On 2013-04-06 at 13:48 +0000, Edward Ned Harvey (lopser) wrote:
> If you're using AES-256 and keys (not just passwords) then no, they
> can't sniff it. No more than they could sniff your VPN traffic on the
> public internet.
AES is not magic fairy dust which magically makes things secure; it's a component of a larger system. What we see is that even when the protocols are designed by experts, decades later we're still shaking out the flaws. WiFi crypto started from a very bad place and managed to get a bit better with WPA2. It would be foolhardy to assume that no new attacks will be found. AES in TLS1.2 != AES in <other-system>

So, as sysadmins, our task is to set things up to achieve the business objectives while being fairly resilient, finding a balance between "perfect" and "works well enough without getting in people's way".

WiFi security has taught us that changes take a minimum of a half decade to propagate, as fixes have to be at the hardware or firmware level, can't be applied to all devices (so lifecycle replacement is part of the migration strategy), and that parts will be implemented badly on some devices and you're left trying to argue for security when a VP is insisting on connecting their broken device.

By contrast, VPN software is software; it can be replaced, it can be chosen, there are competing technologies. You can use something like VPN Tracker on MacOS to avoid hardware vendors' crappy drivers.

Architecturally, designing your security to be based on the component you can best control, manage, update/replace and generally "own" means that you have the authority/control to go with the responsibility.

Of course, a single point of failure of the VPN gateway is also bad. I feel the decisions should be around designing to avoid SPoF, not around an assumption that a layer you can't control or replace will always be considered strong enough.

-Phil

_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
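The point that a cipher is only a component, and that the same primitive yields different guarantees in different constructions, can be shown concretely. The following is an added example, not code from the thread or from any product discussed in it. To stay standard-library only it derives a CTR-style keystream from HMAC-SHA256 instead of AES; the bit-flipping attack it demonstrates is a property of any unauthenticated stream or counter-mode construction, AES-CTR included, and the encrypt-then-MAC wrapper that stops it is the kind of integrity check TLS and IPsec bolt around the cipher. All keys, the nonce and the message are constructed inline for the demo.

```python
"""
Added example (not from the original LOPSA thread): the same keystream cipher
gives very different guarantees depending on the construction around it.

Assumption: the keystream is HMAC-SHA256 in a counter mode (standard library
only); AES-CTR behaves identically with respect to the malleability shown.
"""
import hashlib
import hmac
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """CTR-style keystream: block_i = HMAC-SHA256(key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- Construction 1: encryption only, no integrity protection ---------------
def encrypt_unauthenticated(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


def decrypt_unauthenticated(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    return xor_bytes(ciphertext, keystream(key, nonce, len(ciphertext)))


# --- Construction 2: encrypt-then-MAC around the very same cipher ------------
def encrypt_authenticated(enc_key: bytes, mac_key: bytes, nonce: bytes,
                          plaintext: bytes) -> bytes:
    ct = encrypt_unauthenticated(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct + tag


def decrypt_authenticated(enc_key: bytes, mac_key: bytes, nonce: bytes,
                          blob: bytes) -> bytes:
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: ciphertext was modified")
    return decrypt_unauthenticated(enc_key, nonce, ct)


def bitflip(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """An attacker who knows the plaintext bytes at `offset` rewrites them
    without the key: XORing (old ^ new) into the ciphertext XORs it into the
    plaintext the receiver recovers."""
    delta = xor_bytes(old, new)
    patched = bytearray(ciphertext)
    for i, d in enumerate(delta):
        patched[offset + i] ^= d
    return bytes(patched)


def demo() -> tuple[bytes, str]:
    """Returns (what construction 1 decrypts after tampering,
    whether construction 2 accepted or rejected the same tampering)."""
    enc_key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(12)
    msg = b"transfer 0010 USD to alice"          # constructed sample message
    offset, old, new = msg.index(b"0010"), b"0010", b"9999"

    ct1 = encrypt_unauthenticated(enc_key, nonce, msg)
    forged1 = decrypt_unauthenticated(enc_key, nonce,
                                      bitflip(ct1, offset, old, new))

    ct2 = encrypt_authenticated(enc_key, mac_key, nonce, msg)
    try:
        decrypt_authenticated(enc_key, mac_key, nonce,
                              bitflip(ct2, offset, old, new))
        verdict2 = "accepted"
    except ValueError:
        verdict2 = "rejected"
    return forged1, verdict2


if __name__ == "__main__":
    tampered, verdict = demo()
    print("unauthenticated construction decrypted to:", tampered)
    print("encrypt-then-MAC construction:", verdict)
```

Note that nothing about the key size or the cipher changes between the two constructions; only the surrounding protocol does, which is the whole point of "AES in TLS1.2 != AES in <other-system>".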