Jun. 24th, 2005


I just finished taking Cisco's Secure Virtual Private Networks class, which is mostly about their 3000-series VPN concentrators. While the instructor seemed to know the material, I can't really say the same about the people who actually wrote the course. According to them:

  • "Network Associates PGP" is a CA for your X.509 certificates.
  • 3DES "effectively doubles encryption strength over 56-bit DES."
  • 768 bit RSA key size "provides sufficient security."
  • It's perfectly fine to use DES to encrypt your sensitive traffic.

Now, the last two are rather—erm—strange. Especially since the operational doctrine says:

    Diffie-Hellman group – used for computing the encryption key (choices: #1 (768 bit modulus), #2 (1024 bit modulus), #5 (1536 bit modulus)); group #5 should be used where possible, otherwise use group #2.

(i.e., never use a 768-bit modulus),

    Cisco suggests a minimum modulus size [for an RSA key pair] of 1024 bits.

and

    Unless you have a very sound reason to use DES (e.g. 3DES doesn't provide the needed performance), always use 3DES. The DES algorithm is not acceptable, however, to protect information between two peers over a hostile, unprotected network (e.g. the Internet), so use 3DES for such cases.

(The router security config guide was last modified in December 2003, but that's still recent enough that I wonder why it doesn't cover AES; the Cisco VPN concentrators do support 128- and 256-bit AES encryption in software and hardware.)
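To make the quoted doctrine concrete, here is a small proposal checker I have added to this post (it is not Cisco's code and not the concentrator's configuration syntax; the proposal records below are constructed for the example). It encodes the rules quoted above: DH group 5 where possible, group 2 otherwise, group 1 never; an RSA modulus of at least 1024 bits; 3DES rather than DES, with DES an outright failure across a hostile network. Treating AES-128/256 as acceptable is my own assumption, based on the concentrators supporting it, since the quoted guide never mentions AES.

```python
"""Checks an IKE/IPsec proposal against the doctrine quoted in this post.

Added example for illustration only: not Cisco software, and the Proposal
record is a constructed format, not the VPN 3000 concentrator's own syntax.
"""
from dataclasses import dataclass
from typing import List, Optional

# Diffie-Hellman groups named in the quoted doctrine: group number -> modulus bits.
DH_MODULUS_BITS = {1: 768, 2: 1024, 5: 1536}

# Ciphers accepted by the checker. AES is included on the assumption that the
# 128/256-bit AES the concentrators support is at least as strong as 3DES;
# the quoted doctrine itself only discusses DES and 3DES.
ACCEPTABLE_CIPHERS = {"3des", "aes128", "aes256"}


@dataclass
class Proposal:
    name: str
    cipher: str                              # "des", "3des", "aes128" or "aes256"
    dh_group: int                            # 1, 2 or 5
    rsa_modulus_bits: Optional[int] = None   # None when pre-shared keys are used
    hostile_network: bool = True             # peers talk across the Internet


@dataclass
class Finding:
    severity: str   # "fail" (must not deploy) or "warn" (acceptable but not preferred)
    message: str


def check_proposal(p: Proposal) -> List[Finding]:
    """Return every finding for the proposal, in rule order: cipher, DH group, RSA."""
    findings: List[Finding] = []
    cipher = p.cipher.lower()

    # Rule: always use 3DES unless there is a sound reason; DES is never
    # acceptable between peers over a hostile, unprotected network.
    if cipher == "des":
        if p.hostile_network:
            findings.append(Finding("fail", "DES is not acceptable over a hostile network; use 3DES (or AES)"))
        else:
            findings.append(Finding("warn", "DES in use; doctrine says always use 3DES unless there is a sound reason"))
    elif cipher not in ACCEPTABLE_CIPHERS:
        findings.append(Finding("fail", f"unknown cipher {p.cipher!r}"))

    # Rule: group 5 where possible, otherwise group 2; never the 768-bit group 1.
    if p.dh_group not in DH_MODULUS_BITS:
        findings.append(Finding("fail", f"unknown DH group {p.dh_group}"))
    elif p.dh_group == 1:
        findings.append(Finding("fail", "DH group 1 (768-bit modulus) must not be used; use group 5, else group 2"))
    elif p.dh_group == 2:
        findings.append(Finding("warn", "DH group 2 (1024-bit modulus) is acceptable; use group 5 (1536-bit) where possible"))

    # Rule: RSA key pairs need a modulus of at least 1024 bits.
    if p.rsa_modulus_bits is not None and p.rsa_modulus_bits < 1024:
        findings.append(Finding("fail", f"RSA modulus of {p.rsa_modulus_bits} bits is below the 1024-bit minimum"))

    return findings


def is_acceptable(p: Proposal) -> bool:
    """True when no finding is a hard failure (warnings alone do not reject)."""
    return not any(f.severity == "fail" for f in check_proposal(p))


# Constructed sample proposals: what the course endorsed, what the doctrine
# asks for, and an AES proposal with pre-shared keys (no RSA modulus).
COURSE_STYLE = Proposal("course-example", cipher="des", dh_group=1, rsa_modulus_bits=768)
DOCTRINE_STYLE = Proposal("doctrine", cipher="3des", dh_group=5, rsa_modulus_bits=1024)
MODERN = Proposal("aes-psk", cipher="aes256", dh_group=5)

if __name__ == "__main__":
    for prop in (COURSE_STYLE, DOCTRINE_STYLE, MODERN):
        print(prop.name, "OK" if is_acceptable(prop) else "REJECT")
        for finding in check_proposal(prop):
            print(f"  [{finding.severity}] {finding.message}")
```

Run as a script it rejects the course-style proposal on all three counts (DES over the Internet, group 1, 768-bit RSA) and passes the other two; DES on a non-hostile link only warns, matching the "very sound reason" carve-out in the quoted text.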

On the bright side, somebody who uses the lowest-level encryption as in the course will probably also do something even stupider, such as putting a preconfigured VPN client binary on their public web page and not requiring user authentication to connect to the concentrator (fellow attendee's previous job), or spending millions of pounds on a financial industry project without having a penetration testing team or a chief security officer (BTDTBTTS and I really wish I had been able to watch the Hong Kong Monetary Authority ream them a new one).

Brad Ackerman