Firewall Wizards mailing list archives

Re: General security question


From: George Capehart <capegeo () opengroup org>
Date: Sun, 12 Nov 2000 16:29:58 -0500

Interesting topic.  Not as simple as it seems.  FWIW, $0.02 more into
the kitty:

A solution that I've seen employed a couple of times in the past that
seemed to provide a reasonable amount of risk management is a variation
on a couple of the other suggestions.  If it is acceptable to do
asynchronous, bulk data transfers, some kind of batch transfer mechanism
is a Good Thing (tm).  However, if the security of the sending or
receiving end is questionable, doing a two-stage transfer via a
protected drop box can help mitigate some of the risk.  The drop box
sits outside the DMZs of both the sender and receiver.  It may be in its
own mini-bubble that provides as much protection as is reasonable and is
reasonably hardened.  The firewalls and the machine are set up such that
they only accept input from the sender and only allow the receiver to
pull data.  All other requests from all other sources are discarded. 
The data themselves are encrypted *and* *signed* before being sent out
to the drop box.  When the receiver pulls the data in, the signature is
verified and then the data decrypted.  The transfer mechanisms between
the sender and the drop box and the receiver and the drop box can be
chosen to provide the desired amount of protection during the
transmission.  If the bubble is set up reasonably well and the data are
encrypted with keys that are large enough to protect the data for its
useful lifetime, ftp is frequently as good a transport mechanism as
any.  Since the data are signed by the sender, the receiver can have
reasonable confidence that it knows who originated the data and can also
tell whether the data have been tampered with or not.  Usually, one or
the other party's ISP can be persuaded to operate the drop box . . .

The advantage of using the drop box is that it is a destination over
which the sender has some control and in whose security it has some
confidence.
The sender will only put data to it, so it never has to worry about the
security of inbound connections.  The receiver is only allowed to pull
data from it, so theoretically, the sender is the only source of data
for it.  If the sender encrypts and signs the data it puts there, the
receiver can verify the integrity and confidentiality of the data as
well as the identity of the source.  If the signature can't be verified
or the payload cannot be decrypted, the data can be discarded and a
retransmission requested.

Anyway, FWIW . . .

"Jensen, Greg" wrote:

Don't exclude PGP E-business Server. This allows you to utilize the
encryption strength of PGP with FTP.  You can schedule batch transactions
that will automatically encrypt to individual's private keys, or based on SDA
(Self Decrypting Archives) using shared secrets.

This is one of the hottest encryption products on the market for encrypting
and securely transmitting data from point A to point B.  Unlike SSL or VPN,
sure, the data is encrypted en route, but PGP will also keep the data
encrypted AFTER it has arrived at its destination and will only be
decrypted when the recipient wants it to be decrypted.

www.pgp.com

-----Original Message-----
From: Marcus J. Ranum
To: TDyson () sybex com; firewall-wizards () nfr com
Sent: 11/11/00 9:29 AM
Subject: Re: [fw-wiz] General security question

TDyson () sybex com wrote:
We are debating communication protocols: sockets connection or ftp.

I'd strongly recommend you look at using SSH and SCP (Secure Copy)
It doesn't have FTP's horrible security properties and it provides link
level encryption and public keys as an option. There are free versions
available for download, so it's hard to beat the price. See
www.openssh.org
for details.

mjr.

---
Marcus J. Ranum     Chief Technology Officer, NFR Security, Inc.
Work: http://www.nfr.com
Play: http://pubweb.nfr.net/~mjr

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards

--
George W. Capehart                            phone:  +1 (704) 277-4561
                                              fax:    +1 (704) 853-2624

"I'd rather have a bottle in front of me than a frontal lobotomy."
Anonymous

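The two-stage drop-box exchange Capehart describes, as an added worked example that is not part of the original thread or any product mentioned in it. It is written in Go against the standard library only: the drop box is an in-memory map standing in for the hardened host (the ftp/scp transport is not modelled), its access policy is "only the sender may put, only the receiver may pull, everything else is discarded", the payload is encrypted with AES-256-GCM under a data key assumed to be shared out of band, and the signature is Ed25519 over the ciphertext so that the receiver verifies first and decrypts second, in the order the post gives. The principal names, file name, key sizes and sample batch are all assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Principal names are assumptions; on a real drop box they are firewall rules and accounts.
const Sender, Receiver = "sender", "receiver"

var ErrNotAllowed = errors.New("drop box: request discarded")
var ErrBadSig = errors.New("receiver: signature verification failed")

// DropBox models the bubble: only the sender may put, only the receiver may pull.
type DropBox map[string][]byte

func (d DropBox) Put(who, name string, blob []byte) error {
	if who != Sender {
		return ErrNotAllowed
	}
	d[name] = append([]byte(nil), blob...)
	return nil
}

func (d DropBox) Pull(who, name string) ([]byte, error) {
	if who != Receiver || d[name] == nil {
		return nil, ErrNotAllowed
	}
	return d[name], nil
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// NewDataCipher wraps the pre-shared AES-256 data key as AES-GCM.
func NewDataCipher(dataKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Package (sender): encrypt, then sign nonce||ciphertext with the sender's Ed25519
// key so the receiver can verify before decrypting. Layout: sig(64)||nonce||ct+tag.
func Package(aead cipher.AEAD, signKey ed25519.PrivateKey, plaintext []byte) []byte {
	nonce := randomBytes(aead.NonceSize())
	body := aead.Seal(nonce, nonce, plaintext, nil) // nonce doubles as the prefix
	return append(ed25519.Sign(signKey, body), body...)
}

// Unpackage (receiver): verify first, decrypt second; any failure rejects the blob.
func Unpackage(aead cipher.AEAD, verifyKey ed25519.PublicKey, blob []byte) ([]byte, error) {
	n := ed25519.SignatureSize
	if len(blob) < n || !ed25519.Verify(verifyKey, blob[n:], blob[:n]) {
		return nil, ErrBadSig
	}
	body := blob[n:]
	if len(body) < aead.NonceSize() {
		return nil, errors.New("receiver: truncated payload")
	}
	return aead.Open(nil, body[:aead.NonceSize()], body[aead.NonceSize():], nil)
}

// RunTransfer runs one two-stage exchange and returns what the receiver recovered.
// With tamper set, a byte is flipped while the blob sits in the drop box.
func RunTransfer(tamper bool) ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // sender's signing pair
	aead, cerr := NewDataCipher(randomBytes(32))       // data key shared out of band
	if err != nil || cerr != nil {
		return nil, fmt.Errorf("setup failed: %v %v", err, cerr)
	}
	blob := Package(aead, priv, []byte("constructed sample batch: 42 records"))
	box := DropBox{}
	if err := box.Put(Sender, "batch-0001.bin", blob); err != nil {
		return nil, err
	}
	got, err := box.Pull(Receiver, "batch-0001.bin")
	if err != nil {
		return nil, err
	}
	if tamper {
		got[len(got)-1] ^= 0x01
	}
	return Unpackage(aead, pub, got)
}

func main() {
	out, err := RunTransfer(false)
	_, tampered := RunTransfer(true)
	fmt.Printf("clean: %q (%v); tampered: %v\n", out, err, tampered)
}
```

Two design points worth noting. The signature is computed over the ciphertext rather than the plaintext precisely so that a corrupted or forged blob is thrown away before the receiver ever runs the decryption on it, which is the "verify, then decrypt" order in the post; a tampered blob therefore fails with ErrBadSig and the receiver can request a retransmission without having processed any attacker-controlled plaintext. The data key and the sender's public verification key have to reach the receiver by some channel other than the drop box itself, since the whole point is that nothing on that host is trusted.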