On Thu, Apr 9, 2009 at 1:31 PM, Wayne E. Bouchard <web@typo.org> wrote:
> Meh...
> Sure, it rehashes what we pretty well already know, "If a bad guy can get access to your network or your management tools, you're boned."
actually... what it says is that 'hey, your "VPN" isn't really "private" like an IPSEC tunnel was'. Save some really high-end crypto-cracking-gear, if you ipsec your transport it doesn't matter where in the world it goes, it's "secure" from end to end. (secure from snooping, which seems to be the majority of their point in the article).

Folks I saw at former-employer were moving from 'frame' or 'atm' private networks to 'mpls vpn' because it was:
  1) less complex for the customer
  2) cheaper for the customer
  3) the 'new shiny thing!!'

There was little understanding initially that this might be:
  1) run over the same IP core as the 'internetz'
  2) not very 'private' if you count 'can not sniff' in your 'is private' bailiwick
  3) less/more/equally as 'secure' as what they had previously.

Noting to customers that MPLS-vpn was essentially as 'secure' as Frame/ATM was sort of an eye-opener. Some of the customers even said: "Why would I do this over internet-based IPSEC vpn?" or "Oh, so I'll still have the IPSEC management pain?"

The thrust of the article (aside from the scare-mongering and press for the 'researchers' of course) is that: "Hey, just because it says: 'VPN' in the name doesn't mean it's really 'private'", and that IP or application level security is still important for anything that leaves your physical perimeter AND has some level of importance to you or your business.

-Chris