be funneled through them, would a DoS be necessary?
  • by Cheerio Boy ( 82178 ) * on Sunday April 20, 2008 @10:24AM (#23134390) Homepage Journal
    Hmm...TFA says it's obviously only for the government networks, but quite honestly what's going to stop them from going farther?

    After they do a project this large for their own network they'll have the experience necessary to do this across the board.

    If they do that at the major trunks running in/out of the US, that pretty much would be the end of unmonitored access for anybody on the 'net in the US. (Not like ISPs in a lot of cases aren't logging stuff now, but there's a big difference between that and a government-run filter.)

    Regardless it certainly bears keeping an eye on this to make sure it doesn't show signs of creep or expansion beyond government use.
  • by Necroman ( 61604 ) on Sunday April 20, 2008 @10:29AM (#23134410)
    I do have to say I like your idea of Tigerboxes to keep people out of network, but it makes me think of Ghost in the Shell TV series. In that series they had a concept called an "Attack Barrier" that would attack anyone that dived too deep into something they weren't supposed to be in. It could do anything from kill their connection to killing the person doing the dive.
  • Re:DoS??? (Score:5, Interesting)

    by v1 ( 525388 ) on Sunday April 20, 2008 @10:31AM (#23134418) Homepage Journal
    It would certainly reduce the number of machines to target, but if 50 machines are to cover the duties of 4,000, you know they will have some horsepower. The obvious reality is it will be a distributed load system, so each of those 50 gateways will be an entire building of machines.

    Nothing new here really. Most of those 4,000 gateways are already at least several racks of hardware. I doubt that the vulnerability to distributed attacks will go up as a result of lowering the number of vectors. If anything, having 50 standardized and more carefully monitored gateways will probably further harden them against attacks. (is YOUR gateway patched?)

    Of course the other viewpoint is if all 50 of them are being administered by the same group or a group under central control, when a vulnerability DOES surface (and they always do), they will probably ALL be vulnerable since they are standardized.

    Assuming they have their heads screwed on straight, they will at least be using somewhat of a variation of several hardware and software vendors to prevent this. As it is now, if a serious problem is discovered in a high end bit of router hardware, it may force downtime on maybe 300 gateways while traffic routes around them. If all 50 are using the same, what do you do then? Flip the kill switch and take down the entire country's internet whilst you fix it?

    I want to hear that phone call. "Hello, Cisco. We're calling in regard to this morning's zero-day bug 433-86b in regard to your model 822 enterprise gateways. We're down, we need a fix now. No, DOWN. The entire country. Yes, really."

    I'd be interested to know how China handles their great firewall. Are there details posted anywhere? Somehow I don't think they'd terribly mind taking down the entire country's internet for a day or two for national security though. (and "for reasons of national security" is very loosely interpreted in China it would seem)
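The monoculture concern in the comment above (one vendor advisory taking down every standardized gateway at once) can be quantified before it happens. The script below is an added example, not code from the thread or from any agency: it takes a constructed gateway inventory (all ids, vendor names and version strings are made up) and computes how many gateways a single hypothetical advisory would hit, plus which vendors exceed a chosen share of the fleet.

```python
from collections import Counter

# Constructed sample inventory of consolidated gateways. Vendor, model and
# software-version values are placeholders, not real products or assets.
GATEWAYS = [
    {"id": "gw-01", "vendor": "VendorA", "model": "A-800", "sw": "12.1"},
    {"id": "gw-02", "vendor": "VendorA", "model": "A-800", "sw": "12.1"},
    {"id": "gw-03", "vendor": "VendorA", "model": "A-800", "sw": "12.1"},
    {"id": "gw-04", "vendor": "VendorA", "model": "A-800", "sw": "12.1"},
    {"id": "gw-05", "vendor": "VendorA", "model": "A-800", "sw": "12.3"},
    {"id": "gw-06", "vendor": "VendorA", "model": "A-900", "sw": "12.1"},
    {"id": "gw-07", "vendor": "VendorB", "model": "B-1",   "sw": "5.0"},
    {"id": "gw-08", "vendor": "VendorB", "model": "B-1",   "sw": "5.0"},
    {"id": "gw-09", "vendor": "VendorB", "model": "B-2",   "sw": "5.2"},
    {"id": "gw-10", "vendor": "VendorC", "model": "C-X",   "sw": "2.0"},
]


def affected_by_advisory(inventory, vendor, model=None, sw_versions=None):
    """Return the ids of gateways inside a hypothetical advisory's scope.

    An advisory is described by the vendor it concerns and, optionally, the
    model and the set of affected software versions. Omitting a field means
    the advisory applies to every value of that field.
    """
    hits = []
    for gw in inventory:
        if gw["vendor"] != vendor:
            continue
        if model is not None and gw["model"] != model:
            continue
        if sw_versions is not None and gw["sw"] not in sw_versions:
            continue
        hits.append(gw["id"])
    return hits


def blast_radius(inventory, vendor, model=None, sw_versions=None):
    """Fraction of the fleet that would need emergency patching or downtime."""
    hits = affected_by_advisory(inventory, vendor, model, sw_versions)
    return len(hits) / len(inventory)


def vendor_shares(inventory):
    """Map each vendor to its share of the gateway fleet."""
    counts = Counter(gw["vendor"] for gw in inventory)
    total = len(inventory)
    return {vendor: count / total for vendor, count in counts.items()}


def monoculture_violations(inventory, max_share):
    """Vendors whose share of the fleet exceeds the diversity policy threshold."""
    return sorted(v for v, share in vendor_shares(inventory).items() if share > max_share)


if __name__ == "__main__":
    # A hypothetical advisory for VendorA's A-800 running 12.1.
    hit = affected_by_advisory(GATEWAYS, "VendorA", model="A-800", sw_versions={"12.1"})
    print("affected gateways:", hit)
    print("blast radius for any VendorA issue:", blast_radius(GATEWAYS, "VendorA"))
    print("vendors over 50% of fleet:", monoculture_violations(GATEWAYS, 0.5))
```

The threshold in `monoculture_violations` is a policy knob: a fleet where one vendor holds 60% of the gateways means a single vendor-wide advisory forces downtime or emergency patching on more than half the consolidated capacity, which is exactly the "flip the kill switch" scenario the comment describes.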
  • by OeLeWaPpErKe ( 412765 ) on Sunday April 20, 2008 @10:38AM (#23134442) Homepage
    No this really helps. This will *really* help a lot with dumb bad guys on the outside (like, say the storm botnet).

    If the connections between different departments are also forced to go through only these 50 departments, that would ensure a further layer of protection.

    It is *much* easier to defend a centralized infrastructure (like this) than to defend something random.

    This is the same as in real life. Defending a castle is much simpler than defending the village. Yes, castle failures are more spectacular and do more damage, but they occur so much less that it's worth building them anyway. Breaches in the security of a "village" are constant, unfollowable, and you cannot prevent them.

    So from a security standpoint... good move!
  • by the_raptor ( 652941 ) on Sunday April 20, 2008 @12:02PM (#23134858)
    And you think they aren't monitoring the international connections already? ECHELON has been around for years. Just because they can tap something doesn't mean the computing and storage power exists to do anything useful with that data. And this project doesn't change that at all.

    My country (Australia) has only a handful of international links (I think it is around five), and it is still improbable that a Government could monitor all that data. They can filter out everything but "persons of interest", but that is just as easy with a local tap.

    Monitoring the internal US net would be far more interesting to the authorities, but that is already largely multiplexed at the backbone links. Haven't you read the stories of whole regions of the US having no/poor net connection because one backbone went down and the secondary (and maybe tertiary) got saturated?

    Again this project has no application. The Internet is not some ubiquitous cloud, it still largely follows the highly structured trunk and root system of telephony.
  • by mbone ( 558574 ) on Sunday April 20, 2008 @12:47PM (#23135096)
    I see lots of waivers coming out of this. Let me guess - no additional funding will be provided to the "Small agencies that won't qualify for their own connection". Let me also guess - certain well-connected companies will be doing the 50 gateways!

    When the DOD did this, no new money was provided for the switch, vendor "H" was the only source of outside assistance, at their usual outrageous prices, and everyone who could waivered out.
  • by Anonymous Coward on Sunday April 20, 2008 @01:28PM (#23135298)
    We don't log our DHCP services. We allow Tor. We host tons of medical, legal, and financial information on you and other Americans. The federal IT director doesn't want to change it due to 'budget constraints'. Your government at work, people.
  • by Wavebreak ( 1256876 ) on Sunday April 20, 2008 @03:34PM (#23136052)
    Actually, AFAIK (i.e. read it somewhere, not even remotely sure if it's true, but does make sense) the Great Wall was in fact meant to do neither; or rather, a bit of both. It kept the invaders in. Sure, they'd get over it pretty easily on their way in, and it was impossible to keep constant watch over in any case, but once they'd done their raiding and whatnot they'd have soldiers after them and wouldn't be able to get back over the wall fast enough to escape them, thus discouraging invasions by making it pretty much impossible to get away with your loot and your life.