Posted by: Eric Siegel
I recently had a question come up about the security of a path that crosses the public Internet from one enterprise location to another; i.e., an "Internet substitution" path. These types of connections can be much less expensive and faster to provision than a leased line, but auditors may question their security.
Standard encryption devices can be installed at both ends of the communications path to ensure that traffic on that particular path won't be compromised in transit, and if the Internet connection is presented to your encryption devices as a simple leased line (that is, as a point-to-point circuit rather than a packet-switched network), then there shouldn't be any difference between the security situation for the Internet and for a leased line.
However, if the Internet connection appears at the encryption device's outside interface as a packet-switched, IP-based connection, then there are further considerations:
- First, the encryption devices must positively authenticate each other before opening the encrypted tunnel between them: mutual authentication with credentials issued for that pair of devices (certificates or pre-shared keys), not merely a check of the peer's IP address, which anyone on the Internet can forge.
- Second, no non-tunneled traffic can be allowed to cross the encryption device. It must act as a firewall, absolutely stopping any traffic that isn't part of the authenticated, encrypted tunnel, in both directions. (This function could also be performed by the Internet interface device, but it's easier to guarantee the security of the system if it's the encryption device that's performing this function.)
- Third, there must be no way for an intruder on the Internet to alter the configuration of the encryption device to subvert the firewall, authentication, or encryption functions. Ideally, the encryption box shouldn't have an Internet-accessible control address and shouldn't be discoverable by scanning; management should be reachable only from the inside network. If there is an Internet-accessible control address, it must be very tightly controlled.
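One concrete way to meet all three of these requirements on a Linux-based encryption device, as an added example that is not from the original post and not Burton Group's own material: a strongSwan swanctl.conf that pins the peer's certificate identity (mutual authentication), plus an nftables ruleset that drops everything on the outside interface except IKE and ESP from that one peer, forwards only packets that the IPsec SA has just decapsulated or is about to encapsulate, and exposes management (SSH) on the inside interface only. The script simply writes the two files; every address, interface name, identity, and file name in it is hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Generates the configuration for one
# end of an Internet-substitution path. All names and addresses are hypothetical.

OUT_IF="eth0"                 # interface facing the Internet
IN_IF="eth1"                  # interface facing the site LAN
LOCAL_ADDR="198.51.100.10"    # this device's public address
PEER_ADDR="203.0.113.20"      # the other site's encryption device
LOCAL_LAN="10.1.0.0/16"
REMOTE_LAN="10.2.0.0/16"
LOCAL_ID="CN=site-a.example.net"
PEER_ID="CN=site-b.example.net"
REQID=1                       # ties the IPsec SA to the nftables rules below

# strongSwan (swanctl.conf): IKEv2, both sides must present a certificate signed
# by the private CA, and the peer's subject is pinned. An attacker who reaches
# the outside interface from any address gets no tunnel without that certificate.
write_swanctl_conf() {
    cat > "$1/swanctl.conf" <<EOF
connections {
    site-link {
        version = 2
        local_addrs  = $LOCAL_ADDR
        remote_addrs = $PEER_ADDR
        proposals = aes256gcm16-prfsha384-x25519
        send_cert = always
        dpd_delay = 30s
        local {
            auth = pubkey
            id = "$LOCAL_ID"
            certs = site-a.pem
        }
        remote {
            auth = pubkey
            id = "$PEER_ID"
            cacerts = site-ca.pem
        }
        children {
            lan {
                local_ts  = $LOCAL_LAN
                remote_ts = $REMOTE_LAN
                esp_proposals = aes256gcm16-x25519
                reqid = $REQID
                start_action = start
                dpd_action = restart
            }
        }
    }
}
EOF
}

# nftables: default drop everywhere; the box answers nothing on the outside
# interface except IKE/ESP from the one peer, so it is invisible to scanners.
write_nft_ruleset() {
    cat > "$1/tunnelbox.nft" <<EOF
flush ruleset
table inet tunnelbox {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        # Only IKE (UDP 500/4500) and ESP, and only from the peer, reach the box.
        iifname "$OUT_IF" ip saddr $PEER_ADDR udp dport { 500, 4500 } accept
        iifname "$OUT_IF" ip saddr $PEER_ADDR meta l4proto esp accept
        # Management is reachable from the inside network only.
        iifname "$IN_IF" ip saddr $LOCAL_LAN tcp dport 22 accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        # Inbound: the packet must have been decapsulated from the SA with our reqid.
        iifname "$OUT_IF" oifname "$IN_IF" ip saddr $REMOTE_LAN ip daddr $LOCAL_LAN ipsec in reqid $REQID accept
        # Outbound: the packet must be about to be encapsulated by that same SA.
        iifname "$IN_IF" oifname "$OUT_IF" ip saddr $LOCAL_LAN ip daddr $REMOTE_LAN ipsec out reqid $REQID accept
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        ct state established,related accept
        oifname "$OUT_IF" ip daddr $PEER_ADDR udp dport { 500, 4500 } accept
        oifname "$OUT_IF" ip daddr $PEER_ADDR meta l4proto esp accept
        oifname "$IN_IF" accept
    }
}
EOF
}

# Usage: ./tunnelbox.sh OUTDIR  (then load with: swanctl --load-all; nft -f OUTDIR/tunnelbox.nft)
if [ -n "$1" ]; then
    mkdir -p "$1"
    write_swanctl_conf "$1"
    write_nft_ruleset "$1"
    echo "wrote $1/swanctl.conf and $1/tunnelbox.nft"
fi
```

Two design points worth noting. The forward chain deliberately has no general "ct state established,related accept" rule ahead of the ipsec checks: connection tracking does not know whether a packet came out of the tunnel, so a spoofed cleartext packet on the outside interface that happened to match an existing flow's addresses and ports would otherwise be forwarded into the LAN. The kernel's own IPsec policy check already discards cleartext that matches an inbound IPsec policy, so these rules are an explicit second layer rather than the only one. And the reqid in the nftables rules only works because the child configuration pins the same value; if the SA is set up with a different reqid, the forward chain drops all tunnel traffic, which fails closed rather than open.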
(Thanks to Ken Agress, of Burton Group's consulting organization, and to Eric Maiwald of Burton Group's Security and Risk Management Strategies, for assistance on this blog entry!)