RE: [fw-wiz] VPN endpoints
To: firstname.lastname@example.org, email@example.com Date: Mon, 30 Aug 2004 14:20:50 -0400
"I don't know of any insurance company that has formulae to estimate such
Actually, most large insurance underwriters have various techniques for
measuring risk. Some risk is measured by statistical methods, eg: out of X
number of homes, Y will burn down in N time duration at total payout of D
Other risks are more difficult to measure and are therefore assessed using
arbitrary ratings methods.
The events that are more difficult to measure are almost always those that
are exceedingly rare. For example, thousands of skydivers make hundreds of
thousands of jumps every year and yet only 20 or less people die skydiving
(thus, on life insurance policies they don't ask you how many times you
intend to jump each but rather, yes no, do you jump?).
Applying the same techniques to information security risk measurement has,
in my experience, led to some very interesting results. For example, I
contend that 90% of the money spent on information security is wasted on
comparitively low risk areas.
I came to this conclusion by, for example, applying the possible "cost" of
having an average company website hacked vs. the "cost" of having a
disgruntled employee steal valuable information or damage business systems.
The likelihood of the former is far lower than the latter. And the "cost" of
the former is -usually- less than cost of the latter and yet so much money
is spend on IDS, -super- firewalls, etc etc. But the most cost and most
likely event is a disgruntled employee damaging systems or stealing valuable
[mailto:firstname.lastname@example.org]On Behalf Of Devdas
Sent: Monday, August 30, 2004 12:34 PM
Subject: Re: [fw-wiz] VPN endpoints
On 30/08/04 14:48 +0100, Kevin Sheldrake wrote:
> I thought OSI was Open System Interconnection, as in 7 Layer OSI Model.
> VPNs are not secure by default for two differently abstracted reasons:
> 1) Some VPN products default to allowing the Null encryption algorithm.
That is seriously broken. Have a list you can share?
> So, unless you like no encryption, VPNs are not secure (although some
> specific examples may be 'secure' (see 2)). Also, bear in mind the
> implementation of the VPN encryption algorithms might not be textbook -
> how will you know?
> 2) 'Secure' is an undefined term. What's secure for me might not be
"Secure" is a very well defined term.
A system is secure when the cost of an unauthorised entity accessing the
data on the system or the loss of the data itself is higher than the value
of the data itself.
However, this definition of security involves terms like cost, the
calculation of which which is not very well understood by the general
> secure for you - it all depends upon the sensitivity of the information
> and the impact on the business in cases of compromise, whether that be
> confidentiality, integrity or availability.
The cost of compromise is a function of the risk that the data may be
compromised. The hard part of doing any type of security work is in
calculating this risk. I don't know of any insurance company that has
formulae to estimate such risks.
> SSL VPNs are IMHO generally a bad idea. In a nutshell, this is because
> most of the benefits are in the fact that practically any client can be
> used, and that the authentication mechanisms are not particularly
> intrusive (and often are fault-tolerant). By allowing uncontrolled
> clients you introduce potentially major risks; controlling the clients
Is a Microsoft Windows (tm) system that has been connected to a non trusted
network a controlled client?
Replace MS Windows by any other OS of choice, as needed. The only reason
I use that example is because it is the most common one around.
> would point back towards a traditional IPSec solution. The authentication
> mechanisms may be compromised by a little technology and average user
> ignorance (fake certificates, for instance); restricting the
> authentication mechanisms would again point back towards traditional IPSec
The problem as I see it is not the technology itself, it is the fact
that the technology puts a great deal of responsibility for policy
enforcement on the end user who is non technical that is the problem.
> > Actually, I coined OSI ;-) as an implementation of distinct security
> > techniques and several processes particularly in protecting the inter-
> > network. Meaning adept in the disposal of security components such us
> > encryption, PKI, openPGP, software/hardware firewall, antivirus software
> > that will make sure it will guarantee the protection of your data
> > wherever
> > it goes. ;-)
> "adept in the disposal of security components"? "make sure"?
> Wow, it sounds like there's no need for risk assessments or systems
> analysis anymore; I better retrain as a plumber.
Actually a good idea if you are in a place where jobs are being
outsourced, plumbers are appaently rarer than unemployed IT personnel
and earn about the same.
PS: For the humour impaired, that last is a joke.
firewall-wizards mailing list
firewall-wizards mailing list