OK, shall we savage another security solution?
Dave Korn
dave.korn at artimi.com
Mon Sep 24 13:57:51 EDT 2007
On 24 September 2007 18:50, Florian Weimer wrote:
> * Steven M. Bellovin:
>
>> If done properly -- i.e., with cryptographic protection against new
>> firmware or policy uploads to it -- it's immune to host or user
>> compromise as a way to disable the filter.
>
> Some of the models only have got a single USB connector. I can't see
> how they can ensure that they are always on the forwarding path.
The first review I read didn't make it clear, but browsing the
manufacturer's website and glossy pdfs suggests that there is indeed only a
single USB connector - but there's an ethernet connector too. You use it as
an inline device and leave your normal ethernet NIC unplugged. This is what
they refer to as "wired" operating mode, and given Steven's proviso about
controlling the firmware (and let's hope there's no holes or overflows in the
web admin interface either...) I think that this mode could just about be made
secure.
The alternative, "wireless" mode, which was what initially I thought it did
all the time, does indeed rely on proxying your network traffic out over the
usb, then back to the main computer, then out over its own NIC - and that, of
course, can easily be bypassed.
cheers,
DaveK
--
Can't think of a witty .sigline today....
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list