Letter: Fewer Internet links mean more risks

Regarding “OMB to limit number of Internet connections for agencies,” I am having a hard time understanding the Office of Management and Budget’s decision to decrease the number of gateway connections, especially when it is trying to frame it around security. The vast majority of attacks target the application layer and endpoints. Unless you intend to deny services, one gateway is all that is needed. Limiting connections will not only make it easier for an adversary to disrupt connectivity to a much larger segment of a network, but the spear phishing, malware, Trojan horses, viruses, worms, etc., will have a larger pool of systems to choose from through fewer connections.

I truly believe we do a fairly good job of maintaining a hard network shell in our current state, but the gooey insides make for quite the enticing treat. How easy will it be to recover from a zero-day worm sent in via a carefully crafted spear phishing exploit, which infests a network segment that used to be just a satellite office of 200 computers but is now a Class B segment consisting of 65,000 systems? Will any of this truly make a difference when a laptop computer/removable drive/thumb drive/DVD/desktop computer/personal digital assistant is stolen or a hard drive is improperly disposed of? When are we going to realize that it doesn't matter any more how good the boundary is?

We need to start focusing on the endpoints for what they have truly become -- compromisable. Just like the old days, put the endpoints in a “demilitarized zone.” Treat the systems that connect to your core services as hostile. Force all endpoints to connect to your core only via virtual private network connections that are protected by NAC devices that can enforce well-constructed policy before ever letting them have access to the core, then interlink the cores via closed networks. With interlinked cores inside a closed network, data sharing will be easier to accomplish and data can be replicated and stored at multiple locations to increase survivability. Treating the endpoints as external devices will also increase survivability because they can be relocated and re-attached from anywhere. Almost sounds like going back to the mainframe days, doesn't it?

Anonymous
Air Force