Re: Someone’s Been Siphoning Data Through a Huge Security Hole in the Internet

[Eugeniu Patrascu <eugen () imacandi net>]

On Sun, Dec 8, 2013 at 11:46 PM, Merike Kaeo
<merike () doubleshotsecurity com>wrote:

> On Dec 6, 2013, at 11:55 AM, Eugeniu Patrascu <eugen () imacandi net> wrote:
>
> > On Fri, Dec 6, 2013 at 9:48 PM, Jared Mauch <jared () puck nether net>
> wrote:
> > > On Dec 6, 2013, at 1:39 PM, Brandon Galbraith <
> brandon.galbraith () gmail com>
> > > wrote:
> > >
> > > > If your flows are a target, or your data is of an extremely sensitive
> > > > nature (diplomatic, etc), why aren't you moving those bits over
> > > > something more private than IP (point to point L2, MPLS)? This doesn't
> > > > work for the VoIP target mentioned, but foreign ministries should most
> > > > definitely not be trusting encryption alone.
> > >
> > > I will ruin someones weekend here, but:
> > >
> > > MPLS != Encryption.  MPLS VPN = "Stick a label before the still
> > > unencrypted IP packet".
> > > MPLS doesn't secure your data, you are responsible for keeping it secure
> > > on the wire.
> > It's always interesting to watch someone's expression when they hear that
> > MPLS VPN, even if it says VPN in the name is not encrypted. Priceless
> every
> > time :)
>
> So, just to raise the bar…I had someone once tell me they encrypted
> everything since they
> were using IPsec.  Since I only trust configurations, lo and behold the
> configuration was
> IPsec AH.  As exercise to reader….determine why using IPsec does not
> automagically equate to
> encrypted traffic.
Interesting, as it's particularly hard to enable only AH instead of ESP.


> This was only 2 years ago while doing a security assessment for someone.
>
> I greatly dislike the term 'VPN'…..always have and always will.
> Marketechture is awesome!
I think you probably dislike all the people that grossly misunderstand what
a VPN is and what are its use cases :)