  #1 (permalink)  
Old 05-23-2008, 01:27 PM
marlow.andrew@googlemail.com
Guest
 
Posts: n/a
Default should I encrypt over a private network?

Suppose a company has 2 sites, A and B, one is primary, the other is
secondary for DR reasons. A and B are separated significantly
geographically. Both A and B use a SAN for their data. A and B are
connected by a private network. The SAN data is replicated between A
and B over this private network using some replication product. My
question is, "should I be worried about the fact that the SAN
replication product does not do encryption?". When I raised these
concerns the answer I was given was "it's a private network so it's not
a problem". I am still not sure. Maybe I'm paranoid but I thought most
security jobs were inside jobs and this is made easier if the data
going over the wire is always in plaintext. But then again, data sent
around the LAN using NFS is not encrypted either.

Regards,

Andrew Marlow

  #2 (permalink)  
Old 05-23-2008, 01:49 PM
Anne & Lynn Wheeler
Guest
 
Posts: n/a
Default Re: should I encrypt over a private network?


marlow.andrew@googlemail.com writes:
> Suppose a company has 2 sites, A and B, one is primary, the other is
> secondary for DR reasons. A and B are separated significantly
> geographically. Both A and B use a SAN for their data. A and B are
> connected by a private network. The SAN data is replicated between A
> and B over this private network using some replication product. My
> question is, "should I be worried about the fact that the SAN
> replication product does not do encryption?". When I raised these
> concerns the answer I was given was "it's a private network so it's not
> a problem". I am still not sure. Maybe I'm paranoid but I thought most
> security jobs were inside jobs and this is made easier if the data
> going over the wire is always in plaintext. But then again, data sent
> around the LAN using NFS is not encrypted either.


in the mid-80s, there were claims that the corporate internal network
had over half of all the link encryptors in the world (basically any
link leaving corporate premise had to be encrypted) ... this was
about the time that the size of arpanet/internet finally exceeded
the internal network (which had been larger from just about the
beginning until sometime mid-85) ... misc. posts mentioning internal
network:
http://www.garlic.com/~lynn/subnetwork.html#internalnet

in that period there was a story about a foreign consulate location, in
one of the major cities, apparently was chosen because it had line-of-sight
of a large microwave communication antenna array for major cross-country
communication. there were comments that a lot of foreign government
espionage was heavily intertwined with industrial espionage.

slightly earlier, in the early part of the 80s ... was looking at
deploying dial-up access into the corporate network for both (actually
major expansion for) home access (since i've had dial-up access at home
since mar70) and hotel/travel access. a detailed study found that hotel
pbx rooms were frequently especially vulnerable ... and as a result
encryption requirement was extended to all dial-up access ... which
required designing and building a custom encrypting dial-up modem for
these uses.

a lot of the internet hype seems to have distracted attention from both
other forms of external compromises as well as internal attackers.

  #3 (permalink)  
Old 05-26-2008, 09:26 AM
Ertugrul Söylemez
Guest
 
Posts: n/a
Default Re: should I encrypt over a private network?

marlow.andrew@googlemail.com wrote:

> Suppose a company has 2 sites, A and B, one is primary, the other is
> secondary for DR reasons. A and B are separated significantly
> geographically. Both A and B use a SAN for their data. A and B are
> connected by a private network. The SAN data is replicated between A
> and B over this private network using some replication product. My
> question is, "should I be worried about the fact that the SAN
> replication product does not do encryption?". When I raised these
> concerns the answer I was given was "it's a private network so it's not
> a problem". I am still not sure. Maybe I'm paranoid but I thought most
> security jobs were inside jobs and this is made easier if the data
> going over the wire is always in plaintext. But then again, data sent
> around the LAN using NFS is not encrypted either.


The network is only being private in that selected people are given
access to it -- so much for the theory. In practice, the network is
just as open as all geographically diffused networks. Someone may
install wiretaps or even just connect to the network like all others.

So indeed, your worries aren't unfounded. Usually it's best to encrypt
the link using your VPN product of choice, like OpenVPN.


Regards,
Ertugrul.


--
http://ertes.de/


  #4 (permalink)  
Old 05-27-2008, 01:01 PM
marlow.andrew@googlemail.com
Guest
 
Posts: n/a
Default Re: should I encrypt over a private network?

Ertugrul Söylemez wrote:
> marlow.andrew@googlemail.com wrote:
>
> > Suppose a company has 2 sites, A and B, one is primary, the other is
> > secondary for DR reasons. A and B are separated significantly
> > geographically. Both A and B use a SAN for their data. A and B are
> > connected by a private network. The SAN data is replicated between A
> > and B over this private network using some replication product.


> The network is only being private in that selected people are given
> access to it


No, not in this case. I should have been clearer. It is private
because there is dedicated circuitry. It really IS a private network,
NOT a VPN.

> In practice, the network is
> just as open as all geographically diffused networks. Someone may
> install wiretaps or even just connect to the network like all others.


I was worried about breaches originating via inside jobs. Since the
circuitry is private no-one else can connect to it easily. Wiretaps
are still a possibility.

>
> So indeed, your worries aren't unfounded. Usually it's best to encrypt
> the link using your VPN product of choice, like OpenVPN.


This is not a VPN. My understanding (and I am a beginner here) is that
all VPNs use encryption as std.

-Andrew Marlow

  #5 (permalink)  
Old 05-27-2008, 02:07 PM
Ertugrul Söylemez
Guest
 
Posts: n/a
Default Re: should I encrypt over a private network?

marlow.andrew@googlemail.com wrote:

> > > Suppose a company has 2 sites, A and B, one is primary, the other
> > > is secondary for DR reasons. A and B are separated significantly
> > > geographically. Both A and B use a SAN for their data. A and B are
> > > connected by a private network. The SAN data is replicated between
> > > A and B over this private network using some replication product.

> >
> > The network is only being private in that selected people are given
> > access to it

>
> No, not in this case. I should have been clearer. It is private
> because there is dedicated circuitry. It really IS a private network,
> NOT a VPN.


This isn't sufficient for a network to be private.


> > In practice, the network is just as open as all geographically
> > diffused networks. Someone may install wiretaps or even just
> > connect to the network like all others.

>
> I was worried about breaches originating via inside jobs. Since the
> circuitry is private no-one else can connect to it easily. Wiretaps
> are still a possibility.


Not only are wiretaps a possibility, but anyone who manages to
comprehend the circuitry can connect to it. Unless the link is
encrypted, the network is considered public from the point of view of
security.


> > So indeed, your worries aren't unfounded. Usually it's best to
> > encrypt the link using your VPN product of choice, like OpenVPN.

>
> This is not a VPN. My understanding (and I am a beginner here) is that
> all VPNs use encryption as std.


No, a VPN (virtual private network) is just a network inside of another
network. Traditionally it was an emulation of a private network with a
private address space inside of a public network like the internet.
It's a purely virtual construct. Naturally it's a good layer to also
add encryption and authentication.


Regards,
Ertugrul.


--
http://ertes.de/
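
An added example, not part of any post in this thread: one way to check whether replication traffic captured on the inter-site link is travelling in cleartext, by measuring the byte entropy of payload samples. The threshold, the minimum sample size, the function names and the sample payloads are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

ENTROPY_THRESHOLD = 7.5  # bits per byte; assumed cut-off, tune on your own traffic
MIN_SAMPLE = 1024        # entropy estimates on very short payloads are unreliable


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte (0 to 8)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def classify_payload(data: bytes) -> str:
    """Label one captured payload by how random its bytes look."""
    if len(data) < MIN_SAMPLE:
        return "too-short"
    return "opaque" if shannon_entropy(data) >= ENTROPY_THRESHOLD else "plaintext-like"


def audit_link(payloads):
    """Return (verdict, counts); a single plaintext-like payload fails the link."""
    counts = Counter(classify_payload(p) for p in payloads)
    if counts["plaintext-like"]:
        verdict = "UNENCRYPTED"
    elif counts["opaque"]:
        verdict = "OPAQUE"
    else:
        verdict = "INCONCLUSIVE"
    return verdict, dict(counts)


def constructed_random(n: int) -> bytes:
    """Constructed stand-in for ciphertext: SHA-256 output in counter mode."""
    blocks = (hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


# Constructed samples: repeated database rows as cleartext replication data,
# and pseudo-random bytes as what an encrypted link would carry.
CLEAR_SAMPLES = [b"row %d: name=employee-%d salary=52000\n" % (i, i) * 60 for i in range(3)]
ENCRYPTED_SAMPLES = [constructed_random(4096) for _ in range(3)]

if __name__ == "__main__":
    print("cleartext link:", audit_link(CLEAR_SAMPLES))
    print("encrypted link:", audit_link(ENCRYPTED_SAMPLES))
```

An "OPAQUE" verdict does not prove encryption, since compressed or deduplicated replication streams also have high entropy; an "UNENCRYPTED" verdict is the actionable one.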

