[160954] in North American Network Operators' Group
Re: Network security on multiple levels (was Re: NYT covers China
daemon@ATHENA.MIT.EDU (Owen DeLong)
Wed Feb 20 14:21:04 2013
From: Owen DeLong <owen@delong.com>
In-Reply-To: <CD4A492D.7C23%wbailey@satelliteintelligencegroup.com>
Date: Wed, 20 Feb 2013 11:18:29 -0800
To: Warren Bailey <wbailey@satelliteintelligencegroup.com>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Many DACS have provision for "monitoring" circuits and feeding the data
off to a third circuit in an undetectable manner.
The DACS question wasn't about DACS owned by the people using the
circuit, it was about DACS inside the circuit provider. When you buy a
DS1 that goes through more than one CO in between two points, you're
virtually guaranteed that it goes through one or more of {DS-3 Mux,
Fiber Mux, DACS, etc.}. All of these are under the control of the circuit
provider and not you.
Owen
On Feb 20, 2013, at 09:47 , Warren Bailey <wbailey@satelliteintelligencegroup.com> wrote:
> If you are doing DS0 splitting on the DACS, you'll see that on the other
> end (it's not like channelized CAS ds1's or PRI's are difficult to look at
> now) assuming you have access to that. If the DACS is an issue, buy the
> DACS and lock it up. I was on a .mil project that used old school Coastcom
> DI III Mux with RLB cards and FXO/FXS cards, that DACS carried some pretty
> top notch traffic and the microwave network (licensed .gov band) brought
> it right back to the base that project was owned by. Security is
> expensive, because you cannot leverage a service provider model
> effectively around it. You can explain the billion dollars you spent on
> your global network of CRS-1's, but CRS-1's for a single application
> usually are difficult to swallow. I'm not saying that it isn't done EVER,
> I'm just saying there are ways to avoid your 1998 red hat box from
> rpc.statd exploitation - unplug aforementioned boxen from inter webs.
>
> If you created a LAN at your house, disabled all types of insertable
> media, and had a decent lock on your front door, it would be pretty
> difficult to own that network. Sure there are spy types that argue EMI
> emission from cable etc, but they solved that issue with their tin foil
> hats. We broadcast extremely sensitive information (financial, medical,
> etc) to probably 75% of the world's population all day long, if you walk
> outside of your house today my signal will be broadcasting down upon sunny
> St. Petersburg, Florida. Satellite Communications are widely used, the
> signal is propagated (from GSO generally) over a relatively wide area and
> no one knows the better. And for those of you who say.. I CAN LOOK AT A
> SPEC AN TO FIND THE SIGNAL, MEASURE AND DEMODULATE! Take a look at spread
> spectrum TDMA operation - my signal to noise on my returns is often -4dB
> to -6dB c/n0 and spread at a factor of 4 to 8. They are expensive, but as
> far as the planet is concerned they are awgn. I guess it's my argument
> that if you do a good enough job blending a signal into the noise, you are
> much more likely to maintain secrecy.
>
> On 2/20/13 9:13 AM, "Jay Ashworth" <jra@baylink.com> wrote:
>
>> ----- Original Message -----
>>> From: "Warren Bailey" <wbailey@satelliteintelligencegroup.com>
>>
>>> We as Americans have plenty of things we have done halfass.. I hope an
>>> Internet kill switch doesn't end up being one of them. Build your own
>>> private networks, you can't get rooted if someone can't knock. Simple
>>> as that.
>>
>> Well, Warren, I once had a discussion with someone about whether dedicated
>> DS-1 to tie your SCADA network together were "secure enough" and they asked
>> me:
>>
>> "Does it run through a DACS? Where can you program the DACS from?"
>>
>> Cheers,
>> -- jra
>> --
>> Jay R. Ashworth                  Baylink                       jra@baylink.com
>> Designer                     The Things I Think                       RFC 2100
>> Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
>> St Petersburg FL USA               #natog                      +1 727 647 1274
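Warren's point about a spread signal sitting below the noise floor, illustrated as an added example that is not part of any message in this thread: a toy direct-sequence spread spectrum simulation in pure Python. It uses constructed data, a spreading factor of 8 and a chip-level SNR of -6 dB (a simplified stand-in for the C/N0 figures he quotes), and shows that the correct chip sequence recovers the bits with the expected 9 dB processing gain while a receiver using a different code decodes nothing but noise.

```python
import math
import random

def pn_sequence(length, seed):
    """Constructed +1/-1 chip sequence; stands in for a real spreading code."""
    rng = random.Random(seed)
    return [rng.choice((-1, 1)) for _ in range(length)]

def orthogonal_code(code, seed):
    """Pick a different code whose correlation with `code` is exactly zero."""
    while True:
        cand = pn_sequence(len(code), seed)
        if sum(a * b for a, b in zip(code, cand)) == 0:
            return cand
        seed += 1

def spread(bits, code):
    """DSSS: every data bit (+1/-1) is multiplied by the whole chip sequence."""
    return [b * c for b in bits for c in code]

def add_awgn(chips, snr_db, rng):
    """Add Gaussian noise so signal power / noise power per chip equals snr_db."""
    sigma = math.sqrt(10 ** (-snr_db / 10))  # chips have unit power
    return [c + rng.gauss(0.0, sigma) for c in chips]

def despread(samples, code):
    """Correlate each block of chips with the code; the bit decision is the sign."""
    n = len(code)
    decisions = []
    for i in range(0, len(samples), n):
        corr = sum(samples[i + k] * code[k] for k in range(n))
        decisions.append(1 if corr >= 0 else -1)
    return decisions

def processing_gain_db(spread_factor):
    """Despreading gain: the SNR recovered by correlating over N chips."""
    return 10 * math.log10(spread_factor)

def simulate(n_bits=1000, spread_factor=8, snr_db=-6.0, seed=2013):
    """Return (BER with the right code, BER with an unrelated code)."""
    rng = random.Random(seed)
    bits = [rng.choice((-1, 1)) for _ in range(n_bits)]   # constructed data
    code = pn_sequence(spread_factor, seed=1)
    rx = add_awgn(spread(bits, code), snr_db, rng)        # below the noise floor
    wrong = orthogonal_code(code, seed=2)
    def ber(decoded):
        return sum(a != b for a, b in zip(bits, decoded)) / n_bits
    return ber(despread(rx, code)), ber(despread(rx, wrong))
```

With these parameters the correct code brings the per-bit SNR up to roughly +3 dB (a few percent bit errors, which a real link would clean up with coding), while the wrong code stays at a coin-flip error rate.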