Re: Network security on multiple levels (was Re: NYT covers China cyberthreat)
I did not approach the inline encryption units on purpose. Obviously anything that leaves .mil land not riding something blessed by DISA is going to have something like a KG on both ends. Generally satellite systems use TRANSEC, though in our line of work it's an extremely expensive add-on to an otherwise decent security implementation. I'm not saying it can NEVER be owned, I'm just saying that 90% of the l33t hax0rs who are going to look to own something are doing so because it is somehow exposed to public infrastructure. If I were to put up an SCPC (single channel per carrier, synonymous with point-to-point circuits) circuit between point A and point B, the persons looking to intercept my traffic would need to know quite a bit of information about my signals: origination point, destination point, modulation, symbol rates, center frequencies, PN codes, TRANSEC keys, IP layout, etc.

You won't hear me talk about how something is absolutely and completely secure, but you will hear me preach from the rooftops the application of technology that many people believe is outdated and abandoned. There is a reason media providers and MSOs still use satellite to downlink video signals. The military is still heavily invested in this type of technology because you are able to completely bypass traditionally used infrastructure, and utility companies are jumping on the bandwagon as well. I know of several SCADA (massive power companies) networks that ride satellite completely for this reason. You can justify the cost and latency with the security of owning a network that is completely removed from the usual infrastructure.

On 2/20/13 10:05 AM, "Jamie Bowden" <jamie@photon.com> wrote:
From: Warren Bailey [mailto:wbailey@satelliteintelligencegroup.com]
If you are doing DS0 splitting on the DACS, you'll see that on the other end (it's not like channelized CAS DS1s or PRIs are difficult to look at now), assuming you have access to that. If the DACS is an issue, buy the DACS and lock it up. I was on a .mil project that used old-school Coastcom DI III mux with RLB cards and FXO/FXS cards; that DACS carried some pretty top-notch traffic, and the microwave network (licensed .gov band) brought it right back to the base that project was owned by. Security is expensive, because you cannot leverage a service provider model effectively around it. You can explain the billion dollars you spent on your global network of CRS-1s, but CRS-1s for a single application are usually difficult to swallow. I'm not saying that it isn't done EVER, I'm just saying there are ways to avoid your 1998 Red Hat box from rpc.statd exploitation: unplug aforementioned boxen from the interwebs.

Our connections to various .mil and others are private DS1s with full-on end-to-end crypto over them. You can potentially kill our connections, but you're not snooping them or injecting traffic into them.
Jamie
----- End forwarded message -----
--
Eugen* Leitl leitl http://leitl.org
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE