(again: you probably shouldn't listen to a word I'm saying)
"Marc E. Mandel" wrote:
>
> [firewall management interfaces...]
>
> - An https management interface where both the firewall and the
> administrator(s) have valid certificates.
Hmm.. for what kind of environment? Aren't you worried about all the
client-side vulnerabilities in browsers?
> - a secure version of Simple Network Management Protocol (SNMP). SNMP
> Version 2 was designed to provide secure management.
RFC1445, "Administrative Model for SNMPv2":
4.5. Public Key Configuration
This section presents an example configuration predicated upon
a hypothetical security protocol. [...]
Nice. Hypothetical.
5. Security Considerations
In order to participate in the administrative model set forth
in this memo, SNMPv2 implementations must support local, non-
volatile storage of the local database of party information.
Accordingly, every attempt has been made to minimize the
amount of non-volatile storage required.
In my book, that's not a security consideration.
(Yes, that's the full text)
For encryption, plain old DES is used. No good.
It also uses a _constant_ IV. Useless.
Also, it's all based on static keys. Where are the session keys?
Break one old session and you get unlimited access to future
messages.
From a cryptography perspective, the SNMP security protocol is
a complete disaster. Maybe, _maybe_, it's good enough for some
uses (for some value of "some"), but _I_ for one don't want
code for SNMP write access anywhere near my firewalling process,
let alone let it make changes to my policy.
(And don't get me started on the inherent complexity of the
entire SNMP protocol. Recent incidents speak for themselves,
I believe.)
> - a Secure Shell (SSH) implementation that supports both secure
> telnet and secure ftp.
SSH has problems too; perhaps not so much design-wise as complexity-
wise, which the recent and not-so-recent stream of bugs in various
SSH implementations has shown us.
Granted, these problems could probably be worked around by writing
a minimalistic implementation that scraps SSHv1 compatibility
and a few other things that one really shouldn't need in a
firewall.
Then again, if I had to choose from the above three, SSH would
definitely be my choice.
Regards,
Mikael Olsson
--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00 Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50 WWW: http://www.clavister.com
"Senex semper diu dormit"
_______________________________________________
Firewalls mailing list
http://lists.gnac.net/mailman/listinfo/firewalls
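Added example, not code from the post above or from Clavister: the constant-IV objection, made concrete with Go's standard DES-CBC. Two constructed management messages that share a 16-byte prefix are encrypted under one key; with a shared IV the first two ciphertext blocks repeat, so an eavesdropper can tell which messages start alike, whereas distinct IVs give nothing in common. Key, IVs and message contents are made-up sample values.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
)

// encryptDESCBC: DES-CBC over a message that is already a multiple of 8 bytes.
// Demonstration code only; it is not SNMPv2's own encryption routine.
func encryptDESCBC(key, iv, msg []byte) []byte {
	block, err := des.NewCipher(key) // key must be exactly 8 bytes
	if err != nil || len(msg)%8 != 0 {
		panic("bad key or unpadded message")
	}
	out := make([]byte, len(msg))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, msg)
	return out
}

// sharedLeadingBlocks counts leading 8-byte ciphertext blocks two ciphertexts
// have in common. In CBC, block i repeats only if the IV and every plaintext
// block up to i repeated, so this is exactly what an eavesdropper learns.
func sharedLeadingBlocks(a, b []byte) int {
	n := 0
	for i := 0; i+8 <= len(a) && i+8 <= len(b); i += 8 {
		if !bytes.Equal(a[i:i+8], b[i:i+8]) {
			break
		}
		n++
	}
	return n
}

// RepeatedBlocks encrypts two constructed management messages that share a
// 16-byte prefix under one key, once with the same IV for both (the constant
// IV objected to above) and once with distinct IVs, and returns how many
// leading ciphertext blocks match in each case. Key, IVs and messages are
// made-up sample values.
func RepeatedBlocks() (constantIV, distinctIV int) {
	key := []byte("k3yk3yk3")
	msgA := []byte("MGMT:fw01:admin:SET:ifc1") // 3 blocks
	msgB := []byte("MGMT:fw01:admin:SET:ifc2") // same first 2 blocks
	fixed := []byte("00000000")
	constantIV = sharedLeadingBlocks(
		encryptDESCBC(key, fixed, msgA), encryptDESCBC(key, fixed, msgB))
	distinctIV = sharedLeadingBlocks(
		encryptDESCBC(key, []byte("ivA-0001"), msgA),
		encryptDESCBC(key, []byte("ivB-0002"), msgB))
	return constantIV, distinctIV
}
```

Because DES is a permutation, the distinct-IV case is guaranteed (not merely likely) to share zero blocks, while the shared-IV case leaks the full common prefix.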