opportunistic routers?
Steven Brown
sbrown at cw.net
Mon Jul 12 19:15:35 EDT 1999
Eric,
This is an interesting discussion about Cisco routers, and
I guess any routers in general, but I was wondering about the
following and hope you can answer them.
1 - One reason for the firewalls was the lack of protection that
routers offered. At one point, routers were easily hacked; even
today I don't think routers are designed as firewalls. What then
concerns me is the private key: if it is on the router, how secure
can it be? At least on a firewall or other VPN device, it sits
behind an external router, which may offer some form of protection.
2 - Selective encryption: if used dynamically, and I assume between
two Cisco routers, does all traffic get encrypted? How do you
decide between email, SMTP or HTTP which gets encrypted? It can easily
be done with firewalls, but not dynamically.
Thank You
Steven A. Brown, MBA., CCSA, CCSE,
VPN/Firewall & Internet Security Engineer
Cable&Wireless, 6400 Weston Pkwy, 3rd. FL
Research Triangle Park, NC, 27513
Author:Implementing Virtual Private Networks, McGraw-Hill
CoAuthor:CheckPoint Firewall-1, McGraw-Hill
sbrown at cw.net, Steven.Brown at cwusa.com
On Mon, 12 Jul 1999, Eric Vyncke wrote:
> Joe,
>
> The CA is mostly used when a router gets its certificate; then
> it can be offline (only the CRL must be reachable at all times).
> Hence, the problem is not so big.
>
> Anyway, the conversation with the CA (or the CRL server) does
> not need to be protected for confidentiality (in most configurations)
> as the exchanged information is about public keys and certificates
> which are public. Obviously, this conversation must be protected
> for integrity and authentication :-) Please note that the private
> key of the router NEVER leaves the router.
>
> The protocol used by Cisco routers uses PKCS#7 and PKCS#10 to
> ensure a secure channel.
>
> The 'weak' point is that if you want to allow remote routers to
> get certificates across an insecure channel (e.g. the Internet)
> you must open a hole in your firewall for this protocol and then
> 1) cross your fingers
> 2) rely on the CA vendor to ensure they have no bug which could
> lead to an attack on the CA machine via this protocol (like buffer
> overflow, ...)
>
> The whole process is very easy from a management point of view.
>
> Hopefully, CA vendors are probably very security aware!
>
> Hope this helps
>
> -eric
>
> At 12:56 09/07/1999 -0400, Joseph S D Yao wrote:
> >> >If so, what CA's will Cisco support?
> >>
> >> Currently, Verisign and Entrust, in the next few weeks (currently in Beta)
> >> Baltimore Technologies and Netscape.
> >>
> >> -eric
> >
> >If one's routers are firewalled away from the public Internet, would
> >one be able to direct the router to use one's own internal CA?
> >
> >Tnx mly.
> >
> >--
> >Joe Yao jsdy at cospo.osis.gov - Joseph S. D. Yao
> >COSPO/OSIS Computer Support EMT-B
> >-----------------------------------------------------------------------
> >This message is not an official statement of COSPO policies.
>
> Eric Vyncke
> Consulting Engineer Cisco Systems EMEA
> Phone: +32-2-778.4677 Fax: +32-2-778.4300
> E-mail: evyncke at cisco.com Mobile: +32-75-312.458
>
> ****************************************************************
> TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com
>
> The VPN FAQ (under construction) is available at
> http://kubarb.phsx.ukans.edu/~tbird/FAQ.html
>
> We are currently experiencing "unsubscribe" difficulties. If you
> wish to unsubscribe, please send a message containing the single line
> "unsubscribe vpn your-e-mail-address" to owner-vpn at listserv.secnetgroup.com
>
> ****************************************************************
>
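As an added example that is not part of this thread: the enrollment exchange Eric describes, with a local internal CA (the case Joe asks about) standing in for the commercial CAs he lists, scripted against the openssl command line. The router generates its own RSA key pair and sends out only a PKCS#10 request; the CA checks the request's self-signature (proof that the requester holds the matching private key) and returns a certificate, which the router verifies against the CA certificate it already trusts. The hostnames, directory layout and CA are assumptions; the vendor protocol that carries the PKCS#10 request and the PKCS#7 reply on a real Cisco router is not reproduced, and neither is the CRL check.

```sh
#!/bin/sh
# Added example, not from the thread. Simulates the router/CA enrollment
# exchange with openssl. Hostnames, directory names and the internal CA
# are assumptions; the IOS-side transport of the PKCS#10/PKCS#7 messages
# is not reproduced.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Run the whole exchange under $1: the router keeps its private key in
# $1/router, the CA works in $1/ca, and only the CSR and the issued
# certificate move between the two directories.
enroll_router() {
    work=$1
    router="$work/router"; ca="$work/ca"
    mkdir -p "$router" "$ca"

    # Internal CA (assumed): self-signed root that the router already trusts.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Internal CA" \
        -keyout "$ca/ca.key" -out "$ca/ca.crt" >/dev/null 2>&1

    # Router side: key pair generated locally; router.key never leaves $router.
    openssl genrsa -out "$router/router.key" 2048 >/dev/null 2>&1
    openssl req -new -key "$router/router.key" \
        -subj "/CN=branch-rtr.example.net" \
        -out "$router/router.csr" >/dev/null 2>&1

    # The only artefact that crosses the untrusted channel is the PKCS#10
    # request (public key + identity + self-signature), so confidentiality
    # of that channel is not needed.
    cp "$router/router.csr" "$ca/incoming.csr"

    # CA side: check the request's own signature before issuing anything.
    openssl req -in "$ca/incoming.csr" -verify -noout >/dev/null 2>&1
    openssl x509 -req -in "$ca/incoming.csr" -days 1 \
        -CA "$ca/ca.crt" -CAkey "$ca/ca.key" -CAcreateserial \
        -out "$ca/router.crt" >/dev/null 2>&1

    # Back on the router: the returned certificate must chain to the trusted
    # CA certificate; integrity and authenticity of the reply are what matter.
    cp "$ca/router.crt" "$router/router.crt"
    openssl verify -CAfile "$ca/ca.crt" "$router/router.crt" >/dev/null 2>&1
}

# Returns 0 when the router's private key exists only on the router and
# nothing that reached the CA carries private key material.
private_key_stayed_on_router() {
    work=$1
    [ -f "$work/router/router.key" ] || return 1
    [ ! -f "$work/ca/router.key" ] || return 1
    ! grep -l "PRIVATE KEY" "$work/ca/incoming.csr" "$work/ca/router.crt" >/dev/null 2>&1
}

# Returns 0 when the issued certificate binds the public key that matches
# the private key still held on the router.
cert_matches_router_key() {
    work=$1
    a=$(openssl pkey -in "$work/router/router.key" -pubout 2>/dev/null)
    b=$(openssl x509 -in "$work/router/router.crt" -pubkey -noout 2>/dev/null)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

enroll_router "$WORK"
echo "enrolled: $WORK/router/router.crt"
```

Run it with sh. The point it makes concrete is the one Eric stresses: nothing secret flows from router to CA, so the firewall hole only has to pass the request and the reply, and the trust rests on the CA certificate already installed on the router plus the CA's check of the request's signature, not on secrecy of the channel.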