On Sat, Jul 15, 2017 at 7:56 AM, Roland Dobbins <rdobb...@arbor.net> wrote:

> On 15 Jul 2017, at 18:19, Daniel Kahn Gillmor wrote:
>
>> I'd like to hear from the people who are doing full-take network capture
>> within their datacenters about how they protect the security of the
>> internal decryption systems.
>
> Firstly, they generally aren't storing everything, forever. Most of the
> time, they feed into collection/analysis systems, and most if not all of the
> actual packets are discarded.
>
> In many cases, they're only enabled on a situational basis - say, a security
> incident or a troubleshooting session. Most if not all of the packets are
> discarded afterwards, in most cases.
>
> In most cases, they're running on completely out-of-band management
> networks, using transparent taps or SPAN ports or equivalent. In some
> cases, they can be used to intervene in the cryptostream - but even in that
> in-band case, all the management functions are still isolated on out-of-band
> management networks which are not interconnected with the production
> network, and are further isolated as necessary by implementing
> situationally-appropriate network access policies.
When I have done this in the past in environments I've managed, I always used
a one-way cable (receive only), set up the interface for receive only, and
then used the same protection mechanism offered by the switch.

>> It certainly sounds like a tempting target for any adversary interested in
>> datacenter operations.
>
> I guarantee you that your bank, your hospital, your insurance provider, your
> credit card processor, your retailer, and/or your government welfare agency
> are doing this, and have been doing it for a long time.
>
> It's quite common in the national security space, as well as other
> governmental bureaux.
>
> I'm not saying everyone has implemented this perfectly, or optimally - but
> it is a common practice which has been going on for many years, and the loss
> of the ability to perform these functions would result in a net security
> loss for these organizations and for their customers and constituents -
> i.e., proles like you and me.
>
> It isn't new, it isn't unique, it isn't a case of a small group engaging in
> special pleading. What's amazing is that very few engaged in this
> discussion seem to understand all this.
>
> -----------------------------------
> Roland Dobbins <rdobb...@arbor.net>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

--
Best regards,
Kathleen
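One way to do on a Linux sensor what Kathleen describes above (a capture interface that can only receive, behind a one-way cable or a SPAN/tap port), plus the situational, rotated capture Roland mentions. This is an added example and not code from either poster or from the IETF; the interface name cap0, the nftables table name "capture", the unprivileged user "capture", the directory and BPF filter in the usage call, and the sample `ip` output are all assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread): make a Linux capture NIC that hangs off
# a tap or SPAN port receive-only at the host level too, so a compromised
# sensor cannot transmit into the monitored segment. The interface "cap0",
# the nft table "capture", the user "capture" and the sample `ip` output
# below are assumptions, not values taken from the mailing-list post.

# 1. Emit the hardening commands for interface $1. They are printed rather
#    than executed so they can be reviewed and tested without root; on the
#    sensor run:  receive_only_cmds cap0 | sh
receive_only_cmds() {
    ifc="$1"
    cat <<EOF
ip addr flush dev $ifc
sysctl -w net.ipv6.conf.$ifc.disable_ipv6=1
ip link set dev $ifc arp off multicast off promisc on up
nft add table inet capture
nft add chain inet capture out '{ type filter hook output priority 0; policy accept; }'
nft add rule inet capture out oifname "$ifc" counter drop
EOF
}

# 2. Emit a situational capture command: BPF-filtered to the hosts under
#    investigation, rotated hourly into timestamped files, privileges dropped
#    once the socket is open. $1 = interface, $2 = BPF filter, $3 = directory.
incident_capture_cmd() {
    printf 'tcpdump -i %s -n -Z capture -G 3600 -W 48 -w %s/cap-%%Y%%m%%d-%%H%%M%%S.pcap '\''%s'\''\n' \
        "$1" "$3" "$2"
}

# 3. Verify the state from `ip -o link show dev IF` output passed in as a
#    string: the flag set must contain NOARP and PROMISC.
link_is_receive_only() {
    flags=$(printf '%s\n' "$1" | sed -n 's/^[0-9][0-9]*: [^:]*: <\([^>]*\)>.*/\1/p')
    [ -n "$flags" ] || return 1
    case ",$flags," in *,NOARP,*) ;; *) return 1 ;; esac
    case ",$flags," in *,PROMISC,*) return 0 ;; *) return 1 ;; esac
}

# 4. Verify `ip -o addr show dev IF` output: any inet/inet6 address gives the
#    kernel a reason to transmit, so the output must contain none.
addr_is_empty() {
    if printf '%s\n' "$1" | grep -Eq '[[:space:]]inet6?[[:space:]]'; then
        return 1
    fi
    return 0
}

# Constructed sample output for the checks above (not captured from a host).
SAMPLE_GOOD_LINK='3: cap0: <BROADCAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 52:54:00:aa:bb:cc brd ff:ff:ff:ff:ff:ff'
SAMPLE_BAD_LINK='3: cap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 52:54:00:aa:bb:cc brd ff:ff:ff:ff:ff:ff'
SAMPLE_ADDR_WITH_IP='3: cap0    inet 192.0.2.7/24 brd 192.0.2.255 scope global cap0\       valid_lft forever preferred_lft forever'
SAMPLE_ADDR_EMPTY=''

# Usage:  sh thisfile.sh show cap0   prints the hardening commands and a
# capture command for review.
if [ "${1:-}" = "show" ]; then
    receive_only_cmds "${2:-cap0}"
    incident_capture_cmd "${2:-cap0}" 'host 192.0.2.10 and port 443' /var/tmp/ir
fi
```

The nft output hook in the inet family only sees IP traffic; ARP is switched off and IPv6 disabled on the interface so that nothing else originates from it, and on kernels that support a netdev-family egress hook that can be added as a second layer. None of this replaces the one-way cable or the switch-side protection Kathleen mentions: the host-level rules only keep a sensor that is itself compromised from using the tap port as a path back into the production segment.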