[6023] in cryptography@c2.net mail archive

Re: HOWTO: Encryption on local LAN

daemon@ATHENA.MIT.EDU (dstoler)
Thu Nov 4 15:02:09 1999

Mime-Version: 1.0
Message-Id: <v04210100b4475f362991@[208.196.122.15]>
In-Reply-To: <199911032206.RAA16219@out-of-band.media.mit.edu>
Date: Thu, 4 Nov 1999 11:18:54 -0800
To: Lenny Foner <foner@media.mit.edu>
From: dstoler@globalpac.com (dstoler)
Cc: cryptography@c2.net, me@nettest.dk
Content-Type: text/plain; charset="us-ascii"

Lenny,

A sufficiently skilled attacker with physical access to any computer, including those running Windows NT, can do any number of malicious things, some of which are extremely hard to detect. That vulnerability applies to any software product installed on the platform, and includes firewalls, routers, etc. If that is the threat model, then the administrator must provide for the physical security of the NetLOCK Gateway, the network behind it, and the devices it is protecting.

The NetLOCK Gateway has been designed to protect against outside network attacks. As an IPsec device, it provides authenticated, secure communications with other IPsec devices (VPNs, other NetLOCK Agents, etc.) and can be configured to ignore (block) all other network traffic.

I am acutely aware that the devil is in the details, of course.

>A software implementation on an ordinary PC seems to make the NetLOCK
>machine an extraordinarily tempting target for a subtle attack, such
>as one that patches the running code to dramatically reduce the
>keyspace used.  May I assume that they have some clever scheme to
>prevent this, or is it just that I misunderstand what they're doing?
