Home page logo
/

firewall-wizards logo Firewall Wizards mailing list archives

Re: General security question
From: "daN." <dan () nesmail com>
Date: Tue, 14 Nov 2000 08:00:02 -0800


The nice thing about drop boxen is that they are not part of the security
infrastructure. Even if the drop box has world access, only the
availability of the data can be an issue (and the volume of exchanged data
also disclosed but this covert channel can be easily minimised if
necessary). The security element is the crypto, which is done inside the
end systems.
You are also introducing another point of failure into the equation and spending more money in the process. I'm no saying Drop boxes are a bad thing, in fact configured correctly I agree with you 100% that a drop box could afford better protection, however I am saying the there are a lot of places they are not necessary, and what I was trying to point out was the importance of really looking at your network and what you are protecting, placing a value on it, and using that as a bases of deciding your means of defence, your costs of protecting your network should not out way the benefit it provides.

daN.


The complication comes from the fact that the communication should be done
according to the drop box requirement, and in real life synchronisation
issues come to the picture. But if the design of the communication is made
after the decision of the drop box approach (and there are no extra
boundary conditions are involved), it might even be easier than another
solution. And you shall not be concerned with primer integrity problems
(e.g. someone cracking your system by attacking the transport endpoint
actively, because it is a low-risk system), but only secondary ones (e.g.
someone cracking your transfer client using malicious server replacement
[the latest openssh bug comes to mind, but having ssh agent or X display
for an automated data transfer is at least a misconfiguration], or
inserting data which becomes active while processing it [and third party
can insert data which activates only until the decrypting is done]).

--
GNU GPL: csak tiszta forrásból




_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault