
RE: new to VPN

> -----Original Message-----
> From: owner-ipsec@xxxxxxxxxxxxxxxxx
> On Behalf Of Stephen Kent
> although I agree it improves the situation. Dedicated
> hardware devices usually do not have the OS services present to shut
> off, so they are better off.  

I am not sure I really understand. Once you have switched off services,
what is the difference? You agree that it improves security and then you
say hardware is better. Can you tell me attacks that are OS-specific and
not related to a service?

> I think we see more of this flavor in
> modern firewall products as well, so I think there is a parallel
> evolution path here.

Which modern hardware firewalls? The newest thing in security is to solve
the intrusion problem and weed out Trojans. A recent test has shown that
hardware-based systems performed miserably.

There are a lot of things you can do in software to detect intrusions
and catch Trojans that you can never do using standalone hardware.

> >There is a lot more to practical security than FIPS level 3. Maybe the
> >box is fine, but a Trojan can have a field day with the computers behind
> >your box.
> Yes, but it's not the fault of the box, which is the focus of this
> discussion.

In my very first e-mail, I _very_ clearly stated that software based
systems will have an advantage in detecting Trojans. And therefore may
have an advantage in overall security. 

If you did not agree with that statement and wanted to talk only about the
security of the VPN box, you could have mentioned it a lot earlier.

> Since the comment applies to just the security of the IPsec device,
> not the computers behind it, I think it is fair to say that a
> dedicated, hardware implementation of IPsec has the potential to be
> considerably more secure than an implementation that runs on a
> general purpose computer with a general purpose OS, even if one
> attempts to harden the OS by turning off extraneous services.

The reason for my original response was that a general perception has
been created that hardware is more secure than software. Maybe (a real
maybe), VPN hardware is more secure than software based VPN, but somehow
that gets generalized to overall security. IMHO that is not correct. 

Here is a good example of hardware relying on software to improve

Several leading VPN hardware vendors are working with those who
specialize in host-based security to ensure that the host configurations
have not been altered to infect the host with a virus/Trojan. These
secure VPN boxes were serving as a conduit to spread viruses and Trojans
and wreaking havoc on corporate security.

To summarize, security based on your lowly desktop OS is looking good.
It provides an excellent platform to integrate security functions to
improve ease of configuration, management, event correlation, protection
against internal attacks, and Trojan and intrusion detection, and is a
better solution for overall security. Not to mention that it is much more
Performance is excellent as well.