On Wed, 22 Oct 1997, Craig S. Wright wrote:
> Why should it stop at the VPN. Most attacks are internal. The overhead
> to exchange keys on "modern" machines is low. Why stop at the
> firewalls. At least cover all the servers if not workstations.
While this has been somewhat bashed about on firewall-wizzards, it's not
been around here yet;
If you don't stop at a firewall, how do you expect to enforce a security
policy? Encryption is only a great solution where there is nothing which
comes from outside the trust boundry and hits the machine in the clear,
and nothing from inside the encrypted trust boundry does the same. Given
24 hour cable modem access in the home, and wireless mobile access, I
don't think those assumptions will be valid for too much longer. With a
VPN which doesn't allow for legitimate man-in-the-middle at a gateway,
there is absolutely no way to enforce a policy without compete host
security. No audit points, no trend analysis, no intrusion detection
except at each individual host.
100% encryption only works in closed environments with strict host
security and auditing. Me? I want to man-in-the-middle SSL to enforce my
security policy. Anything less is an open tunnel into my network without any
audit points. Assuming you have legacy equipment that won't encrypt,
sits on older WANs that you can't deprecite, legacy protocols which some
equipment will accept that don't encrypt, or anything like that, you're
likely to have enough machines breaking the trust boundry of the
encryption to fail the model.
> The next thing is that IPsec on firewalls with X.509 does not solve
> all the problems. X.509 amy specify a null-null-null MAC/encryptor. If
> the internal network uses PCKS#x signed packets the firewall must just
> allow them through. Either that or we religate users to clear text again.
I am *very* seriously concerned that none of the proposed cryptographic
protocols being looked at seem to want to allow a *legitimate*
man-in-the-middle. Encryption can make security more or less difficult,
but when you talk about extending the trust boundry of the network to
someone's home, hotel, or remote office, you should look very closely at
how that extendes your vulnerability profile, and how you'll audit that
connection for intrusion at the remote end.
Paul D. Robertson "My statements in this message are personal opinions
net which may have no basis whatsoever in fact."