Firewall Wizards mailing list archives
RE: VPN endpoints
From: MHawkins () TULLIB COM
Date: Mon, 30 Aug 2004 14:20:50 -0400
"I don't know of any insurance company that has formulae to estimate such risks."

Actually, most large insurance underwriters have various techniques for measuring risk. Some risk is measured by statistical methods, e.g.: out of X number of homes, Y will burn down in N time duration at a total payout of D dollars. Other risks are more difficult to measure and are therefore assessed using arbitrary rating methods. The events that are more difficult to measure are almost always those that are exceedingly rare. For example, thousands of skydivers make hundreds of thousands of jumps every year and yet only 20 or fewer people die skydiving (thus, on life insurance policies they don't ask you how many times you intend to jump each year but rather, yes or no, do you jump?).

Applying the same techniques to information security risk measurement has, in my experience, led to some very interesting results. For example, I contend that 90% of the money spent on information security is wasted on comparatively low-risk areas. I came to this conclusion by, for example, applying the possible "cost" of having an average company website hacked vs. the "cost" of having a disgruntled employee steal valuable information or damage business systems. The likelihood of the former is far lower than the latter, and the "cost" of the former is -usually- less than the cost of the latter, and yet so much money is spent on IDS, -super- firewalls, etc. etc. But the most costly and most likely event is a disgruntled employee damaging systems or stealing valuable information. Go figure.

Mike Hawkins

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Devdas Bhagat
Sent: Monday, August 30, 2004 12:34 PM
To: firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] VPN endpoints

On 30/08/04 14:48 +0100, Kevin Sheldrake wrote:
> Hmm, I thought OSI was Open System Interconnection, as in the 7 Layer OSI Model.
>
> VPNs are not secure by default for two differently abstracted reasons:
>
> 1) Some VPN products default to allowing the Null encryption algorithm.

That is seriously broken. Have a list you can share?

> So, unless you like no encryption, VPNs are not secure (although some specific examples may be 'secure' (see 2)). Also, bear in mind the implementation of the VPN encryption algorithms might not be textbook - how will you know?
>
> 2) 'Secure' is an undefined term. What's secure for me might not be

"Secure" is a very well defined term. A system is secure when the cost of an unauthorised entity accessing the data on the system or the loss of the data itself is higher than the value of the data itself. However, this definition of security involves terms like cost, the calculation of which is not very well understood by the general population.

> secure for you - it all depends upon the sensitivity of the information and the impact on the business in cases of compromise, whether that be confidentiality, integrity or availability.

The cost of compromise is a function of the risk that the data may be compromised. The hard part of doing any type of security work is in calculating this risk. I don't know of any insurance company that has formulae to estimate such risks.

> SSL VPNs are IMHO generally a bad idea. In a nutshell, this is because most of the benefits are in the fact that practically any client can be used, and that the authentication mechanisms are not particularly intrusive (and often are fault-tolerant). By allowing uncontrolled clients you introduce potentially major risks; controlling the clients

<not_a_troll> Is a Microsoft Windows (tm) system that has been connected to a non-trusted network a controlled client? </not_a_troll>

Replace MS Windows by any other OS of choice, as needed. The only reason I use that example is because it is the most common one around.

> would point back towards a traditional IPSec solution. The authentication mechanisms may be compromised by a little technology and average user ignorance (fake certificates, for instance); restricting the authentication mechanisms would again point back towards traditional IPSec solutions.

The problem as I see it is not the technology itself; it is the fact that the technology puts a great deal of responsibility for policy enforcement on the end user, who is non-technical.

> > Quote: Actually, I coined OSI ;-) as an implementation of distinct security techniques and several processes particularly in protecting the inter-network. Meaning adept in the disposal of security components such as encryption, PKI, openPGP, software/hardware firewall, antivirus software that will make sure it will guarantee the protection of your data wherever it goes. ;-)
>
> "adept in the disposal of security components"? "make sure"? "guarantee"?
>
> Wow, it sounds like there's no need for risk assessments or systems analysis anymore; I better retrain as a plumber.

Actually a good idea if you are in a place where jobs are being outsourced; plumbers are apparently rarer than unemployed IT personnel and earn about the same. g,d&r

Devdas Bhagat

PS: For the humour impaired, that last is a joke.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
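As an added example (not part of the thread), a small Python audit that parses strongSwan-style ipsec.conf connection blocks and flags any ESP proposal whose encryption algorithm is the null cipher, the permissive default Kevin warns about above. The sample configuration is constructed for illustration, and the `esp=enc-integ[-dh][,...]` proposal syntax is assumed, not taken from the thread.

```python
import re
from typing import Dict, List

# Constructed sample: two strongSwan-style (ipsec.conf) connections.
# The proposal syntax esp=enc-integ[-dh][,...] is assumed here.
SAMPLE_IPSEC_CONF = """
conn branch-office
    esp=aes256-sha256-modp2048!
    ike=aes256-sha256-modp2048!

conn legacy-partner
    # Also accepts the null cipher: "encrypted" traffic is really plaintext.
    esp=aes128-sha1,null-sha1
    ike=aes128-sha1-modp1024
"""

# Transform names that provide no confidentiality at all.
NULL_CIPHERS = {"null"}


def parse_conns(text: str) -> Dict[str, Dict[str, str]]:
    """Return {conn_name: {key: value}} for each 'conn' block, ignoring comments."""
    conns: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = m.group(1)
            conns[current] = {}
        elif current and "=" in line:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns


def null_proposals(conns: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Map conn name -> ESP proposals whose encryption algorithm is null."""
    findings: Dict[str, List[str]] = {}
    for name, opts in conns.items():
        # Strip a trailing '!' (strict mode) and split the comma-separated list.
        proposals = opts.get("esp", "").rstrip("!").split(",")
        bad = [p for p in proposals if p.split("-", 1)[0].lower() in NULL_CIPHERS]
        if bad:
            findings[name] = bad
    return findings


if __name__ == "__main__":
    for conn, props in null_proposals(parse_conns(SAMPLE_IPSEC_CONF)).items():
        print(f"{conn}: null-encryption ESP proposal(s) {props}")
```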