Home page logo
/

firewall-wizards logo Firewall Wizards mailing list archives

Re: General security question
From: "daN." <dan () nesmail com>
Date: Tue, 14 Nov 2000 05:54:34 -0800

At 04:29 PM 11/12/00 -0500, George Capehart wrote:
<snip>
The advantage of using the drop box is that it is a destination over
which the sender has some control and confidence in the security of.
The sender will only put data to it, so it never has to worry about the
security of inbound connections.  The receiver is only allowed to pull
data from it, so theoretically, the sender is the only source of data
for it.  If the sender encrypts and signs the data it puts there, the
receiver can verify the integrity and confidentiality of the data as
well as the identity of the source.  If the signature can't be verified
or the payload cannot be decrypted, the data can be discarded and a
retransmission requested.
<snip>

The only issue I have with drop boxes is now you have 3 components instead of 2, the more components you add to your security system, the more difficult it is to ensure that all components are equally secure. the weakest link in the chain thing...In some very specially cases where alot of dollars are involved a drop box is ideal because you are almost completely isolating the two networks from each other, however if the receiver finds scp an acceptable security risk into their network. You as the sender are not making your system much more vulnerable by sending to a host inside their network, then by sending to a host in your own DMZ. Both other networks could potentially be rooted and/or malicious but the solution is much simpler and therefore less likely to break if not constantly monitored. Its really a risk management decision, and like House Insurance should be based on how much value you are trying to protect, and how much would it cost you to loose it.


daN.


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]