FW: CISCO PIX Vulnerability

Ted Doty ted@iss.net
Thu, 18 Jun 1998 09:42:12 -0400


At 01:27 PM 6/17/98 -0500, Rick Smith wrote:
>At 01:51 PM 6/17/98 -0700, Hal wrote:

>>Gosh, I thought only NSA people argued like that. 
>
>NSA people don't argue. They just issue you the crypto. If it doesn't solve
>your problem, you have to either do the job unprotected or rearrange the
>job to fit their architectural straitjacket. In Desert Storm, people
>sometimes had to do without, since they couldn't always fit things into the
>straitjacket.

This is why the military tactical radios come with a "Transmit in the
clear" switch.  When the general tells you to call in the airstrikes, he
doesn't want to hear "But sir, they're behind a NAT gateway and the AH MD5
checksum doesn't match."

>In the commercial world we ought to be able to do better than that.

I don't think we'll always have that luxury.  There will be times that
policy will have to be overridden by appropriate authorities, and our
systems need to be able to support this.

I kind of think we're arguing the same thing, tho.

- Ted

-----------------------------------------------------------------------
Ted Doty, Internet Security Systems 	     | Phone: +1 678 443-6000
6600 Peachtree Dunwoody Road, 300 Embassy Row | Fax:   +1 678 443-6479
Atlanta, GA 30328  USA              	     | Web: http://www.iss.net
-----------------------------------------------------------------------
PGP key fingerprint: 362A EAC7 9E08 1689  FD0F E625 D525 E1BE