D-Star and network security

[kg4ulp]

I am trying to get a D-Star system going at an EOC (Emergency Operations Center) and am having issues convincing the folks who run the network that D-Star does not present a security hole. Basically, the radio club has the D-Star hardware up and running as well as the repeater and tower, but have not gotten approval to run off of the EOC's network.

I have suggested (partly at the behest of someone who responded to my earlier query) that port forwarding and setting up a DMZ for our machine should accomplish this, but I am just a volunteer / long term Linux geek and my word does not carry any weight.

The IT Director states that his network "conforms with PCI (payment card industry) standards" and has to continue that, ensuring the integrity of the network. He also stated that he is trying to contact other county EOCs and has not yet found one who is running D-Star to discuss this with.

If anyone who is in a similar situation and found a solution to this is willing to help out I would appreciate it. I think the best way to get this to work would be for someone who is has D-Star system working in a situation where network security is paramount and is satisfied with their network security could contact me, perhaps I could put you in contact with the IT guy and you could let him know what you did. We have no choice but to share the network with the EOC because we cannot afford our own dedicated network. Thanks for any help. If you want to email me privately, my callsign @ arrl.net works.

Leigh Orf KG4ULP

[Pete AE5PL]

I have suggested (partly at the behest of someone who responded to my earlier query) that port forwarding and setting up a DMZ for our machine should accomplish this, but I am just a volunteer / long term Linux geek and my word does not carry any weight.

The IT Director states that his network "conforms with PCI (payment card industry) standards" and has to continue that, ensuring the integrity of the network. He also stated that he is trying to contact other county EOCs and has not yet found one who is running D-Star to discuss this with.

Leigh Orf KG4ULP

Hi Leigh,

I will speak from the standpoint of my CISSP certification (your EOC IT Director should know what that means).  The D-STAR gateway is as secure as any other system on their network, Windows or Linux.  There is no inherent security risk in the gateway software if properly protected behind a router/firewall.

The outbound connections it makes are for UDP (not really a connection but it does send UDP packets to the Internet) and TCP communication with other D-STAR servers.  If you have the CentOS being automatically updated, then it also makes connections to the CentOS update servers.

Only set up the stated UDP port forwarding and any absolutely necessary port forwarding for auxiliary software such as DPlus.  DStarMonitor and javAPRSSrvr only make outbound TCP connections so port forwarding is not required for those.  Do not open the SSH or HTTP/HTTPS ports as these do pose a potential inbound hacker's hole.

Finally, you cannot use a DD "repeater".  The DD repeater essentially opens the local network to attacks from RF because the DD repeater is on the "inside" of the EOC firewall.  While unlikely, it is still a wide open portal.  If the gateway is put on its own network with restricted connectivity (only has access to the outside world, not the EOC LAN) via a physical DMZ in the EOC's router (separate port, etc.), then you should be able to use a DD repeater as well as possibly opening the SSH and HTTPS ports (although we recommend redirecting the SSH port).

Hope this helps.

73,

Peter Loveall CISSP
AE5PL

[n5ebw]

While I don't have Pete's certification, I have worked in an environment where payment services is our primary security concern for quite some time now, so my opinion may (or may not be) of some importance.  I'm gonna play a little devils advocate here, but please know that I am rooting for you.

That being said, I can see where they would be iffy on allowing you into the internal network, no matter how secure your server is.

If it were my environment, these are the issues I would have with your installation:

1) The server belongs to your group, and they are not paid to maintain it, therefore they have no obligation nor desire to do so.  A lot of environment's, particularly of a government nature, have a status quo of not letting anything reside in their environment that is not an asset of theirs because of liability.  Your server greatly increases liability because it is not contained in their service level agreements or operating level agreements.  Even if you agree to keep the server up to date, and lock it down per their security policy, it still makes them liable.  Would I want to have something like that in my environment?  No.

(Note that 2 and 3 tie in with the above, but as separate issues needing to be addressed)

2)   In order to be acceptable, your installation must decrease their liability to zero by either totally mitigating -or- preferably, eliminating it.  Port forwarding does not entirely mitigate the risk because you are still passing traffic on the same collision and broadcast domains where their network resides.  In the realm of payment services, this is unacceptable at times.  You may be onto something by putting it in the DMZ, but it isn't a total solution in my mind.  If it were on a network I managed, it would only be acceptable to me if you were on your own VLAN, segregated from anything on my network.  You may want to propose that scenario.  Because of the still new and experimental nature of D-Star, there's no way in the world I'd agree to it being anywhere near something on my network.

3) Physical security is also an issue.  Because you are not an entity of their organization, you are likely not covered by their insurance.  Since you are likely not going to get remote access to this machine, you will need to be physically present to apply any updates, or address problems. This, probably moreso than others, would be my concern.  It gives you, a volunteer, total access to my network, which I am accountable and liable for, and that puts customers at risk.

Again, I'm not trying to discourage you, but I wanted to give you insight to the valid questions that they have here that definitely need to be addressed.

My proposed solution would be a separate VLAN on the outer bastion of their firewall.  Even the DMZ isn't really an exceptable option to me.  That would expose them to no further risk than they already are exposed to.  Basically, you're going to have to totally go out of your way to convince them that there is no risk entered into their network.