[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: new to VPN

To: John Lindal <jafl@trlokom.com>
Subject: RE: new to VPN
From: Stephen Kent <kent@bbn.com>
Date: Tue, 4 Feb 2003 21:01:34 -0500
Cc: <ipsec@lists.tislabs.com>
In-Reply-To: <200302032241.h13MfMn17917@localhost.localdomain>
References: <200302032241.h13MfMn17917@localhost.localdomain>
Sender: owner-ipsec@lists.tislabs.com

At 2:41 PM -0800 2/3/03, John Lindal wrote:
>  >>  > There's a very large difference between a general purpose OS like
>>>>   Windows or Unix, and an embedded system OS.  Large, as in several
>>>>   orders of magnitude.
>>>
>>>Unless I'm missing something fundamental, comparing the raw sizes of
>>>various operating systems is misleading.  Assuming that the VPN software is
>>>installed at the bottom of the network stack, just above the NIC driver,
>>>then it doesn't matter how big the rest of the OS is.  The only thing that
>>>matters is the tiny little bit of the OS that takes the packet off the NIC
>>>and hands it to the VPN driver.
>>>
>>>Of course, this small part of the OS must not have any holes, the VPN
>>>software must not have any holes, and the security policies must be set
>>>correctly to weed out malicious or unwanted packets!
>>
>>  I'm afraid you are missing something. Irrespectivbe of where the VPN
>>  software is installed in a general purpose platform/OS environment,
>>  that software can be subverted by a successful attack against any
>>  part of the rest of the OS.
>
>How can one attack the rest of the OS if the VPN component is located at
>the only entry point and doesn't allow malicious packets to pass?
>
>>  Your comment suggests that if the VPN access controls are working, then
>>  no evil packets can evade detection and thus be used to attack the higher
>>  layer software. We have lots of experience that indiactes otherwise.
>
>I think it's a matter of definitions.  In any situation where malicious
>packets get through the VPN filter, I would say that the access controls
>are not working correctly :)

John,

I've often joked that when I was on the IAB for over a decade I 
missed the opportunity to define the "evil" bit in the IP header, 
which would flag malicious packets and make security so much easier 
:-)

I know of no way to determine if a packet is malicious, in absolute 
terms.  We characterize packets (or, more typically, sequences of 
packets) as malicious only once we understand the bad things than can 
happen, usually as a result of being the victim of an attack. So, 
detection of malicious packets is, in that sense, a two pass 
algorithm, with a possibly long with a possibly long interval between 
the passes.

I didn't think that any firewall or IDS vendor really believed that 
it had filters or signatures or anomaly detection algorithms that 
were good enough to detect all malicious traffic. Thus, by your 
definition, ALL of these products have defective access controls.

On what basis do you believe that your technology is capable of 
detecting and rejecting all malicious packets and thus is immune to 
attacks that might traverse the VPN component?

Steve

P.S.  I think it would be better to not refer to functions like IDS 
as VPN components.  The generally accepted terminology for VPNs is 
broad, bit I don't think  most folks would claim that it encompasses 
Intrustion Detection. One may choose to provide IDS functions in the 
same box as IPsec, but the two are independent.

Follow-Ups:
- A basic question.
  - From: "Bepsy Paul" <bepsy@airBB.com>
- Re: new to VPN
  - From: ALAIN PATRICK AINA <aalain@trstech.net>

References:
- RE: new to VPN
  - From: John Lindal <jafl@trlokom.com>

Prev by Date: Re: Moving forward with IKE V2: A proposal for final edits to ikev2-04
Next by Date: Re: Modefg considered harmful
Prev by thread: RE: new to VPN
Next by thread: A basic question.
Index(es):
- Date
- Thread