Mark wrote:
>
> I wouldn't have thought that encryption was something that
a
> firewall
> would notice or care about. It only means that the people
> logging the
> information on the firewall cannot tell what traffic is being
> passed, which
> is probably quite a big issue for some types of organisation.
>
> Thinking about it, for some organisations perhaps all
> external
> communications should be in clear text, only public domain
> information is
> allowed to be discussed. Mind you that's probably a
prehistoric
> point of
> view :-).
>
The encryption issues fall into three parts.
1. Some risk is generated that vandals, criminals, commercial spies
might intercept, use, modify, or spoof mail.
2. Some people see government agencies using public networks to spy
on citizens/businesses.
3. Which ever (or both) is the requirement motivator there is then
the question of how this applies to the firewall.
There is risk of external attack, but this risk level is different
for every user and many sites may find in analysis that the risk is
so low in probability and impact that they dont need to take any
steps to moderate the risk - but then they might also have no need of
a firewall either.
The conspiracy theory of government is a great emotional debate.
In some countries there is probably every reason to worry about
sinister government activities. However, encryption will not address
that possible situation.
In many countries, the governments will be able to break your
encryption either because they hold the keys or because they choose
to devote resources to breaking encryption. You might decide to
employ illegal encryption to make it difficult for them but then you
introduce new risk for yourself which may be much greater than the
risks of using legal encryption or no encryption.
Dont forget that governments often have the capability and funding to
break very strong encryption used by other governments, and systems,
such as PGP, are trival protection against this type of cracker.
As far as firewalls are concerned there may be benefits in encrypting
at the firewall.
One benefit may be that you remove the possibility of a user
forgetting to encrypt at workstation level (for example, some
organisations treat encrypted traffic as being
non-sensitive/classified material but that only works if the user
remembers to encryption using the appropriate algorithm).
You may wish to apply different forms of encryption for different
purposes if your private network is multi-level and driven be
security profiles for each user.
Also you may wish to be able to read and authorise communication as
it passes the barrier because the high % risk involves people inside
the barrier being dishonest, stupid, or just human.
It all comes down to what you see as your risk management
requirements.
Ian J-B.
References:
|
|
