RE: bloomberg on supermicro: sky is falling
--- SNaslund@medline.com wrote:
From: "Naslund, Steve" <SNaslund@medline.com>

The other thing I am highly skeptical of is the suggestion of attempting to tap sensitive intel agency systems this way. Talking to a C&C server is suicide from within their network.
----------------------------------------------------------

Classified networks do not connect to other networks unless they are equally or higher classified. No internet connection. Period.

scott
On Thu, 04 Oct 2018 14:10:07 -0700, "Scott Weeks" said:
Classified networks do not connect to other networks unless they are equally or higher classified. No internet connection. Period.
Well, if your classified network is connecting to a higher classified net, then *that* network is connecting to a lower classified net, right? That, plus I think the Snowden escapade was ample proof that security rules will get bent when needed to get work done - it turned out that Snowden was able to walk off with terabytes of data because security restrictions had been disabled because they were putting a crimp in the analysts' style...
Classified networks do not connect to other networks unless they are equally or higher classified. No internet connection. Period.
Not quite but there are at least application level gateways. For example, there is usually a gateway that can let unclassified email flow into classified systems. However there is an application gateway to allow ONLY email protocols and only in the desired direction.
Well, if your classified network is connecting to a higher classified net, then *that* network is connecting to a lower classified net, right?
In a very highly controlled manner. The lower classified network may only be allowed to send data to the higher classified network. If the higher level network is multilevel capable it will be allowed to move documents to the lower level network if they are at the right level of classification. Again this is application layer security and all levels below that would not be trusted between the two networks. A gateway with a specialized application would have vetted connectivity to both networks.
That, plus I think the Snowden escapade was ample proof that security rules will get bent when needed to get work done - it turned out that Snowden was able to walk off with terabytes of data because security restrictions had been disabled because they were putting a crimp in the analysts' style...
That is completely different. We are talking HUMINT instead of ELINT or SIGINT. Snowden flat out stole the data as an insider.

Steven Naslund
Chicago IL
Classified networks do not connect to other networks unless they are equally or higher classified.
that sentence makes no sense. if A can connect to B because B is more highly classified than A, then B is connecting to a less classified network A.

randy
Remember it's the data that is classified, not the network. It does not matter if you have IP connectivity, it matters if the classified data is allowed to move over the connection. When a government agency talks about a "classified network" they are talking about a network that has been approved to transport the data and has appropriate access controls. Just because your email server is attached to the Internet does not mean I have access to its data. Same in the classified world, just because you can send an email from the Internet to SIPRNET does not mean you have SIPRNET access.

Steven Naslund
Chicago IL
Classified networks do not connect to other networks unless they are equally or higher classified.
that sentence makes no sense. if A can connect to B because B is more highly classified than A, then B is connecting to a less classified network A.
randy
On Thu, Oct 4, 2018 at 5:17 PM Scott Weeks <surfer@mauigateway.com> wrote:
--- SNaslund@medline.com wrote:
The other thing I am highly skeptical of is the suggestion of attempting to tap sensitive intel agency systems this way. Talking to a C&C server is suicide from within their network.
Classified networks do not connect to other networks unless they are equally or higher classified. No internet connection. Period.
Which makes the traffic that wanders towards the default route where nothing should go *very* noticeable.

Regards,
Bill Herrin

--
William Herrin ................ herrin@dirtside.com bill@herrin.us
Dirtside Systems ......... Web: <http://www.dirtside.com/>
It would be really noticeable. In the secure networks I have worked with "default routes" were actually strictly forbidden. Also, ACLs and firewall policy are all written with Deny All policy first. Everything talking through them is explicitly allowed. The government, especially in the three letter intel agencies, is not as clownish as they are depicted.

Steven Naslund
Chicago IL
Which makes the traffic that wanders towards the default route where nothing should go *very* noticeable.
Regards, Bill Herrin
You are what you allow -- The fact that there's a highway to Hell but only a stairway to Heaven says a lot about anticipated traffic volume.
On Oct 4, 2018, at 17:07, Naslund, Steve <SNaslund@medline.com> wrote:
It would be really noticeable. In the secure networks I have worked with "default routes" were actually strictly forbidden. Also, ACLs and firewall policy are all written with Deny All policy first. Everything talking through them is explicitly allowed.
The government, especially in the three letter intel agencies, is not as clownish as they are depicted.
Steven Naslund Chicago IL
Which makes the traffic that wanders towards the default route where nothing should go *very* noticeable.
Regards, Bill Herrin
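The detection point made in the thread (no default route, deny-all policy, so anything heading for an unrouted destination stands out), as an added example that is not code from any poster. The prefixes, permit rules and flow records are constructed for illustration.

```python
import ipaddress as ip

# Constructed routing table: explicit prefixes only, no 0.0.0.0/0 entry.
ROUTES = [ip.ip_network(p) for p in ("10.10.0.0/16", "10.20.5.0/24")]

# Constructed policy: explicit permits; anything unmatched is denied.
PERMITS = [
    # (source net, destination net, protocol, destination port)
    (ip.ip_network("10.10.1.0/24"), ip.ip_network("10.20.5.25/32"), "tcp", 25),
    (ip.ip_network("10.10.0.0/16"), ip.ip_network("10.10.0.53/32"), "udp", 53),
]

def classify(src, dst, proto, dport):
    """Return 'no_route', 'denied' or 'permitted' for one flow."""
    s, d = ip.ip_address(src), ip.ip_address(dst)
    if ip.ip_network("0.0.0.0/0") in ROUTES:
        raise ValueError("default route present; table violates policy")
    if not any(d in net for net in ROUTES):
        return "no_route"    # would have followed a default route elsewhere
    for snet, dnet, p, port in PERMITS:
        if s in snet and d in dnet and p == proto and port == dport:
            return "permitted"
    return "denied"          # deny-all fallthrough

def review(flows):
    """Group flows by verdict; 'no_route' entries are the ones to alert on."""
    report = {"permitted": [], "denied": [], "no_route": []}
    for flow in flows:
        report[classify(*flow)].append(flow)
    return report

# Constructed flow records: (src, dst, proto, dport)
SAMPLE_FLOWS = [
    ("10.10.1.7", "10.20.5.25", "tcp", 25),     # matches the mail permit
    ("10.10.2.9", "10.10.0.53", "udp", 53),     # matches the DNS permit
    ("10.10.2.9", "10.20.5.25", "tcp", 25),     # routed, but source not permitted
    ("10.10.3.4", "203.0.113.80", "tcp", 443),  # destination has no route at all
]

if __name__ == "__main__":
    for verdict, flows in review(SAMPLE_FLOWS).items():
        print(verdict, flows)
```
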
participants (6)
- Jason Hellenthal
- Naslund, Steve
- Randy Bush
- Scott Weeks
- valdis.kletnieks@vt.edu
- William Herrin