Firewall Wizards mailing list archives

Re: VPN endpoints


From: "Paul D. Robertson" <paul () compuwar net>
Date: Mon, 30 Aug 2004 18:42:16 -0400 (EDT)

On Tue, 31 Aug 2004, Devdas Bhagat wrote:

> > Note that "default to allowing" is different than "default to using."  One
> > of my few gripes with ICSA Labs SSL VPN criteria was in even allowing a
> > null cipher to be specified.
>
> However, in a large number of cases, the defaults get used. This is
> broken. But that just means that the defaults need to be changed.
> After all, isn't one of the main gripes with Microsoft that they put
> extremely bad defaults on their OS?

Again, "default to using" is very different than "default to allowing."
One says "don't use encryption by default," and the other says "If you
want to negotiate a null cipher, I'll let you."

Also, again, my criteria issue is that I think that needs a big "off by
default, admin must shoot own foot" criteria flag.

> > > However, this definition of security involves terms like cost, the
> > > calculation of which is not very well understood by the general
> > > population.
> >
> > Nor the general security practitioner ;)
>
> Hopefully, the general practitioner knows this and can pass
> responsibility on to someone with better data with which to make
> judgement calls (aka the finance department).
>
> The security practitioner can say:
> "You have possible holes at point a, b and c. The risk of one of
> these points getting hit is x, y and z respectively. An intrusion would
> lead to compromise of data on networks l, m and n respectively."
>
> The first and third statements are easy to judge; the risk analysis is
> not so easy without access to a lot of data.

Which is why I don't think most practitioners have it. [skillfully avoids
marketing-alike conversation on recent projects.]

> And the fault of the technology is? If you try to fit a square peg into
> a round hole, and it doesn't fit, don't blame the peg.

The technology could take care of these issues, or we can blame it on the
marketing weenies.  I know which I'd bet on getting fixed first.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
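The "default to allowing" versus "default to using" distinction argued above, as an added example that is not part of the thread (and not the ICSA Labs criteria text, which the post does not reproduce): a small audit using Python's standard ssl module that reports whether a cipher policy merely permits a null cipher or would actually pick one first. The sample policies and suite names are constructed for illustration.

```python
"""Audit an OpenSSL-style TLS cipher policy for the null-cipher gap discussed above.

Added example, not code from the thread or the ICSA Labs criteria. It separates
"default to using" (a null suite is preferred) from "default to allowing" (a null
suite is merely negotiable). Cipher dicts follow ssl.SSLContext.get_ciphers() shape.
"""
import ssl


def is_null_cipher(cipher):
    """True when a cipher entry provides no encryption (an OpenSSL eNULL suite)."""
    # OpenSSL reports eNULL suites with zero bits of symmetric strength; the name
    # check (NULL-SHA256, ECDHE-RSA-NULL-SHA, ...) is a fallback for hand-built lists.
    return cipher.get("strength_bits", 0) == 0 or "NULL" in cipher["name"].split("-")


def audit_cipher_list(ciphers):
    """Audit an ordered cipher list (most preferred first) and report the gap."""
    nulls = [c["name"] for c in ciphers if is_null_cipher(c)]
    return {
        "null_default": bool(ciphers) and is_null_cipher(ciphers[0]),  # default to using
        "null_allowed": bool(nulls),                                  # default to allowing
        "null_suites": nulls,
    }


def audit_cipher_string(cipher_string):
    """Audit what an OpenSSL cipher string such as 'DEFAULT:eNULL' would configure."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # get_ciphers() is the configured list in preference order. TLS 1.3 suites are
    # fixed and never null, so only the TLS <= 1.2 entries carry the policy. This is
    # what the admin allowed, not what the library's security level lets a handshake pick.
    tls12 = [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]
    return audit_cipher_list(tls12)


# Constructed sample policies (not captured from any product) in get_ciphers() shape.
AES = {"name": "ECDHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2", "strength_bits": 128}
NULL = {"name": "NULL-SHA256", "protocol": "TLSv1.2", "strength_bits": 0}
POLICY_USING = [NULL, AES]     # null suite preferred: "default to using"
POLICY_ALLOWING = [AES, NULL]  # null suite negotiable but not preferred: "default to allowing"
POLICY_OFF = [AES]             # what the "off by default" criteria flag should require

if __name__ == "__main__":
    for spec in ("DEFAULT", "DEFAULT:eNULL", "eNULL:DEFAULT"):
        try:
            print(spec, audit_cipher_string(spec))
        except ssl.SSLError as exc:  # this OpenSSL build has no null suites compiled in
            print(spec, "rejected by this OpenSSL build:", exc)
```

Running it prints the three reports side by side: the stock DEFAULT string never lists a null suite, "DEFAULT:eNULL" is the "allowing" case, and "eNULL:DEFAULT" is the "using" case the post objects to.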
