Re: [perpass] "Guide to intranet protection"?

Phillip Hallam-Baker <hallam@gmail.com> Thu, 28 November 2013 14:41 UTC

In-Reply-To: <m2mwkpgpi0.wl%randy@psg.com>
References: <5295FC4F.7060309@dcrocker.net> <5295FDE8.5000402@cs.tcd.ie> <m2mwkpgpi0.wl%randy@psg.com>
Date: Thu, 28 Nov 2013 09:41:25 -0500
Message-ID: <CAMm+LwhuCu8LsUbnCgpGiJr1wjP0qU16y6gzffRdiyfaF0CDmA@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Randy Bush <randy@psg.com>
Cc: perpass <perpass@ietf.org>, Dave Crocker <dcrocker@bbiw.net>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Subject: Re: [perpass] "Guide to intranet protection"?

On Wed, Nov 27, 2013 at 10:43 PM, Randy Bush <randy@psg.com> wrote:

> >> I'm assuming that providing meaningful protection takes a statement
> >> beyond "encrypt all your links".  Perhaps it doesn't, but I thought
> >> I'd ask...
> > I'd say that'd be a fine thing if we could get someone who'd done that
> > job to help write it.
>
> may not work out as well as we might wish, as folk who have done it may
> not want to disclose details.  but i am sure there are folk who have not
> done it who will be happy to tell others how they should run their
> networks :)
>

That is less of an issue than you might imagine.

Absent an external threat, companies see each other as competitors. An
external attack changes minds very quickly.

I don't think anyone is going to be putting a network diagram of their
datacenter on the table but that isn't really the point. It is the
processes and controls that matter, not the instances. Microsoft and Google
cooperate here to write a specification but they don't usually share source
code. And even if they do, as in Chromium, it does not make a great deal of
difference, as competitors don't start from the same legacy.

The number of people who move companies in the valley is very large. The
chance that any of the details are really very secret is small. NDAs stop
people blabbing about it to likely attackers, but that's about all.

The business value in sharing the information is greater than the business
value in keeping it secret.


-- 
Website: http://hallambaker.com/