In my original note, I wondered at the beginning whether one can choose
sides. Well, I'll have to admit that my gut feeling is more toward the
encryption side than inspection, and Jose's note here helps give words
to my feelings.
The typical complaint against encrypted communications -- whether IPSec
transport mode or tunnels of various kinds -- is that once a machine is
compromised, then the attacker has a direct invisible route into other
machines. This seems a reactionary stance.
If (as Jose mentions) we force strong machine-to-machine authentication,
then the previous concern is moot: how can an attacker compromise a
machine at all? Am I missing something basic here, or is it that simple?
(No flames, please. :))
___________________________________________________________
Steve Riley
Microsoft Telecommunications Consulting in Denver, Colorado
[EMAIL PROTECTED] +1 303 521-4129 (mobile)
[EMAIL PROTECTED] (MSN Messenger)
www.microsoft.com/ISN/tech_columnists.asp
Applying computer technology is simply finding the right wrench to pound
in the correct screw.
-----Original Message-----
From: Jose Nazario [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 6, 2001 10:30 AM
To: [EMAIL PROTECTED]
Subject: Re: Encryption vs. inspection.
i think i'll wade into this flaming pit ...
i'm a big fan of strong crypto. anyone who knows me knows that. i love
tunnels, i think they have a place. i think that paul's piece in
infosecmag is spot on in some places, and completely misses the boat in
others.
crypto, and tunnels, don't just provide confidentiality, they can be used
to force authentication, *strong* authentication, not only of the server
but also of the client. forcing client authentication you can prevent, in
some instances, a malicious client from shoving data down the pipe you may
not want them to.
secondly, this was brought up here earlier, if all you think about when
you think 'intrusion detection' is a sniffer on the wire, you should sit
back and think more about it. move to agent based intrusion detection,
utilizing some central analysis station.
alternatively, and i haven't seen this done, include the NIDS in the
crypto negotiation via some secure key passing mechanism and (probably
utilizing hardware based accelerators on the NIDS boxes) have it analyze
the traffic as well. just a pipe dream right now.
anyhow, crypto has its place, but it's not counter to intrusion
detection.
keep that in mind.
____________________________
jose nazario
[EMAIL PROTECTED]
PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
PGP key ID 0xFD37F4E5
(pgp.mit.edu)
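Jose's point that a tunnel can force strong authentication of the client, not only of the server, as an added example that is not part of the original thread and is not code from either poster: the Go program below builds a throwaway private CA in memory, starts a TLS server configured with ClientAuth set to RequireAndVerifyClientCert, and runs three clients against it: one holding a certificate issued by that CA, one with no certificate, and one with a self-signed certificate the server has never seen. The server writes its greeting only after the handshake has verified the peer, so only the first client ever gets data; the other two are refused before any application bytes flow, which is the "malicious client can't shove data down the pipe" property. The names (Example Private CA, server, client, rogue), the loopback hostname localhost and the one-hour certificate lifetime are assumptions of this example.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert issues a short-lived ECDSA cert for cn: self-signed when parent is nil, else signed by parent.
func newCert(cn string, isCA bool, parent *tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else { // leaf: usable at either end of the tunnel, valid for the assumed loopback name
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		tmpl.DNSNames = []string{"localhost"}
	}
	signer, signerKey := tmpl, any(key)
	if parent != nil {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

type pki struct { // constructed trust anchor plus each party's certificate and key
	pool                  *x509.CertPool
	server, client, rogue tls.Certificate
}

func buildPKI() *pki {
	ca := newCert("Example Private CA", true, nil)
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	return &pki{pool: pool, server: newCert("server", false, &ca), client: newCert("client", false, &ca),
		rogue: newCert("rogue", false, nil)} // rogue is self-signed, i.e. not issued by our CA
}

// Scenario runs a server that requires a CA-issued client certificate against one client (nil = none).
// The greeting is sent only after the server verified the client; the function reports what each side saw.
func Scenario(p *pki, clientCerts []tls.Certificate) (greeting string, clientErr, serverErr error) {
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{p.server}, ClientCAs: p.pool, MinVersion: tls.VersionTLS12,
		ClientAuth:   tls.RequireAndVerifyClientCert, // the "force client authentication" setting
	}))
	defer ln.Close()
	done := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			defer conn.Close()
			err = conn.(*tls.Conn).Handshake() // fails for missing, self-signed or expired client certs
		}
		if err == nil {
			_, err = fmt.Fprintf(conn, "hello %s\n", conn.(*tls.Conn).ConnectionState().PeerCertificates[0].Subject.CommonName)
		}
		done <- err
	}()
	clientCfg := &tls.Config{RootCAs: p.pool, ServerName: "localhost", MinVersion: tls.VersionTLS12, Certificates: clientCerts}
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		return "", err, <-done
	}
	defer conn.Close()
	// Under TLS 1.3 the client handshake completes before the server has checked the client cert,
	// so a rejection surfaces on the first read rather than in Dial.
	_ = conn.SetDeadline(time.Now().Add(5 * time.Second))
	line, err := bufio.NewReader(conn).ReadString('\n')
	return strings.TrimSpace(line), err, <-done
}

func main() {
	p := buildPKI()
	for name, certs := range map[string][]tls.Certificate{"CA-issued client": {p.client}, "no certificate": nil, "self-signed rogue": {p.rogue}} {
		g, cerr, serr := Scenario(p, certs)
		fmt.Printf("%-18s greeting=%q clientErr=%v serverErr=%v\n", name, g, cerr, serr)
	}
}
```

Two details worth noticing when running it. First, Go's client compares the server's list of acceptable CAs against the issuer of each certificate it holds, so the rogue client may never even offer its self-signed certificate; the server then reports that the client didn't provide one rather than an unknown-authority error, but the outcome is the same: no application data crosses the tunnel. Second, the error the server goroutine returns on a failed handshake is exactly the kind of event a host-based agent, as Jose suggests, can forward to a central analysis station, since the wire itself is opaque to a sniffer once the tunnel is up.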
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]