Firewall Wizards mailing list archives
Re: VPN endpoints
From: "Paul D. Robertson" <paul () compuwar net>
Date: Mon, 30 Aug 2004 18:42:16 -0400 (EDT)
On Tue, 31 Aug 2004, Devdas Bhagat wrote:
> > Note that "default to allowing" is different than "default to using." One of my few gripes with ICSA Labs SSL VPN criteria was in even allowing a null cipher to be specified.
>
> However, in a large number of cases, the defaults get used. This is broken. But that just means that the defaults need to be changed. After all, isn't one of the main gripes with Microsoft that they put extremely bad defaults on their OS?
Again, "default to using" is very different than "default to allowing." One says "don't use encryption by default," and the other says "If you want to negotiate a null cipher, I'll let you." Also, again, my criteria issue is that I think that needs a big "off by default, admin must shoot own foot" criteria flag.
> > > However, this definition of security involves terms like cost, the calculation of which is not very well understood by the general population.
> >
> > Nor the general security practitioner ;)
>
> Hopefully, the general practitioner knows this and can pass responsibility on to someone with better data with which to make judgement calls (aka the finance department). The security practitioner can say: "You have possible holes at point a, b and c. The risk of one of these points getting hit is x, y and z respectively. An intrusion would lead to compromise of data on networks l, m and n respectively." The first and third statements are easy to judge, the risk analysis is not so easy without access to a lot of data.
Which is why I don't think most practitioners have it. [skillfully avoids marketing-alike conversation on recent projects.]
> And the fault of the technology is? If you try to fit a square peg into a round hole, and it doesn't fit, don't blame the peg.
The technology could take care of these issues, or we can blame it on the marketing weenies. I know which I'd bet on getting fixed first.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net    which may have no basis whatsoever in fact."
probertson () trusecure com
Director of Risk Assessment
TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
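The "default to allowing" versus "default to using" distinction above can be checked mechanically on a TLS endpoint's cipher configuration. The following is an added example, not code from the thread: it uses Python's ssl module to inspect an OpenSSL cipher spec and report whether a null (no-encryption) cipher is merely negotiable or is actually first in preference order. The three spec strings and the @SECLEVEL=0 override are constructed for illustration.

```python
import ssl

# Constructed cipher specs used as sample input (not taken from the thread):
#  - HARDENED: neither unauthenticated (aNULL) nor unencrypted (eNULL) suites allowed.
#  - ALLOWS_NULL: strong suites first, but a null cipher can still be negotiated
#    if a peer asks for nothing else ("default to allowing").
#  - USES_NULL: null ciphers listed first ("default to using").
# @SECLEVEL=0 is needed because OpenSSL's default security level already refuses
# 0-bit ciphers; it is only here to make the "allowing" case observable.
HARDENED = "HIGH:!aNULL:!eNULL:@SECLEVEL=2"
ALLOWS_NULL = "HIGH:eNULL:@SECLEVEL=0"
USES_NULL = "eNULL:HIGH:@SECLEVEL=0"


def _is_null_cipher(cipher):
    """True when the suite offers no encryption (0 strength bits or a NULL name)."""
    return cipher["strength_bits"] == 0 or "NULL" in cipher["name"]


def audit_cipher_spec(spec):
    """Return whether an OpenSSL cipher spec allows a null cipher and whether it
    prefers one (the first TLS <= 1.2 suite in server preference order)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        # Nothing matched at all, so nothing can be negotiated, null or otherwise.
        return {"allows_null": False, "prefers_null": False, "null_suites": []}
    # TLS 1.3 suites are listed first and never use a null cipher, so only the
    # legacy (TLS <= 1.2) list, which the spec string actually orders, is inspected.
    legacy = [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]
    null_suites = [c["name"] for c in legacy if _is_null_cipher(c)]
    return {
        "allows_null": bool(null_suites),
        "prefers_null": bool(legacy) and _is_null_cipher(legacy[0]),
        "null_suites": null_suites,
    }


if __name__ == "__main__":
    for label, spec in (("hardened", HARDENED), ("allows", ALLOWS_NULL), ("uses", USES_NULL)):
        print(label, spec, audit_cipher_spec(spec))
```

The hardened spec is the "off by default, admin must shoot own foot" posture: a null cipher cannot be reached without an explicit edit to the spec.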
Current thread:
- VPN endpoints, (continued)
- VPN endpoints Adam Graham (Aug 26)
- RE: VPN endpoints Fetch, Brandon (Aug 26)
- RE: VPN endpoints Smith, Aaron (Aug 26)
- RE: VPN endpoints Melson, Paul (Aug 26)
- Re: VPN endpoints Rodel Collado Urani (Aug 30)
- Re: VPN endpoints Paul D. Robertson (Aug 30)
- Re: VPN endpoints Kevin Sheldrake (Aug 30)
- Re: VPN endpoints Devdas Bhagat (Aug 30)
- Re: VPN endpoints Paul D. Robertson (Aug 30)
- Re: VPN endpoints Devdas Bhagat (Aug 30)
- Re: VPN endpoints Paul D. Robertson (Aug 31)
- Re: VPN endpoints Devdas Bhagat (Aug 30)
- Re: VPN endpoints Marcus J. Ranum (Aug 31)