Firewall Wizards mailing list archives

Re: General security question


From: Carson Gaspar <carson () taltos org>
Date: Sat, 11 Nov 2000 18:32:05 -0800



--On Saturday, November 11, 2000 12:31 PM -0500 "Marcus J. Ranum" <mjr () nfr com> wrote:

> By the way, as a general rule, a VPN is useless if you don't know
> anything about the security at the other end. Indeed, the whole notion
> of doing a secure transaction/data transfer to a site where you don't
> know anything about the security is kind of dubious.

A _minor_ disagreement. A VPN provides privacy up to the partner's demarc. At that point liability for any breach of privacy is the partner's (either on their net, or because they exposed the keying material). Unauthorized access is also the fault of the partner. This may be sufficient for some applications. It certainly was for certain financial apps at a past employer, as the VPN was to protect the customer's data, not ours. So bad security on their part could only hurt them, and we had cover on the PR and legal fronts. By so doing, we _enabled_ secure transactions, but did not _guarantee_ them.

Of course, in such cases you should never re-use keying material between VPNs, and should create your authentication and authorization limits knowing that the remote end may be compromised.

--
Carson Gaspar -- carson () taltos org
Queen Trapped in a Butch Body
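The two rules at the end of the reply above (separate keying material per partner VPN, and authorization limits written on the assumption that the remote end is compromised) can be checked mechanically. The following is an added example, not code from the original post or from any product mentioned in the thread; the peer definitions, key strings and address ranges are constructed for illustration, and the "bounded destination set" threshold is an assumption.

```python
"""Policy check for partner (site-to-site) VPN definitions.

Two defender-side rules from the thread are enforced:
  1. no pre-shared key is reused across partner tunnels, so a key leaked
     by one partner cannot be used to impersonate another;
  2. each tunnel is authorized only to reach a small, explicit set of
     internal destinations, so a compromised partner network gains no
     more than that set.
All peer data here is constructed sample input.
"""
from dataclasses import dataclass
import hashlib
import ipaddress

# Assumption: a partner tunnel that may reach more than this many internal
# addresses, or any port, is treated as "not limited" for this check.
MAX_REACHABLE_ADDRESSES = 256


@dataclass
class VpnPeer:
    name: str
    psk: str                 # pre-shared key (constructed sample values)
    remote_net: str          # partner's address range behind the tunnel
    allowed: list            # list of (dst_cidr, proto, port) authorizations


def key_fingerprint(psk: str) -> str:
    """Short hash of the key so reports never print the key itself."""
    return hashlib.sha256(psk.encode()).hexdigest()[:16]


def find_shared_keys(peers):
    """Return {fingerprint: [peer names]} for every key used by >1 peer."""
    users = {}
    for p in peers:
        users.setdefault(key_fingerprint(p.psk), []).append(p.name)
    return {fp: names for fp, names in users.items() if len(names) > 1}


def overly_broad_rules(peers):
    """Flag authorizations that give a partner an unbounded reach."""
    findings = []
    for p in peers:
        for dst, proto, port in p.allowed:
            net = ipaddress.ip_network(dst, strict=False)
            if net.num_addresses > MAX_REACHABLE_ADDRESSES or port == "any":
                findings.append((p.name, dst, proto, port))
    return findings


def is_authorized(peer: VpnPeer, src_ip: str, dst_ip: str, proto: str, port):
    """Enforcement view: would traffic arriving over this tunnel be allowed?

    Traffic must come from the partner's declared range (anti-spoofing) and
    match an explicit authorization; everything else is denied by default.
    """
    src = ipaddress.ip_address(src_ip)
    if src not in ipaddress.ip_network(peer.remote_net, strict=False):
        return False
    dst = ipaddress.ip_address(dst_ip)
    for dst_cidr, a_proto, a_port in peer.allowed:
        if dst in ipaddress.ip_network(dst_cidr, strict=False) \
                and a_proto in (proto, "any") and a_port in (port, "any"):
            return True
    return False


def check_policy(peers):
    return {"shared_keys": find_shared_keys(peers),
            "broad_rules": overly_broad_rules(peers)}


# Constructed sample: partner-b reuses partner-a's key and is allowed to
# reach an entire /16 on any port; partner-c is configured as intended.
PEERS = [
    VpnPeer("partner-a", "EXAMPLE-PSK-ONE", "192.0.2.0/24",
            [("10.1.5.10/32", "tcp", 443)]),
    VpnPeer("partner-b", "EXAMPLE-PSK-ONE", "198.51.100.0/24",
            [("10.1.0.0/16", "any", "any")]),
    VpnPeer("partner-c", "EXAMPLE-PSK-TWO", "203.0.113.0/24",
            [("10.1.5.11/32", "tcp", 22)]),
]

if __name__ == "__main__":
    report = check_policy(PEERS)
    for fp, names in report["shared_keys"].items():
        print(f"key {fp} shared by: {', '.join(names)}")
    for name, dst, proto, port in report["broad_rules"]:
        print(f"{name}: authorization {dst} {proto}/{port} is not limited")
```

The check deliberately reports key fingerprints rather than keys, and `is_authorized` denies anything not explicitly listed, which is the "remote end may be compromised" posture: a partner who loses control of their network can still only reach what the authorization table names.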


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards