Re: Someone’s Been Siphoning Data Through a Huge Security Hole in the Internet

[Merike Kaeo <merike () doubleshotsecurity com>]

On Dec 6, 2013, at 11:55 AM, Eugeniu Patrascu <eugen () imacandi net> wrote:

> On Fri, Dec 6, 2013 at 9:48 PM, Jared Mauch <jared () puck nether net> wrote:
>
> > On Dec 6, 2013, at 1:39 PM, Brandon Galbraith <brandon.galbraith () gmail com>
> > wrote:
> >
> > > If your flows are a target, or your data is of an extremely sensitive
> > > nature (diplomatic, etc), why aren't you moving those bits over
> > > something more private than IP (point to point L2, MPLS)? This doesn't
> > > work for the VoIP target mentioned, but foreign ministries should most
> > > definitely not be trusting encryption alone.
> >
> > I will ruin someones weekend here, but:
> >
> > MPLS != Encryption.  MPLS VPN = "Stick a label before the still
> > unencrypted IP packet".
> > MPLS doesn't secure your data, you are responsible for keeping it secure
> > on the wire.
> It's always interesting to watch someone's expression when they hear that
> MPLS VPN, even if it says VPN in the name is not encrypted. Priceless every
> time :)

So, just to raise the bar…I had someone once tell me they encrypted everything since they
were using IPsec.  Since I only trust configurations, lo and behold the configuration was
IPsec AH.  As exercise to reader….determine why using IPsec does not automagically equate to
encrypted traffic.  

This was only 2 years ago while doing a security assessment for someone.

I greatly dislike the term 'VPN'…..always have and always will.   Marketechture is awesome!

- merike

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail