Ya'll security doods. Got a crypto question for ya

Started by LynK, November 14, 2017, 08:04:10 AM


wintermute000

#15
There's talk of being allowed to officially register VPNs but I ain't got any deets on that.

re: proxy-IDs or the 'interesting traffic ACL', I've seen scenarios where even the order has to match exactly (e.g. the strongSwan stack used in a lot of 'nix based appliances). i.e. if you have the same content but the lines are in a different order, some stacks will reject this... I'm with Deanwebb, match all the things EXACTLY (heck, if you're ASA to ASA then there's no excuse not to, no syntax translation required)

Not helpful probably but policy-based SUCKS - if your ASA version is high enough I believe they finally introduced route-based VPNs in the latest 9.x
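A pre-check for the "match all the things EXACTLY" point above, added here as an illustration and not code from the thread: it parses ASA-style crypto ACL lines from both peers, mirrors the local side, and reports whether the remote side matches exactly, matches only as a set (same selectors, different order, which some stacks reject), or differs in content. The ACL names and prefixes are constructed sample data.

```python
import ipaddress

# Constructed sample crypto ACLs for two peers (not taken from the thread).
LOCAL_ACL = """
access-list VPN-HQ extended permit ip 10.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list VPN-HQ extended permit ip 10.2.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list VPN-HQ extended permit ip host 10.3.0.5 192.168.1.0 255.255.255.0
"""
# Same selectors, mirrored, but the remote admin listed them in a different order.
REMOTE_ACL = """
access-list VPN-BR extended permit ip 192.168.1.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list VPN-BR extended permit ip 192.168.1.0 255.255.255.0 host 10.3.0.5
access-list VPN-BR extended permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
"""


def _network(tokens, i):
    """Consume one ASA address spec ('host A' or 'A MASK') starting at tokens[i]."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    net = ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False)
    return net, i + 2


def parse_acl(text):
    """Return the (src_net, dst_net) proxy-ID pairs in configured order."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if "permit" not in tokens or "ip" not in tokens:
            continue
        i = tokens.index("ip") + 1  # address specs follow the protocol keyword
        src, i = _network(tokens, i)
        dst, _ = _network(tokens, i)
        entries.append((src, dst))
    return entries


def mirror(entries):
    """The peer must carry the same selectors with source and destination swapped."""
    return [(dst, src) for src, dst in entries]


def compare_proxy_ids(local_text, remote_text):
    """'exact' if the remote ACL is the ordered mirror of the local one,
    'order-mismatch' if only the line order differs, else 'content-mismatch'."""
    expected = mirror(parse_acl(local_text))
    actual = parse_acl(remote_text)
    if expected == actual:
        return "exact"
    if set(expected) == set(actual):
        return "order-mismatch"
    return "content-mismatch"
```

Run `compare_proxy_ids(LOCAL_ACL, REMOTE_ACL)` on the sample above and it reports the order mismatch that a strict stack would refuse even though the selectors are identical.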

DesertFox

#16
Quote from: deanwebb on November 15, 2017, 08:12:00 AM
Quote from: DesertFox on November 15, 2017, 05:05:14 AM
Hi Guys,

I am working on the ISP side. The IPSEC is a no-no in China. You should consider MPLS.

Building on that: the reason here is that the public internet is heavily censored and filtered in the People's Republic of China, while business networks going over private MPLS links can have their business-only traffic pass through without the level of censorship that goes with public traffic. PRC wants to control civilian usage, not obstruct businesses.

Not going to comment on whether or not PRC is letting business traffic flow so that it can steal intellectual property. Next question, please.

But it will permit encryption of traffic going across private business links. There are also rules on where centralized control devices are allowed to sit. PRC likes them to be sitting in China, whenever possible. And if you think it's impossible, they smile and insist you can try harder. So, that China location may have a WLC even if other sites of its size use Flex Mobility with the 5508 in the Singapore data center...

ADDED: Russia has similar restrictions on civilian VPN usage.

Not sure about encryption over MPLS. Mostly, in the minds of customers and colleagues, MPLS = secure connection, so we are not even trying to sell any encryption on top of it.

In Russia, the restrictions are on the devices that can be imported into the country: a special license for Cisco routers, etc. Again, we don't have trouble selling MPLS over there.

BTW, I am not sure whether I already found it on this forum, but:
http://www.wired.co.uk/article/china-great-firewall-censorship-fang-binxing

deanwebb

Within China, there can be intense competition within a company to the point where different departments or branches are spying on each other. That leads to encryption within encryption; your co-workers are your biggest insider threat.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.