Network security on multiple levels (was Re: NYT covers China cyberthreat)

Owen DeLong owen at delong.com
Wed Feb 20 19:39:09 UTC 2013


If you have that option, I suppose that would be one way to solve it.

I, rather, see it as a reason to:
	1.	Cryptographically secure links that may be carrying private data.
	2.	Rotate cryptographic keys (relatively) often on such links.

YMMV, but I think encryption is a lot cheaper than building a telco. Especially
over long distances.

Owen

On Feb 20, 2013, at 11:33 , Warren Bailey <wbailey at satelliteintelligencegroup.com> wrote:

> Isn't this a strong argument to deploy and operate a network independent
> of the traditional switch circuit provider space?
> 
> On 2/20/13 11:22 AM, "Jay Ashworth" <jra at baylink.com> wrote:
> 
>> ----- Original Message -----
>>> From: "Owen DeLong" <owen at delong.com>
>> 
>>> Many DACS have provision for "monitoring" circuits and feeding the
>>> data off to a third circuit in an undetectable manner.
>>> 
>>> The DACS question wasn't about DACS owned by the people using the
>>> circuit, it was about DACS inside the circuit provider. When you buy a
>>> DS1 that goes through more than one CO in between two points, you're
>>> virtually guaranteed that it goes through one or more of {DS-3 Mux,
>>> Fiber Mux, DACS, etc.}. All of these are under the control of the
>>> circuit provider and not you.
>> 
>> Correct, and they expand the attack surface in ways that even many
>> network engineers may not consider unless prompted.
>> 
>> Cheers,
>> -- jra
>> -- 
>> Jay R. Ashworth                  Baylink                       jra at baylink.com
>> Designer                     The Things I Think                       RFC 2100
>> Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
>> St Petersburg FL USA               #natog                      +1 727 647 1274
>> 
>> 
> 
> 
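As an added illustration of Owen's second point (example code, not part of the thread): a one-way key ratchet rotates the link key each epoch and erases the old one, so a passive tap in the provider's equipment that records every frame gains nothing from a later compromise of the then-current key except that epoch's traffic. The scenario (tap, epochs, frame counts) is constructed, and the HMAC-SHA256 counter-mode cipher is a standard-library stand-in for a real AEAD such as AES-GCM so the block runs without third-party packages.

```python
import hashlib
import hmac
import secrets
NONCE_LEN, TAG_LEN = 12, 32

def next_epoch_key(key: bytes) -> bytes:
    """One-way ratchet: the next epoch key is derived from the current one, which
    is then erased, so a key captured later cannot be run backwards."""
    return hmac.new(key, b"link-key-ratchet", hashlib.sha256).digest()

def _subkeys(key: bytes):
    # Domain-separated encryption and MAC keys for the epoch (encrypt-then-MAC).
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode; a stand-in for a real AEAD such as AES-GCM.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    enc, mac = _subkeys(key)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_frame(key: bytes, frame: bytes):
    """Return the plaintext, or None if the tag does not verify under this key."""
    nonce, ct, tag = frame[:NONCE_LEN], frame[NONCE_LEN:-TAG_LEN], frame[-TAG_LEN:]
    enc, mac = _subkeys(key)
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc, nonce, len(ct))))

def simulate_tap(epochs: int = 3, frames_per_epoch: int = 3):
    """Constructed scenario: a tap records every frame; afterwards the key in use
    at the end is compromised. Returns (frames that key decrypts, frames recorded)."""
    key = secrets.token_bytes(32)
    recorded = []
    for epoch in range(epochs):
        for i in range(frames_per_epoch):
            recorded.append(seal(key, secrets.token_bytes(NONCE_LEN), f"epoch {epoch} frame {i}".encode()))
        if epoch < epochs - 1:
            key = next_epoch_key(key)  # rotate; the previous key is discarded
    readable = sum(1 for f in recorded if open_frame(key, f) is not None)
    return readable, len(recorded)
```

The ratchet protects earlier epochs only; a key compromised mid-stream still derives every later key, which is why real link encryption (IKE rekeying, for instance) mixes a fresh key exchange into each rotation rather than hashing forward alone.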
