[unisog] WEB2.0 Security Issues

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Thu Jan 25 16:39:54 GMT 2007

On Wed, 24 Jan 2007 21:14:34 CST, "Stasiniewicz, Adam" said:

> I think Valdis made a good point here.  What you will see on "Web 2.0" is a
> whole lot similar to the current Internet.  You will still have the same web
> servers (Apache, IIS, etc) and the same webmasters who don't patch those web
> servers.  You will still have email (and spam) flowing over SMTP.  You will
> still have viruses, worms, and other malware.  There are many proposals on
> what content would be published and who would have access, but in the long
> run, it will probably do little for security.

Equally important, I strongly suspect that the *real* security issues will
come not from any "Web 2.0", but from some new innovative website that doesn't
qualify as "Web 2.0 compliant".  Witness the large swarms of issues that
surround YouTube and Myspace.

> The one thing of interest is IPv6.  It already is sizably deployed in the
> Far East, and most major universities have at least some partial deployment.
> The biggest change in IPv6 is a massive increase in the total amount of IP
> addresses.  There is also work on QOS and IPSec integration, which merits
> attention.  Whatever "Web 2.0", "Internet 2", etc. come out with, I think the
> major mainstay will be IPv6, simply because the world is running out of IP
> addresses.

Web 2.0 is pretty much orthogonal to IPv6.

Also, the *ONLY* difference between IPv6 and IPv4 regarding IPSec is that
being *able* to support it is required in v6, while optional in v4.  Given
that almost all modern systems have the *ability* to use the ESP and AH
headers on IPv4, it becomes a question of *deploying* it - it is *totally*
legal and within spec to run an IPv6 network without the IPSec options.
And I'm quite confident that every site that might *possibly* care about
IPSec on IPv6 is *already* using it on IPv4 - everybody else is either
using SSL connections (which also work equally fine on v4 and v6) or
tunneling over ssh (again, v4/6 agnostic).

QoS is likely to end up being a red herring, except for providers that have
poorly provisioned networks.  As Michael Dillon observed, "Preferential
treatment can degrade service, but it cannot improve service." Phrased
differently, QoS means that if the network is undersized for the amount of
traffic, the person paying the provider more will have a less sucky experience
than the person who didn't pay extra.  In most well-designed networks, there
isn't enough in-router queueing for a QoS setting to make any noticeable
difference - and if the in-router queues are big enough for QoS to matter,
you are going to be seeing packet drops impacting things like TCP windows
and dropping effective throughput on connections to the point that customers
start complaining.

Oh, and for the most part, the burn rate on IPv4 addresses has dropped
a lot, so there's no immediate danger of running out.  To a large extent,
this has been due to *new* projects going straight to IPv6 (most notably,
things like new networks in the Pacific Rim (especially Japan/Korea), and
Internet-capable cellphone networks and the like).  Most current estimates
show the IPv4 wall being hit somewhere between 6 and 10 years out - which
is basically "too far out to worry" in an industry this fast moving. (Having
said that, IPv6 for *new* deployments does make sense....)

