
RE: A short letter about VPN security



(First my usual disclaimer: I'm very new to both security and VPNs, and
somewhat new to networking in general.  If I say anything wrong, feel free
to correct me -- it'll just help me learn.)

Smith Geo <lpgone_2001@yahoo.com> writes:

 > A problem troubles me, but I don't know whether it is worth
 > proposing.

We won't know 'til you ask....

 > How to solve overlay of security function in a layered protocol stack?

Keep them in order, and each one's output will simply be input for the next
one.  For instance, you can have an IPsec-based VPN running over modems that
scramble the data at that layer, serving an application that also uses
encryption at its layer.  None of these layers know, let alone care, about
the others, so long as lower ones can provide all the services needed by the
higher ones.

 > For example, in a security VPN
 > implementation of "L2TP over IPSec", perhaps it has
 > carried out encryption in a private network, but when
 > a private packet is handled by IPSec, the second
 > encryption is applied.  However, if the edge VPN
 > device doesn't do encryption process to the incoming
 > private packet, the control information field or other
 > fields that can't be encrypted in a private network
 > will be exposed to the public network.  So attackers can
 > analyse the private traffic and so it will result in
 > many potential threats.
 > 
 > Is it not serious in a VPN?

Yes, assuming that the data in question is of such a nature that the
information typically exposed by traffic analysis attacks really matters.
So make sure that anything from your gateways to the public Internet is
encapsulated and encrypted.  Then, all an attacker knows is that there's
X-amount of traffic from gateway A to gateway B, and nothing about traffic
behind the gateways, including even what endpoints exist.  If the amount of
traffic between your gateways is still a concern for analysis purposes,
there are numerous other ways to deal with that, like creating dummy
traffic, tagging your traffic with priorities so as to make it seem like
less now and more later (by delaying the extremely low priority stuff),
making it seem to come from multiple points, making it seem to be bound for
multiple points, etc.

-- 
Dave Aronson, Software Engineer, +1-571-434-2039 V, +1-571-434-2001 F.
Cryptek Secure Communications, 1501 Moran Rd., Sterling, VA 20166 USA.
Opinions above are MINE, ALL MINE -- but for rent at reasonable rates.
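As an added illustration (not part of the original message or its author's work), here is a small Python model of what a passive observer on the public network can read from an L2TP frame when the edge gateway forwards it as-is versus when it wraps it in ESP tunnel mode; the addresses, tunnel/session IDs, SPI and sizes are constructed sample values.

```python
# Added example: a toy model of the layering discussed above. It is not real
# IPsec code; it only tracks which header fields stay in cleartext on the wire.
from dataclasses import dataclass, field
from typing import Dict, List

@dataclass
class Packet:
    """A packet as a stack of layers, outermost first (header sizes are approximate)."""
    layers: List[Dict] = field(default_factory=list)

def private_packet(src: str, dst: str, payload_len: int, app_encrypted: bool) -> Packet:
    """L2TP frame carrying a private IP packet. The L2TP fields and the private IP
    header are plaintext at this layer even when the application encrypted its payload."""
    return Packet(layers=[
        {"layer": "L2TP", "tunnel_id": 7, "session_id": 3, "msg_type": "data", "size": 8},
        {"layer": "IP", "src": src, "dst": dst, "size": 20},
        {"layer": "payload", "size": payload_len, "encrypted": app_encrypted},
    ])

def esp_tunnel(pkt: Packet, gw_a: str, gw_b: str, spi: int) -> Packet:
    """Edge gateway wraps the whole private packet in ESP tunnel mode: only the
    outer IP header, the ESP SPI/sequence number and the total size stay visible."""
    inner = sum(layer["size"] for layer in pkt.layers)
    return Packet(layers=[
        {"layer": "IP", "src": gw_a, "dst": gw_b, "size": 20},
        {"layer": "ESP", "spi": spi, "size": inner + 8 + 12},  # ESP header + ICV, roughly
    ])

def observer_view(pkt: Packet) -> Dict:
    """Everything an on-path observer can read: each header up to the first
    encrypted layer, plus sizes, which are always observable."""
    seen: Dict = {}
    for layer in pkt.layers:
        name = layer["layer"]
        if name == "ESP":
            seen["esp"] = {"spi": layer["spi"], "size": layer["size"]}
            break  # the rest is opaque ciphertext
        if name == "payload":
            seen["payload"] = {"size": layer["size"], "readable": not layer["encrypted"]}
            continue
        seen[name.lower()] = {k: v for k, v in layer.items() if k != "layer"}
    return seen

def compare_views():
    """Same private packet, forwarded bare vs. ESP-encapsulated (constructed values)."""
    private = private_packet("10.0.1.5", "10.0.2.9", 512, app_encrypted=True)
    bare = observer_view(private)
    wrapped = observer_view(esp_tunnel(private, "198.51.100.1", "203.0.113.7", spi=0x1234))
    return bare, wrapped

if __name__ == "__main__":
    for label, view in zip(("bare", "esp-tunnel"), compare_views()):
        print(label, view)
```

The bare view still leaks the private endpoints and the L2TP tunnel/session IDs even though the application payload is encrypted; the ESP view shows only gateway-to-gateway addresses, an SPI and a size, which is exactly the residual information the reply says is left for traffic analysis.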