October 2001 Archives

Andy Oram


Two weeks ago I strayed into the territory of secure networks with a gripe I posted about the GOVNET proposal that was floated by the Advisor for Cyberspace Security and the General Services Administration. I wasn’t saying that a secure private network of that size is impossible to build (which some security experts are saying); I was mainly poking fun at what I saw as imprecise thinking in the GOVNET Request for Information. But a reader turned me on to a secure network that has been operational for six years—and one that’s profitable and growing.

This successful network is called ANX. It started up to serve the automotive industry, and now connects 80% of that industry’s largest companies to a huge collection of suppliers. It is also spreading to other industries. In this weblog I’ll list the security characteristics that make ANX work, and draw some conclusions about what might or might not work if the government tried to build its own network.

Security in ANX

ANX is a secure private network that uses standard, open Internet protocols but carries all traffic over private lines leased from various carriers. Through IPsec and end-to-end encryption, ANX provides its customers with service like that of a typical VPN. Where it differs from a typical VPN is that the routers that make up the network check every packet to make sure it comes from an IP address on the private network. Thus nobody but customers can get into the network. Triple DES encryption protects a customer’s data from the potential malicious behavior of another customer.

ANX consists of a core of ATM lines and large routers along with access points at the edge. These access points are Certified Service Providers (CSPs) and include AT&T, Worldcom, Equant, Bell Canada, Ameritech, and Ideal Technology Solutions. As the term suggests, CSPs are essentially ISPs. They sign up customers and manage connectivity like ISPs, but they have to be rigorously certified by ANXeBusiness Corp., the company that runs ANX. CSPs must also adhere to stringent service level agreements that apply end-to-end between users. In fact, Quality of Service on ANX would probably make an interesting article of its own. Among the tasks of the CSP is intrusion detection.

Development began on ANX in 1995 and the network has been in production since 1998. Security is very good; they have never had a known breach. Let’s look at what they actually deliver, and what is left up to the customer.

First, the routers (typical firewall routers from Cisco, Checkpoint, etc.) at each customer end-point are configured to stop all traffic from the Internet. ANXeBusiness Corp. buys blocks of public IP addresses, but assigns them to internal or customer systems. You will never see one of these addresses on the Internet, and ANX customers will never see anything else on their ANX interfaces. Even if somebody tried to route a packet from the Internet through an ANX router to the private ANX network, the packet would get dropped.
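The ingress check described above, written out as an added example (this is not ANX’s code nor any router vendor’s configuration). It assumes a member router with an ANX-facing interface named anx0, two ANX-assigned address blocks, and a handful of constructed packet records; the address ranges are reserved documentation prefixes, chosen only for illustration. The destination check is an added, common-sense extension of the source check the text describes: a packet sourced from ANX but addressed to the Internet has no business crossing the ANX interface either.

```python
"""Source-address ingress filtering of the kind the text attributes to ANX
edge routers. Added illustration; blocks, interface names and packets
are constructed, not taken from ANX."""
import ipaddress
from dataclasses import dataclass

# Assumed: public blocks ANXeBusiness assigns to members. They are never
# announced on the Internet, so a packet carrying one of these addresses
# should only ever be seen on the ANX side of a member router.
ANX_BLOCKS = [ipaddress.ip_network("192.0.2.0/24"),
              ipaddress.ip_network("198.51.100.0/24")]

ANX_IFACE = "anx0"   # assumed name of the ANX-facing interface


@dataclass(frozen=True)
class Packet:
    iface: str        # interface the packet arrived on
    src: str          # source IP address
    dst: str          # destination IP address
    proto: str = "esp"


def in_anx(addr: str) -> bool:
    """True if addr falls inside one of the ANX-assigned blocks."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in ANX_BLOCKS)


def ingress_decision(pkt: Packet) -> tuple:
    """Return ('accept' | 'drop', reason) for a packet reaching the member's
    router. Only ANX-sourced packets arriving on the ANX interface pass."""
    if pkt.iface != ANX_IFACE:
        # Internet-side traffic is never forwarded toward ANX, even if it
        # spoofs an ANX source address: the interface check catches it first.
        return ("drop", "arrived on non-ANX interface")
    if not in_anx(pkt.src):
        # The check the text describes: source must be on the private network.
        return ("drop", "source outside ANX blocks")
    if not in_anx(pkt.dst):
        # Added check: ANX addresses only talk to ANX addresses.
        return ("drop", "destination outside ANX blocks")
    return ("accept", "ANX member to ANX member")


def apply_filter(packets) -> dict:
    """Classify a batch of packets; returns counts plus the dropped reasons."""
    summary = {"accept": 0, "drop": 0, "reasons": []}
    for p in packets:
        verdict, reason = ingress_decision(p)
        summary[verdict] += 1
        if verdict == "drop":
            summary["reasons"].append((p.iface, p.src, p.dst, reason))
    return summary


# Constructed sample traffic: one legitimate exchange, one Internet host
# trying to reach ANX through the router, one spoofed ANX source arriving
# on the Internet side, one ANX host addressing an Internet destination.
SAMPLE = [
    Packet("anx0", "192.0.2.10", "198.51.100.20"),
    Packet("anx0", "203.0.113.5", "198.51.100.20"),
    Packet("eth0", "192.0.2.10", "198.51.100.20"),
    Packet("anx0", "192.0.2.10", "203.0.113.5"),
]

if __name__ == "__main__":
    for line in apply_filter(SAMPLE)["reasons"]:
        print(*line)
```

Run as a script, it prints one line per dropped packet with the reason; the only packet that passes is the member-to-member one on anx0. Note what the filter cannot do: it says nothing about a host that is legitimately on ANX and also on an Internet-connected LAN, which is exactly the bypass the next paragraph describes.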

The only way around this security is for a customer to attach a system to both the Internet and ANX—which often happens because many workstations are on an Internet-connected LAN—and for some intruder to break into a legitimate user account on an ANX-connected system. To the best of their knowledge, nobody has done this, but it clearly depends on security at the end-user.

ANXeBusiness Corp. offers “best practices” to its customers, but it cannot take responsibility for customer security failures, such as omitting to authenticate a user. “We have something you might think of as a common carrier exemption,” says CTO Erik Naugle.

User authentication is a key aspect of security, and it involves policies and procedures—not just the machine activity of checking keys. ANX does not deal with end-user registration or authentication; it offers only the checks in IPsec. “We know that Ford Motor Company really is Ford Motor Company, but we don’t have user authentication,” says Naugle. Rather, it is expected that customer applications will authenticate users. This is a universal task in such traditional applications as database query programs, so customers should be equipped to register and validate users.

Still, if customers choose to run garden-variety applications like email over ANX and use insecure software, viruses or other abuses can spread. Right now, most customers don’t face this danger because they use a small range of applications such as EDI or CAD/CAM exchanges. But Naugle said there is an evolution toward using ANX for email.

ANX is centrally managed, unlike the Internet, but it is not a monolith. The CSPs that deal directly with customers are privately managed, and in fact I was informed by Naugle and Industry Relations Manager Gregg Halberstadt that a lively competition exists among them. Prices for connecting to a CSP are comparable to business-quality connections on the Internet. A monthly fee for ANX is added on top of this, though. That pays for the certification and management activities performed from the center. According to Naugle, “The return on investment for companies using ANX comes almost immediately, because [so far as connecting to other ANX customers] they can replace the mess of many access points with a single, reliable connection to our network.”

ANX scales. They now serve almost 1000 companies, and they’ve expanded beyond their original base in the U.S. automotive industry. ANX is now serving the aerospace industry and financial services, and they are finding particular interest among health care providers, who have particularly sensitive data and who are required by the federal Health Insurance Portability and Accountability Act to secure that data.

What we can learn in regard to a government network

An examination of what ANX tries to do, and what they shy away from, can provide some guidelines to proponents of GOVNET. This section is my personal analysis and does not contain any input from ANX.

First, the software you run and who you allow to run it is just as important as what network it travels over. You can’t just set up a private network and assume that everything will come up roses. Each application is responsible for security. If you allow buggy applications to run, you’ll have security breaches. That applies to software that manages systems and networks, too. GOVNET is not going to be secure unless applications are specially developed or hardened for it—no ActiveX, automatic macro execution, etc.

A private network like ANX does not provide user authentication. So promise to make each application authenticate remote users. Even after you achieve that, you still have to set up a system to grant identities to users, and administrators must understand how to make sure that only trusted people get identities. These tasks are part of what I call “cyber-hygiene,” and it’s required on both the Internet and on any large private network.

ANXeBusiness Corp. does not threaten users with fire and brimstone if they choose to connect their LANs to the Internet. First of all, it recognizes that some communications between customers cannot be secured, so it accepts that they’ll use insecure channels for those communications. GOVNET should recognize this too. It cannot provide a secure application for every activity that comes to the user’s mind (instant messaging, Web browsing) and even if it could, people would want to reach sites that aren’t on GOVNET. They won’t want to transfer a vendor proposal from an Internet-connected system to a GOVNET-connected system by swapping disks.

The ANX solution is more realistic, and so far it’s worked well. People will use the Internet and they will use the private network, all from the same computer system. The barrier is not insurmountable to an intruder, but it creates a big double hump they have to leap without being detected.

ANXeBusiness Corp. recognizes what it is responsible for (encryption, preventing unauthorized network use) and what it cannot control. It regulates its CSPs rigorously to uphold its part of the bargain; meanwhile, the customer must be responsible for its part. GOVNET does not include any distinction between the provider and the end-user. If the proponents of GOVNET really believe they can be responsible for everything—no intrusions, no breakdowns, no viruses—they have to be prepared to train every staffer who uses an application on GOVNET. In an organization the size of the federal government that’s a daunting task, even if nobody ever gets fired. (Actually, some positions experience turnover every four years.)

So that’s my list of suggestions for improving government security. It’s an expensive and long-term proposition, and by no means is it a perfect one. I learned it from ANX. And while ANX is a very impressive service that can’t be duplicated on the Internet, its success has a lot to teach Internet users. End-to-end encryption is good; IPsec is good; intrusion detection is good. You can improve security a lot by adopting good ANX practices even if you don’t want or need ANX’s private lines.

Is ANX a model for other commercial and government communications systems?

Andy Oram


Related link: http://news.cnet.com/news/0-1005-200-7577542.html

Current anti-trust investigations will potentially bear out what I wrote six months ago in What Price Innovation? Using copyright as both sword and shield, studios have been squelching new media.

Andy Oram


Related link: http://news.cnet.com/news/0-1003-200-7560391.html

Microsoft wants to stop the publication of security exploits. When I see Congress lumping computer intrusions together with terrorist acts, and when I see a phrase in the article like, “Microsoft intends to force the issue”–particularly in the shadow of the Sklyarov arrest–I worry whether it will soon become illegal to publish software that could be used to exploit security holes.

Simon Cozens


I just missed it by one day, but Perl 5 was released on the 17th of October, 1994. This makes Perl 5 seven years old, and Perl itself nearly fourteen years old. Doesn’t time fly when you’re getting lots of useful work done?

Andy Oram


A grandiose scheme for a self-contained government network has been reported in Wired and internet.com. The proposal has already received enough criticism to suggest that it will quietly vanish, but the Request for Information (available only in Microsoft Word format) makes for amusing reading, if nothing else. Several passages illustrate the naïve errors that tend to be made by people who haven’t been initiated in the practices of computer security. Because of that, the proposal leaves me doubting the ability of the new Advisor for Cyberspace Security or the more established General Services Administration to rise to the challenge presented by our current crisis.


First off, no computer user of any sophistication can miss the irony of
an agency promising iron-clad security, which “shall be impossible for
malicious code (e.g., computer viruses) to penetrate,” while requiring
both the Request for Information and all responses to be in Microsoft
Office formats.

Voice communication and potential video will include
“multicast/broadcast” capabilities. What do the authors mean by
“broadcast”? Outside of Ethernet or spread spectrum radio, I don’t
understand how that term applies to digital media. And every kind of
broadcast I can think of implies easy interception by unintended
listeners.





Perhaps broadcasting—whatever it is—will not be a problem
if strong encryption is used, as the Request for Information
promises. But it does not ask what mechanism will be used to
distribute keys or authenticate users. Those little details, as
security experts always say, are probably more critical to get right
than the simple statement that encryption will be used.

And why do the authors explicitly say, “No encryption of routing or
addressing information is contemplated at this time”? If that
information is unimportant, why was Attorney General Ashcroft so
anxious to put interception capabilities into the Anti-Terrorism Act
(now called the USA act)?
And if you try to save some trouble by not encrypting the routing or
addressing information, how can you prevent spoofing and
man-in-the-middle attacks?

Threats to the proposed infrastructure are not the only things that
the Request for Information puts on indefinite hold. Also relegated to
“a later date” are such fundamental questions as “security management
requirements” and “security of network management and control
technologies.” It’s not hard to define a fully secure system, so long
as you don’t mind leaving a few back doors.

I wish I could find some point of merit, or even something showing
careful consideration, in this Request for Information. Why didn’t
they start with the fundamental security question—controlling who uses the system
and how accounts are assigned and revoked?
Why didn’t they include the standard, well-known advice that
the source code for all software be vetted for security before it can
be loaded on any system? Why don’t they address the obvious question
of how to exchange information with collaborators (such as vendors or
non-federal agencies) who lie outside the network, instead of
blustering that “There will be no interconnections or gateways to the
Internet or other public or private networks”?

Absent such considerations, which pop into my mind within the first
couple minutes of reading the document, I am left with just the
evidence of bluffing and irresponsible overconfidence. GOVNET “will
support critical government functions and will be immune from
malicious service and/or functional disruptions to which the shared
public networks are vulnerable (i.e., so-called cyber attacks).”
However, they are quite confident that the network will “evolve to
maintain technology and service currency with state of the art
commercial services to the maximum extent practical.” (Microsoft
Office?) Meanwhile, it will “provide the highest levels of reliability
and availability” (although they deliberately refuse to “specify a
particular requirement for availability or reliability”).

It’s getting late. The country needs a strategy. It doesn’t necessarily
have to be controlled from any center. I have always said
that true security comes from grass roots. (See my article
Cyber Hygiene, Not Cyber Fortress Protects Our Networks, for instance.)
Furthermore, security for federal agencies is not uppermost among my
worries (except for obvious cases like the military and the FBI). I
would rather have someone mess around with records at Housing and
Urban Development (federal) than screw up a water filtration plant
(local) or delete hospital records (private). But this does not free
federal agencies to engage in buffoonery such as this Request for
Information.

Can this plan be fixed?

Andy Oram


A recent article reveals that the people who proposed the W3C Patent Policy Framework are bending in response to criticism. The best news, which comes from working group chair Danny Weitzner, is that two staunch proponents of free software are joining the working group. But the very existence of the working group poses the risk that it will have to adopt some kind of policy simply to justify its existence. Now Apple Computer and Hewlett-Packard are asking the W3C to rule out royalties (payments for patented technologies). But royalties are only a part of the problem, as I recently pointed out. It would be a shame for the royalties to be removed and the rest of this dangerous framework to be adopted in the interests of “compromise.”

Dale Dougherty


The following message was submitted to the W3C in
response to its request for comment on its proposed
Patent Policy Framework.

O’Reilly & Associates, as a member of the W3C, objects to the
proposed Patent Policy Framework, dated August 16, 2001. We
believe that the Web’s success depends on fully open standards
that can be implemented without restrictions by open source
developers as well as commercial developers, large and small.

Therefore, we oppose RAND licensing as an option
for W3C working groups that are developing standards.
W3C work should be done exclusively on a Royalty-Free basis, as
it has up until now. That is the only way the W3C can
ensure that a Web standard truly serves the public good.
We oppose RAND because requiring developers to pay is discriminatory.

We see the proposed patent policy framework as changing the rules
of the game at the midway point. This especially affects
independent developers who were the first to support the
Web by implementing new technology based on Web standards. One
need only look to the wide range of free XML tools to
appreciate the tremendous contribution of these developers.

The proposed patent policy framework states that “Members invest
significant research effort in the development of their own intellectual
property portfolios, so are concerned about protecting and benefiting from
proprietary technology they have developed or acquired.” One
must conclude that the W3C is really about maximizing the investments
of its members rather than increasing the public benefit of the Web.
The policy makes no mention of the interests of those independent developers
who have contributed heavily to the success of the Web by
investing in the development of non-proprietary technology. The
proposed policy states that the Web community has “a longstanding preference
for Recommendations that can be implemented on a royalty-free (RF) basis.”
It is much more than a preference; it is an absolute requirement.

Under the proposed patent policy framework,
the W3C commits to keeping core standards royalty-free,
but sets up the opportunity for “higher layer” standards
to be chartered under RAND licensing. The W3C will
be forced to decide whether a working group is
working on a higher or lower layer. One
reason the W3C exists is that the IETF once determined
that the Web was a higher level application, not
deserving of the same consideration as its lower-level
protocols. The distinction between high and low often
proves meaningless and depends on the interests of
those drawing the maps of the layers.

We recognize that the proposed patent policy does
attempt to address the challenges that patents are
presenting to collaborative standards development.
We support the W3C’s efforts to tighten the rules that
force the disclosure of patents and IPR of those involved
in the development of standards under the auspices
of the W3C.

In fact, we’d like to see the W3C lead the Web community in
fighting the imposition of patent rights on the Web.
As an international organization, the W3C should take a global view
of the public good and oppose the narrow, US-centric view that
rationalizes software and business-method patents.

The Web is rooted in openness, much more radically so
than any computer system before it. The W3C should
champion this radical view as the reason why
the Web flourished and the reason for the W3C’s existence.
It should not compromise its mission by granting its members
the ability to impose special rights and restrictions on
the Web community.

The W3C’s responsibility to the entire world of web users must
come before its obligations to its members.
We would like to see Tim Berners-Lee affirm
his commitment to completely open standards and use his position
as the Director of the W3C as well as the inventor of the Web
to defend the Web against academic, governmental or commercial
efforts to impose new restrictions. At the very least, the
W3C should not be endorsing such restrictions, as the patent
policy framework clearly does. W3C policy should seek to
remove obstacles to openness rather than accommodate members who
come bearing patent portfolios.

In summary, we believe that there are no reasonable restrictions
that could be placed on Web standards, and the proposed
patent policy framework should be rejected because it introduces RAND
licensing. To do otherwise would erode the public’s confidence
in the W3C as well as alienate independent developers whose
free and open source implementations are critical to the
Web’s ecology.
