Re: [fw-wiz] Top Secret DOD Data over the Public Internet? Thoughts?
From: Kevin Sheldrake (kev_at_electriccat.co.uk)
Date: 08/20/04
- Previous message: Shivdasani, Meenoo: "RE: [fw-wiz] Gauntlet 6 "adaptive proxy""
- In reply to: Gary Flynn: "[fw-wiz] Top Secret DOD Data over the Public Internet? Thoughts?"
- Next in thread: Marcus J. Ranum: "Re: [fw-wiz] Top Secret DOD Data over the Public Internet? Thoughts?"
- Reply: Marcus J. Ranum: "Re: [fw-wiz] Top Secret DOD Data over the Public Internet? Thoughts?"
- Reply: Eugene Kuznetsov: "RE: [fw-wiz] Top Secret DOD Data over the Public Internet? Thoughts?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "Gary Flynn" <flynngn@jmu.edu>, firewall-wizards@honor.icsalabs.com Date: Fri, 20 Aug 2004 16:31:35 +0100
Personally, I would think their greatest threat would come from
availability attacks. I'm sure they would use appropriate cryptography to
protect the confidentiality and integrity but DOS attacks on such a
network could be quite easy:
1) classic flood attacks, including reflected and zombie attacks, could be
targetted at their points-of-presence. While the location of these could
be kept reasonably secure from the general public (using obfuscated domain
names and unlisted ip addresses, for example), I would expect spotting
their traffic would be a reasonably simple task for another intelligence
agency.
2) Bearing in mind they would essentially use cryptography to maintain
integrity, continuous packet modification by an intermediary could
effectively kill a connection (as could some malicious RST packets).
3) Points of attack could be where their packets utilise portions of the
Internet in aggressive countries, or at ISPs and core network services
should an employee be 'purchased' by an aggressive intelligence agency.
In terms of confidentiality, whereas the packets may be protected
in-transit, utilising the Internet would essentially mean they would need
a crypto-gateway between the Internet and their Top Secret networks. This
must be a major concern for them as compromise of these gateways could
cause all sorts of upset. I would expect them to only utilise in-house
products for this service.
And, for everyone else, you may wish to bear these risks in mind when
implementing VPNs across the Internet for your commerical customers. Yes,
the risk to commerical customers is lower (generally because the attackers
are less well equiped and commercial companies are literally one in a
million), but they should be considered nonetheless. Particularly
prominent companies could find their worldwide operations stiffled as fax
and phone replaces securish email between offices in the event of a decent
sized attack.
Just some thoughts...
Kev
>
> http://www.gcn.com/vol1_no1/daily-updates/26971-1.html
>
-- Kevin Sheldrake MEng MIEE CEng CISSP Electric Cat (Bournemouth) Ltd -- Outgoing mail is certified Virus Free. Checked by AVG Anti-Virus (http://www.grisoft.com). Version: 7.0.262 / Virus Database: 264.6.4 - Release Date: 19/08/2004 _______________________________________________ firewall-wizards mailing list firewall-wizards@honor.icsalabs.com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
- Previous message: Shivdasani, Meenoo: "RE: [fw-wiz] Gauntlet 6 "adaptive proxy""
- In reply to: Gary Flynn: "[fw-wiz] Top Secret DOD Data over the Public Internet? Thoughts?"
- Next in thread: Marcus J. Ranum: "Re: [fw-wiz] Top Secret DOD Data over the Public Internet? Thoughts?"
- Reply: Marcus J. Ranum: "Re: [fw-wiz] Top Secret DOD Data over the Public Internet? Thoughts?"
- Reply: Eugene Kuznetsov: "RE: [fw-wiz] Top Secret DOD Data over the Public Internet? Thoughts?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
