RE: saag whyenc draft (was RE: Security Gateways)

Ted,

> ... and when someone takes their infected Windows 2000 laptop back
> behind the corporate firewall, viruses such as Code Red generally
> rampage completely out of control, since people behind the firewall
> get careless and assume that they don't need to worry about security
> or applying the latest security patches or service packs behind the
> firewall.

Protection against viruses and hackers comes from firewalls and virus-detection software, not IPSec. An IPSec-equipped host can be just as vulnerable to Code Red as one without IPSec.

Maintaining adequate defensive measures to protect against viruses and hackers is an extremely administratively intensive process. It involves buttoning down your host to make sure there are no open unused TCP ports, and that each new application you install doesn't open up new weaknesses. Any security administrator knows this isn't easy to maintain for even a single host. That is why the bastion host/security gateway architecture is practical for a large enterprise. You only have to do it for your 3-4 security gateways, not your 1000+ hosts.

>
> This has happened to at least three companies, according to reports
> from IETF'ers. One of them at last count hadn't been able to read
> e-mail for the last 48+ hours because Code Red was disrupting the
> internal network so badly that he wasn't able to get to his corporate
> mail servers.

What they need is not necessarily IPSec, but a personal firewall with virus detection capability for their notebook. There are many of these commercially available.

>
> If you think that administrators only need to monitor the few security
> gateways, in order to assure the security of the enterprise, you're
> being hopelessly optimistic.

The first axiom of security is that NOTHING is 100% secure. What I said is that we know the strengths and weaknesses of the security gateway architecture, and while I agree that it is not invulnerable, I would rather go with that than trade the known for the unknown.

>
> That being said, no one is saying that security firewalls should be
> thrown out; first of all, by saying that security should be mandatory
> to implement, it gives the choice of whether or not the encryption
> should be turned on to the user. Mandatory to implement != mandatory
> to use. Secondly, defense in depth is important.

Agreed. End-to-end IPSec is good to have, but in many cases I would turn it off, especially if I wanted to leverage the firewall services of a security gateway. If end-to-end IPSec is turned on, then I would need to ensure each host has a personal firewall and up-to-date virus detection capability.

>
> Even behind my corporate firewall of my company, I maintain my
> personal machines as if there were no firewall, and use encrypted
> connections for everything. This meant that after we got badly
> attacked by hackers who were able to pierce the corporate firewalls, I
> wasn't affected. However the naive folks who assumed they didn't need
> to worry about security because the firewall would protect them were
> very badly affected indeed.

I didn't necessarily mean rely on the corporate firewall. I believe an internal isolated subnet within a corporate network, accessed only through a dedicated iSCSI security gateway, would provide equivalent if not superior security in many cases. For sure, it would be far easier to administer and monitor than end-to-end encryption, virus-detection software, and host-based firewalls on every individual iSCSI host.

The point I'm trying to make is that end-to-end IPSec doesn't solve all the security issues. There have been statements made about how end-to-end IPSec provides security so that the end user doesn't have to worry about it. I believe this is not only false, but that there are situations where end-to-end encryption will actually increase your overall security exposure, because it prevents you from leveraging firewall available from a generic security gateway.

We need to make sure expectations are set correctly. I don't think there is anything that this working group can do to address every possible security threat ever known to mankind, and I certainly hope we don't try to.

Josh

>
> - Ted
>
Last updated: Tue Sep 04 01:04:00 2001