This Sheymov guy is an ex-KGB security and comms officer who started working for
the NSA and the CIA during the Cold War, and he has ex-CIA guys working with him...

Sounds like they want to switch to some sort of trusted security model with the servers
talking to an access control device that works like a load balancer/firewall/DNS proxy
that is capable of stitching all the sessions together with the hosts that are modulating
their IPs.

Okay, so what if this device presents your services to the world on a fixed set of
addresses and manages the sessions and DNS itself (like a ServerIron)? A hacker
can still attack these servers using the external addresses presented by the load
balancer. If the attack is being made through a buffer overflow on port 80, that overflow
traffic is still going to reach your internal web server even if it is modulating its
addressing.

Trusted security models have been around for a while now. It will be interesting to see
if he has really come up with a better way to do it, or if this is just vaporware that
does not work well in a real-world network.

----- Original Message ----- 
From: "Eric Johnson" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, June 13, 2001 6:43 AM
Subject: Has anyone heard of this? 


> From <http://news.zdnet.co.uk/story/0,,s2087257,00.html>:
> 
> The new system can change the cyber-addresses 
> on a network faster than once a second, cloaking 
> them from all but authorized parties, said Victor 
> Sheymov -- founder, president, and chief executive 
> of Invicta Networks. 
> 
> ...
> 
> Standard approaches to computer security rely on 
> encryption, or data scrambling, plus devices such 
> as firewalls aimed at screening out abnormal traffic 
> patterns that look threatening. 
> 
> But any network protected this way is a sitting duck 
> for a determined hacker, Invicta said. Instead, it 
> puts the network in cybermotion through a 
> continuous change of "Internet Protocol" addresses -- 
> the chain of digits underlying the Web to route traffic 
> to its destination. 
> 
> The Invicta system uses special cards to link 
> protected computers to a central control unit. It lets 
> clients decide how often they wish to vary IP addresses 
> and specify which applications may be accessed on 
> their network. The number of IP addresses drawn on may 
> be in the billions thanks to an artificial increase in 
> cyberspace, Sheymov said. 
> 
> I've been pretty busy lately so this could have been discussed on 
> this mailing list and I could easily have missed it.
> 
> Anyway, changing ip addresses once a second would seem to 
> make it pretty tough for DNS servers to keep up.  And even tougher 
> on maintaining a connection to the host.
> 
> Eric Johnson
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> 

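The architecture the reply sketches (a fixed-address front end that keeps sessions stitched to backends whose internal addresses hop every slot) can be modelled in a few dozen lines. The model below is an added example written for this page; it is not Invicta's design or code, and it assumes the hopping schedule is derived from a shared secret and a time slot (the article does not say how addresses are chosen). The front-end address 203.0.113.10, the client 198.51.100.7, the host name "web1" and the oversized request are all constructed. The point it demonstrates is the reply's: the backend's address changes between the two requests, the session still lands on the same host, and the oversized request arrives byte-for-byte intact, because hopping changes where the service lives, not what it parses.

```python
"""Toy model: fixed-address front end in front of an address-hopping backend."""
import hashlib
import hmac

SECRET = b"constructed-shared-secret"   # assumption: front end and host share this key
HOP_INTERVAL = 1.0                      # seconds per address slot ("faster than once a second")
POOL_SIZE = 2 ** 20                     # size of the internal address pool (assumption)


def current_address(host_id: str, now: float) -> str:
    """Internal address a protected host uses during the slot containing `now`.

    Assumption: both sides derive the slot address from HMAC(secret, host:slot),
    so the front end can find the host without consulting DNS at all.
    """
    slot = int(now // HOP_INTERVAL)
    digest = hmac.new(SECRET, f"{host_id}:{slot}".encode(), hashlib.sha256).digest()
    idx = int.from_bytes(digest[:4], "big") % POOL_SIZE
    # Map the index into a private block (10.0.0.0 .. 10.15.255.255) for illustration.
    return f"10.{(idx >> 16) & 0xF}.{(idx >> 8) & 0xFF}.{idx & 0xFF}"


class Backend:
    """The protected web server: records every payload it is handed."""

    def __init__(self, host_id: str):
        self.host_id = host_id
        self.received = []          # list of (address_used, payload)

    def receive(self, addr: str, payload: bytes) -> None:
        self.received.append((addr, payload))


class FrontEnd:
    """Fixed external address; maps client sessions to hopping backends."""

    EXTERNAL_ADDR = "203.0.113.10"  # constructed public address

    def __init__(self, hosts: dict):
        self.hosts = hosts          # host_id -> Backend
        self.sessions = {}          # (client_ip, client_port) -> host_id

    def forward(self, client: tuple, payload: bytes, now: float) -> str:
        """Deliver `payload` to the client's backend at its address for this slot.

        The session table pins the client to a host, not to an address, so a hop
        between two packets of one session is invisible to the client. Nothing
        here inspects the payload: the device is a multiplexer, not a filter.
        """
        host_id = self.sessions.setdefault(client, "web1")  # one service in this model
        addr = current_address(host_id, now)
        self.hosts[host_id].receive(addr, payload)
        return addr


def run_demo():
    """Two requests from one client, straddling at least one address hop."""
    backend = Backend("web1")
    fe = FrontEnd({"web1": backend})
    client = ("198.51.100.7", 40001)
    fe.forward(client, b"GET / HTTP/1.0\r\n\r\n", now=0.2)
    # Constructed oversized request standing in for an overflow attempt on port 80.
    evil = b"GET /" + b"A" * 4096 + b" HTTP/1.0\r\n\r\n"
    fe.forward(client, evil, now=1.7)       # next slot: backend address has moved
    return backend.received


if __name__ == "__main__":
    for addr, payload in run_demo():
        print(f"backend at {addr} received {len(payload)} bytes")
```

Within one slot `current_address` is stable, so the front end and host agree on where the host is; across slots it moves. Run the demo and the second line shows the 4096-byte request arriving at the new address unchanged, which is the reply's objection in code: the hopping buys nothing against an attack carried inside a session the device was built to forward.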