Re: [fw-wiz] Top Secret DOD Data over the Public Internet? Thoughts?
From: Chris Pugrud (chris_at_pugrud.net)
Date: 08/20/04
- Previous message: Srini: "Re: [fw-wiz] NAPT - NAT Port selection"
- In reply to: Gary Flynn: "[fw-wiz] Top Secret DOD Data over the Public Internet? Thoughts?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: Gary Flynn <flynngn@jmu.edu>, firewall-wizards@honor.icsalabs.com
Date: Fri, 20 Aug 2004 10:43:09 -0700 (PDT)
Reading the first few responses there are some obvious misinterpretations of
what is being said in the article. If you read the article closely, each of
the networks mentioned is currently being run air-gapped, or effectively
air-gapped via hardware encryption. An organization that maintains links to
each of the networks must bring in separate links for each network, an
expensive process essentially tripling costs.
The networks are air-gapped for good reason. What is being investigated are
methods or opportunities for utilizing a common backbone, rather than
maintaining multiple backbones. It is actually a very challenging research
problem as you look at the complexities, and I imagine the organization that
can get it right, with rigorous verification and proof, will be very well
rewarded. Imagine building and maintaining a VPN with many thousand endpoints
and correctly governing the operation and connections of that VPN. The
networks are physically separate because an air-gap is the only proven method
of maintaining separation.
As for "recent compromises in encryption", what was shown to have potential
compromises are hash algorithms. Birthday attacks in hash algorithms are
known; what has been identified is much more efficient methods of finding and
creating these attacks. This does not compromise encryption, it compromises
authentication.
None of this traffic will traverse the public Internet backbone. That was not
a direct quote, so I admit I'm intrigued as to what was really being said or
thought. Recreating the numerous layers of defense in depth that protect DoD
organizations from malware, flooding, jamming, and attack at multiple locations
would seem much more expensive than some long haul OC-48's. Architecturally I
can see some good, and secure, ways to do it, but only if you are willing to
accept the SLA of the Internet (I hope it's still working today).
-- chris
--- Gary Flynn <flynngn@jmu.edu> wrote:
>
> http://www.gcn.com/vol1_no1/daily-updates/26971-1.html
>
> --
> Gary Flynn
> Security Engineer
> James Madison University
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
>
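The distinction drawn in the message above between a hash collision and a break of encryption, shown as an added example (this code is not part of Chris Pugrud's message or of the article he is discussing). It runs a generic birthday search against a hash truncated to 32 bits, which is an assumption chosen so that a collision is found in well under a second; the truncation stands in for a hash whose collision resistance has been weakened. The "signature" is a toy hash-then-sign construction using HMAC over the digest in place of a public-key signature, also an assumption, but it mirrors what real signatures cover: H(m), not m itself. The output is a pair of distinct messages for which one signature verifies on both, while nothing about the signer's key or any plaintext is learned.

```python
import hashlib
import hmac
import math
import random

DIGEST_BITS = 32  # constructed toy: truncate SHA-256 so a collision is cheap


def short_hash(data: bytes, bits: int = DIGEST_BITS) -> int:
    """SHA-256 truncated to `bits` bits, standing in for a weak hash (assumption)."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)


def expected_trials(bits: int = DIGEST_BITS) -> float:
    """Birthday bound: roughly sqrt(pi/2 * 2^bits) random inputs until a repeat."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def birthday_collision(bits: int = DIGEST_BITS, seed: int = 0):
    """Generic birthday attack: draw random 8-byte messages until two share a
    truncated digest. Returns (m1, m2, trials). Deterministic for a given seed."""
    rng = random.Random(seed)
    seen = {}          # digest -> first message seen with that digest
    trials = 0
    while True:
        m = rng.getrandbits(64).to_bytes(8, "big")
        trials += 1
        h = short_hash(m, bits)
        if h in seen and seen[h] != m:
            return seen[h], m, trials
        seen[h] = m


def sign(signing_key: bytes, message: bytes) -> bytes:
    """Toy hash-then-sign. As with real signature schemes, only the digest of the
    message is covered; HMAC stands in for the public-key step (assumption)."""
    digest = short_hash(message).to_bytes(DIGEST_BITS // 8, "big")
    return hmac.new(signing_key, digest, hashlib.sha256).digest()


def verify(signing_key: bytes, message: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(sign(signing_key, message), signature)


def forge_with_collision(signing_key: bytes, seed: int = 0) -> dict:
    """Signer signs m1; the attacker presents m2 with the same signature.
    The attacker never touched signing_key: the forgery comes purely from the
    collision, i.e. from the authentication side, not from the key or cipher."""
    m1, m2, trials = birthday_collision(seed=seed)
    sig = sign(signing_key, m1)          # honest signature over m1
    return {
        "m1": m1,
        "m2": m2,
        "trials": trials,
        "expected": expected_trials(),
        "m2_verifies_with_m1_signature": verify(signing_key, m2, sig),
    }


if __name__ == "__main__":
    key = b"signer-private-key-constructed"   # constructed, never given to the attacker
    r = forge_with_collision(key)
    print(f"collision after {r['trials']} trials (birthday estimate {r['expected']:.0f})")
    print(f"m1={r['m1'].hex()} m2={r['m2'].hex()}")
    print("forged message accepted:", r["m2_verifies_with_m1_signature"])
```

The trial count lands near the birthday estimate of about 82,000 for a 32-bit digest, rather than the 2^32 a brute-force preimage would need; a "more efficient method of finding collisions" of the kind the message refers to lowers that count further for a specific hash without changing what the attacker gets. Note that the forgery only works because the attacker controls both m1 and m2 before signing; it lets an attacker substitute a document under someone else's signature, but it does not recover the signing key and gives no leverage against a cipher protecting the link.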