In Sweden, there is a private network (Sjunet) which is isolated from the Internet. It is used by healthcare providers. Its purpose is to make computers valuable communication devices (I love how the article points this out), but without exposing your hospital IT to the whole Internet. Members of Sjunet are expected to know their networks and keep tight controls on IT.
I guess Sjunet can be seen as an industry-wide air-gapped environment. I'd say it improves security, but at a smaller cost than each organization having its own air-gapped network with a huge allowlist.
You know what I've seen give decision-makers a false sense of security?
"Zero Trust Architecture" and not thinking too deeply about the extent to which you're not actually removing overall trust from the system, just shifting and consolidating much of it from internal employees to external vendors.
I'm not even thinking about CS here. It's curious to see what the implications on individual agency seem to become when the "Zero Trust" story is allowed to play out - not by necessity but because it's "the way we do things now".
(As the wiki page you linked notes, the concept is older and there are certainly valuable lessons there. I am commenting on the "ZTA" trend kicked off by NIST. I bet the NSA are happy about the warm reception of the message from industry...)
In principle, there are many good practices for zero trust architecture that make it viable to have a secure network while keeping it open. And also in principle, even then you'd still not want to make it open because you gain nothing by it.
In practice, no big company follows any of those practices. So, yeah, anything that's derived from "Zero Trust Architecture" is wrong from its inception.
> I bet that gives hospital IT a false sense of security.
Why?
They can just as effectively use (e.g.) Nessus/Rapid7/Qualys to do security sweeps of that network as any other.
At my last job we had an IoT HVAC network that we regularly scanned from a dual-homed machine where the on-network devices could not get to the general Internet (no gateway).
That is a solution for companies like Google or non-essential cloud software providers. For all others serious network segmentation is the safer approach. You could argue that this network is far too large and that is probably true.
There is future tech on ancient software stacks. There is no safe solution to put it on the net directly.
AWS was an example in the article. Easy to get a fixed IP? True. Getting a fixed IP for outgoing traffic? Not that easy anymore - AWS is nice, but for many applications it just isn't a solution.
If you can't trust anything, you can't do anything. The result is that people who actually need to get their job done then circumvent the entire system and reduce security to absolute zero. As much as the average security expert would like to lock everyone in a padded room forever, there needs to be an acceptable trade-off level of safety and usability.
Post-its with passwords are the most classical example, but removing internet access from an entire institution is just gonna lead to people bringing their own mobile networked devices and does honestly sound like a completely braindead idea.
Post-its with passwords aren't the worst in security. Physical access to the note is required to get the password. One post-it under each keyboard with a different password is better than the same password shared widely.
The problem is that you think it’s private but it isn’t. If an attacker wants access they’ll get access. At that point the false sense of security is a hindrance, because systems might not have been secured like they would have been on the public Internet.
If Sjunet is managed as a number of interconnected airgapped networks then I for sure find that more secure than an Internet-connected network. The attacker surely still has vectors in but whole classes of common attacks are mitigated.
Even if it is just "one big intranet" it is still better than one big intranet with one really good ((zero) trust me bro!) firewall to the Internet.
Various levels of zero trust principles can easily be applied within Sjunet. That makes it better in my eyes.
For critical infrastructure I find this an important step. In the end security relies on us stupid humans. And it is easier to manage an airgap. It is the number of things we do afterwards to bypass it which is the problem.
The idea of an Intranet is still sound. But private does not mean secure. It is just a security layer. The next layer is if you run it fully open. Are the rooms locked? Do you require 802.1X certificates for connectivity? Are all ports open for all clients/hosts? Do you have a sensible policy for your host configuration? Have you segmented the network even further? Etc. Etc.
So your point is still valid for sure! You should secure it like on the public Internet aka a hostile environment. That is the important takeaway.
My point is that it should not be used as an argument against a private network. For large critical infrastructure such as hospitals it makes good sense. It is an added layer for the attacker to overcome - it is not security theater. For some the hassle might not be worth the while but that is then the trade off as with all forms of security.
It ain't binary but discussions often end up like that. Done right it can be additive. Done wrong it just adds pain and agony.
We all dread the security theatre. I boldly claim this ain't it.
Maybe knowing there are many institutions on the network is a good motivation to keep services secure. It's apparent any hospital or vendor may be breached. So if you overcome the false sense of security, the separate network will give you another layer of defense.
It's not only about security but also availability. If the regular Internet goes down for some reason, the private network (is meant to) keep operating.
UK has that (called the HSCN). I don't think it's a good thing. Couple of years ago you had to pay hundreds of dollars for a TLS certificate because there were only a couple of 'approved' certificate providers. It also provides a false sense of security and provides an excuse for bad security policies. The bandwidth is low and expensive.
I'm not sure it's quite the same, HSCN does provide border connectivity to the Internet as well as a peering exchange. Sjunet on the other hand is an entirely private network with no border connectivity. I have dealt with both.
I don't agree fully. If some idea looks really good but implementations tend to be very problematic then the idea is likely presented incompletely or inaccurately, because it carries some hidden/non-apparent risk.
Some good-looking ideas almost always result in beneficial implementations, some good-looking ideas almost always result in bad implementations.
If all implementations of a "good" idea are bad then that's a strong indication that the "good" idea might have some significant flaws.
If the "good" idea has some bad implementations as well as some good implementations (like the Swedish network example?) then perhaps you shouldn't dismiss the "good" idea so quickly.
Sure, let's get to concrete things. What is a separate physical network worth, availability wise? Kind of hard to answer. It depends on the threat model. Even geography.
In this case though the two things are closely intertwined. The reason we all use the internet is because it is the most fit-for-purpose network for moving bits around between intranets. If there was a substantially more effective way to do it then it'd be cheaper or better and we'd all migrate to it over time. Countless businesses at all levels of the abstraction stack labour to make the internet cheaper and more convenient (CDNs are unbelievable, I say!).
So people choosing to create a new network are, with high confidence, going to end up with networks that are substantially worse at moving bits around cost effectively than the internet. The reality that they are inconvenient and expensive is built in once the deliberate choice is made to avoid the internet. It might be worth the cost, but the cost comes with the idea.
HSCN was said to be imperfect. It is inherent in the idea of building something like HSCN that sometimes the implementation is just bad in some aspects. actionfromafar's objection to that (idea independent from implementation) is invalid, because inherent in the idea of building something like HSCN rather than just using the internet is that implementations will suffer from relative imperfection. The fact there are relative imperfections is baked into the idea.
Using Latin words isn't a suitable substitute for critical thought. You aren't applying any here. There's a clear difference between these two scenarios. The argument with communism tends to hinge on the assertion that there's been no good real-world implementation of communism. Here, OP is asserting that an implementation is good. That's yet to be refuted based on the actual characteristics of the implementation. You're at the very least being tone deaf.
The same argument was made against seat belts in cars and bicycle/motorcycle helmets. IMHO this argument is rarely good. False sense of security should not be addressed by removing protection.
> provides an excuse to bad security policies
It should not be used as an excuse but bad policies in an air-gapped network are less bad than bad policies in the Internet-connected one. I doubt policies will quickly improve as soon as you connect to the Internet.
That's a (highly predictable) implementation problem of HSCN, not a problem with the idea. These complaints boil down to the same old thing: stupidly written law setting a (potentially) good policy up for failure.
Poland has the little-known "źródło" (meaning "source" in English).
It's a network that interconnects county offices, town halls and such, giving them access to the central databases where citizens' personal information are stored. It's what is used when e.g. changing your address with the government, getting a new ID card, registering a child or marriage etc.
As far as I know, the "Źródło" app runs on separate, "airgapped" computers, with access to the internal network but not the internet, using cryptographic client certificates (via smart cards) for authentication.
Given the state of IT in healthcare in pretty much every other country, is there any reason to believe "Members of Sjunet are expected to know their networks and keep tight controls on IT" has any meaning? Does the government audit every computer on the network? Are they all updated with the latest patches? Do we know people aren't plugging in random USB devices, etc.?
My understanding is that the members need to sign a contract to join Sjunet. I'm not sure of penalties, but being kicked out of Sjunet is likely an incentive for decent IT staffing.
Yeah. As someone who has literally been in this industry... As sad as it is, it's a pretty massive ask to expect all healthcare places to have their security "tight". All it takes is one lax clinic or hospital (and truth be told they are ALL lax in their security in one way or another) for it to come crumbling down.
It’s even better when you know that the proper pronunciation is essentially “soondhldlddlnl”
(Source: I speak Danish as a second language. I used to think Georgian was the language with the most consecutive consonants but then I learned how little the Danes respect their vowels so now I know better)
Sundhedsdatanettet actually runs on "public IPs". They aren't public, they aren't routed and they certainly are not connected to the internet, but they do exist within a public range. Not sure why a private range wasn't picked, but I'd guess it's to avoid conflicts with other networks.
Could that actually provide a benefit, in that if someone accidentally DOES connect it to the public internet, all sorts of things break immediately and obviously?
If the two networks are entirely separate, and they absolutely must be, then there's no reason for addressing concerns of one to influence the other one iota. (Except that certain OSes might have baked-in assumptions about things like the 127/8 network, so you'd have to work around those.)
Sjunet also uses public IPs, but never exposes those on the Internet. No clue why, probably it turned out to be the easiest solution to avoid collisions with private ranges used at all member organizations.
As others suggest: Sjunet is not really "private", in the sense that you can bet that there are unsupervised machines connected to it via some of the legit machines (or via some of the comm. equipment), which are also connected to the rest of the Internet via another Ethernet or WiFi connection. These can in principle expose open ports for interested parties to act as they wish on the "private" network. And they do so despite the reassuring contract which Sjunet members sign.
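One way to look for the bridging hosts this comment describes, as an added example that is not from the thread and not Sjunet's own tooling: it takes constructed per-host interface and route snapshots (the private network's address range is a documentation-reserved placeholder, an assumption) and flags any host that has an address on the private network and also a default route leading out through some other network.

```python
import ipaddress

# Assumption (not from the thread): the private network's allocation is stood in
# for by TEST-NET-3, a documentation-reserved range, so nothing here is routable.
PRIVATE_NET = ipaddress.ip_network("203.0.113.0/24")

# Constructed snapshots: per host, the relevant lines of `ip -4 addr` and
# `ip -4 route`, reduced to what the check needs.
SNAPSHOTS = {
    # Scanning box as in the earlier comment: on the private net, no gateway at all.
    "scanner": {
        "addrs": ["203.0.113.10/24"],
        "routes": ["203.0.113.0/24 dev eth0"],
    },
    # Clinic PC with a second (Wi-Fi) leg whose default route reaches the Internet.
    "clinic-pc": {
        "addrs": ["203.0.113.42/24", "192.168.1.23/24"],
        "routes": ["default via 192.168.1.1 dev wlan0", "203.0.113.0/24 dev eth0"],
    },
    # Ordinary office server that is not on the private net at all.
    "hq-server": {
        "addrs": ["10.20.0.5/24"],
        "routes": ["default via 10.20.0.1 dev eth0"],
    },
}


def on_private_net(addrs):
    """True if any configured address falls inside the private network range."""
    return any(ipaddress.ip_interface(a).ip in PRIVATE_NET for a in addrs)


def has_default_route_outside(routes):
    """True if a default route exists whose next hop is not on the private net.

    A default route with no `via` (point-to-point link, e.g. a mobile modem)
    is treated as leading outside as well."""
    for line in routes:
        parts = line.split()
        if not parts or parts[0] != "default":
            continue
        if "via" not in parts:
            return True
        gateway = ipaddress.ip_address(parts[parts.index("via") + 1])
        if gateway not in PRIVATE_NET:
            return True
    return False


def find_bridging_hosts(snapshots):
    """Hosts that sit on the private net and can also reach another network by default."""
    return sorted(name for name, snap in snapshots.items()
                  if on_private_net(snap["addrs"]) and has_default_route_outside(snap["routes"]))
```

Run against real snapshots, the same check doubles as an inventory of which member machines are dual-homed, which is the list an operator would want to review under the contract the comment mentions.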