Re: [fw-wiz] Top Secret DOD Data over the Public Internet? Thoughts?

From: Paul D. Robertson (paul_at_compuwar.net)
Date: 08/22/04

    To: "Marcus J. Ranum" <mjr@ranum.com>
    Date: Sun, 22 Aug 2004 09:58:28 -0400 (EDT)
    
    

    On Fri, 20 Aug 2004, Marcus J. Ranum wrote:

    > Transitive trust attacks could be gigantic, especially if you
    > figure that it's all being tunnelled over an encrypted black
    > core point-to-point network. How do you detect attacks and

    The royal "we" have transited classified data over unclassified networks
    for *decades*. The PTN is still an untrusted, unclassified network- as
    are most public/commercial satcom nets. The major trust point is the
    encryption boundary. As long as you have a strong encryption boundary,
    then only a breach of the crypto implementation (especially the keys,) or
    a back-end breach on either end is a risk, same as it's been for decades.
    Red/black networking hasn't changed, and isn't likely to change, the real
    risk is in compromising the encryption boundary- such as having an
    endpoint that isn't multi-level secure do DNS queries, or having endpoints
    on the trusted net with Internet access.

    People who don't understand encryption are doomed to implement it poorly.

    > track them if they are being done over Type-1 crypto?
    >

    At the endpoints, just as it's always been done.

    Paul
    -----------------------------------------------------------------------------
    Paul D. Robertson "My statements in this message are personal opinions
    paul@compuwar.net which may have no basis whatsoever in fact."
    probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

