Firewall Wizards mailing list archives

Re: Q on external router


From: "Paul D. Robertson" <proberts () clark net>
Date: Fri, 24 Apr 1998 01:16:48 -0400 (EDT)

On Thu, 23 Apr 1998 tqbf () secnet com wrote:

> > > Do not rely on switches because switches are not designed for
> > > security.
> >
> > Based on that logic, there's just about nothing you CAN
> > rely on, except death, taxes, and sendmail bugs.
>
> I don't think that's very fair. It seems obvious to me that some systems
> have more attention paid to them for security (VMailer, for instance) than
> others (like Sendmail). My confidence in VMailer is much greater than my
> confidence in Sendmail, to the point where I'd be willing to consider
> deploying VMailer in circumstances where Sendmail's lack of reliability is
> prohibitive.

Erm, or qmail it would seem ;)

> Same goes for switches and link-layer security.

I think the comparison is a very good one.  In the case of Sendmail, and
most network equipment, security is an "add-on" which wasn't central to
the original engineering plan.  That means that there may be design
problems which limit the amount of security you can really get from the
system in question, or things that may have been overlooked while
backfilling security.

Things like VMailer, which have security as a design point, make a very
good case for themselves if the implementation is right.  I have an
obviously high degree of trust in Wietse's ability to do a correct
implementation.  I use the same type of evaluation criteria for all the
products that I have to extend a high degree of trust to: switch vendors,
OS vendors or providers, firewall products, etc.  While I can do a fair
amount of verification of some things, I can't check everything.

Knowing where you're extending your trust boundaries, and to whom, is
always important.  Track record has always been an important metric, and
you have to extend trust somewhere, so that combined with due diligence
is the most that a lot of us can hope for.

Switch DoS attacks due to spanning-tree implementations and designs which 
don't take into account the possibility of an attack are out there.  While 
you can gain some measure of protection from some attacks with switches, you 
open yourself up to others.  

Not realizing that key pieces of infrastructure weren't necessarily
designed correctly could be a fairly costly mistake.  It doesn't take an
attack either, just ask AT&T (though they have _far_ more to lose from voice
over frame, so that may have been a strategically profitable outage).

Paul  
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net      which may have no basis whatsoever in fact."
                                                                     PSB#9280