Just some random comments...

> -----Original Message-----
> From: Paul D. Robertson [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, June 07, 2001 4:57 AM
> To: Jose Nazario
> Cc: [EMAIL PROTECTED]
> Subject: Re: Encryption vs. inspection.
> 
> 
> On Wed, 6 Jun 2001, Jose Nazario wrote:
> 
[...]
> > i think that paul's piece in infosecmag is spot on in some places, and
> > completely misses the boat in others.
> 
> I'm interested in where you think I missed the boat[...]
> 
> > crypto, and tunnels, dont just provide confidentiality, they can be used
> > to force authentication, *strong* authentication, not only of the server
> > but also of the client. forcing client authentication you can prevent, in
> > some instances, a malicious client from shoving data down the pipe you may
> > not want them to.
> 
> Tunnels can't be used to force strong authentication, only to carry it.
> 
> Nothing on the market currently prevents a malicious client from being the
> source of authentication, and that's the biggest tunnel issue out there--
> the "Microsoft source code out the window" stuff.

I take it you're talking about Joe Luser VPN'ing in to work when his PC is
already r00ted by some trojan, or similar circumstances? I've seen at least
one client (Cisco - the old SafeNet one) that can chop off all other traffic
if a VPN connection is up. That doesn't prevent time-bombs, but it does
prevent interactive hackery. I think Jose mentioned that the Axent client
also does this. If you're doing user/password auth to actually bring up the
VPN tunnel _as_well_as_ box auth (L2TP in IPSec does this, f'rinstance) then
you can prevent someone just walking off with a laptop that has the client
all configured on it.

[...]
> VPNs are sold as security solutions when in reality they're trust boundary
> weakeners- if you understand their limitations, then deploying them isn't
> as much of an issue as if you don't understand that key point and go
> happily extending trust to every employee and business partner's own
> private networks with their own weak and weaker trust boundaries.

Yeah, that's all pretty much true. It's exactly the same as the dialup
problem, really. Many VPN clients are now configured to effectively only
need one password - not even a username/password combo. After that the
tunnel is up and people can start grinding at the network for second-tier
logons.

> Paul

So, to go back to a throw-away point you made, Paul:

> I've always thought that it would be interesting to extend the firewall
> paradigm to be more of a trusted introducer than a particularly heavy
> generic policy engine, and have firewalls enforce trust relationships
> rather than connectivity relationships

I had a crazy idea which I posted a long time ago, involving LAN PCs all
having IPSec AH-only SAs with the firewall. Using L2TP in IPSec stuff you
can also make this effectively a username/password auth which would allow
for nice portable trust relationships based on users rather than boxes. You
seem to be talking about a similar thing - could you flesh your concept out
a little?

Cheers,

--
Ben Nagy
Network Security Specialist
Marconi Services Australia Pty Ltd
Mb: +61 414 411 520  PGP Key ID: 0x1A86E304 
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
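The thread above contrasts a firewall that enforces connectivity relationships (which source addresses may reach which destinations) with one that enforces trust relationships (which authenticated user or host may reach them), with IPsec AH SAs or an L2TP/IPsec user logon supplying the identity. The following is an added illustration of that distinction and is not code from the list, from Paul or from Ben; the SA table, the SPI values, the policy entries and the packet samples are all constructed, and the "SA lookup by SPI" is a simplification of what a real IPsec stack exposes.

```python
"""Connectivity-based vs. trust-based firewall policy (illustrative model).

A connectivity policy trusts whatever arrives from an "inside" prefix.
A trust policy first maps the packet to an authenticated principal via the
IPsec SA it arrived on (identified here by its SPI) and only then consults a
per-principal allow list. Cleartext traffic, even from an inside address,
carries no identity and is denied.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    sa_spi: Optional[int] = None  # SPI of the AH/ESP SA the packet arrived on; None = cleartext


# Constructed sample: SPI -> authenticated principal. A user-level principal
# comes from an L2TP/IPsec logon, a host-level one from an AH-only SA.
SA_TABLE = {
    0x1001: "user:ben",
    0x1002: "host:lan-pc-17",
}

# Constructed trust policy: principal -> set of (destination, port) it may reach.
TRUST_POLICY = {
    "user:ben": {("10.0.0.5", 22), ("10.0.0.9", 443)},
    "host:lan-pc-17": {("10.0.0.9", 443)},
}

# Constructed connectivity policy: anything from the LAN prefix may reach these services.
INSIDE = ip_network("192.168.1.0/24")
CONNECTIVITY_ALLOWED = {("10.0.0.5", 22), ("10.0.0.9", 443)}


def connectivity_decide(pkt: Packet) -> str:
    """Classic address-based rule: source inside the LAN prefix => allowed."""
    if ip_address(pkt.src_ip) in INSIDE and (pkt.dst_ip, pkt.dst_port) in CONNECTIVITY_ALLOWED:
        return "allow"
    return "deny"


def principal_for(pkt: Packet) -> Optional[str]:
    """Bind the packet to an identity through its SA; cleartext or unknown SPI => none."""
    if pkt.sa_spi is None:
        return None
    return SA_TABLE.get(pkt.sa_spi)


def trust_decide(pkt: Packet) -> Tuple[str, str]:
    """Identity-based rule: deny unless an authenticated principal is trusted for the destination."""
    principal = principal_for(pkt)
    if principal is None:
        return ("deny", "no authenticated SA for this packet")
    if (pkt.dst_ip, pkt.dst_port) in TRUST_POLICY.get(principal, set()):
        return ("allow", principal)
    return ("deny", f"{principal} is not trusted for {pkt.dst_ip}:{pkt.dst_port}")


def compare(pkt: Packet) -> Tuple[str, str]:
    """Return (connectivity verdict, trust verdict) side by side for one packet."""
    return (connectivity_decide(pkt), trust_decide(pkt)[0])


if __name__ == "__main__":
    samples = [
        Packet("192.168.1.10", "10.0.0.5", 22, sa_spi=0x1001),  # authenticated user
        Packet("192.168.1.10", "10.0.0.5", 22),                 # same address, cleartext
        Packet("192.168.1.44", "10.0.0.5", 22, sa_spi=0x1002),  # host SA, not trusted for ssh
        Packet("192.168.1.44", "10.0.0.9", 443, sa_spi=0x1002), # host SA, trusted for https
        Packet("192.168.1.99", "10.0.0.9", 443, sa_spi=0x9999), # SPI unknown to the firewall
    ]
    for p in samples:
        print(p.src_ip, "->", f"{p.dst_ip}:{p.dst_port}", "spi=", p.sa_spi, compare(p))
```

The second sample is the point of the thread: an address inside the LAN prefix is allowed by the connectivity rule and denied by the trust rule, because nothing authenticated it. The third shows that a host-level SA can be given narrower rights than a user-level logon on the same network, which is what makes the trust relationships portable across boxes.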