>>>>> "Adam" == Adam Shostack <adam @
Adam> Making a vpn will protect against sniffing & spoofing, but if
Adam> all you do is set up a vpn, your machines are open to attack.
Adam> Set up a filtering router as well so that only encrypted packets
Adam> from your other networks can get in.
...which leads back to my original question... is that sufficient
protection, or is it necessary deploy some more sophisticated method
of attack prevention? Should the private frame relay service feeds
have the same protection as the Internet feeds.
I fear that for many the answer, according to a well thought-out
policy would be "yes," but in reality, such protection isn't there.
Adam> I'd be very interested in hearing about a deployed tool that
Adam> would allow you to crack even 40 bit rc4 fast enough to spoof
Adam> packets. (Assuming that your encryptors changed keys about once
Adam> per hour.) 40 bits of RC4 key would not protect you against
Adam> evesdropping, but it would add to the cost, and there is NO
Adam> reason (other than the ITARs) to not use 128 bit rc4, or use
Adam> DES, 3des or IDEA.
I would also be interested. In Applied Cryptography (ISBN
0-471-12845-7), Bruce Schneier has some average time estimates for
hardware brute force attacks (in 1995). The 40 bit keys range from 2
seconds with US$100,000 of hardware to .02 microseconds at a cost of
US$10 trillion. It seems that we're probably close to a point where
such a thing is possible with a reasonably well-funded group's
It seems that for protecting yourself against huge organizations,
governments, etc., a key size of at least 112 bits is necessary for
symmetric ciphers. Given the relatively small increase in processing
overhead for use of 128 bit (or slightly larger) keys, it seems worth
it. (Again according to Schneier, at a hardware cost of US$1 thousand
million, 56 bit keys can be broken in 13 seconds; 64 bits in 1 hour;
80 bits in 7 years; 112 in 10**10 years; and 128 in 10**15 years.)
Anyway, the point is that if you're serious about protecting your
organization's resources, taking a few extra steps can be the
difference between a mysterious leak in confidiential (damaging?)
information, a break-in, etc., or just another failed attempt.
C Matthew Curtin MEGASOFT, LLC Chief Scientist
I speak only for myself. Don't whine to anyone but me about anything I say.
Hacker Security Firewall Crypto PGP Privacy Unix Perl Java Internet Intranet