Firewall Wizards mailing list archives

Re: Why VPNs aren't magic silver bullet solutions


From: TC Wolsey <tc () thebiz net>
Date: Wed, 30 Aug 2000 13:31:24 -0400 (EDT)

On Tue, 29 Aug 2000 Jeffery.Gieser () minnesotamutual com wrote:


Marty,

#If I have sensitive data traversing data links I have no control over, why
#not extrapolate what you pointed out and implement encryption at each
#application level where it is required rather than everything traveling
#between the two points... ?? Is there a performance difference ??

#Where is the advantage in wholesale encryption between two points as
#opposed to application selective encryption ??

#Ok, so I can think of one already:  ;)

#- Client/server applications which are closed source with no inbuilt
#means of encrypting connections.

#What are some others ?

I can think of four other reasons.

1.  A VPN encrypts everything between two end points.  I do not have to
maintain/troubleshoot 40 different encryption techniques and keys for the
40 different applications that I want encrypted data for between two end
points.  I just need to maintain one VPN solution and one set of keys.

2.  Having been a Signals Intelligence Analyst in a former life I know I
can prevent more types of traffic analysis by having a VPN that encrypts
everything between two end points rather than encrypting at the application
layer.

3.  I only have to worry about the implementation bugs in the VPN solution
rather than worrying about the implementation bugs in the 40 add-on
application layer encryption modules for the 40 applications.

4.  Hopefully, a company that sells a security product like a VPN is better
at the whole encryption thing than a company whose real job is to build
remote control software or some other application.

Regards,
Jeffery Gieser

I'll add one more - it is easier for a clued person to administer the
config of two VPN endpoints. When the number of VPN peers grows, management
becomes more complex, which usually means frustrated admins or
decentralized control. Do you want users (who really just want to use some
app to get their job done) making decisions regarding which cipher, hash,
DH group, etc., they should use? Decisions with major security implications
should be in the hands of the people who are responsible for security.

Regards,
--tcw
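Point 2 above (a tunnel defeats more traffic analysis than per-application encryption) is easy to see with a small model. The following is an added example, not code from the original thread or from either poster: it takes a constructed set of packets between two sites, shows what a passive observer on the WAN link can read from headers when each application encrypts only its own payload, then wraps the same packets in one ESP tunnel between two gateways and shows what remains. The addresses, ports, packet sizes and the per-packet ESP overhead are all assumptions chosen for illustration.

```python
from collections import Counter
from dataclasses import dataclass, replace

ESP_OVERHEAD = 57  # assumed per-packet ESP + outer IPv4 header cost; illustrative only


@dataclass(frozen=True)
class Packet:
    ts: float      # seconds since capture start
    src: str
    dst: str
    proto: str     # "tcp", "udp" or "esp"
    dport: int     # 0 when the protocol has no port (ESP)
    size: int      # bytes on the wire


# Constructed sample traffic from site A (10.1.0.0/24) to site B (10.2.0.0/24).
# Addresses, ports and sizes are assumptions chosen for illustration; every
# application is assumed to encrypt its own payload, so only headers are readable.
SAMPLE = [
    Packet(0.00, "10.1.0.5", "10.2.0.10", "tcp", 443, 517),    # HTTPS handshake
    Packet(0.01, "10.1.0.5", "10.2.0.10", "tcp", 443, 1420),
    Packet(0.05, "10.1.0.7", "10.2.0.20", "tcp", 22, 96),      # SSH keystrokes
    Packet(0.06, "10.1.0.7", "10.2.0.20", "tcp", 22, 96),
    Packet(0.30, "10.1.0.9", "10.2.0.30", "tcp", 5900, 1380),  # remote-control app
    Packet(0.31, "10.1.0.9", "10.2.0.30", "tcp", 5900, 1380),
    Packet(0.32, "10.1.0.9", "10.2.0.30", "tcp", 5900, 1380),
]


def observer_view(packets):
    """What a passive observer on the WAN link learns from headers alone.
    Payloads are treated as opaque in both scenarios; only metadata is counted."""
    flows = Counter()
    for p in packets:
        flows[(p.src, p.dst, p.proto, p.dport)] += p.size
    return {
        "flows": dict(flows),
        "services": {(p.dst, p.proto, p.dport) for p in packets},
        "talking_hosts": {p.src for p in packets},
        "packet_count": len(packets),
        "total_bytes": sum(p.size for p in packets),
        "timing": [p.ts for p in packets],
    }


def tunnel(packets, gw_a="198.51.100.1", gw_b="203.0.113.1"):
    """Encapsulate every packet in one ESP tunnel between two gateways
    (documentation-range addresses, assumed). Inner addresses and ports vanish;
    each packet grows by a fixed overhead and keeps its original timing."""
    return [replace(p, src=gw_a, dst=gw_b, proto="esp", dport=0,
                    size=p.size + ESP_OVERHEAD) for p in packets]


def compare(packets):
    """Summarise what the tunnel hides and what it still leaks."""
    plain = observer_view(packets)
    vpn = observer_view(tunnel(packets))
    return {
        "hidden_services": len(plain["services"]) - len(vpn["services"]),
        "hidden_hosts": len(plain["talking_hosts"]) - len(vpn["talking_hosts"]),
        "still_leaks_packet_count": plain["packet_count"] == vpn["packet_count"],
        "still_leaks_timing": plain["timing"] == vpn["timing"],
        "still_leaks_volume": vpn["total_bytes"] - plain["total_bytes"]
                              == ESP_OVERHEAD * len(packets),
    }


if __name__ == "__main__":
    for name, view in (("per-app encryption", observer_view(SAMPLE)),
                       ("site-to-site VPN", observer_view(tunnel(SAMPLE)))):
        print(f"{name}: {len(view['services'])} services, "
              f"{len(view['talking_hosts'])} hosts, {view['total_bytes']} bytes")
    print(compare(SAMPLE))
```

With per-application encryption the observer still sees which internal hosts talk to which servers on which ports, and can count keystroke-sized SSH packets against bulk remote-control frames; inside the tunnel all of that collapses to one gateway pair. The caveat the model also makes visible: packet count, sizes (plus a constant) and timing survive the tunnel unchanged, so a VPN narrows traffic analysis rather than eliminating it, and hiding volume or timing takes padding or traffic shaping on top of the encryption.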



_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards