[cap-talk] network level designation and authorization

[coderman]

On 6/7/06, John Carlson <john.carlson3 at sbcglobal.net> wrote:
> ...
> I don't think that people are referring to SSL in it's traditional
> form.  From what
> I've seen, they prefer stuff like self signed certificates...a lot
> like SSH and GPG.

agreed; i prefer decentralized and/or opportunistic methods over PKI
like hierarchy in almost every case.

but how does this tie to HTTP requests and other stream transport
privacy?  in every instance where communication privacy is referenced
with YURL's and the like it seems to imply SSL/TLS, if not explicitly
stated as the answer. (i'll avoid any tangential rants on client side
certs :)

in part, my VPN position assumes that it is possible and even trivial
to use such VPN configurations in a web of trust / opportunistic model
in addition to the usual highly structured and mutually authenticated
manner.


> Automating the building of trust is what's hard.
>
> VPN with a virus/malware sniffer on traffic may be secure for many
> purposes.

this gets into client/host integrity/security, and that's another
discussion. i mentioned virtual machines in the original post about
VPN's because i am fond of VM's for running less trusted applications
and services on a trusted host.  this is a practical measure as the
ideal solution is an architecture where every buffer overflow does not
lead to ring0.

i also like the appliance concept applied to virtual machines where an
entire runtime and services bundle is built for a specific purpose
with an emphasis on usability and intuitive function.


> I guess the question becomes, is VPN deployable to everyone you want to
> communicate with?  From what I've seen, maintaining more than one VPN
> connection to different sites can be problematic... maybe those
> problems have
> been solved.

not yet but i think it is possible.  some of the tools i think are
part of this solution:
- openvpn style tun/tap devices connected through UDP/TCP with self signed certs
- openssh style vpn's using tun/tap and tcp with opportunistic key exchange
- ipsec vpn's for wireless (and other mediums where peers can
communicate directly) using out of band key management.

this needs to be made ipod simple with secure and intuitive interfaces
(perhaps the largest challenge) but the technical aspects of having
dozens of different VPN's on a single host are straightforward.  (as
an example, i've built a linux runtime that speaks pptp to windows
users, openvpn to mac/bsd/linux/solaris in addition to IPsec in
transport mode over wireless, all concurrently, and without issues.
the configuration and key management for all this is the difficult
part but still possible to solve simply and usably IMHO)


> I've never used VPN--I don't trust it.  I believe you
> need some
> kind of POLA system on your machine outside to insure that the internal
> network remains safe.

i don't trust it as the sole defence (e.g. traditional perimeter
defence). i think it is a useful method for communication privacy
between trusted endpoints, and POLA is a large part of keeping an
endpoint trustworthy.

i see POLA and VPN as complementary and not mutually exclusive.  i do
agree that traditional VPN concepts and deployments are un-POLA-like;
this is the broken model i'd like to leave behind.


> Since I download a lot of software, I tend to
> avoid
> connection to my company's network.  Other people who don't download
> so much software may feel more secure connecting to a VPN.  But what
> about that word document you got from a friend?  Can you trust that?

agreed, which gets back to the point that if your endpoint is
compromised all higher levels are too, regardless of if you are using
capabilities identified by YURL strings or discretionary authorities
delegated according to that private key file the rootkit lifted right
off your hard drive.

as a practical / stopgap measure i've been doing the following for a
secure endpoint (where i manage keys and certs):
- boot from trusted ISO image
- mount loop-aes encrypted disk volumes using passphrase and USB key
storage. (i'd like a nice hardened token based auth but this is too
expensive for popular use)
- perform key management tasks and export the public parts for use by
other domains which perform other tasks (network services, desktop,
etc).

private network connected / desktop instances are started in a similar
fashion but only use a disk mounted by a secure bootstrap and have
access to no others.  (that is, the desktop / server instances are
consumers of the key material prepared in the secure domain above, but
cannot access it's storage.  likewise they may persist sensitive data
on hard disk (YURL's, secret keys, etc) without worry that offline
theft will expose all those credentials/keys). all private domains
communicate via private network, limiting malicious attack against
higher level services more vulnerable to such exploit to authenticated
entities sharing VPN connectivity with me.

and last i'm trying (but not quite there yet) to use ephemeral
instances (like a liveCD with no persistent storage) for all public
communication on untrusted networks, where the risk of compromise is
high and you only want to pull selected subsets of data from these
networks into private domains, or publish public information (torrents
running on a liveCD with no persistent storage).

with a foolproof POLA operating system and application environment i
would not need this kind of domain separation, but i have to use
something on the path toward better security.

and regardless of the endpoint security involved i still think VPN's
are the most robust way to communicate between them privately assuming
the key management and configuration is simple and effective.