"Your" network is not yours. That's right. Not yours. It belongs to someone else. You don't have a "private" network.
But before I continue with that, let me digress a bit. I want to start out the first posts of this blog with some foundation information. I want to make some posts where I talk about the security issues we face today. Because they might not be what many people think they are. If I jumped in and started talking about what we are working on and what we are trying to do, I think a lot of people might think we were crazy. They would think we are trying to solve problems that don't exist. But they do exist, and they need solving. So I'm going to start off my first several blog posts talking about some of the problems that we face that maybe aren't that well recognized.
Keep in mind this is a blog, not a formal document. I'm just going to go through and talk things out as they come through my head, and get the info out there. This isn't something that is reviewed and reviewed and edited and changed and re-reviewed and intended to explain in detail every possible angle, etc. That type of documentation is coming, but it will be out at a different time and a different place. This is just a blog. So I may have a tendency to ramble. Like now. What was I talking about?
Oh yes, I remember now! Your network, and how it really isn't yours. Nope, not yours. OK, ok...some parts of it are definitely yours. But I want to talk about the parts of it that aren't yours.
I want you to think about something for a minute. Have you noticed that so many people are so concerned about their Internet traffic being encrypted, but are much less concerned about their internal traffic being encrypted? Why is this? The obvious answer is "Because the Internet is public, and my internal network is private." It's too bad this obvious answer is so often wrong.
What am I referring to? Your WAN links. They are not private. They are not yours. You've got an office in the US, and an office in Asia? And they are connected by a WAN link? How'd you get that WAN link? You get a big ship and run your own trans-Pacific cable? Set up your own switching stations in the US and Asia? No? What'd you do, then?
What you did is this: You leased a line that is owned by one or more telcos (usually more than one, when it goes to another country). It isn't your WAN link. It's the telco's (or telcos') WAN link. You don't own your WAN links, the telcos do. It isn't your network. You are renting part of THEIR network.
You might be thinking "So what? I trust them to keep my stuff private." (We'll leave alone for a moment what a horrible practice "I trust other human beings" is, but for a starting point, I suggest reading up on the past 4000 years of human history.) You trust them to keep your stuff private, on your "private internal" network.
But here's the thing...you wouldn't trust that information to stay private if it went over the Internet from the US to Asia (nothing about Asia I'm picking on...I'm just staying with the example international link I picked earlier; I picked it because of the dramatic image of someone trying to run their own trans-Pacific cable). You'd insist on it being encrypted. To which I say: Why? THEY ARE THE SAME TELCOS!!! Internet link? Private leased line? Who cares? It's the same telcos! Who do you think owns those trans-Pacific cables, or those communication satellites, for your private leased line? Answer: the same telcos that own those trans-Pacific cables and communication satellites for Internet communications. Lots of the traffic probably goes over the same cables and satellites anyway. So why the difference in thinking?
I'm sure right now some of you are thinking "But what about the local stuff? ISPs? And hotel Internet access? And wireless hot spots?" My answer is: what's the difference? People are people. You think the difference is a matter of how many different people and organizations it goes through? I once worked on a WAN link to an international site, where once it left the offices of a large and famous US communications company, it went through FIVE DIFFERENT LOCAL TELCOS before it got to the office it was going to. People are people, and data is data. If people you don't know can look at it, it is a problem.
It gets worse! You know those telcos in other countries? They don't have to follow your country's laws. And some of them are owned by the foreign governments in which they reside. And some of those foreign governments are actively engaged in industrial espionage against foreign companies operating offices on their soil. You think they never look at the traffic that crosses through their telco offices?
So what does this really mean, in the big picture of things? When we boil this down and try to identify what the problem is and what the solution is, what do we get? What we get is a problem, and a solution.
The problem is that any traffic that is not restricted entirely to that which you truly honestly do 100% own (such as your LANs, and usually not much else) is open to someone being able to look at it. There is no technological barrier to prevent their doing so.
So what's the solution? End-to-end encryption. FOR EVERYTHING. All traffic on your network, from when it leaves one machine on the network, until it reaches the destination machine on the network. Any communication from one machine to another needs to be encrypted. Not encrypted part of the way, but end-to-end. Take away the capability for people to examine your traffic.
You might be thinking "But I WANT my traffic to be open to being examined! Because I need to examine it, too!" That is part of a much bigger issue. Which will be saved for another time...