Interesting People mailing list archives

more on inside cisco's eavesdropping apparatus


From: Dave Farber <dave () farber net>
Date: Wed, 23 Apr 2003 13:49:00 -0700


------ Forwarded Message
From: "Louis A. Mamakos" <louie () TransSys COM>
Date: Wed, 23 Apr 2003 11:07:45 -0400
To: dave () farber net
Subject: Re: [IP] inside cisco's eavesdropping apparatus


As Fred was quoted in the article, this really isn't anything new.  Internet
Service Providers have had to respond to legitimate requests from law
enforcement agencies to intercept communications for years, regardless of
how distasteful they may believe it to be.  What Cisco and other
vendors are doing is reducing the cost of responding to these requests
(demands?) and hopefully doing so in a way where only the specific traffic
subject to the request is intercepted.

Previously, other methods had to be used (e.g., interception at the
TDM transport or layer-2 access fabric).  Worse is trying to sniff
at the firehose that is the trunks between backbone routers, where
many thousands of users' traffic transits at any instant.

What does this mean for users and customers of these ISPs?  Think twice
before buying a network-based VPN or security service from your ISP,
rather than one that you implement and operate yourself.  That is,
a site-to-site VPN service where the crypto (and the keys) are your
responsibility, and not outsourced to someone who will fork them over
without your knowledge.  Security, like transport protocols, ought to
be end-to-end.  Think about it:  why on earth would you trust a
phone company with the security of your data?

What's silly with some of these network-based VPN services is that they
are horribly deficient against some attack scenarios.  "Protecting" your
data on the backbone doesn't really defend you against some types of
attacks, such as tapping the T-1 access link in the basement of your
building, which is trivial to do.  If you're worried about industrial
espionage, worry about this kind of attack.  "But, it's just as secure
as a frame relay VPN!" the carrier might tell you.  But we can do
better today with end-to-end assurances on the privacy and integrity
of your data using things like IPSEC, without handing over the keys
to a third party.

Louis Mamakos



------ End of Forwarded Message
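The arrangement the message recommends, a site-to-site IPsec tunnel whose keys never leave the customer's own gateways, written out as an added configuration example in strongSwan swanctl.conf syntax. This is not from the original message, from Cisco or from any carrier; the addresses (RFC 5737 documentation ranges), subnets, certificate file names and identity strings are placeholders assumed here. Both gateways authenticate each other with certificates issued by the customer's own CA, and each private key stays on the gateway that owns it, so the provider has nothing to hand over. On the access link in the basement, a tap then sees only ESP between the two gateway addresses.

```conf
# Added example (not from the original message): a customer-operated
# site-to-site IPsec tunnel in strongSwan swanctl.conf syntax.
# All addresses, subnets, names and file names below are assumed placeholders.
connections {
    site-a-to-site-b {
        version = 2                       # IKEv2
        local_addrs  = 203.0.113.10       # site A gateway, public side (placeholder)
        remote_addrs = 198.51.100.20      # site B gateway, public side (placeholder)
        proposals = aes256-sha256-x25519  # IKE SA: AES-256, HMAC-SHA-256, X25519 key exchange

        # Mutual certificate authentication: each end holds its own private key
        # and trusts only the customer's CA, so no carrier ever holds a key.
        local {
            auth = pubkey
            certs = siteA-gw.pem          # gateway certificate; private key lives in swanctl/private/
            id = "CN=siteA-gw.example.net"
        }
        remote {
            auth = pubkey
            id = "CN=siteB-gw.example.net"
        }

        children {
            lan-a-to-lan-b {
                local_ts  = 10.1.0.0/16   # site A LAN (placeholder)
                remote_ts = 10.2.0.0/16   # site B LAN (placeholder)
                esp_proposals = aes256gcm16-x25519  # ESP: AES-256-GCM, fresh X25519 exchange on rekey (PFS)
                rekey_time = 1h           # rotate the data keys hourly
                start_action = start      # bring the tunnel up when the config is loaded
                dpd_action = restart      # re-establish if the peer stops answering
            }
        }
        dpd_delay = 30s                   # dead-peer detection probe interval
    }
}
```

The mirror-image file on the site B gateway swaps the local and remote blocks and traffic selectors. After `swanctl --load-all`, `swanctl --list-sas` shows the IKE and CHILD SAs; a capture on the access link should show only ESP packets between 203.0.113.10 and 198.51.100.20, with no 10.1.0.0/16 or 10.2.0.0/16 addresses visible.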


Archives at: http://www.interesting-people.org/archives/interesting-people/