Network security on multiple levels (was Re: NYT covers China cyberthreat)

Warren Bailey wbailey at satelliteintelligencegroup.com
Wed Feb 20 17:47:27 UTC 2013


If you are doing DS0 splitting on the DACS, you'll see that on the other
end (it's not like channelized CAS ds1's or PRI's are difficult to look at
now) assuming you have access to that. If the DACS is an issue, buy the
DACS and lock it up. I was on a .mil project that used old school Coastcom
DI III Mux with RLB cards and FXO/FXS cards, that DACS carried some pretty
top notch traffic and the microwave network (licensed .gov band) brought
it right back to the base that project was owned by. Security is
expensive, because you cannot leverage a service provider model
effectively around it. You can explain the billion dollars you spent on
your global network of CRS-1's, but CRS-1's for a single application
usually are difficult to swallow. I'm not saying that it isn't done EVER,
I'm just saying there are ways to avoid your 1998 Red Hat box from
rpc.statd exploitation - unplug aforementioned boxen from inter webs.

If you created a LAN at your house, disabled all types of insertable
media, and had a decent lock on your front door, it would be pretty
difficult to own that network. Sure there are spy types that argue EMI
emission from cable etc, but they solved that issue with their tin foil
hats. We broadcast extremely sensitive information (financial, medical,
etc) to probably 75% of the world's population all day long, if you walk
outside of your house today my signal will be broadcasting down upon sunny
St. Petersburg, Florida. Satellite Communications are widely used, the
signal is propagated (from GSO generally) over a relatively wide area and
no one knows the better. And for those of you who say.. I CAN LOOK AT A
SPEC AN TO FIND THE SIGNAL, MEASURE AND DEMODULATE! Take a look at spread
spectrum TDMA operation - my signal to noise on my returns is often -4dB
to -6dB c/n0 and spread at a factor of 4 to 8. They are expensive, but as
far as the planet is concerned they are awgn. I guess it's my argument
that if you do a good enough job blending a signal into the noise, you are
much more likely to maintain secrecy.

On 2/20/13 9:13 AM, "Jay Ashworth" <jra at baylink.com> wrote:

>----- Original Message -----
>> From: "Warren Bailey" <wbailey at satelliteintelligencegroup.com>
>
>> We as Americans have plenty of things we have done halfass.. I hope an
>> Internet kill switch doesn't end up being one of them. Build your own
>> private networks, you can't get rooted if someone can't knock. Simple
>> as that.
>
>Well, Warren, I once had a discussion with someone about whether dedicated
>DS-1 to tie your SCADA network together were "secure enough" and they
>asked me:
>
>"Does it run through a DACS? Where can you program the DACS from?"
>
>Cheers,
>-- jra
>-- 
>Jay R. Ashworth                  Baylink                       jra at baylink.com
>Designer                     The Things I Think                       RFC 2100
>Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
>St Petersburg FL USA               #natog                      +1 727 647 1274
>
>





