
Re: "user" and "network layer" security.



I'd actually argue that there are a bunch of different niches.

Inter-business vs intra-business oversimplifies the situation.

The "intrabusiness" niche covers a quite broad spectrum, from small
workgroups to large enterprises.

The "interbusiness" niche also covers a broad spectrum, depending on
the nature of the business relationship -- is it a casual one-shot
deal (a quantity-one catalog order of a commodity from the low bidder
of the day), or a committed multi-year multi-megabuck relationship?

In the latter case, your organization may well have a closer working
relationship with its opposite number in the other company than with
other organizations from your same company...  so your computers may
well need to have a similarly "close" relationship...

					- Bill

To: Phil Karn <karn@qualcomm.com>
Cc: rgm3@chrysler.com, ipsec@TIS.COM
Subject: Re: "user" and "network layer" security. 
In-Reply-To: Your message of "Tue, 27 Aug 1996 01:50:37 PDT."
Reply-To: perry@piermont.com
X-Reposting-Policy: redistribute only with permission
Date: Tue, 27 Aug 1996 11:05:06 -0400
From: "Perry E. Metzger" <perry@piermont.com>
Sender: ipsec-approval@neptune.tis.com
Precedence: bulk
Message-ID:  <9608271235.aa25853@neptune.TIS.COM>


Phil Karn writes:
> For example, Bank of America and Wells Fargo both support home banking
> via secure Netscape.

40-bit RC4-based SSL...

> I can't think of any non-governmental entity more conservative on
> security than a bank, so it seems they must have conducted at least
> *some* level of in-house security review. Especially since under the
> current banking laws, the banks assume most of the risk of a
> security breach just as they do with credit cards.

I hate to slander clients, but...

I make a considerable fraction of my money telling banks how to keep
themselves secure. You would be surprised at how bad some of what they
do is. They mean much better, of course, and they are willing to spend
the money when they know what they want, but they often don't know
good security from bad security -- they are still in many cases
building up the expertise, and it's hard to get with things moving as
fast as they do now. The world of networks is as new to them as it is
to most businesses. Some banks are much better than others, of course.

IPSec has several advantages over application layer protocols, by the
way, not the least of which is that the signaling can be
protected. Try defending your BGP-4 TCP connections from spurious RSTs
with application layer defenses, for example...

It's also nice to build the security system once and have it there
always when you want it.

I know all this goes beyond what you and others originally envisioned
for swIPe and such, but it isn't an unreasonable use of the technology.

Perry
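Perry's BGP-4 point above, as an added toy model that is not part of the original thread (no real packets are built; the "TCP" here is a two-state stub and the key is a constructed demo value): an application-layer MAC only ever sees the BGP payload that TCP hands up, so a forged RST with no payload is acted on by TCP before anything can check it, whereas an AH-style tag verified below TCP covers the flags as well and the forged segment is discarded before the connection state is touched.

```python
import hmac
import hashlib

# Constructed demo key standing in for the IPsec SA (or BGP-level) shared secret.
KEY = b"constructed-demo-key"

def mac(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()

def segment_bytes(flags: str, payload: bytes) -> bytes:
    """Everything TCP acts on: flags plus payload (toy header encoding)."""
    return flags.encode() + b"|" + payload

def app_packet(payload: bytes) -> dict:
    """Legitimate BGP UPDATE protected only at the application layer."""
    return {"flags": "A", "payload": payload, "auth": mac(payload)}

def ah_packet(flags: str, payload: bytes = b"") -> dict:
    """Legitimate segment protected at the IP layer: the tag covers the flags too."""
    return {"flags": flags, "payload": payload, "auth": mac(segment_bytes(flags, payload))}

FORGED_RST = {"flags": "R", "payload": b"", "auth": b""}  # no key, so no valid tag

def tcp_deliver(session: dict, p: dict) -> None:
    """Toy TCP: a RST tears the connection down; data is handed up only while open."""
    if "R" in p["flags"]:
        session["state"] = "CLOSED"
    elif session["state"] == "ESTABLISHED" and p["payload"]:
        session["updates"].append(p["payload"])

def receive_app_layer(packets: list) -> dict:
    """BGP verifies its own messages, but a RST carries no application data,
    so there is nothing for the application to check: TCP has already acted."""
    session = {"state": "ESTABLISHED", "updates": []}
    for p in packets:
        if p["payload"] and not hmac.compare_digest(p["auth"], mac(p["payload"])):
            continue  # forged UPDATE rejected by the application
        tcp_deliver(session, p)
    return session

def receive_ipsec(packets: list) -> dict:
    """AH-style check over the whole segment runs below TCP, so an
    unauthenticated RST is discarded before the connection state is touched."""
    session = {"state": "ESTABLISHED", "updates": []}
    for p in packets:
        if not hmac.compare_digest(p["auth"], mac(segment_bytes(p["flags"], p["payload"]))):
            continue  # no valid tag: dropped at the IP layer
        tcp_deliver(session, p)
    return session

if __name__ == "__main__":
    app_stream = [app_packet(b"UPDATE 1"), FORGED_RST, app_packet(b"UPDATE 2")]
    ah_stream = [ah_packet("A", b"UPDATE 1"), FORGED_RST, ah_packet("A", b"UPDATE 2")]
    print(receive_app_layer(app_stream))  # state CLOSED, only the first update delivered
    print(receive_ipsec(ah_stream))       # state ESTABLISHED, both updates delivered
```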



Date: Tue, 27 Aug 1996 14:56:25 -0400
To: Phil Karn <karn@qualcomm.com>, rgm3@chrysler.com
From: Robert Moskowitz <rgm3@chrysler.com>
Subject: Re: "user" and "network layer" security.
Cc: netsec@panix.com, ipsec@TIS.COM
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: ipsec-approval@neptune.tis.com
Precedence: bulk
Message-ID:  <9608271457.aa28918@neptune.TIS.COM>

At 01:50 AM 8/27/96 -0700, Phil Karn wrote:
>
>I think the intER-business problem is better left to the application
>layer security guys. There certainly are many more of them on the job
>now than a few years ago, and some knowledgeable customers do seem to
>like what they're doing.

Won't ever happen; too many of them and not enough security smarts.  Other
complexities too.  I've been studying this area for a few years now and
dealing with vendors.  I can no longer wait for them to move security from
page 8 of enhancements to the top.  Where you have seen security added is
the easy stuff, the top of the iceberg.

>For example, Bank of America and Wells Fargo both support home banking
>via secure Netscape. 

No comparison to business to business issues.  The trust model is much more
complex.

>I can't think of any non-governmental entity more
>conservative on security than a bank, so it seems they must have
>conducted at least *some* level of in-house security
>review. Especially since under the current banking laws, the banks
>assume most of the risk of a security breach just as they do with
>credit cards.

Simple, the banks extend their security model to their clientele.  Can't do
that in a business-to-business relationship anymore.  I am deploying 3 applications like
that right now for up to 4,000 separate businesses and there are major
concerns if we will ever get it past a few hundred.

Robert Moskowitz
Chrysler Corporation
(810) 758-8212




Date: Tue, 27 Aug 1996 14:56:29 -0400
To: Bill Sommerfeld <sommerfeld@apollo.hp.com>, 
    Phil Karn <karn@qualcomm.com>
From: Robert Moskowitz <rgm3@chrysler.com>
Subject: Re: "user" and "network layer" security. 
Cc: rgm3@chrysler.com, netsec@panix.com, ipsec@TIS.COM
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: ipsec-approval@neptune.tis.com
Precedence: bulk
Message-ID:  <9608271459.aa28948@neptune.TIS.COM>

At 12:36 PM 8/27/96 -0400, Bill Sommerfeld wrote:
>
>Inter-business vs intra-business oversimplifies the situation.

Of course, any handle oversimplifies.

>The "intrabusiness" niche covers a quite broad spectrum, from small
>workgroups to large enterprises.

The major difference is one of trust.  Even in Chrysler, there is an assumed
trust level (except between corporate and engineering ;).

>The "interbusiness" niche also covers a broad spectrum, depending on
>the nature of the business relationship -- is it a casual one-shot
>deal (a quantity-one catalog order of a commodity from the low bidder
>of the day), or a committed multi-year multi-megabuck relationship?

We have them both.

>In the latter case, your organization may well have a closer working
>relationship with its opposite number in the other company than with
>other organizations from your same company...  so your computers may
>well need to have a similarly "close" relationship...

Ain't it the truth!  But there is trust.  We do not run/configure the
systems over at GE Plastics.  Definitely not the networks. So what do we do
today?  Put two systems on the poor guy's desk and two networks in GE
(actually more as there is a Ford and GM network presence too).

Robert Moskowitz
Chrysler Corporation
(810) 758-8212




Date: Tue, 27 Aug 1996 14:56:27 -0400
To: perry@piermont.com, Phil Karn <karn@qualcomm.com>
From: Robert Moskowitz <rgm3@chrysler.com>
Subject: Re: "user" and "network layer" security. 
Cc: rgm3@chrysler.com, ipsec@TIS.COM
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: ipsec-approval@neptune.tis.com
Precedence: bulk
Message-ID:  <9608271515.aa29325@neptune.TIS.COM>

At 11:05 AM 8/27/96 -0400, Perry E. Metzger wrote:
>
>I make a considerable fraction of my money telling banks how to keep
>themselves secure. You would be surprised at how bad some of what they
>do is. They mean much better, of course, and they are willing to spend
>the money when they know what they want, but they often don't know
>good security from bad security -- they are still in many cases
>building up the expertise, and it's hard to get with things moving as
>fast as they do now. The world of networks is as new to them as it is
>to most businesses. Some banks are much better than others, of course.

Now take that to the CAD people, the MRP, the ERP, etc that have no
comprehension of this stuff.  In San Jose, ask me about one experience with
an MRP company....

Robert Moskowitz
Chrysler Corporation
(810) 758-8212




To: Bill Sommerfeld <sommerfeld@apollo.hp.com>
Cc: ipsec@TIS.COM
Subject: Re: "user" and "network layer" security. 
In-Reply-To: Your message of "Tue, 27 Aug 1996 12:36:07 EDT."
             <199608271637.MAA01312@thunk.orchard.medford.ma.us> 
Reply-To: perry@piermont.com
X-Reposting-Policy: redistribute only with permission
Date: Tue, 27 Aug 1996 15:21:55 -0400
From: "Perry E. Metzger" <perry@piermont.com>
Sender: ipsec-approval@neptune.tis.com
Precedence: bulk
Message-ID:  <9608271525.aa29584@neptune.TIS.COM>


Bill Sommerfeld writes:
> I'd actually argue that there are a bunch of different niches.
> 
> Inter-business vs intra-business oversimplifies the situation.

Strongly agreed.

BTW, IPSec is cool in many ways because it is flexible. It can be used
to build virtual private networks, or it can be used to secure an
individual TCP connection, or for other things. As such, I think it's a
good mechanism in general...

Perry



