In my original note, I wondered at the beginning whether one can choose sides. Well, I'll have to admit that my gut feeling is more toward the encryption side than inspection, and Jose's note here helps give words to my feelings.

The typical complaint against encrypted communications -- whether IPSec transport mode or tunnels of various kinds -- is that once a machine is compromised, the attacker has a direct, invisible route into other machines. This seems a reactionary stance. If (as Jose mentions) we force strong machine-to-machine authentication, then the previous concern is moot: how can an attacker compromise a machine at all? Am I missing something basic here, or is it that simple? (No flames, please. :))

___________________________________________________________
Steve Riley
Microsoft Telecommunications Consulting in Denver, Colorado
steriley@microsoft.com
+1 303 521-4129 (mobile)
steriley@hotmail.com (MSN Messenger)
www.microsoft.com/ISN/tech_columnists.asp
Applying computer technology is simply finding the right wrench to pound in the correct screw.

-----Original Message-----
From: Jose Nazario [mailto:jose@biocserver.BIOC.cwru.edu]
Sent: Wednesday, June 6, 2001 10:30 AM
To: firewalls@Lists.GNAC.NET
Subject: Re: Encryption vs. inspection.

i think i'll wade into this flaming pit ...

i'm a big fan of strong crypto. anyone who knows me knows that. i love tunnels, i think they have a place. i think that paul's piece in infosecmag is spot on in some places, and completely misses the boat in others.

crypto, and tunnels, don't just provide confidentiality; they can be used to force authentication, *strong* authentication, not only of the server but also of the client. by forcing client authentication you can prevent, in some instances, a malicious client from shoving data down the pipe that you may not want them to.

secondly, this was brought up here earlier: if all you think about when you think 'intrusion detection' is a sniffer on the wire, you should sit back and think more about it. move to agent-based intrusion detection, utilizing some central analysis station. alternatively, and i haven't seen this done, include the NIDS in the crypto negotiation via some secure key-passing mechanism and (probably utilizing hardware-based accelerators on the NIDS boxes) have it analyze the traffic as well. just a pipe dream right now.

anyhow, crypto has its place, but it's not counter to intrusion detection. keep that in mind.

____________________________
jose nazario jose@cwru.edu
PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
PGP key ID 0xFD37F4E5 (pgp.mit.edu)

-
[To unsubscribe, send mail to majordomo@lists.gnac.net with "unsubscribe firewalls" in the body of the message.]