On Fri, 15 Oct 1999, Bob Dolliver wrote:
> traditional point to point links. In addition many cable organizations are
> combining VPNs with broadband to insure strong encryption and authentication
> from end to end.
The problem is that encryption isn't a magic bullet. VPNs are flawed for
such usage unless the encryption boundary is enforced. The problem is
that people expect to be able to connect to the World at large and open
unencrypted sockets at the same time they're using the VPN. That means
the security of the information channel is based on the security of the
endpoints. Before you even get to key managment, key storage, keychange
interval, algorithm and keysize you need to look at the model.
Network-to-node or network-to-network encryption models come from the
traditional government "secure networking" practices outlined in things
like the old Red Book (Trusted Networking Implementation.) In those
cases, the encryption boundary was strong and actively enforced. In the
case of a VPN, the boundary isn't generally enforced at all. That's a
very weak foundation to build upon.
Last week brought an in-the-wild kernel mode virus for WindowsNT, the
"strongest" of the Microsoft line- the fact that it's wild means that
there's a group of NT administrators who aren't practicing safe
administration, Win9x is an even more open playground for an attacker.
"From end to end" needs to include the ends themselves or it's all
generally a moot point, especially with 24x7 access by untrained and
illadvised family members downloading actively executing "Greeting
Cards", games, OS updates and anything else you can imagine over clear
connections without verification mechanisms.
Don't kid yourself, cable networks aren't any more secure than telco
networks, and in most cases are a great deal less secure internally as well.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
PSB#9280
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
