RE: [fw-wiz] VPN endpoints

Date: 08/30/04

  • Next message: Servie Platon: "Re: [fw-wiz] About Port Forwarding, Apache and Firewall Rules"
    Date: Mon, 30 Aug 2004 14:20:50 -0400

    "I don't know of any insurance company that has formulae to estimate such

    Actually, most large insurance underwriters have various techniques for
    measuring risk. Some risk is measured by statistical methods, eg: out of X
    number of homes, Y will burn down in N time duration at total payout of D

    Other risks are more difficult to measure and are therefore assessed using
    arbitrary ratings methods.

    The events that are more difficult to measure are almost always those that
    are exceedingly rare. For example, thousands of skydivers make hundreds of
    thousands of jumps every year and yet only 20 or less people die skydiving
    (thus, on life insurance policies they don't ask you how many times you
    intend to jump each but rather, yes no, do you jump?).

    Applying the same techniques to information security risk measurement has,
    in my experience, led to some very interesting results. For example, I
    contend that 90% of the money spent on information security is wasted on
    comparitively low risk areas.

    I came to this conclusion by, for example, applying the possible "cost" of
    having an average company website hacked vs. the "cost" of having a
    disgruntled employee steal valuable information or damage business systems.
    The likelihood of the former is far lower than the latter. And the "cost" of
    the former is -usually- less than cost of the latter and yet so much money
    is spend on IDS, -super- firewalls, etc etc. But the most cost and most
    likely event is a disgruntled employee damaging systems or stealing valuable

    Go figure.

    Mike Hawkins

    -----Original Message-----
    []On Behalf Of Devdas
    Sent: Monday, August 30, 2004 12:34 PM
    Subject: Re: [fw-wiz] VPN endpoints

    On 30/08/04 14:48 +0100, Kevin Sheldrake wrote:
    > Hmm
    > I thought OSI was Open System Interconnection, as in 7 Layer OSI Model.
    > VPNs are not secure by default for two differently abstracted reasons:
    > 1) Some VPN products default to allowing the Null encryption algorithm.

    That is seriously broken. Have a list you can share?

    > So, unless you like no encryption, VPNs are not secure (although some
    > specific examples may be 'secure' (see 2)). Also, bear in mind the
    > implementation of the VPN encryption algorithms might not be textbook -
    > how will you know?
    > 2) 'Secure' is an undefined term. What's secure for me might not be

    "Secure" is a very well defined term.

    A system is secure when the cost of an unauthorised entity accessing the
    data on the system or the loss of the data itself is higher than the value
    of the data itself.

    However, this definition of security involves terms like cost, the
    calculation of which which is not very well understood by the general

    > secure for you - it all depends upon the sensitivity of the information
    > and the impact on the business in cases of compromise, whether that be
    > confidentiality, integrity or availability.

    The cost of compromise is a function of the risk that the data may be
    compromised. The hard part of doing any type of security work is in
    calculating this risk. I don't know of any insurance company that has
    formulae to estimate such risks.

    > SSL VPNs are IMHO generally a bad idea. In a nutshell, this is because
    > most of the benefits are in the fact that practically any client can be
    > used, and that the authentication mechanisms are not particularly
    > intrusive (and often are fault-tolerant). By allowing uncontrolled
    > clients you introduce potentially major risks; controlling the clients

    Is a Microsoft Windows (tm) system that has been connected to a non trusted
    network a controlled client?

    Replace MS Windows by any other OS of choice, as needed. The only reason
    I use that example is because it is the most common one around.

    > would point back towards a traditional IPSec solution. The authentication

    > mechanisms may be compromised by a little technology and average user
    > ignorance (fake certificates, for instance); restricting the
    > authentication mechanisms would again point back towards traditional IPSec

    > solutions.

    The problem as I see it is not the technology itself, it is the fact
    that the technology puts a great deal of responsibility for policy
    enforcement on the end user who is non technical that is the problem.

    > Quote:
    > > Actually, I coined OSI ;-) as an implementation of distinct security
    > > techniques and several processes particularly in protecting the inter-
    > >
    > > network. Meaning adept in the disposal of security components such us
    > > encryption, PKI, openPGP, software/hardware firewall, antivirus software
    > > that will make sure it will guarantee the protection of your data
    > > wherever
    > > it goes. ;-)
    > "adept in the disposal of security components"? "make sure"?
    > Wow, it sounds like there's no need for risk assessments or systems
    > analysis anymore; I better retrain as a plumber.

    Actually a good idea if you are in a place where jobs are being
    outsourced, plumbers are appaently rarer than unemployed IT personnel
    and earn about the same.


    Devdas Bhagat
    PS: For the humour impaired, that last is a joke.
    firewall-wizards mailing list
    firewall-wizards mailing list

  • Next message: Servie Platon: "Re: [fw-wiz] About Port Forwarding, Apache and Firewall Rules"