One place to start is to build a US Cyberborder, not a great firewall but a cyberborder.

A possible a US Cyberborder would need to do a few things very well:

1) It would need to let terabits of all types of IP traffic flow freely both ways at line rate speeds.

2) It would need to protect US public and private networks from overseas based DoS, Worm, and Botnet attacks…the major significant common benefit.

3) It would need to maintain US privacy standards on all data flows with FISA exceptions.

4) It would need to provide netflow traffic visibility to the recipients (NSA, DoD, DHS and the private carrier) via a quad mirror view of the flow data…meaning a SNMP view of the realtime netflows (not detailed DPI where privacy concerns would be a factor) of percentages of P2P traffic, percentages of http, of voip, ftp, etc. The private carrier would only get a view of data from the devices on their submarine cable connections, not that of other providers. DHS, NSA and DoD would each build unique national views of that same data with mission enhancement overlays so that privacy of data is maintained, FISA exceptions are allowed and escalations of DoS threats arriving inbound via multiple providers networks against public and private networks are seen proactively and defended successfully.

5) It could provide a layer 3 screen for network islands of trust (AKA Internet Commons) internal to the national perimeter so that the national islands of trust would be unreachable to outside attackers via short IPv6 inbound ACLs.

6) There would need to be two different Cyberborder architecture designs:
The carrier Cyberborder architecture would have to support MPLS. The other Cyberborder architecture would be a private network Cyberborder architecture without MPLS. The carrier architecture would use the carrier’s routers for Layer 3 ACLs, and the private architecture could use a device that combines the IP flow management with the Layer 3 filters. Both designs would have Anagran devices for Layer 2 line rate netflow visibility. Customization of each design for specific networks would have to be possible.

7) Individual network elements that combine to form the national Cyberborder would have almost zero maintenance requirements on the networks (99.999%- five 9s uptime).

8) A Cyberborder network architecture would always be positioned to accommodate increasing international traffic volume so the individual cyberborder elements scale equally with the carrier’s or private network’s bandwidth requirements.

9) A DHS Cyberborder Network Operations Center (NOC) would require a national out-of-band low latency WAN architecture to backhaul the border flow visibility data and communicate out-of-band with the border flow devices. The WAN would have to be created using multiple providers (preferably with dark fiber), be physically diverse, and separated from all of the Cyberborder submarine cables and terrestrial links and their traffic. Rapid revisions to mitigate hostile network flows in the event of attack(s) would be deployed via the Cyberborder WAN.

10) The US cyberborder should also function as an early warning alert system for rising threats in a major cyberattack against critical US infrastructure from nation states, cybercriminals, and cyberterrorists.

This subset of ideas for the design of a border architecture are spun out from a paper I’ve been working on called a “A Logical Framework for a United States Internet Commons Architecture”.

http://www.afit.edu/CCR/Publications.cfm

and download the paper titled

“Cyberspace as a Theater of Conflict: Federal Law, National Strategy and The Departments of Defense and Homeland Security”

it will change your point of view on several COCOM-DISA-Service relationship issues.

That post includes references to others writing about this subject. The comments to the article include several perspectives, including one that is NSA-centric.

A discussion thread at the Small Wars Journal on this subject is at http://tinyurl.com/SWJ-CyberForceDiscussion