Firewall Wizards mailing list archives
Re: Why VPNs aren't magic silver bullet solutions
From: TC Wolsey <tc () thebiz net>
Date: Wed, 30 Aug 2000 13:31:24 -0400 (EDT)
On Tue, 29 Aug 2000 Jeffery.Gieser () minnesotamutual com wrote:
Marty,
#If I have sensitive data traversing data links I have no control over, why
#not extrapolate what you pointed out and implement encryption at each
#application level where it is required rather than everything traveling
#between the two points... ?? Is there a performance difference ??
#Where is the advantage in wholesale encryption between two points as
#opposed to application selective encryption ??
#Ok, so I can think of one already: ;)
#- Client/server applications which are closed source with no inbuilt
#means of encrypting connections.
#What are some others ?

I can think of four other reasons.

1. A VPN encrypts everything between two end points. I do not have to maintain/troubleshoot 40 different encryption techniques and keys for the 40 different applications that I want encrypted data for between two end points. I just need to maintain one VPN solution and one set of keys.
2. Having been a Signals Intelligence Analyst in a former life I know I can prevent more types of traffic analysis by having a VPN that encrypts everything between two end points rather than encrypting at the application layer.
3. I only have to worry about the implementation bugs in the VPN solution rather than worrying about the implementation bugs in the 40 add-on application layer encryption modules for the 40 applications.
4. Hopefully, a company who sells a security product like a VPN is better at the whole encryption thing than a company whose real job is to build remote control software or some other application.

Regards,
Jeffery Gieser
I'll add one more - it is easier for a clued person to administer the config of two VPN endpoints. When the number of VPN peers grows, management becomes more complex, which usually means frustrated admins or decentralized control. Do you want users (who really just want to use some app to get their job done) making decisions regarding which cipher, hash, DH group, etc, they should use? Decisions with major security implications should be in the hands of the people who are responsible for security.

Regards,
--tcw