Interesting People mailing list archives
more on inside cisco's eavesdropping apparatus
From: Dave Farber <dave () farber net>
Date: Wed, 23 Apr 2003 13:49:00 -0700
------ Forwarded Message
From: "Louis A. Mamakos" <louie () TransSys COM>
Date: Wed, 23 Apr 2003 11:07:45 -0400
To: dave () farber net
Subject: Re: [IP] inside cisco's eavesdropping apparatus

As Fred was quoted in the article, this really isn't anything new. Internet Service Providers have had to respond to legitimate requests from law enforcement agencies to intercept communications for years, regardless of how distasteful they may believe that it is. What Cisco and other vendors are doing is reducing the cost of responding to these requests (demands?) and hopefully doing so in a way where only the specific traffic subject to the request is intercepted.

Previously, other methods had to be used (e.g., interception at the TDM transport or layer-2 access fabric). Worse is trying to sniff at the firehose that are the trunks between backbone routers where many thousands of users' traffic transit at any instant.

What does this mean for users and customers of these ISPs? Think twice before buying a network-based VPN or security service from your ISP, rather than one that's implemented and operated yourself. That is, a site-to-site VPN service where the crypto (and the keys) are your responsibility, and not outsourced to someone who will fork them over without your knowledge. Security, like transport protocols, ought to be end-to-end. Think about it: why on earth would you trust a phone company with the security of your data?

What's silly with some of these network-based VPN services is that they are horribly deficient against some attack scenarios. "Protecting" your data on the backbone doesn't really defend you against some types of attacks, such as tapping the T-1 access link in the basement of your building, which is trivial to do. If you're worried about industrial espionage, worry about this kind of attack. "But, it's just as secure as a frame relay VPN!" the carrier might tell you.

But we can do better today with end-to-end assurances on the privacy and integrity of your data using things like IPSEC, without handing over the keys to a third party.

Louis Mamakos

------ End of Forwarded Message