opportunistic routers?

Steven Brown sbrown at cw.net
Mon Jul 12 19:15:35 EDT 1999


 Eric,

 This is an interesting discussion about Cisco routers, and
 I guess any routers in general, but I was wondering about the
 following and hope you can answer them.

 1 - One reason for the firewalls was the lack of protection that
 routers offered. At one point, routers were easily hacked, and even
 today I don't think routers are designed as firewalls. What then
 concerns me is the private key: if it is on the router, how secure
 can it be? At least on a firewall or other VPN device, it sits
 behind an external router, which may offer some form of protection.

 2 - Selected encryption: if used dynamically, and I assume between
 two Cisco routers, then does all traffic get encrypted? How do you
 decide between email, smtp or http which gets encrypted? It can easily
 be done with firewalls, but not dynamically.

 

Thank You
Steven A. Brown, MBA., CCSA, CCSE,
VPN/Firewall & Internet Security Engineer
Cable&Wireless, 6400 Weston Pkwy, 3rd. FL
Research Triangle Park, NC, 27513
Author:Implementing Virtual Private Networks, McGraw-Hill
CoAuthor:CheckPoint Firewall-1, McGraw-Hill
sbrown at cw.net, Steven.Brown at cwusa.com 




On Mon, 12 Jul 1999, Eric Vyncke wrote:

> Joe,
> 
> The CA is mostly used when a router gets its certificate then
> it can be offline (only the CRL must be reachable at all time).
> Hence, the problem is not so big.
> 
> Anyway, the conversation with the CA (or the CRL server) does
> not need to be protected for confidentiality (in most configurations)
> as the exchanged information is about public keys and certificates
> which are public. Obviously, this conversation must be protected
> for integrity and authentication :-) Please note that the private
> key of the router NEVER leaves the router.
> 
> The protocol used by Cisco routers is using PKCS#7 and PKCS#10 to
> ensure secure channel.
> 
> The 'weak' point is that if you want to allow remote routers to
> get certificates across an insecure channel (e.g. the Internet)
> you must open a hole in your firewall for this protocol and then
> 1) cross your fingers
> 2) rely on the CA vendor to ensure they have no bug which could
>    lead to an attack on the CA machine via this protocol (like buffer
>    overflow, ...)
> 
> The whole process is very easy from a management point of view.
> 
> Hopefully, CA vendors are probably very security aware!
> 
> Hope this helps
> 
> -eric
> 
> At 12:56 09/07/1999 -0400, Joseph S D Yao wrote:
> >> >If so, what CA's will Cisco support?
> >> 
> >> Currently, Verisign and Entrust, in the next few weeks (currently in Beta)
> >> Baltimore Technologies and Netscape.
> >> 
> >> -eric
> >
> >If one's routers are firewalled away from the public Internet, would
> >one be able to direct the router to use one's own internal CA?
> >
> >Tnx mly.
> >
> >--
> >Joe Yao				jsdy at cospo.osis.gov - Joseph S. D. Yao
> >COSPO/OSIS Computer Support					EMT-B
> >-----------------------------------------------------------------------
> >This message is not an official statement of COSPO policies.
> 
> Eric Vyncke                        
> Consulting Engineer                Cisco Systems EMEA
> Phone:  +32-2-778.4677             Fax:    +32-2-778.4300
> E-mail: evyncke at cisco.com          Mobile: +32-75-312.458
> 
> ****************************************************************
> TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com
> 
> The VPN FAQ (under construction) is available at
> http://kubarb.phsx.ukans.edu/~tbird/FAQ.html
> 
> We are currently experiencing "unsubscribe" difficulties.  If you
> wish to unsubscribe, please send a message containing the single line
> "unsubscribe vpn your-e-mail-address" to owner-vpn at listserv.secnetgroup.com
> 
> ****************************************************************
> 
