NSA Chief Wants Internet Partitioned For Government, 'Critical' Industries 258
GovTechGuy writes "NSA chief Keith Alexander, also the head of the US Cyber Command, told reporters that he would like to see the creation of a secure zone on the Internet for government and critical private sector industries such as utility companies and the financial sector. Alexander has repeatedly emphasized the dramatic nature of the cyber threat facing American networks and his comments were a further sign that the Pentagon does not think the war against foreign hackers can be won. Alexander denied the military has any role in safeguarding civilian networks currently, but didn't rule out the option in the future."
Re:Someone didn't get the memo (Score:5, Informative)
The DoD owns those... NIPR is mostly bureaucratic military stuff, while SIPR is the secure one. Good luck with the Pentagon letting folks like HHS, DOI, DOE, congress-critters, or (heh) your local utility co-op getting latched onto to those.
Speaking of "realistic security policies", just to even think of hooking into NIPR, you have to harden your boxes to the these specs [disa.mil] (ever had to put all of /usr onto its own partition and lock the whole thing read-only? I guess it all depends on your definition of "realistic"). SIPR's requirements are only 'slightly' more anal.
Re:It just takes one... (Score:4, Informative)
Partitioning is a pipe dream; any network with a significant number of users will have uncontrolled exchanges with the internet.
The only way to have reasonable security is to keep certain subsystems separate and accessible only via specific gateways; no user is ever logically placed on those segments, and they are only ever accessed over very few very specific interfaces.
There is a good reason for this (Score:5, Informative)
I used to work at a bank, and I really wished for something like this. Imagine a network with no home connections, nothing moving across it but VPNs. VPNs from bank to bank, power company to government, etc. Every node would be authenticated. No worms.
In this type of network, I can turn the logging on my firewall to the max, and anything that even looks at my bank's firewall with a ping can be reported to the agency that runs the show. Once it is confirmed that they're going where they should not, they're kicked off the network.
The issue I had is that because there are so many cases where bank A needs to talk to bank B, and neither want to have the T1 line under their name. If the Internet goes down, no money can be moved and there are big problems. Making a walled place for this would be great.
People need to understand that you can EITHER have security OR the ability to be anonymous. If you want one, you're losing the other.
Re:Uhh (Score:4, Informative)
You beat me to it, that's exactly what I was going to write.
Saying something as stupid as this "secure zone" proposal should be enough to get banned from ever working in a high responsibility government job again. "Secure zones" already exist [wikipedia.org], if they aren't being used correctly by the government is because people like Keith Alexander aren't doing their job.
The Government has this already! (Score:3, Informative)
The government and military already have a "partitioned" inaccessible "internet". The real name of the "internet" you are using to view this site is called NIPRNET, and the "secure partitioned" one is called SIPRNET. The secured internet has been around for decades and is still used by governments around the world.
So this proposition simply is a play on words, particularly a "partition" word, possibly for a total ground up restructuring scheme for sure. This is such a bold statement from a government official, it's baffling really.
Re:Someone didn't get the memo (Score:5, Informative)
> ever had to put all of /usr onto its own partition and lock the whole thing read-only?
No, because SunOS5 had this on installation, back about 1990. With symbolic links and such, it was really quite simple. You remounted /usr as RW only when you had to remake the kernel, and then rebooted after (once a month or less often). In fact, our /usr was on a separate disk that had a hardware RO/RW switch on it.
This stuff was worked out long ago. Then, it was ignored because someone decided to build from scratch with no more (prior) thoughts of security than a HAL-9000 had.
Re:So, what they want is... (Score:1, Informative)
"The only real hard part is making sure you don't connect any machines to this network that also have connections to the public Internet."
And that, my dear Watson, is the kicker. On the scale he's talking about, it's untenable. Someone, somewhere on the network, will hook up a modem, or an AP with WEP or a default PSK, or what-have-you, Maybe even deliberately. And then you get serious havoc.
And yes, it already happened. "TJX", anyone? I'm sure you can find more where that one came from.
Re:So, what they want is... (Score:2, Informative)
It's even easier than that - just patch every host (and every router, unfortunately - but hey, Cisco, here's where you get your billion dollar contract) to set the version field of IP packets to something that's invalid on the internet - let's say 3 - and to reject all other versions. That's got to be, what, a ten line patch? After that you can use off-the-shelf software for all the higher protocol layers, but if someone accidentally connects the private network to the internet, no packets will pass between the two networks.
Re:Someone didn't get the memo (Score:3, Informative)
It's not an error or misconfiguration, you don't have the .mil CA in your trusted CAs. The DOD runs it's own CA because they're pushing PKI for everything and don't want to have to pay another CA for each and every cert issues.