[MLB-WIRELESS] The Wireless Esky - sec/crypto

magrathea at subdimension.com
Tue Jan 29 17:29:10 EST 2002


On Tue, 29 Jan 2002, Jeremy Lunn wrote:

> Using a SSH tunnel or VPN is no excuse.  The more layers of security,
> the better.

Assuming lots of things, doubling your encryption is next to useless, i.e.
encrypting it, then encrypting it again.

I have seen ppl tunneling through tunnels, thinking the security is
_higher_. bzzt.. The crack is simply a function of the two, i.e. you still
only have to find one key, which will end up being a function of the two
separate keys used in each tunnel.

Check out "Applied Cryptography" by Bruce Schneier if you are really
interested in crypto schemes.

Using encrypted tunnels is great, you should also be using things like:
o tripwire or aide - takes fingerprints of files on the system
o snort - IDS.
o titan - set of scripts to tune a system's security. Scripts are all
  bourne shell, no evil perl here! :-)

There are a plethora of other things.

There is a tradeoff between crypto/speed. If you want to have decent
transfer rates, back off the crypto scheme; if you want a highly secure
link, your transfer rates will suffer as well as your cpu being hammered.

Simple tests can be done with ssh, i.e. change your scheme to triple DES,
then blowfish.  (It's more noticeable with slower machines.) But, if you
really want to see a difference, try tunneling netscape or staroffice
through a 3des tunnel, then blowfish, then direct (no tunnel). Screen
redraws are slower with ssh, the general feel of the Xapp is sluggish. (On
slower machines or dodgy networks, this can be _annoying_!!)

I've had major probs with speed on 10mbit wired networks, I hate to
imagine how bad it is over 11mbit or 2mbit wireless.

Of course if your crypto scheme isn't very strong, then snort, aide,
firewall should catch most things. Remember you can't stop everyone.

---
Danny
I'm so high I dont know whats goin on. (c) Towelie
http://thirdeye.dodgyware.com
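
Added example, not part of the original post: a case where two encryption layers reduce to one key that is a function of the two. The toy affine byte cipher, the keys and the sample traffic are constructed assumptions; this cipher is closed under composition, so a known-plaintext search over the single-key space recovers a key that opens the double layer.

```python
# Toy affine byte cipher, constructed for illustration only (not a real
# cipher and not code from the post): E(a,b)(x) = (a*x + b) mod 256, a odd.

def encrypt(key, data):
    a, b = key
    return bytes((a * x + b) % 256 for x in data)

def decrypt(key, data):
    a, b = key
    a_inv = pow(a, -1, 256)  # a is odd, so it is invertible mod 256
    return bytes((a_inv * (x - b)) % 256 for x in data)

def compose(k1, k2):
    """Single key equivalent to encrypting with k1, then with k2."""
    (a1, b1), (a2, b2) = k1, k2
    # a2*(a1*x + b1) + b2 == (a2*a1)*x + (a2*b1 + b2)
    return ((a2 * a1) % 256, (a2 * b1 + b2) % 256)

def brute_force(known_plain, known_cipher):
    """Search the single-key space (128 * 256 keys), not its square."""
    for a in range(1, 256, 2):
        for b in range(256):
            if encrypt((a, b), known_plain) == known_cipher:
                return (a, b)
    return None

# Constructed sample keys and traffic.
INNER_KEY = (77, 201)
OUTER_KEY = (155, 13)
KNOWN = b"GET / HTTP/1.0\r\n"
SECRET = b"password=hunter2"

def double_encrypt(msg):
    """Inner tunnel first, then the outer tunnel."""
    return encrypt(OUTER_KEY, encrypt(INNER_KEY, msg))

def demo():
    """Recover one equivalent key from a known pair, then open other traffic."""
    found = brute_force(KNOWN, double_encrypt(KNOWN))
    return found, decrypt(found, double_encrypt(SECRET))

if __name__ == "__main__":
    key, recovered = demo()
    print("equivalent single key:", key, "recovers:", recovered)
```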

