Network security on multiple levels (was Re: NYT covers China cyberthreat)

Owen DeLong owen at delong.com
Wed Feb 20 19:18:29 UTC 2013


Many DACS have provision for "monitoring" circuits and feeding the data
off to a third circuit in an undetectable manner.

The DACS question wasn't about DACS owned by the people using the
circuit; it was about DACS inside the circuit provider. When you buy a
DS1 that goes through more than one CO in between two points, you're
virtually guaranteed that it goes through one or more of {DS-3 Mux,
Fiber Mux, DACS, etc.}. All of these are under the control of the circuit
provider and not you.

Owen

On Feb 20, 2013, at 09:47 , Warren Bailey <wbailey at satelliteintelligencegroup.com> wrote:

> If you are doing DS0 splitting on the DACS, you'll see that on the other
> end (it's not like channelized CAS DS1s or PRIs are difficult to look at
> now), assuming you have access to that. If the DACS is an issue, buy the
> DACS and lock it up. I was on a .mil project that used old school Coastcom
> DI III Mux with RLB cards and FXO/FXS cards; that DACS carried some pretty
> top notch traffic, and the microwave network (licensed .gov band) brought
> it right back to the base that project was owned by. Security is
> expensive, because you cannot leverage a service provider model
> effectively around it. You can explain the billion dollars you spent on
> your global network of CRS-1s, but CRS-1s for a single application
> usually are difficult to swallow. I'm not saying that it isn't done EVER,
> I'm just saying there are ways to avoid your 1998 Red Hat box from
> rpc.statd exploitation - unplug aforementioned boxen from inter webs.
> 
> If you created a LAN at your house, disabled all types of insertable
> media, and had a decent lock on your front door, it would be pretty
> difficult to own that network. Sure, there are spy types that argue EMI
> emission from cable etc., but they solved that issue with their tin foil
> hats. We broadcast extremely sensitive information (financial, medical,
> etc.) to probably 75% of the world's population all day long; if you walk
> outside of your house today my signal will be broadcasting down upon sunny
> St. Petersburg, Florida. Satellite communications are widely used; the
> signal is propagated (from GSO generally) over a relatively wide area and
> no one knows the better. And for those of you who say: I CAN LOOK AT A
> SPEC AN TO FIND THE SIGNAL, MEASURE AND DEMODULATE! Take a look at spread
> spectrum TDMA operation - my signal to noise on my returns is often -4dB
> to -6dB C/N0 and spread at a factor of 4 to 8. They are expensive, but as
> far as the planet is concerned they are AWGN. I guess it's my argument
> that if you do a good enough job blending a signal into the noise, you are
> much more likely to maintain secrecy.
> 
> On 2/20/13 9:13 AM, "Jay Ashworth" <jra at baylink.com> wrote:
> 
>> ----- Original Message -----
>>> From: "Warren Bailey" <wbailey at satelliteintelligencegroup.com>
>> 
>>> We as Americans have plenty of things we have done halfass.. I hope an
>>> Internet kill switch doesn't end up being one of them. Build your own
>>> private networks, you can't get rooted if someone can't knock. Simple
>>> as that.
>> 
>> Well, Warren, I once had a discussion with someone about whether dedicated
>> DS-1s to tie your SCADA network together were "secure enough" and they
>> asked me:
>> 
>> "Does it run through a DACS? Where can you program the DACS from?"
>> 
>> Cheers,
>> -- jra
>> -- 
>> Jay R. Ashworth                  Baylink
>> jra at baylink.com
>> Designer                     The Things I Think                       RFC 2100
>> Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
>> St Petersburg FL USA               #natog                      +1 727 647 1274