
RE: new to VPN



At 9:32 AM -0800 1/31/03, Jayant Shukla wrote:
>If you shut off unnecessary services then one can overcome majority, if
>not all, vulnerabilities that you are talking about. I think you would
>agree that the hardware box too will be less secure if you run a lot of
>services on it?

The approach you describe is one that has been practiced for many 
years when vendors built firewalls on top of general purpose OS 
platforms. It has never been a way to create a very high assurance 
implementation, although I agree it improves the situation. Dedicated 
hardware devices usually do not have the OS services present to shut 
off, so they are better off.  I think we see more of this flavor in 
modern firewall products as well, so I think there is a parallel 
evolution path here.

>>  In contrast, an IPsec implementation operating in a
>>  constrained environment with a minimal OS, perhaps just a scheduler,
>>  is less vulnerable in general.
>
>Ok, no services and a limited OS! That's good, but what makes you think
>the limited OS will not have any vulnerabilities? Is there a size below
>which an OS ceases to have any vulnerability?

It is not just a matter of size, of course, but of purpose built vs. 
general purpose OS environments.

>This box with limited OS that you describe must be very difficult to
>use! How do you configure/update/manage these boxes in a VPN with say 50
>sites?

The management interface ought not be closely tied to the underlying OS.

>>  Also, if one uses hardware to generate
>>  keys and if one keeps the keys inside the hardware (consistent with
>>  FIPS 140-1/2 level 3 design criteria) the keys will be very well
>>  protected, something that we simply cannot do in software.
>
>There is a lot more to practical security than FIPS level 3. Maybe your
>box is fine, but a Trojan can have a field day with the computers behind
>your box.

Yes, but it's not the fault of the box, which is the focus of this discussion.

>Another point about gateway based security is that your data is not
>secure over the local network, and is vulnerable to internal attacks.
>According to an FBI survey, over 80% of the attacks come from inside?

That survey is old, and had a different definition of "attack." But, 
if you want to do a good job inside an enterprise net, then the 
analogous approach is the "IPsec in the NIC" approach, which is far 
better than the "IPsec in the OS" approach.

>The bottom line is that making a sweeping claim that hardware is more
>secure is misleading.

Since the comment applies to just the security of the IPsec device, 
not the computers behind it, I think it is fair to say that a 
dedicated, hardware implementation of IPsec has the potential to be 
considerably more secure than an implementation that runs on a 
general purpose computer with a general purpose OS, even if one 
attempts to harden the OS by turning off extraneous services.

Steve