Home page logo

firewall-wizards logo Firewall Wizards mailing list archives

Re: General security question
From: "Marcus J. Ranum" <mjr () nfr com>
Date: Sun, 12 Nov 2000 12:58:28 -0500

Carson Gaspar wrote:
By the way, as a general rule, a VPN is useless if you don't know
anything about the security at the other end. Indeed, the whole notion
of doing a secure transaction/data transfer to a site where you don't
know anything about the security is kind of dubious.

A _minor_ disagreement. A VPN provides privacy up to the partner's demarc. At that point liability for any breach of privacy is the partner's (either on their net, or because they exposed the keying material).

That makes sense if you're interested in butt-covering. If you're
actually interested in security, then you've got to take into account
the state of the partner's network.

Butt-covering's a tactic we have to resort to all too often, at the
expense of really doing the right thing, because it's much harder
to do the right thing than to almost do the right thing. :) Actually,
you can almost break it down into a game-theory style prisoner's
dilemma: if you want to do the right thing but any of the other
entities involved is just interested in butt-covering, it's provably
impossible to do the right thing thereafter.

Marcus J. Ranum     Chief Technology Officer, NFR Security, Inc.
Work: http://www.nfr.com
Play: http://pubweb.nfr.net/~mjr

firewall-wizards mailing list
firewall-wizards () nfr com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]