[Info-vax] "Linux Shminux - IPsec is Snake Oil!" VMS Mgmnt
Richard B. Gilbert
rgilbert88 at comcast.net
Thu Apr 9 23:30:01 EDT 2009
Steven Underwood wrote:
>
>
> "Richard Maher" <maher_rj at hotspamnotmail.com> wrote in message
> news:gre36n$6nd$1 at news-01.bur.connect.com.au...
>> Hi,
>>
>> In addition to the Apple, IBM, SUN, Microsoft, and HP-UX support for
>> IPsec I wanted to see what the level of Linux/IPsec support was out
>> there. Well as far as Linux goes, I found comprehensive IPsec support
>> has existed for some time on Red Hat, SuSe, and Debian flavours. Are
>> there others I should look at?
>>
>
> This is a serious question to everyone here, though it may sound like a
> slam to Richard's argument.
>
> Yes, IPsec exists on these other platforms, but how much is it being
> actually used? Is it really needed?
>
> In the last 12 years, I have been in only 2 different environments and
> neither used IPsec. The Windows environment has been a secondary
> support environment for me in both of these positions, basically keeping
> things running, but being small enough locations that I was included in
> decision making.
>
> The first was a completely Win98/Netware environment until less than 4
> years ago. There were only 2 servers at this company, one at each of 2
> sites connected via 56K PTP. About 2005 we started replacing Win98 with
> WinXP desktops but they had still not moved off of the Novell servers as
> of March 2007, though there were plans. Interior security was not a
> major issue beyond file ACLs. This was a public company which needed
> to meet Sarbanes-Oxley regulations and auditing, most of which covered
> security.
>
> My current employer is still approximately 25% Win2000 and the rest
> WinXP for the desktops. We have about 50 servers (25% Win2000, 75%
> Win2003, a couple WinNT, a couple RH Linux boxes and one Win2008
> currently being tested). Most of these are IIS web servers (https) for
> both internal and external access. The file/print servers are Win2000.
> Again, internal security is not an issue considered worthy of funding
> with ACLs providing the access to files people need. IPsec may be in
> use here by default in the background; I would not know how to tell
> whether it was working or not. I suspect not, since none of the options
> listed at http://unixwiz.net/techtips/iguide-ipsec.html#flavors have
> been issues for us when dealing with internal systems (CheckPoint VPN
> access for IT being the only real exposure to those concepts).
>
> In both of these companies, I have had numerous different vendors
> discussing our network wants/needs and nobody had ever mentioned IPsec
> in either asking if we were currently using it or telling us why we
> would need it (and need them to help us implement it to its fullest).
> No SOX auditors ever mentioned this as a potential problem or even as an
> improvement to what we were doing (and they made LOTS of recommendations).
>
> Thank you
I couldn't say whether IPsec or some other form of encryption was really
needed or not but I'm reasonably certain that none of my jobs since
being discharged from the Army in 1969 used any form of encryption for
internal network traffic. I think I would have known if the VMS systems
were using encryption. I might not have known if the desktops were
using encryption but I saw no evidence that they were nor any reason to
use encryption. I can understand and accept that there may be
situations where encryption is required even though I have not
encountered any such.
There are two basic reasons for using encryption: security and
authentication.
Security means that you encrypt your traffic so that no one other than
the intended recipient can read it.
Authentication means that you know who sent a message because he is the
only one who could have encrypted it using that key.
Both situations tend to be rather rare. It's most unlikely, for
example, that anyone would bother to encrypt an order for eight cases of
Campbell's Tomato Soup!
There are cases where you do need encryption: storing or transmitting
credit card numbers, for example.
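The two properties named in the post above, confidentiality and authentication, come from two different keyed primitives, and the example below (added here; it is not code from the thread or from any IPsec implementation) separates them: a keystream cipher gives confidentiality, and an HMAC tag over the ciphertext is what lets the receiver reject a packet that was altered in transit or that did not come from the holder of the authentication key. The keys, nonce and the soup-order plaintext are constructed for the demo, and HMAC-SHA256 in counter mode stands in for a real cipher such as AES.

```python
import hmac
import hashlib

# Constructed keys and nonce for the demo; a nonce must never repeat under one key.
ENC_KEY = b"confidentiality-key-example-0001"
MAC_KEY = b"authentication-key-example-0001!"
NONCE = bytes(range(16))
PLAINTEXT = b"order: 8 cases Campbell's Tomato Soup"


def keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256 (toy stand-in for AES-CTR)."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(key, nonce, data):
    """XOR with the keystream; the same call decrypts. Confidentiality only."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def seal(enc_key, mac_key, nonce, plaintext):
    """Encrypt-then-MAC: the tag binds the packet to whoever holds mac_key."""
    ct = encrypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_packet(enc_key, mac_key, packet):
    """Verify the tag in constant time before decrypting; reject on mismatch."""
    nonce, ct, tag = packet[:16], packet[16:-32], packet[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: altered or not from key holder")
    return encrypt(enc_key, nonce, ct)


def demo():
    packet = seal(ENC_KEY, MAC_KEY, NONCE, PLAINTEXT)
    roundtrip = open_packet(ENC_KEY, MAC_KEY, packet) == PLAINTEXT
    # One altered ciphertext byte (link error or tampering): encryption alone
    # decrypts it "successfully" to a different order and reports nothing.
    damaged = packet[:16] + bytes([packet[16] ^ 0x01]) + packet[17:]
    silent = encrypt(ENC_KEY, NONCE, damaged[16:-32]) != PLAINTEXT
    detected = unknown_sender = False
    try:
        open_packet(ENC_KEY, MAC_KEY, damaged)
    except ValueError:
        detected = True
    # A sender without MAC_KEY cannot produce a packet the receiver accepts.
    try:
        open_packet(ENC_KEY, MAC_KEY, seal(ENC_KEY, b"some-other-party-key", NONCE, PLAINTEXT))
    except ValueError:
        unknown_sender = True
    return {"roundtrip": roundtrip, "silent_corruption": silent,
            "detected": detected, "unknown_sender_rejected": unknown_sender}
```

IPsec ESP pairs the same two roles (an encryption algorithm and an integrity algorithm, or a combined mode that provides both); configuring encryption without integrity leaves the receiver unable to tell a genuine packet from a damaged or forged one.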