On Wed, 6 Jun 2001, Steve Riley (MCS) wrote:
> The typical complaint against encrypted communications -- whether IPSec
> transport mode or tunnels of various kinds -- is that once a machine is
> compromised, then the attacker has a direct invisible route into other
> machines. This seems a reactionary stance.
I think it's more than routes in, it's really about defense in depth and
ease of defense.
Proper host security obviously is a lot more effective than perimeter
network security, yet we all employ various levels of firewalls because we
understand the implications and failure modes of complete host security in
a common network environment.
> If (as Jose mentions) we force strong machine-to-machine authentication,
> then the previous concern is moot: how can an attacker compromise a
> machine at all? Am I missing something basic here, or is it that simple?
You're missing the fact that in modern systems the encryption boundary is
*weak*. If you had the old "Red Book" model of a strong encryption
boundary, then authentication would win. You don't; you have an untrusted
desktop OS that in Microsoft's ideal world downloads pseudo-trusted object
code from Web sites administered by folks who hit the enter key long
enough to get IIS up and running. Any time you break the boundary by
allowing connectivity vectors that aren't at the same trust level, and you
don't have multiple layers of information management, so that an untrusted
layer can touch a trusted layer, you tend to lose the value of the model as
soon as an exploit becomes easy. Exploits on common desktop OSes are easy
these days, and you've got zero trust boundaries for code in most
organizations. Change that model and you'll spend a *lot* of money on
administrative issues, and you'll end up with a management nightmare.
You'd be surprised what breaks when you make things stick to the model's
protection mechanism, if you can even enforce it in most heterogeneous
network environments.
If every connection a machine made was at a significant trust level and
included strong authentication, the model would be intact.
DNSSEC isn't deployed yet; there goes one encryption boundary, and it's
one that's hung off of Winsock, where we know there's sufficient malicious
code already deployed that takes advantage of that vector on Win9x
machines to provide a good basis for new trojans moving forward.
Hey, you got this mail; there goes another boundary, one that's a known
vector for distribution of malcode (and no, all those problems are *not*
solved yet).
How do you do comprehensive anti-virus if all the e-mail is encrypted and
there's no inspection? Anna Kournikova pictures, anyone?
And so it goes: useful connectivity, piece by piece, creates doors in the
wall that would be the encryption/authentication boundary, and sooner or
later something goes through the door...
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
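The anti-virus point in the message above, as an added example that is not part of Paul's mail or of the firewalls list: a perimeter scanner that pattern-matches the bytes on the wire catches a constructed double-extension VBS attachment in cleartext, cannot see it once the message is encrypted end to end, and only a scanner that runs after decryption on the recipient's host sees it again. The two signatures, the sample message and the HMAC-SHA256 counter-mode keystream are all constructed for this example; the keystream stands in for whatever real cipher the mail system would use, is unauthenticated, and is not meant for production.

```python
import hashlib
import hmac
import os
import re

# Constructed detection rules standing in for AV signatures; not real AV rules.
SIGNATURES = [
    # double extension hiding a script behind an image/text name
    re.compile(rb'filename="[^"]*\.(?:jpg|gif|txt)\.vbs"', re.IGNORECASE),
    # the VBS file-system object that self-copying script worms lean on
    re.compile(rb'CreateObject\("Scripting\.FileSystemObject"\)'),
]


def build_message(attachment_name: bytes, body: bytes) -> bytes:
    """Constructed minimal mail: one header block and one attached script body."""
    return (b'Subject: check this out\r\n'
            b'Content-Disposition: attachment; filename="' + attachment_name + b'"\r\n'
            b'\r\n' + body)


def scan(data: bytes) -> bool:
    """Signature scanner: True if any rule matches the bytes it is handed."""
    return any(sig.search(data) for sig in SIGNATURES)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 run in counter mode as a PRF keystream (toy stand-in for a real cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, 'big'), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def stream_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR the data with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def gateway_scan(wire_bytes: bytes) -> bool:
    """Perimeter AV: it sees only what crosses the wire and never holds the key."""
    return scan(wire_bytes)


def endpoint_scan(key: bytes, nonce: bytes, wire_bytes: bytes) -> bool:
    """Host AV: runs on the recipient after the mail client has decrypted."""
    return scan(stream_crypt(key, nonce, wire_bytes))


def run_demo(key: bytes = b'', nonce: bytes = b'') -> dict:
    """Report where the same message is detectable, in cleartext and encrypted."""
    key = key or os.urandom(32)
    nonce = nonce or os.urandom(16)
    # Constructed sample: double-extension attachment carrying one VBS dropper line.
    message = build_message(b'AnnaKournikova.jpg.vbs',
                            b'Set fso = CreateObject("Scripting.FileSystemObject")\r\n')
    encrypted = stream_crypt(key, nonce, message)
    return {
        'gateway_sees_cleartext': gateway_scan(message),
        'gateway_sees_encrypted': gateway_scan(encrypted),
        'endpoint_after_decrypt': endpoint_scan(key, nonce, encrypted),
    }


if __name__ == '__main__':
    for check, hit in run_demo().items():
        print(f'{check}: {"DETECTED" if hit else "missed"}')
```

The three results make the trade-off concrete: once the mail is encrypted to the recipient, the only place left that can inspect it is the host that holds the key, so the scanner has to live on exactly the desktop the thread is worried about, which is why a gateway-only AV strategy and end-to-end mail encryption do not combine.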