VPN costs savings

Sandy Harris sandy at STORM.CA
Tue Jan 30 14:51:29 EST 2001

Stephen Hope wrote:

> The choice of encryption should be - do i have enough security by default in
> the underlying transport, or do i need more?

If in doubt, encrypt. At worst, that wastes resources. An error in the other
direction can be extremely expensive.

>From the FreeS/WAN docs:

|Resisting traffic analysis
|Traffic analysis is the attempt to derive useful intelligence from encrypted
|traffic without breaking the encryption. For example, an eavesdropper might
|deduce something interesting merely by knowing that your CEO was exchanging
|email with a particular venture capital firm. ...
|Except in the simplest cases, traffic analysis is hard to do well. ...
|In general, defending against traffic analysis is also difficult. ...
|IPSEC is not designed to stop traffic analysis and we know of no plausible
|method of extending it to do so. That said, there are ways to make traffic
|analysis harder. ...
|Using "unnecessary" encryption
|One might choose to use encryption even where it appears unnecessary in
|order to make analysis more difficult. Consider two offices which pass a
|small volume of business data between them using IPSEC and also transfer
|large volumes of Usenet news. At first glance, it would seem silly to
|encrypt the newsfeed, ...
|However, if we encrypt a lot of news and send it down the same connection
|as our business data, we make traffic analysis much harder. A snoop cannot
|now make inferences based on patterns in the volume, direction, sizes,
|sender, destination, or timing of our business messages. ...
|As a general rule, though, one can improve resistance to traffic analysis
|by encrypting as much traffic as possible rather than only as much as
|seems necessary.
|Using fewer tunnels
|It may also help to use fewer tunnels. For example, if all you actually
|need encrypted is connections between:
|    mail servers at branch and head offices
|    a few branch office users and the head office database server
|You might build one tunnel per mail server and one per remote database user,
|restricting traffic to those applications. This gives the traffic analyst
|some information, however. ...
|We suggest instead that you build one tunnel per branch office, encrypting
|everything passing from head office to branches. ...

VPN is sponsored by SecurityFocus.COM

More information about the VPN mailing list