Network security on multiple levels (was Re: NYT covers China cyberthreat)

Steven Bellovin smb at cs.columbia.edu
Thu Feb 21 01:43:45 UTC 2013


On Feb 20, 2013, at 3:20 PM, Jack Bates <jbates at brightok.net> wrote:

> On 2/20/2013 1:05 PM, Jon Lewis wrote:
>> 
>> See thread: nanog impossible circuit
>> 
>> Even your leased lines can have packets copied off or injected into them, apparently so easily it can be done by accident.
>> 
> 
> This is especially true with pseudo-wire and mpls. Most of my equipment can filter-based mirror to alternative mpls circuits where I can drop packets into my analyzers. If I misconfigure, those packets could easily find themselves back on public networks.
> 
An amazing percentage of "private" lines are pseudowires, and neither you nor your telco salesdroid can know or tell; even the "real" circuits are routed through DACS, ATM switches, and the like.  This is what link encryptors are all about; use them.  (Way back when, we had a policy of using link encryptors on all overseas circuits -- there was a high enough probability of underwater fiber cuts, perhaps by fishing trawlers or "fishing trawlers", that our circuits might suddenly end up on a satellite link.  And we were only worrying about commercial-grade security.)


		--Steve Bellovin, https://www.cs.columbia.edu/~smb








