Network security on multiple levels (was Re: NYT covers China cyberthreat)

Warren Bailey wbailey at satelliteintelligencegroup.com
Wed Feb 20 18:21:37 UTC 2013


I did not approach the inline encryption units on purpose. Obviously
anything that leaves .mil land not riding something blessed by DISA is
going to have something like a KG on both ends. Generally Satellite
systems use TRANSEC, though in our line of work it's an extremely
expensive add-on to an otherwise decent security implementation. I'm not
saying it can NEVER be owned, I'm just saying that 90% of the l33t hax0rs
who are going to look to own something are doing so because it is somehow
exposed to public infrastructure. If I were to put up an SCPC (single
channel per carrier, synonymous to point to point circuits) circuit
between point A and B, the persons looking to intercept my traffic would
need to know quite a bit of information about my signals: Origination
Point, Destination Point, Modulation, Symbol Rates, Center Frequencies, PN
codes, TRANSEC keys, IP layout, etc.

You won't hear me talk about how something is absolutely and completely
secure, but you will hear me preach from the rooftops the application of
technology that many people believe is outdated and abandoned. There is a
reason media providers and MSO's still use Satellite to downlink video
signals. The military is still heavily invested in this type of technology
because you are able to completely bypass traditionally used
infrastructure, and Utility companies are jumping on the bandwagon as
well. I know of several SCADA (massive power companies) networks that ride
satellite completely for this reason. You can justify the cost and latency
with the security of owning a network that is completely removed from the
usual infrastructure.


On 2/20/13 10:05 AM, "Jamie Bowden" <jamie at photon.com> wrote:

>> From: Warren Bailey [mailto:wbailey at satelliteintelligencegroup.com]
>
>
>> If you are doing DS0 splitting on the DACS, you'll see that on the other
>> end (it's not like channelized CAS ds1's or PRI's are difficult to look at
>> now) assuming you have access to that. If the DACS is an issue, buy the
>> DACS and lock it up. I was on a .mil project that used old school Coastcom
>> DI III Mux with RLB cards and FXO/FXS cards, that DACS carried some pretty
>> top notch traffic and the microwave network (licensed .gov band) brought
>> it right back to the base that project was owned by. Security is
>> expensive, because you cannot leverage a service provider model
>> effectively around it. You can explain the billion dollars you spent on
>> your global network of CRS-1's, but CRS-1's for a single application
>> usually are difficult to swallow. I'm not saying that it isn't done EVER,
>> I'm just saying there are ways to avoid your 1998 red hat box from
>> rpc.statd exploitation - unplug aforementioned boxen from inter webs.
>
>Our connections to various .mil and others are private ds1's with full on
>end to end crypto over them.  You can potentially kill our connections,
>but you're not snooping them or injecting traffic into them.
>
>Jamie
>





