Forwarded from: William Knowles <wkat_private> http://www.washingtonpost.com/wp-dyn/articles/A33447-2002Mar28.html By David McGuire Newsbytes Friday, March 29, 2002; Page E05 Squatting unobtrusively on the banks of a man-made pond in an unremarkable corporate subdivision a few miles outside the Beltway, the home of the Internet's authoritative root server and master registry of dot-com addresses is virtually indistinguishable from the other red-brick office buildings that surround it. Despite its humdrum facade, VeriSign's Network Operations Center (NOC) is one of the most important physical locations in the virtual world, and since Sept. 11 it has proven irresistible to dozens of government officials who have sought to assure themselves that the Internet is safe from physical and electronic attacks. "Security and stability are like Siamese twins. You cannot have stability without security," said Mark Rippe, vice president of technical operations for VeriSign Global Registry Services. "If people can come and mess with your system, one way or another, you have no control over your systems. . . . Our primary function is the stability of the global Internet." Obscurity is the first line of defense. The building is unmarked, its address unspecified in company literature and its managers tight-lipped about disclosing driving directions or identifying markings to strangers. While the location of the building is not a true secret -- dozens if not hundreds of Internet addressing insiders know where it is -- it would be difficult for a casual vandal or criminal to stumble across it, Rippe said. Visitors start with a stroll through a metal detector and past a guard desk, much as they would in any moderately secure office building. They take an elevator to the top floor, where security is tightest and inconspicuous cameras monitor the hallways. The few entrances to the operations center and server rooms can only be reached through antechambers called "mantraps" which are outfitted with scanners that read the unique contours of visitors' palms. If an unauthorized visitor places his hand in the scanner it triggers a lockdown, sealing the intruder in one of the narrow, wood-paneled closets until security forces arrive to remove them. Beyond the first mantrap, inside the operations center, a handful of employees keep tabs on rows of computer monitors and a wall of flat screens that continuously scroll diagnostics across maps of the world that show locations of key Internet servers. The constantly updated figures map the number of requests the servers are receiving each moment, and how well they are handling the load. From here, technicians watch for unusual activity that could signal some sort of electronic attack. "We see a lot of spikes or peaks or things that might indicate [denial of service] attacks," Rippe said. Those blips represent a much more substantial security concern for the addressing officials than do the threat of physical attacks, Rippe said. From the operations center, technicians can take steps to counter threatening electronic activity, Rippe added. Adjoining the operations center, behind another mantrap, are twin rooms that house the essential computers that serve as the heart of the Net. Here, hundreds of whirring computer fans and an industrial-strength air conditioner drown out anything quieter than a close-range shout. Black, seven-foot-tall computer server towers are aligned in rows that stretch nearly the length of the room. The white floor is slotted to allow airflow and a steady, conditioned breeze streams up from below, making all metal surfaces in the room cool to the touch. Small dome-like security cameras, similar to those used in casinos, pock the white ceiling, evenly spaced between chemical fire suppression devices. There isn't a cranny of the server area where a person could hide from surveillance. Between the server hedgerows are several equally tall storage units, where the continually updated master lists of the addresses registered in dot-com, dot-net and dot-org are stored. And tucked away in a less-traveled back corner of one of the server rooms, behind the door of a black tower that looks no different than any of the others, is the principal reason for all the precautions: the A root server. Most people envision the Internet as a global network that resides on no single physical system or network of systems. While that picture is roughly correct, key pieces of the Internet's technological backbone are concentrated in a handful of physical locations around the world. The Domain Name System (DNS) makes the Web easy to navigate by translating long Internet protocol (IP) numbers into memorable Web and e-mail addresses. It relies on a hierarchy of physical root servers to inform computers connected to the Internet where they need to look to find specific locations online. At the top of that hierarchy is the A root server, which every 12 hours generates a "zone" file, which in turn tells a dozen other root servers spread around the world what Internet domains exist and where they can be found. One rung below the root servers in the Internet hierarchy are the servers that house Internet domains such as dot-com, dot-biz and dot-info. Three of the largest and most widely used of those domains -- dot-com, dot-org and dot-net -- are run alongside the A root server at the Network Operations Center. VeriSign manages the A root server and dot-com registry under contracts with the Commerce Department and global Internet addressing authorities. But despite the precautions that go into protecting the assets in the facility, Rippe said the Internet would not be irreparably harmed if the building were to vaporize tomorrow. "The last thing I'd want someone to think is that they could put a bomb around their waist and hug the A root and think they're going to significantly impact the Internet," Rippe said. Rippe said that while such an attack could kill many employees, the Internet's addressing system is designed to withstand the destruction of much of the physical infrastructure that houses it. The DNS is built so that eight or more of the world's 13 master root servers would have to fail before ordinary Internet users started to see slowdowns, according to John Crain, manager of technical operations for the Internet Corporation for Assigned Names and Numbers (ICANN). ICANN manages the DNS and sets policies for registry operators and domain name retailers. "Theoretically, if 'A' were to disappear, we could pick it up from one of the other servers," Crain said. "Moving the place where the zone is picked up is very simple." Although the functions of the A root server could be moved elsewhere, Rippe said that VeriSign is well aware that it makes a much more visible target than the other root servers, which perform their functions in comparative anonymity around the world. Rippe said that he is always cognizant of the potential threat facing the building. High-ranking U.S. officials have also started taking a greater interest in the security of the complex. After Sept. 11, as agencies and departments throughout the federal government began reexamining the security of the critical infrastructure under their jurisdictions, VeriSign hosted a slew of high-ranking visitors. While the Web may be worldwide, American scientists relying on U.S. government funding created the technology at the core of the Internet and its global addressing system. The Internet may be a global resource, but much of its infrastructure is still ultimately controlled by the U.S. government. In recent years, the government has ceded day-to-day management of the addressing system to the more internationally representative ICANN, but the Commerce Department still has final say in any changes made to the DNS. Deputy Commerce Secretary Sam Bodman and White House electronic security adviser Richard Clarke took a guided tour of the center in November. "The Internet is a critical component of our economy," said Commerce Department spokesman Trevor Francis. "The reason why you're seeing such a focus on VeriSign is that the safety and the integrity of these systems needs to be analyzed and needs to be improved upon regardless of how safe they currently are." Francis said that Bodman and Clarke walked away from their visit satisfied with the security measures protecting the VeriSign facility. Still, despite clean report cards from high-level observers, the center is likely to remain a focus of scrutiny for some time, as the most visible physical element of a global communications network that has become indispensable in government, commerce and day-to-day life. *==============================================================* "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. Gray, USMC ================================================================ C4I.org - Computer Security, & Intelligence - http://www.c4i.org *==============================================================* - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Mon Apr 01 2002 - 03:18:10 PST