Recently, internet access was cut off at Maxwell Air Force Base in Alabama, because personnel at the facility "hadn't demonstrated — in our view at the headquarters — their capacity to manage their network in a way that didn't make everyone else vulnerable," [said] Air Force Chief of Staff Gen. Norton Schwartz.
I absolutely love this. While in the AFCERT I marvelled at the Marine Corps' willingness to take the same actions when one of their sites did not take appropriate defensive actions.
Let's briefly describe what needs to be in place for such an action to take place.
- Monitored. Those who wish to make a blocking decision must have some evidence to support their action. The network subject to cutoff must be monitored so that authorities can justify their decision. If the network to be cut off is attacking other networks, the targets of the attacks should also be monitored and use their data to justify action.
- Inventoried. The network to be cut off must be inventoried. The network must be understood so that a decision to block gateways A and B doesn't leave unknown gateways C and D free to continue conducting malicious activity.
- Controlled. There must be a way to implement the block.
- Claimed. The authorities must know the owners of the misbehaving network and be able to contact them.
- Command and Control. The authorities must be able to exercise authority over the misbehaving network.
You might notice the first four items are the first four elements of my Defensible Network Architecture 2.0 of a year ago.
Number five is very important. Those deciding to take blocking action must be able to exercise a block despite objections by the site. The site is likely to use terms like "mission critical," "business impact," "X dollars per hour," etc. The damage caused by leaving the malicious network able to attack the rest of the enterprise must exceed the impact of lost network connectivity to the misbehaving network.
It is usually much easier to put a figure on the impact of a network outage than it is to determine the cost of sustaining and suffering network attacks. Loss of availability is usually easier to measure than losses of confidentiality or integrity. The easiest situation is one where downtime confronts downtime, i.e., cutting off a misbehaving site will allow its targets to restore their networks. This would be true of a malicious site conducting a DoS attack against others: terminating the offending site denies its network availability but restores the victim's availability. That is why sites are most likely to allow network cutoffs when rogue code in one site is aggressively scanning or DoS'ing a target, resulting in the target losing services.
Does your enterprise have a policy that allows cutting off misbehaving subnets?
Richard Bejtlich is teaching new classes in Europe in 2009. Register by 1 Mar for the best rates.