Re: Someone’s Been Siphoning Data Through a Huge Security Hole in the Internet
Merike Kaeo
merike at doubleshotsecurity.com
Sun Dec 8 21:46:22 UTC 2013
On Dec 6, 2013, at 11:55 AM, Eugeniu Patrascu <eugen at imacandi.net> wrote:
> On Fri, Dec 6, 2013 at 9:48 PM, Jared Mauch <jared at puck.nether.net> wrote:
>
>>
>> On Dec 6, 2013, at 1:39 PM, Brandon Galbraith <brandon.galbraith at gmail.com>
>> wrote:
>>
>>> If your flows are a target, or your data is of an extremely sensitive
>>> nature (diplomatic, etc), why aren't you moving those bits over
>>> something more private than IP (point to point L2, MPLS)? This doesn't
>>> work for the VoIP target mentioned, but foreign ministries should most
>>> definitely not be trusting encryption alone.
>>
>> I will ruin someone's weekend here, but:
>>
>> MPLS != Encryption. MPLS VPN = "Stick a label before the still
>> unencrypted IP packet".
>> MPLS doesn't secure your data, you are responsible for keeping it secure
>> on the wire.
>>
>>
> It's always interesting to watch someone's expression when they hear that
> MPLS VPN, even if it says VPN in the name is not encrypted. Priceless every
> time :)
So, just to raise the bar... I had someone once tell me they encrypted everything since they were using IPsec. Since I only trust configurations, lo and behold, the configuration was IPsec AH. As an exercise to the reader: determine why using IPsec does not automagically equate to encrypted traffic.
This was only 2 years ago while doing a security assessment for someone.
I greatly dislike the term 'VPN'... always have and always will. Marketechture is awesome!
- merike
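An added example, not part of Merike's post or the thread, that walks the IPv4 and IPsec headers of two constructed packets to show the point of the exercise: with AH (IP protocol 51) the authenticated UDP payload is still readable on the wire, while ESP (IP protocol 50) leaves only an opaque body after the SPI and sequence number. Addresses, SPIs and packet contents are constructed; whether an ESP SA really encrypts (as opposed to NULL encryption) is still only visible in the configuration.

```python
import struct

IPPROTO_ESP = 50   # Encapsulating Security Payload: confidentiality + integrity
IPPROTO_AH = 51    # Authentication Header: integrity only, payload stays in clear
IPPROTO_UDP = 17


def ipv4_payload(packet: bytes) -> tuple:
    """Return (protocol number, payload bytes) of a raw IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4
    return packet[9], packet[ihl:]


def inspect_ipsec(packet: bytes) -> dict:
    """Classify an IPv4 packet as AH, ESP or plain and expose what is readable."""
    proto, payload = ipv4_payload(packet)
    if proto == IPPROTO_AH:
        # AH header: next_hdr(1) payload_len(1) reserved(2) SPI(4) seq(4) ICV(...)
        next_hdr, payload_len = payload[0], payload[1]
        spi, seq = struct.unpack("!II", payload[4:12])
        ah_len = (payload_len + 2) * 4  # payload_len counts 32-bit words minus 2
        return {"mode": "AH", "spi": spi, "seq": seq, "next_header": next_hdr,
                "plaintext_visible": True, "cleartext": payload[ah_len:]}
    if proto == IPPROTO_ESP:
        # ESP header: SPI(4) seq(4), then an opaque body; the header alone cannot
        # tell a real cipher from ESP-NULL, which is why the SA config must be read.
        spi, seq = struct.unpack("!II", payload[:8])
        return {"mode": "ESP", "spi": spi, "seq": seq, "next_header": None,
                "plaintext_visible": False, "cleartext": b""}
    return {"mode": "none", "spi": None, "seq": None, "next_header": proto,
            "plaintext_visible": True, "cleartext": payload}


def _ipv4(proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header around payload (checksum left zero; constructed)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


# Constructed samples: AH with a 12-byte ICV (HMAC-SHA1-96 size) over a SIP/UDP
# datagram, and ESP with an opaque body of roughly the same size.
UDP_SAMPLE = struct.pack("!HHHH", 5060, 5060, 8 + 11, 0) + b"INVITE sip:"
AH_PACKET = _ipv4(IPPROTO_AH, bytes([IPPROTO_UDP, 4, 0, 0])
                  + struct.pack("!II", 0x100, 1) + b"\x00" * 12 + UDP_SAMPLE)
ESP_PACKET = _ipv4(IPPROTO_ESP, struct.pack("!II", 0x200, 1) + bytes(range(0x80, 0x98)))

if __name__ == "__main__":
    for pkt in (AH_PACKET, ESP_PACKET):
        info = inspect_ipsec(pkt)
        print(info["mode"], hex(info["spi"]), "readable on the wire:", info["cleartext"])
```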