Re: [fw-wiz] Top Secret DOD Data over the Public Internet? Thoughts?

From: Paul D. Robertson (
Date: 08/22/04

  • Next message: Devdas Bhagat: "Re: [fw-wiz] Remote Access via Checkpoint VPN"
    To: "Marcus J. Ranum" <>
    Date: Sun, 22 Aug 2004 09:58:28 -0400 (EDT)

    On Fri, 20 Aug 2004, Marcus J. Ranum wrote:

    > Transitive trust attacks could be gigantic, especially if you
    > figure that it's all being tunnelled over an encrypted black
    > core point-to-point network. How do you detect attacks and

    The royal "we" have transited classified data over unclassified networks
    for *decades*. The PTN is still an untrusted, unclassified network- as
    are most public/commercial satcom nets. The major trust point is the
    encryption boundary. As long as you have a strong encryption boundary,
    then only a breach of the crypto implementation (especially the keys,) or
    a back-end breach on either end is a risk, same as it's been for decades.
    Red/black networking hasn't changed, and isn't likely to change, the real
    risk is in compromising the encryption boundary- such as having an
    endpoint that isn't multi-level secure do DNS queries, or having endpoints
    on the trusted net with Internet access.

    People who don't understand encryption and doomed to implement it poorly.

    > track them if they are being done over Type-1 crypto?

    At the endpoints, just as it's always been done.

    Paul D. Robertson "My statements in this message are personal opinions which may have no basis whatsoever in fact." Director of Risk Assessment TruSecure Corporation
    firewall-wizards mailing list

  • Next message: Devdas Bhagat: "Re: [fw-wiz] Remote Access via Checkpoint VPN"