Firewall Wizards mailing list archives
Re: General security question
From: George Capehart <capegeo () opengroup org>
Date: Sun, 12 Nov 2000 16:29:58 -0500
Interesting topic. Not as simple as it seems. FWIW, $0.02 more into the kitty:

A solution that I've seen employed a couple of times in the past that seemed to provide a reasonable amount of risk management is a variation on a couple of the other suggestions. If it is acceptable to do asynchronous, bulk data transfers, some kind of batch transfer mechanism is a Good Thing (tm). However, if the security of the sending or receiving end is questionable, doing a two-stage transfer via a protected drop box can help mitigate some of the risk.

The drop box sits outside the DMZs of both the sender and receiver. It may be in its own mini-bubble that provides as much protection as is reasonable and is reasonably hardened. The firewalls and the machine are set up such that they only accept input from the sender and only allow the receiver to pull data. All other requests from all other sources are discarded.

The data themselves are encrypted *and* *signed* before being sent out to the drop box. When the receiver pulls the data in, the signature is verified and then the data decrypted. The transfer mechanisms between the sender and the drop box and the receiver and the drop box can be chosen to provide the desired amount of protection during the transmission. If the bubble is set up reasonably well and the data are encrypted with keys that are large enough to protect the data for its useful lifetime, ftp is frequently as good a transport mechanism as any. Since the data are signed by the sender, the receiver can have reasonable confidence that it knows who originated the data and can also tell whether the data have been tampered with or not. Usually, one or the other party's ISP can be persuaded to operate the drop box . . .

The advantage of using the drop box is that it is a destination over which the sender has some control and confidence in the security of. The sender will only put data to it, so it never has to worry about the security of inbound connections. The receiver is only allowed to pull data from it, so theoretically, the sender is the only source of data for it. If the sender encrypts and signs the data it puts there, the receiver can verify the integrity and confidentiality of the data as well as the identity of the source. If the signature can't be verified or the payload cannot be decrypted, the data can be discarded and a retransmission requested.

Anyway, FWIW . . .

"Jensen, Greg" wrote:
Don't exclude PGP E-business Server. This allows you to utilize the encryption strength of PGP with FTP. You can schedule batch transactions that will automatically encrypt to individual's private keys, or based on SDA (Self Decrypting Archives) using shared secrets. This is one of the hottest encryption products on the market for encrypting and securely transmitting data from point A to point B. Unlike SSL or VPN, sure, the data is encrypted en route, but PGP will also keep the data encrypted AFTER it has arrived at its destination and will only be decrypted when the recipient wants it to be decrypted. www.pgp.com

-----Original Message-----
From: Marcus J. Ranum
To: TDyson () sybex com; firewall-wizards () nfr com
Sent: 11/11/00 9:29 AM
Subject: Re: [fw-wiz] General security question

TDyson () sybex com wrote:
We are debating communication protocols: sockets connection or ftp.

I'd strongly recommend you look at using SSH and SCP (Secure Copy). It doesn't have FTP's horrible security properties and it provides link level encryption and public keys as an option. There are free versions available for download, so it's hard to beat the price. See www.openssh.org for details.

mjr.
---
Marcus J. Ranum
Chief Technology Officer, NFR Security, Inc.
Work: http://www.nfr.com
Play: http://pubweb.nfr.net/~mjr

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
--
George W. Capehart
phone: +1 (704) 277-4561
fax: +1 (704) 853-2624
"I'd rather have a bottle in front of me than a frontal lobotomy." Anonymous
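The drop-box flow George describes (sender may only put, receiver may only get, everything else is discarded; data are encrypted *and* signed before they go out, and the receiver verifies the signature before decrypting, discarding anything that fails), written out as an added example. This is not code from the thread or from any product mentioned in it. It assumes constructed host names and keys, and it stands in a shared HMAC key for the sender's PGP signature and a hash-derived keystream for the cipher purely so it runs with the Python standard library; a real deployment would use the PGP or SSH tooling the thread discusses.

```python
import hashlib
import hmac
import os

# Constructed keys and addresses for the demo. In the deployment described in the
# thread the sender signs with its own PGP key and encrypts to the receiver's key;
# here a shared HMAC key stands in for the signature and a hash-counter keystream
# stands in for the cipher. Neither stand-in is a production design.
SENDER_SIGNING_KEY = b"constructed-sender-signing-key"
RECEIVER_DATA_KEY = b"constructed-receiver-data-key"
SENDER_HOST = "sender.example"
RECEIVER_HOST = "receiver.example"
NONCE_LEN = 16
SIG_LEN = 32  # HMAC-SHA256 output


def _keystream(key, nonce, length):
    """Hash-counter keystream; illustration only, not a vetted cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt(key, plaintext):
    nonce = os.urandom(NONCE_LEN)
    return nonce + _xor(plaintext, _keystream(key, nonce, len(plaintext)))


def decrypt(key, blob):
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return _xor(ct, _keystream(key, nonce, len(ct)))


def sign(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def sender_package(plaintext):
    """Encrypt *and* sign. The signature covers the ciphertext, so the receiver
    can check origin and integrity before doing any decryption at all."""
    ct = encrypt(RECEIVER_DATA_KEY, plaintext)
    return ct + sign(SENDER_SIGNING_KEY, ct)


def receiver_unpack(package):
    """Verify first, then decrypt. None means: discard and request retransmission."""
    if len(package) < NONCE_LEN + SIG_LEN:
        return None
    ct, sig = package[:-SIG_LEN], package[-SIG_LEN:]
    if not hmac.compare_digest(sig, sign(SENDER_SIGNING_KEY, ct)):
        return None
    return decrypt(RECEIVER_DATA_KEY, ct)


class DropBox:
    """The protected drop box: puts only from the sender, gets only from the
    receiver; every other request is discarded and recorded."""

    def __init__(self, sender_host, receiver_host):
        self.sender_host = sender_host
        self.receiver_host = receiver_host
        self.files = {}
        self.rejected = []

    def put(self, src_host, name, package):
        if src_host != self.sender_host:
            self.rejected.append(("put", src_host, name))
            return False
        self.files[name] = package
        return True

    def get(self, src_host, name):
        if src_host != self.receiver_host:
            self.rejected.append(("get", src_host, name))
            return None
        return self.files.get(name)


def run_transfer(payload, tamper=False, intruder_host="other.example"):
    """One round trip through the drop box; returns what each party observed.
    With tamper=True one ciphertext byte is flipped on the receiver's leg, which
    must make the signature check fail before decryption is attempted."""
    box = DropBox(SENDER_HOST, RECEIVER_HOST)
    package = sender_package(payload)
    put_ok = box.put(SENDER_HOST, "batch-0001", package)
    intruder_put = box.put(intruder_host, "batch-0002", b"junk")
    intruder_get = box.get(intruder_host, "batch-0001")
    stored = box.get(RECEIVER_HOST, "batch-0001")
    if tamper:
        stored = stored[:NONCE_LEN] + bytes([stored[NONCE_LEN] ^ 0x01]) + stored[NONCE_LEN + 1:]
    return {
        "put_ok": put_ok,
        "intruder_put": intruder_put,
        "intruder_get": intruder_get,
        "received": receiver_unpack(stored),
        "rejected_requests": len(box.rejected),
    }


if __name__ == "__main__":
    print(run_transfer(b"invoice batch 2000-11-12"))
    print(run_transfer(b"invoice batch 2000-11-12", tamper=True))
```

The point the thread makes survives the stand-ins: because the signature is computed over the ciphertext, a receiver that verifies before decrypting never has to act on data it cannot attribute to the sender, and the drop box's only job is to enforce who may put and who may get.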
Current thread:
- Re: General security question, (continued)
- Re: General security question Marcus J. Ranum (Nov 12)
- Re: General security question Carson Gaspar (Nov 13)
- Re: General security question Marcus J. Ranum (Nov 13)
- Re: General security question Carson Gaspar (Nov 13)
- Re: General security question Marcus J. Ranum (Nov 12)
- Re: General security question Jonas Eriksson (Nov 13)
- Re: General security question Todd Joseph (Nov 13)
- Re: General security question Frederick M Avolio (Nov 13)
- Re: General security question Stephen P. Berry (Nov 13)
- RE: General security question Loomis, Rip (Nov 13)
- RE: General security question Jensen, Greg (Nov 13)
- Re: General security question George Capehart (Nov 13)
- Re: General security question daN. (Nov 15)
- Re: General security question Magosányi Árpád (Nov 15)
- Re: General security question daN. (Nov 15)
- Re: General security question George Capehart (Nov 13)
- Re: General security question Marcus J. Ranum (Nov 12)
- Re: General security question istong (Nov 13)
- Re: General security question H. Morrow Long (Nov 14)