[160948] in North American Network Operators' Group
RE: Network security on multiple levels (was Re: NYT covers China
daemon@ATHENA.MIT.EDU (Jamie Bowden)
Wed Feb 20 13:07:23 2013
From: Jamie Bowden <jamie@photon.com>
To: Warren Bailey <wbailey@satelliteintelligencegroup.com>, Jay Ashworth
<jra@baylink.com>, NANOG <nanog@nanog.org>
Date: Wed, 20 Feb 2013 18:05:04 +0000
In-Reply-To: <CD4A492D.7C23%wbailey@satelliteintelligencegroup.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
> From: Warren Bailey [mailto:wbailey@satelliteintelligencegroup.com]
> If you are doing DS0 splitting on the DACS, you'll see that on the other
> end (it's not like channelized CAS ds1's or PRI's are difficult to look at
> now) assuming you have access to that. If the DACS is an issue, buy the
> DACS and lock it up. I was on a .mil project that used old school Coastcom
> DI III Mux with RLB cards and FXO/FXS cards, that DACS carried some pretty
> top notch traffic and the microwave network (licensed .gov band) brought
> it right back to the base that project was owned by. Security is
> expensive, because you cannot leverage a service provider model
> effectively around it. You can explain the billion dollars you spent on
> your global network of CRS-1's, but CRS-1's for a single application
> usually are difficult to swallow. I'm not saying that it isn't done EVER,
> I'm just saying there are ways to avoid your 1998 red hat box from
> rpc.statd exploitation - unplug aforementioned boxen from inter webs.
Our connections to various .mil and others are private ds1's with full on end to end crypto over them. You can potentially kill our connections, but you're not snooping them or injecting traffic into them.
Jamie