Kuro5hin.org: technology and culture, from the trenches
create account | help/FAQ | contact | links | search | IRC | site news
[ Everything | Diaries | Technology | Science | Culture | Politics | Media | News | Internet | Op-Ed | Fiction | Meta | MLP ]
We need your support: buy an ad | premium membership

GovNet- Dream or Reality?

By relayswitch in Internet
Tue Oct 16, 2001 at 10:22:23 AM EST
Tags: News (all tags)

According to this link over at CNN, the new Special Advisor to the President for Cyberspace Security, Richard Clarke, wants to create a 'secure' version of the Internet for the US government, called GovNet. GovNet will be in no way connected to the current Internet, and it aims to alleviate the current issues, such as virus vulnerability and other security concerns.

Mr. Clarke apparently contacted the U.S. General Services Administration (GSA) for more information about building a secure telecommunications network. As mentione din the article:

"The key feature of GovNet, the agency said in a release, 'is that it must be able to perform functions with no risk of penetration or disruption from users on other networks, such as the Internet.'"
I found this to be the most amusing piece of the article:
"Most importantly, the government Net should be "immune from malicious service and/or functional disruptions" and all computer viruses, the RFI states

The GSA has posted an RFI (Request For Information) in its website, but it is a MS Word Doc. The main point of contact is:
Mr. John (Jack) Braun
(703) 306-6423

So, my question to the K5 community is this:
Is it possible to build a network using existing (read: off the shelf) tools that is completely seperate from the current Internet and is even REMOTELY close to being 'totally secure'?

And if it ISN'T possible, what is? Can we devise a network capable of serving hundreds of thousands of people across the world using the Internet as a model, but disconnected from the world's largest network? What kind of connectivity technology is needed? What is an acceptable timeframe?

Any who are interested in helping out with the project are encouraged to read the document and then send their comments to this address: govnet.ts.fts@gsa.gov



Voxel dot net
o Managed Hosting
o VoxCAST Content Delivery
o Raw Infrastructure


Related Links
o link
o website
o point of contact
o jack.braun @gsa.gov
o govnet.ts. fts@gsa.gov
o Also by relayswitch

Display: Sort:
GovNet- Dream or Reality? | 16 comments (15 topical, 1 editorial, 0 hidden)
VPNs (3.00 / 4) (#1)
by delmoi on Sun Oct 14, 2001 at 07:18:52 PM EST

It's all about the VPNs
"'argumentation' is not a word, idiot." -- thelizman
Should be possible... (3.66 / 3) (#2)
by khym on Sun Oct 14, 2001 at 07:36:33 PM EST

As delmoi noted, a GovNet could be made over the existing Internet using VPN software; just configure the gateways so that only traffic to/from other VPN government sites are accepted. However, this might not meet the requirements: the gateways could still be hacked (especially if they're configured poorly), and traffic over the Internet could be disrupted, even if it couldn't be monitored or hijacked.

Also, no matter how the network is implemented, making it immune to all viruses might be a problem. If someone saves a Word document to a floppy to take it home and work on it, it could get infected with a macro virus at home, a macro virus which would create an email virus once it got into GovNet. So to really make it secure, all the software at all the GovNet sites would have to be locked down real tight, with all the patches/configs applied to prevent macro viruses, email viruses, and so forth. To make sure local admins didn't screw things up, there'd need to be a central authority that made standard hard drive images to be installed on all the computers, and to release official patches and config changes, leaving little autonomy to the local admins.

Give a man a match, and he'll be warm for a minute, but set him on fire, and he'll be warm for the rest of his life.
my two cents' worth (4.33 / 6) (#3)
by eudas on Sun Oct 14, 2001 at 07:58:19 PM EST

pardon me, but isn't this a bit of a stupid question? what i mean is this: of course it is possible. it's just building their own private Internet without connecting the two. It would mean laying their own infrastructure instead of piggybacking off of existing stuff, but it could certainly be done.

What i think the more important question is, would it be worth the effort? Do you think that a separate Internet (GovNet) would be any better run than the existing one?

"We're placing this wood in your ass for the good of the world" -- mrgoat
Of course it's possible (4.62 / 8) (#4)
by theR on Sun Oct 14, 2001 at 08:03:11 PM EST

Of course GovNet is possible. The question is whether it's feasible. It would not be difficult to create another internetwork that has no connections to the current internet, and I'm pretty sure some government agencies, like the CIA, already have such things. The GovNet they are pondering now would obviously be much more extensive, but all it would take to implement is people and money.

Would the added security outweigh the disadvantages, though? There are two possible ways to implement this, I suppose. One is having an actual seperate government network with no physical connections to the internet. The other has already been mentioned, something along the lines of VPNs. The problem with VPNs is the same as the current problem. Everything has to be set up correctly to be secure, and it is still not 100% secure.

Would a seperate physical network solve the problems of security? Not in my opinion. Considering the number of people who work for the U.S. government, the number of contractors, and the fact that the vast majority of networks are comprimised from the inside, it seems like the better plan would be to get serious about security with the current situation.

If there is a seperate GovNet, wouldn't it sort of defeat the purpose of the internet? How do you download software, drivers, etc, get online support, and whatever else you need to do? Running two parallel networks, a public one and a private one, with no physical connection seems like more trouble than it's worth for most government agencies. I can see where it may make sense for some, but it seems like overkill to me. Also, if security currently is bad, my Spidey sense tells me it would be more sensible to fix the current situation rather than starting over from scratch and creating a whole new set of problems.

All that said, I'm of course assuming that whatever they come up with will have little base in reality. If they come up with something that seems sensible, then good for them. It is possible but seems unlikely considering some of the government's , and specifically Congress', views on technology. I assume Congress will have to approve funding for something like this.

Very doable. (2.66 / 3) (#5)
by emc2 on Sun Oct 14, 2001 at 08:04:00 PM EST

First thing: put the govnet in a different physical network.

Second: a govnet could not use of the shelf products , this would open it to viruses of all kind. This includes OSes, applications and perhaps more interestingly formats and protocols to be used only by this hypotetical govnet.

Third: the most important part of a secure net are policies, procedures and education of computer users. Without that, there is no way one can secure any network.
As I see it this could be a very important and positive development: a new, huge network, implemented from scratch would inject vitality in the computer industry by promoting solutions that would not include the normal computer giants, or that at least would force some of them to innovate for once.

I am all for it.

Not necessarily... (2.00 / 1) (#10)
by dachshund on Mon Oct 15, 2001 at 10:54:10 AM EST

As I see it this could be a very important and positive development: a new, huge network, implemented from scratch would inject vitality in the computer industry by promoting solutions that would not include the normal computer giants

Of course, given that the network is supposed to remain secure (and that generally means the protocols and designs will not be public information), I doubt that this would contribute much to the computer industry-- except for maybe cash to the companies who get gov't contracts.

Looks to me like this network would be an obsolete dog by the time it filtered out to the rest of the world. Besides, there are lots of state-of-the-art networking standards that aren't being implemented in the public networks already. Adding more isn't necessarily going to improve our lives.

[ Parent ]

It's not avout physical links. (4.33 / 6) (#6)
by Surial on Sun Oct 14, 2001 at 08:17:47 PM EST

If such a project is truly started, perhaps the US Government should focus its energies and its budget on the non-physical link parts; software and inter-security (checks between nodes; always verify connections to spoil IP/DNS spoof attacks, virus scan everything, abuse of a high bandwidth pipe, etcetera).

A separate pipe network is easily gained virtually through VPN technologies. Assuming all client machines are behind a VPN-enabled limited access firewall, there is no reason to say that a VPN system is any more open to attack then a GovNet.

In fact, VPNs will probably be more effective because they also provide an inherent defense against wiretapping and/or tempesting GovNet network cables.

Getting everyone a registered public/private keypair (well, everyone working at the US government for starters anyway) should help.
"is a signature" is a signature.

VPNs not invulnerable (5.00 / 1) (#13)
by dennis on Mon Oct 15, 2001 at 05:35:16 PM EST

See Schneier's analyses of VPN protocols: Microsoft's and IPSec. Firewalls aren't necessarily bulletproof, either.

[ Parent ]
Not only is it possible, it already exists (4.33 / 3) (#7)
by Carnage4Life on Sun Oct 14, 2001 at 11:07:40 PM EST

The US defence and national intelligence folks already have their private networks that aren't connected to the Internet. this is simply expanding the concept to include all government agencies. Here're are links to posts on Slashdot by people more knowledgable about this
  1. Nothing New
  2. Re:You have never worked in corporate have you ?

not as long as they use it for word documents... (4.00 / 1) (#15)
by gps on Tue Oct 16, 2001 at 03:40:49 AM EST

If govnet will be used to share word documents they might as well forget their request for immunity from viruses.

[ Parent ]
They Already Exist (none / 0) (#8)
by Bad Harmony on Mon Oct 15, 2001 at 02:36:26 AM EST

Besides the military and intelligence networks already mentioned, NASA has private Internets that are used for mission critical tasks such as communicating with satellites. These private Internets are physically isolated from the public Internet. It isn't too big of a problem. Desktop PCs are connected to the public Internet for email, web access etc. Mission operations computers are connected to one of the private Internets. Different functions, different networks.

5440' or Fight!

Hasn't this already been tried before? (none / 0) (#9)
by xj479 on Mon Oct 15, 2001 at 08:01:33 AM EST

It would probably meet the same fate as SIPRNET and NIPRNET: someone that knows next to nothing about technology thinks that the lack of communication between the public and private networks is a design flaw, and the two nets should be "safely" connected.

Users also exchanged viruses between the two networks by the use of floppie disks to transport easily infected documents.

SIPRNET & NIPRNET (none / 0) (#16)
by Armaphine on Wed Oct 17, 2001 at 03:06:02 PM EST

Actually, SIPRNET & NIPRNET are both used by the military to this day. Granted, NIPRNET is nothing more than a basic internet connection, but SIPRNET is encrpyted. And trust me, God help the dumbass tech that links the two. Last I checked, it was still considered a cryptographic incident, which involves a number of people going to jail for a long time.

Question authority. Don't ask why, just do it.
[ Parent ]

This is a joke, right? (3.25 / 4) (#12)
by quartz on Mon Oct 15, 2001 at 11:36:12 AM EST

I mean, their HUMAN infrastructure is so unreliable that they keep unearthing Soviet spies in the FBI 10 years after the Cold War is over, and their first concern is to secure their computer networks? Heloo! You can build the most secure network the world has ever seen, it isn't worth squat if you can't trust the people who are using it.

Fuck 'em if they can't take a joke, and fuck 'em even if they can.
Having their cake and eating it, too (4.50 / 4) (#14)
by Global-Lightning on Mon Oct 15, 2001 at 11:31:32 PM EST

I'd be interested to see what responses the government gets to this wishlist.

Some issues I see in the requirements:

"GOVNET will be a private Internet Protocol (IP) network shared by government agencies and other authorized users only."
"There will be no interconnections or gateways to the Internet or other public or private networks."

How will they enforce no interconnections or gateways? By specifying IP, the most likely options will be managerial, not technical solutions. It should be noted that for other networks (SIPRNET), this has worked reasonably well.
I take "other authorized users" will mean contractors and their corporations. Extreme care must be take to ensure no interactions occur between the GOVNET, the contractor's own networks, and public networks.
Furthermore, do they intend on removing the floppy disk drive and serial port from every computer connected? Ban zip-drives, cd-rom burners, scanners, USB and Firewire? How will they deal with PCMCIA modems and hard-drives (I assume it will need PCMCIA for the FORTEZZA cards)?

"All GOVNET components and links must be located in the U.S. or Canada."

I can tell you immediately who won't be signing up for GOVNET: The Departments of State and Defense, and any other entity that does most of its business overseas. How will these organization's deployed assets reach back to the States? Will these organizations have to maintain separate networks for their non-US units and then sneak a around the interconnection ban to get information onto GOVNET?

"GOVNET will provide commercial-grade voice communications capabilities within the network among specified users using the data network components and protocols. Voice services to be supported will include, but not be limited to, conferencing and multicast/broadcast. No connections or gateways to the PSTN or SS7 are envisioned for voice communications"

Just like many classified users now have separate workstations for unclass and classified networks on their desks, so to will they have two phones, one for the GOVNET, the other to the PSTN. That's not very efficient.
Also, how efficient or effective is using IP for conferencing and multicast?

"GOVNET traffic will be secure (...), and will be suitable for carrying classified information."

Wait a minute: This network already exists. INTELink/SIPRNET has given the govt this capability for years. Do they intend for GOVNET to replace this network? Try selling that to the NSA, CIA, FBI, DoD, DoS, and 20 other departmental users.

"For purposes of this RFI, assume a single invoice with supporting detail presented monthly to GSA"
"GOVNET will offer bandwidth-on-demand services"

And they want this for the entire government? What poor GS-4 clerk will have to review this bill every month?!

"GOVNET shall evolve to maintain technology and service currency with state of the art commercial services to the maximum extent practical."

This statement should be re-written to:
"Welcome to GOVNET, sponsored by Microsoft and Cisco.
Unauthorized used of this network and open-source solutions are strictly prohibited"

Finally, there is one issue I don't see addressed: What to do about internal users? This documents carries the flawed concept of "all bad guys are on the outside". At least with classified systems, you have procedural steps, such as background investigations, as a check for access. If this system is to be unclassified, this will be a cost prohibitive solution. It could yield a network that's "hard on the outside, soft in the middle"

GovNet- Dream or Reality? | 16 comments (15 topical, 1 editorial, 0 hidden)
Display: Sort:


All trademarks and copyrights on this page are owned by their respective companies. The Rest 2000 - Present Kuro5hin.org Inc.
See our legalese page for copyright policies. Please also read our Privacy Policy.
Kuro5hin.org is powered by Free Software, including Apache, Perl, and Linux, The Scoop Engine that runs this site is freely available, under the terms of the GPL.
Need some help? Email help@kuro5hin.org.
My heart's the long stairs.

Powered by Scoop create account | help/FAQ | mission | links | search | IRC | YOU choose the stories!