On Wed, 6 Jun 2001, Jose Nazario wrote:
> i'm a big fan of strong crypto. anyone who knows me knows that. i love
> tunnels, i think they have a place. i think that paul's piece in
> infosecmag is spot on in some places, and completely misses the boat in
> others.
I'm interested in where you think I missed the boat- even after the editor
had at it, it still represents my position, though it's not a complete
representation due to space/audience limitations.
> crypto, and tunnels, don't just provide confidentiality, they can be used
> to force authentication, *strong* authentication, not only of the server
> but also of the client. forcing client authentication you can prevent, in
> some instances, a malicious client from shoving data down the pipe you may
> not want them to.
Tunnels can't be used to force strong authentication, only to carry it.
Nothing on the market currently prevents a malicious client from being the
source of authentication, and that's the biggest tunnel issue out there--
the "Microsoft source code out the window" stuff.
> anyhow, crypto has its place, but it's not counter to intrusion detection.
> keep that in mind.
Yes, it has its place; however, it can also create security issues. Just
like everything else, it's not a magic bullet.
I don't think anyone is arguing that crypto doesn't have its place; we,
however, are debating where that place is and how that brings security
value.
VPNs are sold as security solutions when in reality they're trust boundary
weakeners- if you understand their limitations, then deploying them isn't
as much of an issue as if you don't understand that key point and go
happily extending trust to every employee and business partner's own
private networks with their own weak and weaker trust boundaries.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."