Most IT professionals are already aware that government intelligence agencies have taken liberties with collecting data from networks around the world.
Recent revelations show that these government efforts may have extended beyond anti-terrorism activities. For example, this article published in Brazil claims that the NSA was spying on Petrobas, Brazil's government-controlled oil company.
The article, referencing documents released by Snowden, also cites targets including French diplomats and the Society for Worldwide Interbank Financial Telecommunication (Swift), a global network for the international exchange of financial transactions.
WAN Encryption Is Mandatory
What do these revelations mean for network engineers and their WANs? Today, it is rare to encrypt traffic that moves across a WAN service provided by a national carrier.
The assumption has always been that WAN circuits such as MPLS, Frame Relay and ATM are "secure and trusted" and that multi-tenancy is assured by carrier processes. The trust is that unencrypted data sent across networks is assured to be safe from theft, intrusion, or copying.
[Traditional security systems aren't doing much to manage risk, but enterprises keep buying. Find out why in "Security Snake Oil for Sale."]
That trust is gone. The national intelligence bodies have provably breached the carrier networks and gathered data for the benefit of their respective economies in the "national interest."
The price premium paid to service providers for the presumption of information security is no longer applicable. WAN services must be discounted to more closely match Internet circuits because they are now at the same level of trust. It may be possible to stop using dedicated WAN Services completely.
First, network engineers must build scale-out, encrypted VPN networks between physical locations. This will require investment in encryption hardware in the central offices. Branch and remote sites should consider replacing dedicated WAN services with Internet connections and encrypted VPNs using IPSec or SSL.
Second, implement new security practices for VPN encryption using public key cryptography instead of pre-shared Keys. It must be assumed that pre-shared keys are no longer sufficient. Read this article for more details on crypto weakness.
Third, consider new devices for VPN end points. It is possible and practical to manage VPNs in remote offices with virtual machines on x86 servers. It is not necessary to expend capital on expensive hardware solutions. Also consider cloud-managed VPN networks that are offered by a number of providers to further reduce the burden.
Customers should note that "MPLS VPNs" are not encrypted or secure in any significant way. There term "Virtual Private Network" has been used for more than a decade to describe IPsec and SSL encryption overlays, but MPLS providers use the literal meaning to describe the capability of sharing a single network between many customers.
The integrity and security of the corporate WAN has not been regarded a major risk in IT security analysis, but the ongoing revelations from NSA/Snowden leaks show that service providers have insecure systems and/or are collaborating with government agencies.
It seems clear that for most companies WAN connections should be encrypted using IPSec or SSL VPNs. Customers should take this opportunity to switch to cheaper Internet services because the presumed advantage of the security of dedicated WAN connections no longer exists. Internet services are significantly less expensive, easier to provision and, often, more readily available that dedicated WAN services.
[Is it possible for security and operational efficiency to coexist? Michele Chubirka dives into this thorny topic in her Interop workshop "Beware the Firewall, My Son! The Jaws that Bite, the Claws that Catch!" Register today!]