Penetration Testing mailing list archives

RE: Leased Lines

From: Gorgon Beast <gorgonbeast () hotmail com>
Date: Wed, 14 Oct 2009 07:45:55 -0700


Sebastian,

Surprisingly, I get asked this a lot.  Certainly, it can be done (anything CAN be done).  Anyone that has physical 
access to the cabling can put in a Y and examine traffic.  This is, of course, more difficult that it sounds; trying to 
find the right wires in a bundle of 50,000 other wires, then getting your connector in there without setting off alarms 
is another matter. Or if the bad guy has access to the building, all bets are off.

What it really depends on is what you are sending across.  If you are a bank, or the IRS, then it would be a good idea 
to encrypt it too; these businesses have oodles of cash laying around, just waiting to be spent.  If you are a small 
business sending files back and forth to your other office and it has no personally identifiable information in it, 
then it probably isn't such a high priority.

Since most routers and firewalls have VPN technology built into them these days, it is generally a good idea to do it 
anyway, it doesn't appreciably slow anything down, and it just makes things that much more secure.  Likewise for the 
strong authentication.  

John

Hi,

I'm looking for any information related to the security of leased
lines, specifically if it is feasible to eavesdrop on them outside a
companies building. What would it take to do it?

I'm having a debate about the use fullness of encryption on leased
lines and the use of strong authentication for the PPP session and
such.

I understand there are always risk assessment/costs aspects to
security issues, but I'm currently focused on the technical side of
things :)

                                          
_________________________________________________________________
Your E-mail and More On-the-Go. Get Windows Live Hotmail Free.
http://clk.atdmt.com/GBL/go/171222985/direct/01/
------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------

Current thread:

Leased Lines Sebastiaan (Oct 13)
- RE: Leased Lines Shenk, Jerry A (Oct 13)
- RE: Leased Lines Craig Wilson (Oct 15)
- Re: Leased Lines David Howe (Oct 15)
- Re: Leased Lines Wim Remes (Oct 15)
- <Possible follow-ups>
- RE: Leased Lines Gorgon Beast (Oct 15)
  - Re: Leased Lines Elizabeth Greene (Oct 19)