Penetration Testing mailing list archives

Re: Leased Lines


From: Wim Remes <wremes () gmail com>
Date: Wed, 14 Oct 2009 10:42:37 +0200

Sebastiaan,

for me it always boils down to a question of trust. As this is a leased line you will procure from a third party, the question
is: "can and do you want to trust that third party?"
What if this third party in its turn is using infrastructure from a larger carrier? (Happens very often.) The reality is that you will be sending information, that is critical enough to shell out the cash for a leased line, over an untrusted network. In my book this always requires encryption, either of the data itself or of
the communication.

This story might help out.

A few years ago, I was responsible for assisting a customer in the financial sector in migrating his infrastructure from leased lines to an MPLS infrastructure. The big carriers touted MPLS as an impromptu VPN, thus lowering the cost for my customer as he would not have to encrypt his comms. I saw this network as untrusted and pushed hard to get encryption, no matter what the carrier was saying. And we did encrypt in the end. Now, I'm sure you'll remember that earlier this year there was a lot of fuss about the lack of security in MPLS (and BGP). If we hadn't encrypted the comms back then, this customer would now be facing a totally unsuspected cost that would be way higher than the cost we added to the project by implementing encryption from the get-go. I didn't have any proof that backed my claim that the additional cost would pay off, but I was able to convince the customer (don't ask me how).

The threats you are protecting yourself from may not exist today, but that doesn't mean you can't already start
to protect against them.

Cheers,

W

On 12 Oct 2009, at 11:43, Sebastiaan wrote:

Hi,

I'm looking for any information related to the security of leased
lines, specifically if it is feasible to eavesdrop on them outside a
company's building. What would it take to do it?

I'm having a debate about the usefulness of encryption on leased
lines and the use of strong authentication for the PPP session and
such.

I understand there are always risk assessment/costs aspects to
security issues, but I'm currently focused on the technical side of
things :)

Reg.

Seb

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------