Fog Creek Software
Discussion Board




Physically separate networks

In a writeup around some network security concerns for embedded systems ( http://www.semack.net/Articles/PracticalSecurityInMissio.html ), Semack writes:

"At my place of employment, we have two computer networks.  Our external network is connected to the outside world, and handles things like e-mail and web traffic.  Our internal network is where all of our critical data lies (source code, board schematics, accounting records, etc).  The internal and external networks are physically separate.  Sure, it's inconvenient, but it is the only way to be truly confident that our most sensitive data is kept safe from hackers (disgruntled employees are another story).
"
Is this a common practice at your workplace? I have been leaning towards this, and informally suggested it, but I am still a little bit reluctant to go this route, for the obvious inconvenience. If you are truly 100% separate, this means e.g. your SUS server is not directly fetching updates from Microsoft, but you do a DVD transfer scenario? Also, do all people then have 2 machines, one on the expernal net and one on the internal net, and a KVM?

Just me (Sir to you)
Monday, May 17, 2004

It's defenitely not common at my workplace, but I've heard of this being done. In the two situations I know of, the internal network machines have no floppy drives, USB ports, etc. They're locked down pretty tight.

Of course, a phone with integrated camera can get around this, but it certainly is a large step towards the unattainable perfect security. As well, portable electronic devices are not permitted in these secure areas.

At one of these installations, you can't even walk out with a CD, even if it is your favourite Clay Aiken single. There's a central set of rooms that contains computers with access to the secure network, that has CD/DVD readers for installing new software. ANY media that enters this room is destroyed after being used, or is stored in that room.

I've heard rumours that the secure computers also have their empty internal slots disabled physically, but I'm not too sure about this.

As well, there were whispers around that the monitor and keyboard ports were "encrypted" somehow to prevent data being copied out from there, but I'd have no idea how that works. They didn't use KVM's here; perhaps this is why. That's just a guess though.

Edward
Monday, May 17, 2004

Just one more interesting point. They had also removed the status LED's from the front of the secure machines. Maybe they didn't want it used a slooooow optical serial port?

All in all, a very frustrating environment for users.

Edward
Monday, May 17, 2004

Posting anonymously for obvious reasons...

A few months ago, I was working in a secure enviroment with most of those rules in place:

* any removable media which enters the room(s) does not exit.
* two-man teams at all times, most times different pairs, each time had one DoJ or DoD personnel member at all times.
* using DoD wiping utilities to write over a drive 5 times before allowing exit.
* closed circuit cameras on the terminal/user at all times (not on the keyboard itself, but always showing the screen).

The worst part was that the data and the processing involved was relatively dull.  The only cool thing was the software and hardware being used.  Impressive stuff.

NothingToSeeHere
Monday, May 17, 2004

The main problem with a dual network scenario is inconvenience to the user.  Imagine two computers on your desk.  You're slogging through some difficult code and thinkg, "Wait, I've seen this done somewhere."  So you switch computers, google for the code and find a great class that does just what you need.  Now you get to manually copy all that work over, character by character.  Not a problem if it's a few lines, but a major problem if it's a large chunk of code.

The NSA made news a few years ago.  They run mutliple physically separate networks and wanted to modify Linux and PC hardware to have all networks accessible from one box without making them see each other.  Last I heard they thought it could be done but hadn't acheived their goal.

Perhaps the best option is the more traditional option.  Set up a good Firewall system.  Keep Email, WAP, and external facing servers on a DMZ.  Use an enterprise strength WAP encryption scheme (not WEP, look at WPA), watch your ports on the firewall, and keep good backups physically removed from the network.

If you could get 15% better security, is it worth 40% in developer time/frustration?  Your numbers will vary of course, but I think you'd be better off investing in upgrading your existing infrastructure and making it more secure than estabishing two and making users learn a new method of operation.

Lou
Monday, May 17, 2004

Like the article hints at, this is usually only used in situations where failure can not be tolerated. At all. Such as in reactor control systems.

If you're talking about shrink-wrap dev shop, and you're just looking for IP (intell. prop.) security, this is overkill. If you're going to produce software for outside consumption, your vulnerability is de-compilers, etc., not crackers getting into your dev network.

Edward
Monday, May 17, 2004

> and find a great class that does just what you need

Aha, but isn't it generally a bad idea to just copy code from the net? Large codeblocks even. Aside from license issues if you have to check-proof it you can just write it down yourself, too.

_
Monday, May 17, 2004

Can Myron comment more on the implementation? I haven't seen him here in a while though!

Prakash S
Monday, May 17, 2004

Just to provide a bit more background on our IT setup:

A lot of the people who use PC's don't require Internet access (people doing PCB and system assembly) don't require Internet access, so they don't need two PCs on their desk.  All they need is an internal machine that connects to our manufacturing applications.

At various places in the building, we have "public" computers which people can use to browse the web and check their e-mail.

Most people in engineering and management have a laptop and a desktop.  They laptop is on the external, the desktop is on the internal.

It's actually not that difficult to work with.  A little inconvenient at times (think products which require activation).  Downloading things used to be difficult, but almost everyone here has a USB key now.

As other posters have suggested, our setup may not work for everybody.  We develop embedded systems.  If I was developing Internet-enabled applications, this dual-network arrangement would be a pain in the ass.

Myron A. Semack
Monday, May 17, 2004

thanks..

Prakash S
Monday, May 17, 2004

> We develop embedded systems

How about accessing the internet for looking up bugs,
code you can use, discussion groups, programming groups,
algorithms, etc. Without an inflow of information you
are less than you could be.

son of parnas
Monday, May 17, 2004

Laptops/USB key things could be a point of failure (transmitting viruses). I recall a few companies with separate networks were surprised when they were infected with some of the recent MS virii by employees' laptops.

Dan Maas
Monday, May 17, 2004

I have read somewhere that the Half Life 2 source code leak fiasco revealed that the company did use this model to some extent, however the security broke down somehow anyway. I really don't know the whole story so big salts.

Li-fan Chen
Monday, May 17, 2004

Well, employees are smart and have incentive to perform.  You make their life difficult with the segregated networks.  Suppose I work at home on my laptop, and I've got code to check in.  Instead of providing a VPN for me to call in to, you require me to use a floppy disk or some other storage/transfer method.

I get impatient.  I've got a big code change on my laptop, and its error prone to try and copy all the revs and do it right, not to mention a big waste of time.  I plug my laptop into the secure net.  Voila, I've just defeated a major reason for the segregated network.

Perhaps there is a compromised machine on the secure network.  The secure network itself won't be leaking information to the internet, but my laptop may be when I take information home.  This is exactly the scenairo CIA director Deutch faced some years ago: http://www.robertscheer.com/1_natcolumn/00_columns/022900.htm
Not that he was leaking data, but that he violated rules designed to keep data from leaking.

Anyhow, I think one size fits all security is not the way to go.  You need to have multi-layered access, so that if your external firewall  is compromised, the ability to access data inside is almost as difficult.  Further, logs and alerts should be in place to notify sysadmins of breaches.

I think that you actually have to pay people to be sysadmins and pay them well (I'm not a sysadmin, but admire some really good ones).  Sysadmins don't directly contribute to the bottom line, and therefore are not looked upon favorably by management.

Instead, managers want a security blanket.  A nice set of rules which makes them feel safe, and in the CIA's case, the top level felt that they did not have to live by.  Hmm.

The more secure you make the boxes and networks you use, the llower your productivity.  Finding the technologies and network topologies which contribute to both productivity and security is the real trick.  Bigger is obviously harder.

hoser
Monday, May 17, 2004

"How about accessing the internet for looking up bugs,
code you can use, discussion groups, programming groups,
algorithms, etc. Without an inflow of information you
are less than you could be."

As I said in my earlier post, I have a laptop connected to the Internet.  If I need to check e-mail, look something up on the web, I use my laptop, which is about 2 feet away from my desktop.

Myron A. Semack
Monday, May 17, 2004

"Laptops/USB key things could be a point of failure (transmitting viruses). I recall a few companies with separate networks were surprised when they were infected with some of the recent MS virii by employees' laptops. "

We have virus scanning on both networks.  I think you're thinking of worms like Blaster and Sasser, which spead by someone PLUGGING their laptop into the secure network.  That is not allowed here.

You are not allowed to connect a machine to a different network.  If you try to connect an external machine to the internal network, you get in BIG trouble.

Myron A. Semack
Monday, May 17, 2004

Furthermore, no one is allowed to do development on an external machine.  The external network is for web and e-mail only.

Myron A. Semack
Monday, May 17, 2004

Myron,

Did you guys look into a thin client strategy for web & email?

Prakash S
Monday, May 17, 2004

"If you could get 15% better security, is it worth 40% in developer time/frustration?"

Honestly, I don't see any developer frustration here.  If anything, I think it makes things easier.  I don't have Outlook and IE windows cluttering up the desktop of my development system.

Myron A. Semack
Monday, May 17, 2004

We did actually.  The problem is that they seem to end up being more expensive.

Thin clients are only slightly cheaper than a cheap PC, and then you have the costs of the centralized management stuff.

Now, this was a while ago, and I wasn't involved in the decision.  Things could have changed between then and now.

Myron A. Semack
Monday, May 17, 2004

"which spead by someone PLUGGING their laptop into the secure network.  That is not allowed here."

It wasn't allowed at CIA either.  The only way I know to truly prevent this would be to issue smart cards.

hoser
Monday, May 17, 2004

It would be ironic if we returned to the sneaker net for data transfer. Nevertheless it would certainly slow down virus propagation. With external USB2 and firewire drives of up to 500GB available dirt cheap it is becoming feasible, and think of how it will help programmers health doing all that walking.

Stephen Jones
Monday, May 17, 2004

"It wasn't allowed at CIA either.  The only way I know to truly prevent this would be to issue smart cards. "

If we were a larger company, we might do that.  One of the other ideas that come up was restricting the DHCP leases by MAC address.

We're under 40 people total.  Of that, maybe 15 people have laptops.  All of them are pretty firm believers in the dual-network system, and understand the consequences.  We also make all employees that are issued laptops sign an agreement that they won't connect their system to the wrong network.

At some point, you do have to put a little bit of trust in your employees :-)

Myron A. Semack
Monday, May 17, 2004

Some guys at Microsoft did a proof-of-concept for running multiple isolated networks on a single box using Virtual PC. The host system had *no* TCP stack installed - the Virtual PC's each connected to their dedicated NIC card, and never the twain did meet.

I remember VMWare pursuing a similar solution a few years ago; I'm sure they've accomplished it, but I'm just not smart on it.

The MS solution is called "Typhon"

Philo

Philo
Monday, May 17, 2004

Typhon is the offspring of Gaia and Tartarus. His mate is Echidna and both were so fearful that when the gods saw them they changed into animals and fled in terror. Typhon's hundred, horrible heads touched the stars, venom dripped from his evil eyes, and lava and red-hot stones poured from his gaping mouths. Hissing like a hundred snakes and roaring like a hundred lions, he tore up whole mountains and threw them at the gods.

from http://www.pantheon.org/articles/t/typhon.html

and googling typhon

MilesArcher
Monday, May 17, 2004

One of the other ideas that come up was restricting the DHCP leases by MAC address.

That would work very nicely - I mean it keeps honest people honest.  But it can be bypassed rather easily for people wanting to bypass security "just this once".

I have to say that I'm glad that we're allowed to VPN into work.  I get alot of work done during home hours.

So much of security has to do with user practices.  Just Sir() mentioned at least once something like "I've been running windows for years and never been attacked by a virus" or something like that.

And yet we've had several of our people catch "I love you" type virii in the last 3 years.

The subject fascinates me - wish I knew more...

hoser
Tuesday, May 18, 2004

*  Recent Topics

*  Fog Creek Home