Thursday, February 19, 2009

Thoughts on Air Force Blocking Internet Access

Last year I wrote This Network Is Maintained as a Weapon System, in response to a story on Air Force blocks of blogging sites. Yesterday I read Air Force Unplugs Bases' Internet Connections by Noah Shachtman:

Recently, internet access was cut off at Maxwell Air Force Base in Alabama, because personnel at the facility "hadn't demonstrated — in our view at the headquarters — their capacity to manage their network in a way that didn't make everyone else vulnerable," [said] Air Force Chief of Staff Gen. Norton Schwartz.

I absolutely love this. While in the AFCERT I marvelled at the Marine Corps' willingness to take the same actions when one of their sites did not take appropriate defensive actions.

Let's briefly describe what needs to be in place for such an action to take place.

  1. Monitored. Those who wish to make a blocking decision must have some evidence to support their action. The network subject to cutoff must be monitored so that authorities can justify their decision. If the network to be cut off is attacking other networks, the targets of the attacks should also be monitored, and their data used to justify action.

  2. Inventoried. The network to be cut off must be inventoried. The network must be understood so that a decision to block gateways A and B doesn't leave unknown gateways C and D free to continue conducting malicious activity.

  3. Controlled. There must be a way to implement the block.

  4. Claimed. The authorities must know the owners of the misbehaving network and be able to contact them.

  5. Command and Control. The authorities must be able to exercise authority over the misbehaving network.


You might notice the first four items are the first four elements of my Defensible Network Architecture 2.0 of a year ago.

Number five is very important. Those deciding to take blocking action must be able to exercise a block despite objections by the site. The site is likely to use terms like "mission critical," "business impact," "X dollars per hour," etc. The damage caused by leaving the malicious network able to attack the rest of the enterprise must exceed the impact of lost network connectivity to the misbehaving network.
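The five prerequisites above, written as a pre-cutoff readiness check. This is an added example, not code from the original post; the site record, gateway names, addresses and alert tags are all constructed for illustration. It shows the inventory problem from item 2: traffic from the site is seen leaving through a gateway that is not in the inventory, so a block at the listed gateways would be incomplete.

```python
import ipaddress

# Constructed sample data: every name, address and tag below is hypothetical.
SITE = {
    "prefix": "10.20.0.0/16",
    "inventoried_gateways": {"gw-a", "gw-b"},   # 2. Inventoried
    "control_points": {"gw-a", "gw-b"},         # 3. Controlled: gateways we can block at
    "owner_contact": "noc@site-x.example",      # 4. Claimed
    "blocking_authority": True,                 # 5. Command and Control
}
# Constructed sensor records: (source IP, egress gateway observed, alert tag or None)
FLOWS = [
    ("10.20.4.7", "gw-a", "scan"),
    ("10.20.4.7", "gw-b", "scan"),
    ("10.20.9.3", "gw-c", "scan"),   # site traffic leaving by a gateway nobody listed
    ("10.20.1.1", "gw-a", None),
    ("10.99.0.5", "gw-d", "scan"),   # different site, ignored
]

def readiness(site, flows):
    """Return which of the five prerequisites are unmet before a cutoff."""
    net = ipaddress.ip_network(site["prefix"])
    mine = [f for f in flows if ipaddress.ip_address(f[0]) in net]
    observed = {gw for _, gw, _ in mine}
    gaps = []
    if not any(tag for _, _, tag in mine):
        gaps.append("monitored: no evidence to justify a block")
    unknown = sorted(observed - site["inventoried_gateways"])
    if unknown:
        gaps.append("inventoried: egress via unlisted " + ", ".join(unknown))
    uncontrolled = sorted(observed - site["control_points"])
    if uncontrolled:
        gaps.append("controlled: cannot block at " + ", ".join(uncontrolled))
    if not site["owner_contact"]:
        gaps.append("claimed: no known owner to contact")
    if not site["blocking_authority"]:
        gaps.append("command and control: no authority over the site")
    return {"ready": not gaps, "gaps": gaps,
            "block_at": sorted(observed & site["control_points"])}

if __name__ == "__main__":
    result = readiness(SITE, FLOWS)
    print("ready:", result["ready"])
    for gap in result["gaps"]:
        print(" -", gap)
```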

It is usually much easier to wrap impact around a network outage than it is to determine the cost of sustaining and suffering network attacks. Loss of availability is usually easier to measure than losses of confidentiality or integrity. The easiest situation is one where downtime confronts downtime, i.e., cutting off a misbehaving site will allow its targets to restore their networks. This would be true of a malicious site conducting a DoS attack against others; cutting off the offending site denies its network availability but restores the victim's availability. That is why sites are most likely to allow network cutoffs when rogue code in one site is aggressively scanning or DoS'ing a target, resulting in the target losing services.

Does your enterprise have a policy that allows cutting off misbehaving subnets?


Richard Bejtlich is teaching new classes in Europe in 2009. Register by 1 Mar for the best rates.

3 comments:

Mubix said...

Applying consequences for lack of compliance is one of those fundamental sociological constructs that for some reason hasn't fully made its way into the security realm.

But applying those 5 steps is usually 'too much work' to be applied by management.

The other problem is #2. Having good documentation of the network is rarely seen in experiences.

Anonymous said...

So I just asked some people what the deal was here - and the answer is disappointing. The network was cut off because it wasn't using Websense. In true bureaucratic fashion an auditor looked at his checklist, noticed a missing check-mark, and things snowballed from there.

Now just because a network is not using Websense doesn't make it insecure. In fact, the comm folk at Maxwell were using a different product to provide the same functionality. But since it didn't say "Websense" it was obviously bad...

*sigh*

Gunnar said...

From the linked article: "Network administrators at Air Force bases already put strict limitations on what sites their troops can and cannot visit. Many airmen can't access Danger Room, for example — or any site with the word "blog" in the URL. That's in addition to Defense Department-wide bans on YouTube, MySpace and other social networking sites."

So they are going to defend against malicious websites with network-based security mechanisms? That should work well.