US government's $6bn super firewall doesn't even monitor web traffic

The US government's firewall, named Einstein, is not as smart as its name would suggest. A report [PDF] by the Government Accountability Office (GAO) into the National Cybersecurity Protection System (NCPS) has concluded that it is only "partially meeting its stated system objectives." Which is a polite way of saying it sucks. Among …

  1. Drs. Security

    governments and IT projects

    Interesting to see it's not only the Dutch government making a mess of their IT projects and spending.

    As for Safe Harbour II? Hope Homeland Security is not part of the negotiating team ;)

    1. Charles Manning

      Re: governments and ANY projects

      FTFY....

      I've just been looking at the F22 and F35 tragedies. 10% of the national debt pissed against the wall making two useless generations of planes. The only thing achieved was spending vast amounts of money, with each state making sure they get a good slosh of the gravy.

      1. Anonymous Coward
        Anonymous Coward

        Why are you surprised???

        Pork barrel politics has been a core part of the US government since about 15 minutes after the Constitution was signed.

      2. allthecoolshortnamesweretaken

        Re: governments and ANY projects

        This reminds me of the Great Wall of China. Good idea* on paper, pretty much useless after implementation.

        *Some claim that it was an even bigger failure than usually perceived. Allegedly the project wasn't meant to shield the whole kingdom against barbarian hordes; it started as a garden wall for the emperor's summer palace and then somehow snowballed. Given how bureaucracies worked even then, well...

    2. The Man Who Fell To Earth Silver badge
      Boffin

      Re: governments and IT projects

      Not government. Cops.

      In the US, Law Enforcement Agencies actively go out of their way to NOT hire the best and brightest. Their philosophy, tested by Court Rulings, is that smart people get bored with police & security work, and don't stay around. So why hire them? (See for example, http://abcnews.go.com/US/court-oks-barring-high-iqs-cops/story?id=95836 )

      Really, nothing to see here. Typical Homeland Security. Move along.

  2. Will Godfrey Silver badge
    FAIL

    You couldn't make it up.

    See icon

  3. This post has been deleted by its author

  4. Darryl

    Instead of reinventing the wheel (and making it square, from the sounds of things) wouldn't it have been about 5.5 billion cheaper to pick up the phone and call one of the established firewall/security companies? They could've even supported some US company like Palo Alto or Dell Sonicwall...

    1. ecofeco Silver badge

      It would, but none of them are on the approved pork/insider/lobbyist/defense contractor list.

    2. Mark 85
      Trollface

      Well.. it doesn't work as intended, doesn't really catch anything and is expensive as hell... I think Einstein = McAfee might apply.

    3. a_yank_lurker

      @Darryl - Or have one of them adapt an existing enterprise-grade product for the feral's needs. But it sounds like another feral payola to favored but incompetent cronies.

    4. Charles Manning

      Dear Sir/Madam

      We are fascinated by this curious concept called "cheaper".

      Can we get you and your consulting team at the standard rate of $500/person/hour + expenses to explain it to us? How many years do you think it will need to describe this idea adequately?

      Yours sincerely

      Congressional Procurement Office

  5. scrubber

    Obvious when you consider their priorities

    If all your top IT people are hoovered up into the NSA then you're gonna be left with idiots.

    Still, makes it easy to know what most of the US govt is up to I suppose... If you're a hacker, or China, or Russia, or ISIS.

    1. Gene Cash Silver badge

      Re: Obvious when you consider their priorities

      > gonna be left with idiots.

      Not really. DHS is the dumb clown dumping ground, like Siberia for KGB agents, so they're *all* idiots.

    2. John Brown (no body) Silver badge

      Re: Obvious when you consider their priorities

      "If all your top IT people are hoovered up into the NSA then you're gonna be left with idiots."

      Is the USA really THAT different from the UK and probably every other country in the world? Surely the best are in private industry earning the big bucks and not just taking home a "civil service" wage?

      1. L05ER

        Re: Obvious when you consider their priorities

        think: big fish, little pond.

        not the country's top IT people... DHS's top IT people.

  6. Anonymous Coward
    Flame

    Thank you, Clint Eastwood!!

    If he had never made "Heartbreak Ridge", I possibly never would have heard of the term "clusterfuck", which so perfectly describes this situation.

    Gotta love this article, including some examples of the use of leading-edge technology, such as:

    "In 2009, a second version was deployed that added signatures". Really!? Wasn't signature-based antivirus pretty much solidified by say, 1991 or 1992? Way to win Gulf War #1, guys!! What's next? Is the DHS working on something to "Keep the damned Krauts from coming at our boys in the Ardennes" again?

    Throw another $5.7 billion on the national debt bonfire, why don't you? Hey, it's not like it's real money, after all!

  7. JEF_UK
    WTF?

    SNORT?

    Isn't there a CAPEX rule that says

    "Is there a COTS solution?"

    Hasn't this been done?

    I mean; "Really" done?

    I mean; Have I been hallucinating?

    Perhaps this http://archive.oreilly.com/pub/h/1393 page does not exist and I've not made my own rules?

    It's a bit harder to have a good fully working SSL bump to get all HTML but really just buy some pfSense boxes and be done with it.

    Pay for the support too. They will need it.

    still have change for a Mars base...

    It's 50/50 FAIL/WTF

  8. Diodelogic

    At least 90% of the Register's readers

    could have written this article after being told nothing more than the name of the department in charge of the firewall, although he/she might not have gotten the statistics exactly right.* That would apply to a British version as well.

    *The only surprising information is that the firewall caught as much as 29% of the intrusions. I'd have guessed somewhere in the 6-9% range.

    1. veti Silver badge

      Re: At least 90% of the Register's readers

      True, but the numbers are important. That's why the GAO spends half a billion dollars a year working them out.

    2. Andrew Hodgkinson
      Holmes

      Re: At least 90% of the Register's readers

      Diodelogic wrote:

      > The only surprising information is that the firewall caught as much as 29% of the intrusions. I'd have guessed somewhere in the 6-9% range.

      It didn't. It caught 29 of them. 29, not 29%. Which was indeed, as both your guess and the article say, around 6%.

      1. Old Handle

        Re: At least 90% of the Register's readers

        It's still better than the TSA is at their job, so by DHS standards this project exceeded expectations.

        1. Roj Blake Silver badge

          Re: At least 90% of the Register's readers

          Isn't the TSA a part of the DHS though?

          1. Old Handle

            Re: At least 90% of the Register's readers

            Of course. Just pointing out that as bad as this was, another branch of their organization managed to fail even harder.

  9. Anonymous Coward
    FAIL

    You know it makes sense

    The DHS was created by President George W Bush.

    Figures....

  10. Crazy Operations Guy

    Off-the-shelf system

    For even $57 dollars, I could throw together OpenBSD, Squid, Bro, OpenSMTPD, and ClamAV on a basic, off-the-shelf piece of hardware that actually does what the project should've been capable of doing. Point the machines to update from an internal server for the super-secret signatures they are checking for and you're good to go.

    A quad-core box, 32 GB of RAM, and 640+ GB of disk would be enough for such a system. (Pricing such a thing on NewEgg comes out to about $750). Those applications support clustering, so there's your reliability and scale.

    1. Adam 52 Silver badge

      Re: Off-the-shelf system

      Oh dear. You probably need to think a little harder about the scale, variability and distribution of the US government.

      1. SolidSquid

        Re: Off-the-shelf system

        Considering the budget for this would allow you to buy over 8 million of those, I'd say scale isn't likely to be a problem with the off-the-shelf approach

  11. Bill Stewart

    So it's about $1000-$2000/user?

    I'm not sure how many government employees it's covering, but it seems like there'd be much cheaper commercial solutions around.

  12. David Pollard
    Joke

    "... six per cent coverage ... for $6bn"

    Obviously they need an increase of funding to $100bn to achieve 100% coverage.

    1. Ole Juul

      Re: "... six per cent coverage ... for $6bn"

      I was about to write the same thing, but then I got to thinking. The first 6% is probably way cheaper than the last 6%. In fact the curve might even be exponential. I'd say it would be closer to $1 trillion to get into the 90% range. Anyway, in the end it's just a lolfest on salary. Like others have suggested, putting the money toward a workable solution might be more prudent.

      1. Crazy Operations Guy

        Re: "... six per cent coverage ... for $6bn"

        I've always seen it as a bath-tub curve. The first 5% is near impossible since the product is untested and there is still a bit of a teething phase, the next 90% flies by without issue, then the last 5% would be those weird corner cases and mission-critical stuff that can't be down for changes. And it always seems to be that that last 5% is the group that needs it the most, such as the systems that everything is dependent on and thus needs the most protection, but you can't take it down because everyone is depending on it being accessible constantly...

    2. SolidSquid

      Re: "... six per cent coverage ... for $6bn"

      Don't be silly, government IT spending is done on an *exponential* curve, not linear. They need $6 trillion to hit 60% coverage

  13. Anonymous Coward
    Anonymous Coward

    Fascism/Corporate Welfare at its worst

    5 billion here, 5 billion there, pretty soon we are talking about real money.

    This is how Fascism and Corporate Welfare get fat while our basic infrastructure crumbles.

  14. Bob Dole (tm)
    Holmes

    Considering there's no way they actually spent 5.7 bil on that piece of crap, what was the money actually spent on?

    1. Mark 85

      Well there's meetings.. so donuts and coffee. Then there's travel to inspect something. Then there's fancy logos and catchy names for stuff. Oh.. and the director's office needed redecorating.

      1. Crazy Operations Guy

        Don't forget the luxury team-building retreats to Dubrovnik or the industry trade shows in Maui. The expensive auditors to ensure that the development process is complying with all the random ISO standards and six-sigma training, then halfway through, trying to implement the "lean" methodology (because something that works for Toyota is -totally- going to work for a software product...)

        I wish I was being facetious, but that happened to me last year. A project that was supposed to be 6 weeks (which I almost finished in week 3) but has been going on for 8 months now because the managers keep going to seminars about how to get projects back on track by using some new, cutting edge process...

    2. This post has been deleted by its author

  15. Anonymous Coward
    Anonymous Coward

    You're missing the point

    It doesn't cost $5.7 billion to make a firewall. They spend $5.7 billion on firewall systems because it's not an import from China. So the money is spent in the US, and grows the US economy.

    When your major business is printing money, finding bigger mattresses to stuff it under becomes ever harder. So they spend it on military and security stuff, knowing they can *require* that money be spent on US companies for 'security' reasons, hence the money stays in the US, at least for one iteration.

    Take a look, this is *adjusted* numbers to 2005 dollars! The devalued dollars would look much much worse:

    http://www.usgovernmentspending.com/us_gdp_history

    It's not going to get better, they moved from manufacturing stuff to manufacturing fear.

    1. David Pollard

      Re: You're missing the point

      Sadly A/C seems not so far wrong. Here's the xkcd money chart:

      https://www.xkcd.com/980/

  16. ToFab

    How is it even possible to spend 6 billion dollars on this?

    Cost: 6.000.000.000 USD

    Years of development 2016 - 2003 = 13

    Avg. annual wages of a developer: 100.000 USD

    Have 4.600 people been working full time on this for 13 years?

    Seriously.

    1. CrazyOldCatMan Silver badge

      > Have 4.600 people been working full time on this for 13 years?

      Ah bless. I remember being young and thinking that budgets would be spent on *actually* doing stuff..

      I'd be surprised if more than 25-30% got spent on people actually doing real stuff (coding/testing/sysops).

  17. simonorch

    Cui Bono

    The public sector is about keeping people in work, anything useful that may be a result of that work is purely coincidental and should be considered as a bonus.

    1. Roj Blake Silver badge

      Re: Cui Bono

      Wrong.

      In most modern Western economies the public sector is about keeping private companies (ie Civica, Halliburton, Serco, G4S et al) in work.

  18. BurnT'offering

    So they've proved the firewall is ineffective

    I wonder if it's also insecure. It would be slightly ironic if it gets owned by Ukrainian hackers

  19. Anonymous Coward
    Anonymous Coward

    hardly a firewall

    more of a slightly warm wall...

    So it's a system set up to defend other departments' networks, built and run by a department that says it's not its job to defend.

    It finds 6% of threats, which is just as likely to be random failures of the controls as actual detections.

    And you expect admins to integrate with the service provider without a service and allow it to packet inspect all of your traffic???

    Thus making it insecure, unreliable, expensive, complex...and unbelievable (as a non american...)

    1. I am not spartacus

      Re: hardly a firewall

      Seriously, though, it is exactly a firewall.

      What has happened is that people have got used to all sorts of non-primary functions being built in to domestic firewall products and have started mistaking them for what a firewall has as its primary function.

      Raises questions about the procurement process, and who worked out the specification and what was in it. I suspect it was really inadequate, and the actual firewall does what is specified, but that could be wrong.

      Mind you, I'm not sure how you can spend that much on a firewall, even if you try to spend to the max. Even if you are the gubmint...

      1. Vic

        Re: hardly a firewall

        What has happened is that people have got used to all sorts of non-primary functions being built in to domestic firewall products and have started mistaking them for what a firewall has as its primary function.

        Your point notwithstanding, setting -A INPUT --dport 80 -j ACCEPT hardly counts as a firewall...

        Vic.
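To make Vic's point concrete: a lone `-A INPUT --dport 80 -j ACCEPT` filters nothing when the chain policy is ACCEPT, because an unmatched packet falls through to the policy. The toy evaluator below is an added example (not code from the thread or from The Register); it reads two constructed iptables-save style rulesets, walks the INPUT chain first-match-wins as iptables does, and returns the verdict for a sample packet. It only understands the handful of options used in the samples (`-p`, `--dport`, `-i`, `--ctstate`, `-j`) and treats any other option as an error rather than guessing.

```python
"""Added example: first-match evaluation of an iptables INPUT chain,
showing that one ACCEPT rule with an ACCEPT policy is not a firewall."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Rule:
    target: str                       # -j ACCEPT / DROP / REJECT
    proto: Optional[str] = None       # -p tcp|udp
    dport: Optional[int] = None       # --dport N
    iface: Optional[str] = None       # -i lo
    states: frozenset = field(default_factory=frozenset)  # --ctstate A,B


@dataclass
class Packet:
    proto: str
    dport: int
    iface: str = "eth0"
    state: str = "NEW"                # conntrack state: NEW / ESTABLISHED / RELATED


def parse_input_chain(text: str) -> Tuple[str, List[Rule]]:
    """Return (policy, rules) for the INPUT chain of an iptables-save dump.
    Accepts ':INPUT POLICY [p:b]' headers, '-P INPUT POLICY' command form and
    '-A INPUT ... -j TARGET' rules; other chains, '*filter' and 'COMMIT' are skipped."""
    policy = "ACCEPT"                 # iptables' built-in default if never set
    rules: List[Rule] = []
    for raw in text.splitlines():
        toks = raw.split()
        if not toks:
            continue
        if toks[0] == ":INPUT":
            policy = toks[1]
            continue
        if toks[:2] == ["-P", "INPUT"]:
            policy = toks[2]
            continue
        if toks[:2] != ["-A", "INPUT"]:
            continue
        rule = Rule(target="")
        i = 2
        while i < len(toks):
            opt = toks[i]
            arg = toks[i + 1] if i + 1 < len(toks) else None
            if opt == "-p":
                rule.proto = arg
            elif opt == "--dport":
                rule.dport = int(arg)
            elif opt == "-i":
                rule.iface = arg
            elif opt == "--ctstate":
                rule.states = frozenset(arg.split(","))
            elif opt == "-j":
                rule.target = arg
            elif opt == "-m":
                pass                  # match module name; its own options follow
            else:
                raise ValueError(f"unsupported option {opt!r} in: {raw}")
            i += 2
        if not rule.target:
            raise ValueError(f"rule without -j target: {raw}")
        rules.append(rule)
    return policy, rules


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when every specified criterion agrees with the packet."""
    return ((rule.proto is None or rule.proto == pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport)
            and (rule.iface is None or rule.iface == pkt.iface)
            and (not rule.states or pkt.state in rule.states))


def verdict(ruleset: str, pkt: Packet) -> str:
    """First matching rule decides; an unmatched packet gets the chain policy."""
    policy, rules = parse_input_chain(ruleset)
    for rule in rules:
        if matches(rule, pkt):
            return rule.target
    return policy


def is_default_deny(ruleset: str) -> bool:
    """The quick check an auditor wants: does unmatched inbound traffic die?"""
    policy, _ = parse_input_chain(ruleset)
    return policy in ("DROP", "REJECT")


# Constructed sample rulesets (not captured from any real host).
ONE_RULE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
"""

DEFAULT_DENY = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    ssh = Packet("tcp", 22)
    for name, rs in (("one rule", ONE_RULE), ("default deny", DEFAULT_DENY)):
        print(f"{name}: default-deny={is_default_deny(rs)}, "
              f"tcp/22 -> {verdict(rs, ssh)}, tcp/80 -> {verdict(rs, Packet('tcp', 80))}")
```

Run as a script, the one-rule set accepts the SSH probe exactly as it accepts port 80, while the default-deny set admits loopback, replies to established flows and port 80 and drops everything else. That second shape (policy DROP, explicit allows) is the minimum before calling a ruleset a firewall.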

  20. PaulAb

    Springfield Nuclear facility is better served with Homer at the helm

    This system wouldn't belong to the same government that wants back doors in crypto and certificates.

    A government who work closely with UK security organisations who themselves failed to produce a communications protocol, a protocol that is inherently flawed against any moderately aggressive attack.

    Does this mean that Homeland Security system users don't need to use OpenVPN to hide their porno adventures? Yep, sounds like a government project.

    I'll have some of that then, I'm sure I could do this for under £300 quid all in and I'll buy my own Lunch.

  21. Phil Kingston

    I'd have done it for 5bn.

  22. allthecoolshortnamesweretaken

    What the...

    ... oh, DHS, you say? Right, carry on.

  23. Jim O'Reilly
    FAIL

    Buying Symantec

    For $6.8 Billion, the gov could have bought Symantec, gotten decent systems, provided NSA with backdoors galore and still have change

  24. The Islander
    Big Brother

    Surprised ..

    .. that no one has suggested:

    a) it's deliberate misdirection to lull us into a sense of superiority

    or

    b) it was hamstrung from within by people who didn't like where this could lead.

    No shortage of commentards here usually proclaiming conspiracy and dissemination of orchestrated disinformation ...

    Or maybe Occam would call it just right

  25. AustinTX
    Big Brother

    THIS

    is how I would either scam the government for money, or squirrel away money for a black operation. Depending on whether I were a well-connected defense contractor or an alphabet agency with covert side-projects.

  26. John Smith 19 Gold badge
    Unhappy

    too bad it wasn't in place before the OPM had all its files copied

    Oh, it was.

    I wonder if it spotted anything?

  27. Grahame 2
    Joke

    Blackadder

    Blackadder: How did you manage to find a firewall that cost six billion dollars?

    Baldrick: I had to haggle.
