Subject: Re: HannaH from SecureWare Inc.
From: mulligan@future.incog.com
Date: Fri, 01 Sep 1995 12:31:23 -0600
To: gary flynn <gary@habanero.jmu.edu>
Cc: isdmill@gatekeeper.ddp.state.me.us, adm_lcorea@vax1.acs.jmu.edu, firewalls-owner@GreatCircle.COM, firewalls@GreatCircle.COM, foxtrot@sware.com, oit_cathy@vax1.acs.jmu.edu, oit_charles@vax1.acs.jmu.edu, oit_dbh@vax1.acs.jmu.edu, shan.bell@sware.com
In-reply-to: Your message of "Fri, 01 Sep 1995 09:15:25 EDT." <199509011324.GAA25199@miles.greatcircle.com>
Reply-to: mulligan@incog.com

Gary wrote:
> Hannah is centrally administered although you have to install the
> product on all the platforms. So there is a central security
> administrator. Software distribution, installation, and configuration
> management mechanisms and policies need to exist for network/node
> management anyway, so the addition of one more product shouldn't
> negate the overall concept.

Oh, and this points to another potential problem: they have combined the
administrative system with the Certification Authority. This is very,
very bad. The CA is the box that holds the very sensitive CA private
key, and having this box on the network just begs to have that key
compromised - then anyone and everyone can sign certificates saying
they are anyone. All security is lost, the war is lost, the count is 10
and you're out.

Key management/negotiation overhead is another very critical issue.
Their document doesn't mention the protocol used to do this negotiation.
What about support for different encryption mechanisms?

In addition, I haven't heard anything about the actual protocols. They
certainly aren't open and publicly available. What about
interoperability with other systems? They don't seem to be talking
with any standards groups.

On the other hand, there are systems being developed and available that
provide much the same functionality (end-to-end encryption and
authentication) without some of the drawbacks (key management overhead,
lack of support for multiple encryption techniques, private/closed
proprietary protocol, lack of multi-protocol support), such as SKIP and
others being worked on in the IPSEC working group.

geoff