
Re: your mail





On Thu, 15 Jul 1999 jerome@psti.com wrote:

> On Thu, Jul 15, 1999 at 10:04:12AM -0400, Bruce Schneier wrote:
> [snip]
> 
> > I think giving users a choice is a bad idea, and
> > that one strong cipher is better than two strong ciphers.
> 
> if ipsec is deployed with 2 ciphers A and B, and a major weakness
> is found out in A, you still have the choice to use B. if A was
> the only cypher, you have to upgrade all the software/hardware.
> 

From an enterprise management perspective upgrading is a non-trivial
process, a costly process, and cannot happen in a timely manner
thereby leaving the enterprise vulnerable. 

In my case, I have to first determine if the exploit has significant
impact for my users. I have to convince management teams it is a
significant issue. I have to come up with a plan and budget to upgrade
devices. I have to locate and allocate sufficient expertise across my
distributed enterprises and coordinate their efforts. I have to wait
until my vendors revise their products. I have to cycle through my
remote users' equipment. And, if previous experience is an indication
of future events, upgrade devices themselves, such as revving the OS,
adding memory, and increasing processor power.

It would be much easier and cost effective simply to change my policy
engine (i.e., switch to cipher b).





