In Sweden, there is a private network (Sjunet) which is isolated from the Internet. It is used by healthcare providers. Its purpose is to make computers valuable communication devices (I love how the article points this out), but without exposing your hospital IT to the whole Internet. Members of Sjunet are expected to know their networks and keep tight controls on IT.
I guess Sjunet can be seen as an industry-wide air-gapped environment. I'd say it improves security, but at a smaller cost than each organization having its own air-gapped network with a huge allowlist.
I bet that gives hospital IT a false sense of security. A huge intranet is kinda the opposite of modern best practices: https://en.wikipedia.org/wiki/Zero_trust_security_model
It's not exactly like just a WAN or intranet over the Internet. It's a separate network with agreed-on availability guarantees.
The problem is that you think it’s private but it isn’t. If an attacker wants access they’ll get access. At that point the false sense of security is a hindrance, because systems might not have been secured like they would have been on the public Internet.
Who says they're not securing anything apart from being air-gapped from the internet?
It's not necessarily air-gapped. There are many ways to accidentally or deliberately patch the intranet and internet together.
Sjunet is not air-gapped though. Clients can connect via VPN over the internet.
It's not only about security but also availability. If the regular Internet goes down for some reason, the private network (is meant to) keep operating.
So they actually have multiple physical sets of cables?
Yes, I think so. There's not much public information, perhaps on purpose.
Yes, because we all know how secure the things on the public Internet are. /s
Nobody's saying that a private network doesn't have to be properly secured, you're fighting a strawman argument.
Maybe knowing there are many institutions on the network is a good motivation to keep services secure. It's apparent any hospital or vendor may be breached. So if you overcome the false sense of security, the separate network will give you another layer of defense.
Secure is not a binary term.
If Sjunet is managed as a number of interconnected airgapped networks then I for sure find that more secure than an Internet-connected network. The attacker surely still has vectors in but whole classes of common attacks are mitigated.
Even if it is just "one big intranet" it is still better than one big intranet with one really good ((zero) trust me bro!) firewall to the Internet.
Various levels of zero trust principles can easily be applied within Sjunet. That makes it better in my eyes.
For critical infrastructure I find this an important step. In the end security relies on us stupid humans. And it is easier to manage an airgap. It is the number of things we do afterwards to bypass it which is the problem.
The idea of an Intranet is still sound. But private does not mean secure. It is just a security layer. The next layer is if you run it fully open. Are the rooms locked? Do you require 802.11X certificates for connectivity? Are all ports open for all clients/hosts? Do you have a sensible policy for your host configuration? Have you segmented the network even further? Etc. Etc.
So your point is still valid for sure! You should secure it like on the public Internet aka a hostile environment. That is the important takeaway.
My point is that it should not be used as an argument against a private network. For large critical infrastructure such as hospitals it makes good sense. It is an added layer for the attacker to overcome - it is not security theater. For some the hassle might not be worth the while but that is then the trade-off as with all forms of security.
It ain't binary but discussions often end up like that. Done right it can be additive. Done wrong it just adds pain and agony.
We all dread the security theatre. I boldly claim this ain't it.
You know what I've seen give decision-makers a false sense of security?
"Zero Trust Architecture" and not thinking too deeply about the extent to which you're not actually removing overall trust from the system, just shifting and consolidating much of it from internal employees to external vendors.
I'm not even thinking about CS here. It's curious to see what the implications on individual agency and seem to become when the "Zero Trust" story is allowed to play out - not by necessity but because it's "the way we do things now".
(As the wiki page you linked notes, the concept is older and there are certainly valuable lessons there. I am commenting on the "ZTA" trend kicked off by NIST. I bet the NSA are happy about warm reception of the message from industry...)
In principle, there are many good practices for zero trust architecture that make it viable to have a secure network while keeping it open. And also in principle, even then you'd still not want to make it open because you gain nothing by it.
In practice, no big company follows any of those practices. So, yeah, anything that's derived from "Zero Trust Architecture" is wrong from its inception.
I think we saw how it plays out in the last few days.
If you can't trust anything, you can't do anything. The result is that people who actually need to get their job done then circumvent the entire system and reduce security to absolute zero. As much as the average security expert would like to lock everyone in a padded room forever, there needs to be an acceptable trade-off level of safety and usability.
Post-its with passwords are the most classical example, but removing internet access from an entire institution is just gonna lead to people bringing their own mobile networked devices and does honestly sound like a completely braindead idea.
Post-its with passwords aren’t the worst in security. Physical access to the note is required to get the password. One post-it under each keyboard with a different password is better than the same password shared widely.
Why?
They can just as effectively use (e.g.) Nessus/Rapid7/Qualys to do security sweeps of that network as any other.
At my last job we had an IoT HVAC network that we regularly scanned from a dual-homed machine where the on-network devices could not get to the general Internet (no gateway).
That is a solution for companies like Google or non-essential cloud software providers. For all others, serious network segmentation is the safer approach. You could argue that this network is far too large and that is probably true.
There is future tech on ancient software stacks. There is no safe solution to put it on the net directly.
AWS was an example in the article. Easy to get a fixed IP? True. Getting a fixed IP for outgoing traffic? Not that easy anymore - AWS is nice, but for many applications it just isn't a solution.
Denmark has something quite similar (Sundhedsdatanettet).
What a tongue twister for non-Danish-speaking people :D
It’s even better when you know that the proper pronunciation is essentially “soondhldlddlnl”
(Source: I speak Danish as a second language. I used to think Georgian was the language with the most consecutive consonants but then I learned how little the Danes respect their vowels so now I know better)
Obligatory reminder of https://youtu.be/s-mOy8VUEBk?si=QTjx6KEmOuPUoq9I
"Why Danish sounds funny" is more informative: https://www.youtube.com/watch?v=eI5DPt3Ge_s
In English we would put spaces between parts of a "compound" word.
Sund-hed is "sound-ness" (or even "sound-hood"), i.e. health.
In Norway this is called engelsk orddeling and is a source of gentle amusement, or occasionally outbursts of irritation.
See https://www.diskusjon.no/blogs/entry/878-orddeling-en-engels...
Yep. Not putting spaces on compound words doesn't twist the tongue but twists the eyes!
Eyetwister
Sundhedsdatanettet actually runs on "public IPs". They aren't public, they aren't routed and they certainly are not connected to the internet, but they do exist within a public range. Not sure why a private range wasn't picked, but I'd guess it's to avoid conflicts with other networks.
Could that actually provide a benefit, in that if someone accidentally DOES connect it to the public internet, all sorts of things break immediately and obviously?
If the two networks are entirely separate, and they absolutely must be, then there's no reason for addressing concerns of one to influence the other one iota. (Except that certain OSes might have baked-in assumptions about things like the 127/8 network, so you'd have to work around those.)
Sjunet also uses public IP, but never exposes those on the Internet. No clue why, probably it turned out to be the easiest solution to avoiding collision with private ranges used at all member organizations.
UK has that (called the HSCN). I don't think it's a good thing. Couple of years ago you had to pay hundreds of dollars for a TLS certificate because there were only a couple of 'approved' certificate providers. It also provides a false sense of security and provides an excuse for bad security policies. The bandwidth is low and expensive.
Whether an implementation is bad is orthogonal to whether the idea itself is good.
I don't agree fully. If some idea looks really good but implementations tend to be very problematic then the idea is likely presented incompletely or inaccurately, because it carries some hidden/non-apparent risk.
Some good-looking ideas almost always result in beneficial implementations, some good-looking ideas almost always result in bad implementations.
If all implementations of a "good" idea are bad then that's a strong indication that the "good" idea might have some significant flaws.
If the "good" idea has some bad implementations as well as some good implementations (like the Swedish network example?) then perhaps you shouldn't dismiss the "good" idea so quickly.
Sure, let's get to concrete things. What is a separate physical network worth, availability wise? Kind of hard to answer. It depends on the threat model. Even geography.
In this case though the two things are closely intertwined. The reason we all use the internet is because it is the most fit-for-purpose network for moving bits around between intranets. If there was a substantially more effective way to do it then it'd be cheaper or better and we'd all migrate to it over time. Countless businesses at all levels of the abstraction stack labour to make the internet cheaper and more convenient (CDNs are unbelievable, I say!).
So people choosing to create a new network are, with high confidence, going to end up with networks that are substantially worse at moving bits around cost effectively than the internet. The reality that they are inconvenient and expensive is built in once the deliberate choice is made to avoid the internet. It might be worth the cost, but the cost comes with the idea.
Not sure what you are even referring to. Could you be specific? Got examples in mind?
It’s not sure it’s quite the same, HSCN does provide border connectivity to Internet as well as a peering exchange. Sjunet on the other hand is an entirely private network with no border connectivity. I have dealt with both.
That's a (highly predictable) implementation problem of HSCN, not a problem with the idea. These complaints boil down to the same old thing: stupidly written law setting a (potentially) good policy up for failure.
The same argument was against seat belts in cars and bicycle/motorcycle helmets. IMHO this argument is rarely good. False sense of security should not be addressed by removing protection.
It should not be used as an excuse but bad policies in an air-gapped network are less bad than bad policies in the Internet-connected one. I doubt policies will quickly improve as soon as you connect to the Internet.
Given the state of IT in healthcare in pretty much every other country, is there any reason to believe "Members of Sjunet are expected to know their networks and keep tight controls on IT" has any meaning? Does the government audit every computer on the network? Are they all updated with the latest patches? Do we know people aren't plugging in random USB devices, etc..?
Yeah. As someone who has literally been in this industry.. As sad as it is, it's a pretty massive ask to expect all healthcare places to have their security "tight". All it takes is one lax clinic or hospital (and truth be told they are ALL lax in their security in one way or another) for it to come crumbling down.
Are the latest patches security updates?
My understanding is that the members need to sign a contract to join Sjunet. I'm not sure of penalties, but being kicked out of Sjunet is likely an incentive for decent IT staffing.
I kinda wish there was a WAN the way internet used to be in the 90s. With more hobby stuff, no commercial things and no regulations.
A bit like Tor but without all the creepy stuff I guess.
There are several overlay WANs for fun and learning. For example, check out DN42.
Interesting, thanks! I will check it out.
Poland has the little-known "źródło" (meaning "source" in English).
It's a network that interconnects county offices, town halls and such, giving them access to the central databases where citizens' personal information is stored. It's what is used when e.g. changing your address with the government, getting a new ID card, registering a child or marriage etc.
As far as I know, the "Źródło" app runs on separate, "airgapped" computers, with access to the internal network but not the internet, using cryptographic client certificates (via smart cards) for authentication.
No computers connected to the internet in Swedish hospitals?
If there are, a bridge could be made willingly or not. OFC it's more secure than everything on the internet.