On Fri, 20 Apr 2001, Mogren, Jack L. wrote:

>   This may be a bit off-topic from firewalls, but I'd like to hear other
> people's opinion.  We (information security) are having a minor holy war
> with our internal audit folks concerning the requirement for employees using
> remote access to also use encryption. We understand that there are cases
> where encryption may be required.  But we feel it's a matter of performing
> an analysis of the risk.  Wiretapping of public telephone services by
> someone intent on reading your email is a possibility, but a mile-wide
> asteroid might hit the planet today too.  Of greater importance for the
> occasional remote access user is the use of strong authentication of both
> parties and specific access authorization.  Now it may be a different matter
> for the telecommuter, say a transcriptionist.  Their exposure is greater
> because they're connected longer and the data may be more sensitive.  In
> this case, maybe encryption is warranted.
>   I've done a bit of searching for instances of wiretapping on the Web and
> have come up empty-handed.  I've seen a lot of news stories concerning
> wiretapping laws, misuse by law enforcement or government entities, and
> Linda Tripp taping Monica.  But I have not found an instance of someone
> tapping into an established modem-connected session, then exploiting this
> connection to steal data in transmission.  I also see a lot of talk from
> "consultants" and vendors about what a widespread issue this is.  Has anyone
> out there had first-hand experience with an incident? 

I examine compromised systems for a living.  In almost every case where a
system has been breached, a sniffer has been installed.  Those sniffers
filter for every password used in the clear travelling over that
particular subnet.

If you are using a modem bank, then you at least want the authentication
that cryptography provides.  People have been war dialing for modem banks
since I was a kid. (And that was a while ago.) You want to know that the
people accessing your systems are the ones authorized to do so.

But do you know where those packets flow once they get inside the internal
network? If the information is confidential, you should encrypt anyways.
You never know when some temp has a sniffer installed "just because he
can".  (Not to mention nosey admins who use "less" to read your mail
spool.)

Think that they won't get in just because there is a password?  In the
last two places I worked, over 50% of the staff used easily guessable
passwords. Many of them still had a password of "changeme".  Getting
marketing people to change passwords is difficult, especially when they
are unwilling to understand the risks involved. (Actually, getting
managers who should know better to change passwords is even harder.)

The big question I have is "why do you *not* want to encrypt your
traffic"?  

[EMAIL PROTECTED] | Note to AOL users: for a quick shortcut to reply
Alan Olsen            | to my mail, just hit the ctrl, alt and del keys.
    "In the future, everything will have its 15 minutes of blame."
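
The reply's point about cleartext passwords crossing a subnet can be checked from the defender's side by auditing which internal services still accept logins unencrypted. The sketch below is an added example, not part of the original message; the session records, addresses and credentials are constructed, and the function name `audit` is hypothetical.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# Client-side markers of a credential sent unencrypted. Only the fact of
# exposure is recorded; the secret is never extracted or stored.
CLEARTEXT_AUTH = {
    "FTP/POP3 PASS": re.compile(rb"^PASS \S+", re.I | re.M),
    "IMAP LOGIN": re.compile(rb"^\S+ LOGIN \S+ \S+", re.I | re.M),
    "HTTP Basic": re.compile(rb"^Authorization:\s*Basic\s+\S+", re.I | re.M),
}

def audit(sessions, prefix=24):
    """Map each server subnet to the services that accepted cleartext logins."""
    exposed = defaultdict(set)
    for src, dst, dport, payload in sessions:
        for kind, pattern in CLEARTEXT_AUTH.items():
            if pattern.search(payload):
                subnet = ip_network(f"{dst}/{prefix}", strict=False)
                exposed[str(subnet)].add((dst, dport, kind))
    return {net: sorted(hits) for net, hits in exposed.items()}

# Constructed sample sessions (documentation address ranges, made-up credentials).
SAMPLE = [
    ("192.0.2.10", "198.51.100.5", 21, b"USER jdoe\r\nPASS changeme\r\n"),
    ("192.0.2.11", "198.51.100.7", 110, b"USER asmith\r\nPASS changeme\r\n"),
    ("192.0.2.12", "198.51.100.7", 143, b"a1 LOGIN asmith changeme\r\n"),
    ("192.0.2.13", "203.0.113.9", 80,
     b"GET / HTTP/1.0\r\nAuthorization: Basic Y29uc3RydWN0ZWQ6eA==\r\n\r\n"),
    # Encrypted transport: nothing for a sniffer to filter on, so not flagged.
    ("192.0.2.14", "203.0.113.20", 22, b"SSH-2.0-client\r\n\x00\x00\x01\x2c\x0a\x14"),
]

if __name__ == "__main__":
    for net, hits in audit(SAMPLE).items():
        for dst, port, kind in hits:
            print(f"{net}: {dst}:{port} accepts {kind} in the clear")
```

Each service it lists is a candidate for moving to an encrypted transport.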
