1999-09-22-15:26:22 Fabio Rocha:
> I need to set up a network that will demand strong user authentication. In
> order to achieve this, we plan to use the Private Wire suite from
> Algorithmic Research. (www.arx.com).
>
> But I am concerned with this product's reliability. Does anybody have good/bad
> experiences with it? Does anyone know of any widespread known security flaws? Or have
> advice on similar products?

No experience with it, but from a quick read of their web site, I wouldn't
pursue it. There are a few problems that immediately leap to mind:

(1) While they cite various cryptographic algorithms they use (including, as
their first choice for symmetric-key algorithms, plain old 56-bit DES,
which is a poor choice), they don't describe anything about the
cryptographic _protocols_ --- the way those algorithms are deployed to
authenticate, protect confidentiality, etc. This may well mean that they
invented the protocols themselves, and that is Bad --- as anyone who has
watched the IPSec design process knows well. Or even watched the
evolution of Kerberos. Designing sound crypto protocols is every bit as
tricky as designing sound crypto algorithms, and it doesn't happen inside
a small company that doesn't publish the protocols.

(2) According to their web site, Private Wire clients are available for
Windows in various flavours, that's it --- so if you are fortunate enough
to have any users running more secure client OSes, they cannot get in;
only the people whose machines are throbbing sores on the internet, open
vectors for attack into your net, can tunnel in. That sucks. That will
tend to worsen security.

(3) I didn't see any sign that their source code is available; this means that
people aren't going to have an easy time helping them catch and fix their
implementation bugs, most especially in the hard bit,
generated-symmetric-key entropy management.

I'd give 'em a miss. If you want VPN tunneling, go with IPSec.

-Bennett