Re: [fw-wiz] VPN endpoints

From: Paul D. Robertson (
Date: 08/31/04

  • Next message: Michael H. Warfield: "Re: [fw-wiz] IPv6 and IPSec"
    To: Devdas Bhagat <>
    Date: Mon, 30 Aug 2004 18:42:16 -0400 (EDT)

    On Tue, 31 Aug 2004, Devdas Bhagat wrote:

    > > Note that "default to allowing" is different than "default to using." One
    > > of my few gripes with ICSA Labs SSL VPN criteria was in even allowing a
    > > null cipher to be specified.
    > >
    > However, in a large number of cases, the defaults get used. This is
    > broken. But that just means that the defaults need to be changed.
    > After all, isn't one of the main gripes with Microsoft that they put
    > extremely bad defaults on their OS?

    Again, "default to using" is very different than "default to allowing."
    One says "don't use encryption by default," and the other says "If you
    want to negotiate a null cipher, I'll let you."

    Also, again, my criteria issue is that I think that needs a big "off by
    default, admin must shoot own foot" criteria flag.

    > > > However, this definition of security involves terms like cost, the
    > > > calculation of which which is not very well understood by the general
    > > > population.
    > >
    > > Nor the general security practicioner ;)
    > Hopefully, the general practitioner knows this and can pass
    > responsibility on to someone with better data with which to make
    > judgement calls (aka the finance department).
    > The security practitioner can say:
    > "You have possible holes at point a, b and c. The risk of one of
    > these points getting hit is x, y and z respectively. An intrusion would
    > lead to compromise of data on networks l, m and n respectively."
    > The first and third statements are easy to judge, the risk analysis is
    > not so easy without access to a lot of data.

    Which is why I don't think most practicioners have it. [skillfully avoids
    marketing-alike conversation on recent projects.]

    > And the fault of the technology is? If you try to fit a square peg into
    > a round hole, and it doesn't fit, don't blame the peg.

    The technology could take care of these issues, or we can blame it on the
    marketing weenies. I know which I'd bet on getting fixed first.

    Paul D. Robertson "My statements in this message are personal opinions which may have no basis whatsoever in fact." Director of Risk Assessment TruSecure Corporation
    firewall-wizards mailing list

  • Next message: Michael H. Warfield: "Re: [fw-wiz] IPv6 and IPSec"