Re: [perpass] "Guide to intranet protection"?

Hannes Tschofenig <hannes.tschofenig@gmx.net> Thu, 28 November 2013 14:19 UTC

Message-ID: <52975102.1020202@gmx.net>
Date: Thu, 28 Nov 2013 15:19:46 +0100
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:17.0) Gecko/20130216 Thunderbird/17.0.3
MIME-Version: 1.0
To: Eric Burger <eburger@cs.georgetown.edu>
References: <5295FC4F.7060309@dcrocker.net> <5295FDE8.5000402@cs.tcd.ie> <m2mwkpgpi0.wl%randy@psg.com> <5296C8CC.2060508@dcrocker.net> <027a01ceebfb$df99f290$9ecdd7b0$@huitema.net> <m2d2llgisa.wl%randy@psg.com> <5297142D.6010101@cs.tcd.ie> <F1E81972-34D8-419A-95D7-61060CD3C3CD@cs.georgetown.edu>
In-Reply-To: <F1E81972-34D8-419A-95D7-61060CD3C3CD@cs.georgetown.edu>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
Cc: perpass <perpass@ietf.org>, hannes.tschofenig@gmx.net
Subject: Re: [perpass] "Guide to intranet protection"?
List-Id: "The perpass list is for IETF discussion of pervasive monitoring. " <perpass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perpass>, <mailto:perpass-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/perpass/>

I think the biggest problem is the belief that there is such a thing as 
"inside" and "outside". Outside is supposed to be the Internet and 
inside is the secure enterprise network. There is just the perception 
that stuff inside is secure. It is secure simply by definition.

I have seen this many times.

On 28.11.13 12:36, Eric Burger wrote:
> I would offer the problem is not securing links (VPN) or backbones (links), but to remind people of this (seemingly obsolete) IETF principle called ‘end-to-end.’ In the context of security, it is that one cannot presume security because you happen to own the network. Bad things happen within a single, private network for a whole host of reasons. So, lock down stuff at the endpoints.
>
> Put eight pages of boilerplate on the above and I just wrote the entire ID Dave suggested.
>
> On Nov 28, 2013, at 5:00 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
>
>>
>>
>> On 11/28/2013 06:08 AM, Randy Bush wrote:
>>>> Randy is quite right.
>>>
>>> has to happen occasionally
>>
>> :-)
>>
>>>> The attacks reported in the news article were against the private
>>>> optical fibers linking the geographically distributed data centers of
>>>> large companies like Google or Yahoo. A discussion about that should
>>>> start with the folks in charge of securing these data centers at
>>>> Google, Yahoo, Facebook, Microsoft, et cetera. I can see some
>>>> difficulties, because a fair bit of the data centers architectures is
>>>> probably treated as trade secret. And I am really not sure that the
>>>> IETF is the best place to conduct such discussions.
>>>
>>> we had/have the same problem with datacenter* wgs.  the folk who really
>>> do it think of it as secret sauce.
>>
>> Yep, that's the problem all right. However, we do sometimes
>> get folks who are willing to document stuff like that that
>> they've done, so if there are any out there then they should
>> know that we'd love to see that draft, could get them some
>> help with writing it if that's needed and with moving it
>> through the process-maze.
>>
>> And as Dave said, there is a potential benefit if more
>> organisations secure their internal networks since a lot of
>> them are inter-dependent one way or another via cloudy-foo
>> stuff.
>>
>> Cheers,
>> S.
>>
>>
>>
>>
>> _______________________________________________
>> perpass mailing list
>> perpass@ietf.org
>> https://www.ietf.org/mailman/listinfo/perpass