[ISN] Getting to the Root of All E-Mail

From: InfoSec News (isnat_private)
Date: Sun Mar 31 2002 - 23:55:03 PST

  • Next message: InfoSec News: "[ISN] Whatever Happened to Carnivore?"

    Forwarded from: William Knowles <wkat_private>
    By David McGuire
    Friday, March 29, 2002; Page E05 
    Squatting unobtrusively on the banks of a man-made pond in an 
    unremarkable corporate subdivision a few miles outside the Beltway, 
    the home of the Internet's authoritative root server and master 
    registry of dot-com addresses is virtually indistinguishable from the 
    other red-brick office buildings that surround it.
    Despite its humdrum facade, VeriSign's Network Operations Center (NOC) 
    is one of the most important physical locations in the virtual world, 
    and since Sept. 11 it has proven irresistible to dozens of government 
    officials who have sought to assure themselves that the Internet is 
    safe from physical and electronic attacks.
    "Security and stability are like Siamese twins. You cannot have 
    stability without security," said Mark Rippe, vice president of 
    technical operations for VeriSign Global Registry Services. "If people 
    can come and mess with your system, one way or another, you have no 
    control over your systems. . . . Our primary function is the stability 
    of the global Internet."
    Obscurity is the first line of defense. The building is unmarked, its 
    address unspecified in company literature and its managers 
    tight-lipped about disclosing driving directions or identifying 
    markings to strangers.
    While the location of the building is not a true secret -- dozens if 
    not hundreds of Internet addressing insiders know where it is -- it 
    would be difficult for a casual vandal or criminal to stumble across 
    it, Rippe said.
    Visitors start with a stroll through a metal detector and past a guard 
    desk, much as they would in any moderately secure office building. 
    They take an elevator to the top floor, where security is tightest and 
    inconspicuous cameras monitor the hallways. The few entrances to the 
    operations center and server rooms can only be reached through 
    antechambers called "mantraps" which are outfitted with scanners that 
    read the unique contours of visitors' palms.
    If an unauthorized visitor places his hand in the scanner it triggers 
    a lockdown, sealing the intruder in one of the narrow, wood-paneled 
    closets until security forces arrive to remove them.
    Beyond the first mantrap, inside the operations center, a handful of 
    employees keep tabs on rows of computer monitors and a wall of flat 
    screens that continuously scroll diagnostics across maps of the world 
    that show locations of key Internet servers. The constantly updated 
    figures map the number of requests the servers are receiving each 
    moment, and how well they are handling the load. 
    From here, technicians watch for unusual activity that could signal 
    some sort of electronic attack.
    "We see a lot of spikes or peaks or things that might indicate [denial 
    of service] attacks," Rippe said. Those blips represent a much more 
    substantial security concern for the addressing officials than do the 
    threat of physical attacks, Rippe said. From the operations center, 
    technicians can take steps to counter threatening electronic activity, 
    Rippe added.
    Adjoining the operations center, behind another mantrap, are twin 
    rooms that house the essential computers that serve as the heart of 
    the Net. Here, hundreds of whirring computer fans and an 
    industrial-strength air conditioner drown out anything quieter than a 
    close-range shout. Black, seven-foot-tall computer server towers are 
    aligned in rows that stretch nearly the length of the room. The white 
    floor is slotted to allow airflow and a steady, conditioned breeze 
    streams up from below, making all metal surfaces in the room cool to 
    the touch. Small dome-like security cameras, similar to those used in 
    casinos, pock the white ceiling, evenly spaced between chemical fire 
    suppression devices. There isn't a cranny of the server area where a 
    person could hide from surveillance.
    Between the server hedgerows are several equally tall storage units, 
    where the continually updated master lists of the addresses registered 
    in dot-com, dot-net and dot-org are stored.
    And tucked away in a less-traveled back corner of one of the server 
    rooms, behind the door of a black tower that looks no different than 
    any of the others, is the principal reason for all the precautions: 
    the A root server.
    Most people envision the Internet as a global network that resides on 
    no single physical system or network of systems. While that picture is 
    roughly correct, key pieces of the Internet's technological backbone 
    are concentrated in a handful of physical locations around the world.
    The Domain Name System (DNS) makes the Web easy to navigate by 
    translating long Internet protocol (IP) numbers into memorable Web and 
    e-mail addresses. It relies on a hierarchy of physical root servers to 
    inform computers connected to the Internet where they need to look to 
    find specific locations online.
    At the top of that hierarchy is the A root server, which every 12 
    hours generates a "zone" file, which in turn tells a dozen other root 
    servers spread around the world what Internet domains exist and where 
    they can be found.
    One rung below the root servers in the Internet hierarchy are the 
    servers that house Internet domains such as dot-com, dot-biz and 
    dot-info. Three of the largest and most widely used of those domains 
    -- dot-com, dot-org and dot-net -- are run alongside the A root server 
    at the Network Operations Center.
    VeriSign manages the A root server and dot-com registry under 
    contracts with the Commerce Department and global Internet addressing 
    But despite the precautions that go into protecting the assets in the 
    facility, Rippe said the Internet would not be irreparably harmed if 
    the building were to vaporize tomorrow.
    "The last thing I'd want someone to think is that they could put a 
    bomb around their waist and hug the A root and think they're going to 
    significantly impact the Internet," Rippe said.
    Rippe said that while such an attack could kill many employees, the 
    Internet's addressing system is designed to withstand the destruction 
    of much of the physical infrastructure that houses it.
    The DNS is built so that eight or more of the world's 13 master root 
    servers would have to fail before ordinary Internet users started to 
    see slowdowns, according to John Crain, manager of technical 
    operations for the Internet Corporation for Assigned Names and Numbers 
    ICANN manages the DNS and sets policies for registry operators and 
    domain name retailers.
    "Theoretically, if 'A' were to disappear, we could pick it up from one 
    of the other servers," Crain said. "Moving the place where the zone is 
    picked up is very simple."
    Although the functions of the A root server could be moved elsewhere, 
    Rippe said that VeriSign is well aware that it makes a much more 
    visible target than the other root servers, which perform their 
    functions in comparative anonymity around the world.
    Rippe said that he is always cognizant of the potential threat facing 
    the building.
    High-ranking U.S. officials have also started taking a greater 
    interest in the security of the complex. After Sept. 11, as agencies 
    and departments throughout the federal government began reexamining 
    the security of the critical infrastructure under their jurisdictions, 
    VeriSign hosted a slew of high-ranking visitors.
    While the Web may be worldwide, American scientists relying on U.S. 
    government funding created the technology at the core of the Internet 
    and its global addressing system. The Internet may be a global 
    resource, but much of its infrastructure is still ultimately 
    controlled by the U.S. government.
    In recent years, the government has ceded day-to-day management of the 
    addressing system to the more internationally representative ICANN, 
    but the Commerce Department still has final say in any changes made to 
    the DNS.
    Deputy Commerce Secretary Sam Bodman and White House electronic 
    security adviser Richard Clarke took a guided tour of the center in 
    "The Internet is a critical component of our economy," said Commerce 
    Department spokesman Trevor Francis. "The reason why you're seeing 
    such a focus on VeriSign is that the safety and the integrity of these 
    systems needs to be analyzed and needs to be improved upon regardless 
    of how safe they currently are."
    Francis said that Bodman and Clarke walked away from their visit 
    satisfied with the security measures protecting the VeriSign facility.
    Still, despite clean report cards from high-level observers, the 
    center is likely to remain a focus of scrutiny for some time, as the 
    most visible physical element of a global communications network that 
    has become indispensable in government, commerce and day-to-day life.
    "Communications without intelligence is noise;  Intelligence
    without communications is irrelevant." Gen Alfred. M. Gray, USMC
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Mon Apr 01 2002 - 03:18:10 PST