Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Firewall Wizards: Re: Top Secret DOD Data over the Public Internet? Thoughts?

Re: Top Secret DOD Data over the Public Internet? Thoughts?

From: Kevin Sheldrake <kev_at_electriccat.co.uk>
Date: Fri, 20 Aug 2004 16:31:35 +0100

Personally, I would think their greatest threat would come from
availability attacks. I'm sure they would use appropriate cryptography to
protect the confidentiality and integrity but DOS attacks on such a
network could be quite easy:

1) classic flood attacks, including reflected and zombie attacks, could be
targetted at their points-of-presence. While the location of these could
be kept reasonably secure from the general public (using obfuscated domain
names and unlisted ip addresses, for example), I would expect spotting
their traffic would be a reasonably simple task for another intelligence
agency.

2) Bearing in mind they would essentially use cryptography to maintain
integrity, continuous packet modification by an intermediary could
effectively kill a connection (as could some malicious RST packets).

3) Points of attack could be where their packets utilise portions of the
Internet in aggressive countries, or at ISPs and core network services
should an employee be 'purchased' by an aggressive intelligence agency.

In terms of confidentiality, whereas the packets may be protected
in-transit, utilising the Internet would essentially mean they would need
a crypto-gateway between the Internet and their Top Secret networks. This
must be a major concern for them as compromise of these gateways could
cause all sorts of upset. I would expect them to only utilise in-house
products for this service.

And, for everyone else, you may wish to bear these risks in mind when
implementing VPNs across the Internet for your commerical customers. Yes,
the risk to commerical customers is lower (generally because the attackers
are less well equiped and commercial companies are literally one in a
million), but they should be considered nonetheless. Particularly
prominent companies could find their worldwide operations stiffled as fax
and phone replaces securish email between offices in the event of a decent
sized attack.

Just some thoughts...

Kev

>
> http://www.gcn.com/vol1_no1/daily-updates/26971-1.html
> 

-- 
Kevin Sheldrake MEng MIEE CEng CISSP
Electric Cat (Bournemouth) Ltd
-- 
Outgoing mail is certified Virus Free.
Checked by AVG Anti-Virus (http://www.grisoft.com).
Version: 7.0.262 / Virus Database: 264.6.4 - Release Date: 19/08/2004
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Aug 20 2004
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos