Arguing against using public IP space
jgreco at ns.sol.net
Mon Nov 14 08:58:37 CST 2011
> On 11/14/11 10:24 , Joe Greco wrote:
> >> Sure, anytime there's an attack or failure on a SCADA network that
> >> wouldn't have occurred had it been air-gapped, it's easy for people to
> >> knee-jerk a "SCADA networks should be airgapped" response. But that's
> >> not really intelligent commentary unless you carefully consider what
> >> risks are associated with air-gapping the network.
> > Not to mention that it's not the only way for these things to get
> > infected. Getting fixated on air-gapping is unrealistically ignoring
> > the other threats out there.
> > There needs to be a whole lot more security work done on SCADA nets.
> Stuxnet should provide a fairly illustrative example.
> It doesn't really matter how well isolated from direct access it is if
> it has a soft gooey center and a willing attacker.
That's basically the case for so many things.
I was reading, recently, two articles on Ars Technica ("Die, VPN" and
"Live, VPN") which made it exceedingly clear that these sorts of designs
are still the rule for most companies. I mean, I already knew that, but
it was *depressing* to read.
We've been very successful for many years designing things as though they
were going to be deployed on the public Internet, even if we do still put
them behind a firewall. That's just belt-and-suspenders common sense.
We do run a VPN service, which I use heavily, but it really has little
to do with granting magical access to resources - the VPN endpoint is
actually outside any firewall. I've so frequently found, over the years,
that some "free" Internet connection offering is crippled in some stupid
manner (transparent proxying with ad injection!), that the value added
is mostly just that of getting an Internet connection with no interference
by third parties. The fact that third parties cannot do any meaningful
snooping is nice too.
I also recall a fairly surreal discussion with a NANOG'er who was
absolutely convinced that SSH key based access to other servers was
more secure than password based access along with some ACL's and
something like sshguard; my point was that compromise of the magic
host with the magic key would tend to be worse (because you've suddenly
got access to all the other servers) while having different secure
passwords for each host, along with some ACL's and sshguard, allow you
to retain some isolation within the network from an infected node. It's
dependent on design and forethought, of course...
Basically, getting access to some point in the network shouldn't really
allow you to go on a rampage through the rest of the network.
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
More information about the NANOG