On Wed, 6 Jun 2001 [EMAIL PROTECTED] wrote:
> An article by your TruSecure CTO, Dr. Peter Tippett, in that issue is
> also very illuminating on this. It explains that network sniffing is
> much less of a problem than server security anyway. The risks that SSL
> et al. are aimed at are not the real risks on the Internet.

Yep, Peter and I have discussed this issue a lot (he's my boss), and we're
in almost complete agreement. Unfortunately this industry spends very
little effort on globally fixing things which are actually attacked the
most often. If half the effort put into SSL/HTTPS/SHTTP went into Web
server and browser security models, we'd be in a much, much better place.

That brings up an interesting thing that I've been pondering for the last
few years, but never got to do proof-of-concept code on.

Sniffing risks are really troublesome in two places: the first is local
area networks. The second is ISP networks between customer access routers
and backbone routers. Once you're on the backbone (unless you're Echelon
paranoid) the risk of someone getting anything is pretty low.

I've always thought that it would be interesting to extend the firewall
paradigm to be more of a trusted introducer than a particularly heavy
generic policy engine, and have firewalls enforce trust relationships
rather than connectivity relationships (since we've pretty much lost that
war with tunneling everything over HTTP). In that case, encrypting to the
network boundary, decrypting, then inspecting for maliciousness starts to
make some sense. Unfortunately, trust relationships are difficult to
model and extension of trust is fairly difficult to control without some
sort of baseline. I think, however, that we'll get to a commonly accepted
baseline and be able to extend at least business-to-business trust fairly
well over the next few years. I've done some WAN models that worked
pretty well in that way, and extending it out to the Internet and
inter-LAN stuff seems to work well on paper.

I'm not comfortable with end-to-end encryption in a business environment
without a better trusted OS model than general purpose systems typically
allow. Things like .NET and documentation on self-extracting .exe's,
automatic system updates, etc. make that even more important. Tunneling
and malicious content pretty much mandate some sort of inspection for
trending and analysis and code trust issues. Unfortunately you can't do
that without either MITM, ADKs, or key escrow.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]