|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: White House to Propose System for Wide Monitoring of Internet(fwd)
On Fri, 20 Dec 2002, Christopher L. Morrow wrote: :Cough! Heh. Bless you. ;) :This is incorrect, this isn't implemented, its not implementable, current :routing gear doesn't gre tunnel a) fast enough, b) at all.... HOWEVER, :juniper will allow you to copy packets on an interface in 5.5 or perhaps a :bit later code, this is one way to implement this... however having a new :oc-X for each oc-X you wanna monitor. I wonder if there is a limit to the :amount of fiber the OCS/NCS/NPIC wants to monitor? I was told it was implemented when I called security a couple of years ago, and then my other questions were met with "no comment". "No comment" is the appropriate response to a stranger calling and asking for security information, and doesn't imply any other answer, and I am willing to accept that it is no longer implemented, but somebody told me it was. I am willing to accept that the person I spoke to misinterpreted my question. That said, I don't think it's economical to want to tap an oc-X, but being able to grab single sessions doesn't necessarily have to scale if they aren't grabbing lots of them, and can access them relatively close to their source. It's the same issues as running IDS's. Lets say you have a an IDS load balancer sitting on a GigE span port with a few sensors watching everything go by. If an alert is triggered, a script is executed which goes out to the router closest to the origin of the session and initiates the overlaid tunnel. :even if the gre tunnel (Center Track (c) Robert Stone, et al.) idea worked :right and scaled correctly things would still be 'expensive'... to :monitor/maintain/manage. Well, one would assume that these features would be necessary for the maintainance of a robust security policy and architecture implementation. The value is the same value that you get from regular IDS's, just with a new customer. :Sure, or they could ask carriers to tap lines for them silently... in fact :they can do that today with a court order. Indeed, and building features for automating the initialization of those taps into the network is not extrordinarily difficult. (I retract my "profoundly simple" comment.) The cost of doing so is another loss avoidance cost that would be integrated into the overhead cost that we currently call security anyway. Are you suggesting that there might be money to be made by someone who offered to integrate this sort of surviellence architecture into a network? -- batz
|