Re: General security question

["daN." <dan () nesmail com>]

At 04:29 PM 11/12/00 -0500, George Capehart wrote:
<snip>
> The advantage of using the drop box is that it is a destination over
> which the sender has some control and confidence in the security of.
> The sender will only put data to it, so it never has to worry about the
> security of inbound connections.  The receiver is only allowed to pull
> data from it, so theoretically, the sender is the only source of data
> for it.  If the sender encrypts and signs the data it puts there, the
> receiver can verify the integrity and confidentiality of the data as
> well as the identity of the source.  If the signature can't be verified
> or the payload cannot be decrypted, the data can be discarded and a
> retransmission requested.
<snip>

The only issue I have with drop boxes is now you have 3 components instead 
of 2, the more components you add to your security system, the more 
difficult it is to ensure that all components are equally secure.  the 
weakest link in the chain thing...In some very specially cases where alot 
of dollars are involved a drop box is ideal because you are almost 
completely isolating the two networks from each other, however if the 
receiver finds scp an acceptable security risk into their network. You as 
the sender are not making your system much more vulnerable by sending to a 
host inside their network, then by sending to a host in your own DMZ. Both 
other networks could potentially be rooted and/or malicious but the 
solution is much simpler and therefore less likely to break if not 
constantly monitored.  Its really a risk management decision, and like 
House Insurance should be based on how much value you are trying to 
protect, and how much would it cost you to loose it.


daN.


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards