Re: [fw-wiz] Top Secret DOD Data over the Public Internet? Thoughts?

From: Paul D. Robertson (paul_at_compuwar.net)
Date: 08/22/04

  • Next message: Devdas Bhagat: "Re: [fw-wiz] Remote Access via Checkpoint VPN"
    To: "Marcus J. Ranum" <mjr@ranum.com>
    Date: Sun, 22 Aug 2004 09:58:28 -0400 (EDT)
    
    

    On Fri, 20 Aug 2004, Marcus J. Ranum wrote:

    > Transitive trust attacks could be gigantic, especially if you
    > figure that it's all being tunnelled over an encrypted black
    > core point-to-point network. How do you detect attacks and

    The royal "we" have transited classified data over unclassified networks
    for *decades*. The PTN is still an untrusted, unclassified network, as
    are most public/commercial satcom nets. The major trust point is the
    encryption boundary. As long as you have a strong encryption boundary,
    then only a breach of the crypto implementation (especially the keys) or
    a back-end breach on either end is a risk, same as it's been for decades.
    Red/black networking hasn't changed, and isn't likely to change; the real
    risk is in compromising the encryption boundary, such as having an
    endpoint that isn't multi-level secure do DNS queries, or having endpoints
    on the trusted net with Internet access.

    People who don't understand encryption are doomed to implement it poorly.

    > track them if they are being done over Type-1 crypto?
    >

    At the endpoints, just as it's always been done.

    Paul
    -----------------------------------------------------------------------------
    Paul D. Robertson "My statements in this message are personal opinions
    paul@compuwar.net which may have no basis whatsoever in fact."
    probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
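The boundary failures Paul describes above (a red-side endpoint resolving DNS outside the enclave, a dual-homed host, a route that does not go through the encryptor) can be checked mechanically against endpoint configuration. The audit below is an added example written for this page, not code from the original post or the list; the enclave prefix, encryptor address and host entries are all constructed.

```python
import ipaddress

# Constructed red/black model for illustration; none of these values come from the original post.
RED_ENCLAVE = ipaddress.ip_network("10.10.0.0/16")       # plaintext (red) side of the boundary
ENCRYPTOR_RED_IF = ipaddress.ip_address("10.10.0.1")     # red-side interface of the link encryptor

def audit_endpoint(host):
    """Return the ways a red-side host's configuration reaches past the encryption boundary.

    Everything leaving the enclave must go through the encryptor; a resolver, interface
    or route that bypasses it puts plaintext onto the untrusted (black) network.
    """
    findings = []
    for resolver in host["dns"]:
        if ipaddress.ip_address(resolver) not in RED_ENCLAVE:
            findings.append(f"DNS resolver {resolver} lies outside the red enclave")
    for iface in host["interfaces"]:
        if ipaddress.ip_address(iface) not in RED_ENCLAVE:
            findings.append(f"interface {iface} is outside the red enclave (direct black-side path)")
    for dest, gateway in host["routes"]:
        gw = ipaddress.ip_address(gateway)
        inside = dest != "default" and ipaddress.ip_network(dest).subnet_of(RED_ENCLAVE)
        if not inside and gw != ENCRYPTOR_RED_IF:
            findings.append(f"route to {dest} via {gateway} bypasses the encryptor")
    return findings

def audit_all(hosts):
    """Map each host name to its list of boundary findings (empty list means clean)."""
    return {h["name"]: audit_endpoint(h) for h in hosts}

# Constructed sample endpoints (assumed addresses): one clean, one leaking DNS, one dual-homed.
HOSTS = [
    {"name": "ws-clean", "interfaces": ["10.10.5.20"], "dns": ["10.10.0.53"],
     "routes": [("10.10.0.0/16", "10.10.5.1"), ("default", "10.10.0.1")]},
    {"name": "ws-dns-leak", "interfaces": ["10.10.5.21"], "dns": ["10.10.0.53", "198.51.100.2"],
     "routes": [("10.10.0.0/16", "10.10.5.1"), ("default", "10.10.0.1")]},
    {"name": "ws-dual-homed", "interfaces": ["10.10.5.22", "192.0.2.40"], "dns": ["10.10.0.53"],
     "routes": [("10.10.0.0/16", "10.10.5.1"), ("default", "192.0.2.1")]},
]

if __name__ == "__main__":
    for name, findings in audit_all(HOSTS).items():
        print(name, "OK" if not findings else findings)
```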