Firewall Wizards mailing list archives
Re: General security question
From: "daN." <dan () nesmail com>
Date: Tue, 14 Nov 2000 08:00:02 -0800
You are also introducing another point of failure into the equation and spending more money in the process. I'm not saying drop boxes are a bad thing; in fact, configured correctly, I agree with you 100% that a drop box could afford better protection. However, I am saying that there are a lot of places they are not necessary, and what I was trying to point out was the importance of really looking at your network and what you are protecting, placing a value on it, and using that as a basis for deciding your means of defence. Your costs of protecting your network should not outweigh the benefit it provides.

The nice thing about drop boxen is that they are not part of the security infrastructure. Even if the drop box has world access, only the availability of the data can be an issue (and the volume of exchanged data also disclosed but this covert channel can be easily minimised if necessary). The security element is the crypto, which is done inside the end systems.
daN.
The complication comes from the fact that the communication should be done according to the drop box requirement, and in real life synchronisation issues come into the picture. But if the design of the communication is made after the decision of the drop box approach (and no extra boundary conditions are involved), it might even be easier than another solution. And you shall not be concerned with primary integrity problems (e.g. someone cracking your system by attacking the transport endpoint actively, because it is a low-risk system), but only secondary ones (e.g. someone cracking your transfer client using malicious server replacement [the latest openssh bug comes to mind, but having ssh agent or X display for an automated data transfer is at least a misconfiguration], or inserting data which becomes active while processing it [and third party can insert data which activates only until the decrypting is done]).

--
GNU GPL: only from a pure source
_______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://www.nfr.com/mailman/listinfo/firewall-wizards