i think i'll wade into this flaming pit ...
i'm a big fan of strong crypto. anyone who knows me knows that. i love
tunnels, i think they have a place. i think that paul's piece in
infosecmag is spot on in some places, and completely misses the boat in
others.
crypto, and tunnels, don't just provide confidentiality; they can be used
to force authentication, *strong* authentication, not only of the server
but also of the client. by forcing client authentication you can prevent,
in some instances, a malicious client from shoving data down the pipe that
you may not want them to.
secondly, this was brought up here earlier, if all you think about when
you think 'intrusion detection' is a sniffer on the wire, you should sit
back and think more about it. move to agent based intrusion detection,
utilizing some central analysis station.
alternatively, and i haven't seen this done, include the NIDS in the
crypto negotiation via some secure key passing mechanism and (probably
utilizing hardware based accelerators on the NIDS boxes) have it analyze
the traffic as well. just a pipe dream right now.
anyhow, crypto has its place, but it's not counter to intrusion detection.
keep that in mind.
____________________________
jose nazario [EMAIL PROTECTED]
PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
PGP key ID 0xFD37F4E5 (pgp.mit.edu)
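The client-authentication point above, as an added example that is not part of the original post: a Go TLS server set to RequireAndVerifyClientCert, tried against a client with no certificate, the one trusted client, and an impostor who self-issues a certificate with the same name. All certificates are constructed in memory and the connection runs over loopback; the function and variable names are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// selfSigned builds a constructed, in-memory self-signed certificate that is its own trust anchor.
func selfSigned(name string) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, IsCA: true, BasicConstraintsValid: true,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// serverAccepts runs one loopback connection and reports whether the server-side handshake succeeded.
func serverAccepts(serverCfg, clientCfg *tls.Config) bool {
	ln, _ := tls.Listen("tcp", "127.0.0.1:0", serverCfg)
	defer ln.Close()
	go func() { // client side; a TLS 1.3 client finishes before the server has judged it
		if c, err := tls.Dial("tcp", ln.Addr().String(), clientCfg); err == nil {
			c.Close()
		}
	}()
	c, _ := ln.Accept()
	defer c.Close()
	return c.(*tls.Conn).Handshake() == nil // fails if the client cert is missing or untrusted
}

// MutualTLSResults tries a server that demands a known client certificate against three clients.
func MutualTLSResults() (noCert, trusted, impostor bool) {
	server, client, intruder := selfSigned("server"), selfSigned("client"), selfSigned("client")
	roots, clientCAs := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(server.Leaf)
	clientCAs.AddCert(client.Leaf) // the intruder's self-issued cert is deliberately not here
	serverCfg := &tls.Config{Certificates: []tls.Certificate{server}, ClientCAs: clientCAs, ClientAuth: tls.RequireAndVerifyClientCert, SessionTicketsDisabled: true}
	dial := func(id ...tls.Certificate) *tls.Config { return &tls.Config{RootCAs: roots, ServerName: "server", Certificates: id} }
	return serverAccepts(serverCfg, dial()), serverAccepts(serverCfg, dial(client)), serverAccepts(serverCfg, dial(intruder))
}
```

Only the trusted client gets through: the server rejects the other two during the handshake, before any application data is accepted.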