
List:       vpn
Subject:    RE: Question - What is a VPN?
From:       Kent Dallas <KDallas () intelispan ! com>
Date:       1999-06-05 0:14:54

> From:	TC Wolsey [twolsey@realtech.com]
> Sent:	Friday, June 04, 1999 7:40 AM
> Subject:	Re: Question (fwd)

[SNIP]
> control, your privacy still only extends to the weakest point in your
> implementation, but I believe that assessing your own weaknesses can
> be much less of a chore than assessing those of your provider. 

Kent Dallas writes:
I agree with the "weakest link" argument, but disagree that a typical
customer is better at assessing their security solution than a service
provider SHOULD be.  And for a couple of reasons:

1)  The hardest mistake (or weakness) to find is the one that you have
created.  It is much easier to find fault in someone else's implementation
than your own.
2)  A typical customer is in some business other than information security.
They are not likely to have the on-staff talent necessary to perform a solid
security assessment.  Service providers SHOULD have the on-staff talent of
sufficient caliber to perform a solid security assessment.
3)  A typical customer does not have any past experience in performing such
an assessment.  Service Providers SHOULD have learned from past mistakes,
and can help a typical customer avoid common errors.

> Three things that I like to see addressed in the privacy
> component of a VPN solution:

> Confidentiality - assurance that the information is not
> exposed to unauthorized parties
> Integrity - assurance that the information is not modified
> in transit b/w authorized parties
> Authentication - assurance that the information actually originated
> from authorized parties

Kent Dallas writes:
As I wrote in an earlier message on a different thread, "VPNs are not a
security solution.  But they can be a part of one."  I would expect each of
those components, plus three more, in any security solution.  But my VPN
does not have to provide all of them.  The other three are:

Access Control - the ability to control access to resources on a selective
basis
Non-repudiation - the sender cannot deny sending and the recipient cannot
deny receiving
Availability - critical systems are resistant to attacks which limit their
ability to perform

Access Control can also be described as Authorization, which was implied as
a requirement in each of the original three components, so perhaps these are
just two more.  And it is not surprising that they are often omitted -
few VPN solutions address them.

IF your application could guarantee all of the above components, you
wouldn't need to rely on your network to do it.  There is certainly a market
for adding security features to a network - but the market only exists
because the appropriate security mechanisms are not in place where they
should be, IMHO... I agree with the posts of Suzette Szostwoski and Jay
Wack.

> From:	John Fulmer [john.d.fulmer@mail.sprint.com]
> Sent:	Friday, June 04, 1999 9:27 AM
> Subject:	Re: Question (fwd)

> AFAIK, common terminology is that "Virtual Private Network" implies an
> encrypted, encapsulated conduit (which, granted often may be turned off
> in any given implementation.) and 'tunnel' implies only an encapsulated
> conduit. Or, in other words, a VPN is an encrypted tunnel.

> Is there something wrong with this definition?

No, as long as you understand that it is your own creation, and not
necessarily shared by everyone else.  I think it would certainly be safe to
state it the other way around: that an encrypted tunnel is a VPN.

If you believe otherwise, you are taking a position that encryption is the
only way to provide privacy (or confidentiality, whichever) - it isn't, and
that tunnels are the only way to provide a virtual network - they aren't.

Regards,
Kent Dallas
