Home page logo

firewall-wizards logo Firewall Wizards mailing list archives

Re: General security question
From: Carson Gaspar <carson () taltos org>
Date: Sat, 11 Nov 2000 18:32:05 -0800

--On Saturday, November 11, 2000 12:31 PM -0500 "Marcus J. Ranum" <mjr () nfr com> wrote:

By the way, as a general rule, a VPN is useless if you don't know
anything about the security at the other end. Indeed, the whole notion
of doing a secure transaction/data transfer to a site where you don't
know anything about the security is kind of dubious.

A _minor_ disagreement. A VPN provides privacy up to the partner's demarc. At that point liability for any breach of privacy is the partner's (either on their net, or because they exposed the keying material). Unauthorized access is also the fault of the partner. This may be sufficient for some applications. It certainly was for certain financial apps at a past employer, as the VPN was to protect the customer's data, not ours. So bad security on their part could only hurt them, and we had cover on the PR and legal fronts. By so doing, we _enabled_ secure transactions, but did not _guarantee_ them.

Of course, in such cases you should never re-use keying material between VPNs, and should create your authentication and authorization limits knowing that the remote end may be compromised.

Carson Gaspar -- carson () taltos org
Queen Trapped in a Butch Body

firewall-wizards mailing list
firewall-wizards () nfr com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]