On Wed, 6 Jun 2001, Steve Riley (MCS) wrote:

> The typical complaint against encrypted communications -- whether IPSec
> transport mode or tunnels of various kinds -- is that once a machine is
> compromised, then the attacker has a direct invisible route into other
> machines. This seems a reactionary stance.

I think it's more than routes in, it's really about defense in depth and ease of defense. Proper host security obviously is a lot more effective than perimeter network security, yet we all employ various levels of firewalls because we understand the implications and failure modes of complete host security in a common network environment.

> If (as Jose mentions) we force strong machine-to-machine authentication,
> then the previous concern is moot: how can an attacker compromise a
> machine at all? Am I missing something basic here, or is it that simple?

You're missing the fact that in modern systems the encryption boundary is *weak*. If you had the old "Red Book" model of a strong encryption boundary, then authentication would win. You don't; you have an untrusted desktop OS that in Microsoft's ideal world downloads pseudo-trusted object code from Web sites administered by folks who hit the enter key long enough to get IIS up and running.

Anytime you break the boundary by allowing connectivity vectors that aren't at the same trust level, and you don't have multiple layers of information management so that an untrusted layer can't touch a trusted layer, you tend to lose the value of the model as soon as an exploit becomes easy. Exploits on common desktop OSes are easy these days and you've got zero trust boundaries for code in most organizations. Change that model and you'll spend a *lot* of money on administrative issues and you'll end up with a management nightmare. You'd be surprised what breaks when you make things stick to the model's protection mechanism, if you can even enforce it in most heterogeneous network environments.

If every connection a machine made was at a significant trust level and included strong authentication, the model would be intact. DNSSEC isn't deployed yet, there goes one encryption boundary, and it's one that's hung off of winsock, where we know there's sufficient malicious code already deployed that takes advantage of that vector on Win9x machines to provide a good basis for new trojans moving forward. Hey, you got this mail, there goes another boundary, one that's a known vector for distribution of malcode (and no, all those problems are *not* solved yet.) How do you do comprehensive Anti-Virus if all the e-mail is encrypted and there's no inspection? Anna Kournikova pictures anyone?

And so it goes, useful connectivity piece by piece creates doors in the wall that would be the encryption/authentication boundary, and sooner or later something goes through the door...

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@patriot.net    which may have no basis whatsoever in fact."

-
[To unsubscribe, send mail to majordomo@lists.gnac.net with
"unsubscribe firewalls" in the body of the message.]
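The argument above can be made concrete with a small model of "connectivity vectors" and trust levels. The following Python is an added illustration, not code from the thread or from any product it mentions; the vector names, trust levels and flags are constructed sample values. It flags every vector that carries lower-trust content into a higher-trust layer with no effective inspection point, and shows that turning on end-to-end encryption everywhere closes none of those doors while blinding the one gateway inspection point (the mail AV) the model had.

```python
from dataclasses import dataclass, replace

# Constructed trust levels for the model (not from the original post).
UNTRUSTED, PARTIAL, TRUSTED = 0, 1, 2


@dataclass(frozen=True)
class Vector:
    """One connectivity vector: where content comes from, where it lands,
    and what protections sit on the path. All fields are assumptions of
    this model."""
    name: str
    src_level: int        # trust level of the peer/content origin
    dst_level: int        # trust level of the layer that receives it
    authenticated: bool   # strong machine-to-machine authentication
    encrypted: bool       # end-to-end encrypted (intermediaries are blind)
    inspected: bool       # a gateway inspection point (AV/proxy) exists


def uninspected_doors(vectors):
    """Return names of vectors that move content *up* a trust level without
    effective inspection. Authentication alone does not close a door: it
    proves which peer is talking, not that the peer is uncompromised or
    that the payload is benign. Encryption defeats gateway inspection."""
    doors = []
    for v in vectors:
        crosses_up = v.src_level < v.dst_level
        effective_inspection = v.inspected and not v.encrypted
        if crosses_up and not effective_inspection:
            doors.append(v.name)
    return doors


def encrypt_everything(vectors):
    """Model 'encrypt all traffic' by flipping every vector to encrypted."""
    return [replace(v, encrypted=True) for v in vectors]


# Constructed sample environment: an untrusted desktop zone reaching a
# trusted server/data layer over several vectors.
SAMPLE_VECTORS = [
    Vector("dns-resolver",            UNTRUSTED, TRUSTED, False, False, False),
    Vector("smtp-inbound",            UNTRUSTED, TRUSTED, False, False, True),
    Vector("smtp-inbound-encrypted",  UNTRUSTED, TRUSTED, False, True,  True),
    Vector("web-object-code",         UNTRUSTED, TRUSTED, True,  True,  False),
    Vector("ipsec-desktop-to-server", PARTIAL,   TRUSTED, True,  True,  False),
    Vector("server-to-server",        TRUSTED,   TRUSTED, True,  True,  False),
]


def compare_with_encryption(vectors):
    """Doors before and after encrypting every vector; the difference is the
    set of inspection points that encryption removed."""
    before = uninspected_doors(vectors)
    after = uninspected_doors(encrypt_everything(vectors))
    return before, after, sorted(set(after) - set(before))


if __name__ == "__main__":
    before, after, lost = compare_with_encryption(SAMPLE_VECTORS)
    print("uninspected doors now      :", before)
    print("uninspected doors encrypted:", after)
    print("inspection lost to encryption:", lost)
```

Running it shows four doors in the sample environment (DNS, already-encrypted mail, downloaded object code and the IPsec desktop link) and five once everything is encrypted, because the clear-text mail vector loses its AV inspection; the only vector that stays closed is the trusted-to-trusted server link, i.e. the one where the endpoints are at the same trust level.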