Conference: International Conference For Internet Technology And Secured Transactions

Issues in inter-organisational encryption systems: The problem with FedLink

Abstract

Organisations look towards encryption and Virtual Private Networks (VPNs) as the solution to a range of business requirements. Often, this involves the protection of internal traffic in transit between different locations. However, it can also be used as a means of securely exchanging information with business partners. As inter-organisational encryption systems scale to accommodate larger numbers of participants, a number of challenges arise in maintaining reliability and scalability whilst also preserving the security of the system. In some cases these inter-organisational VPNs may involve hosts such as mail relays that also interact with other mail relays on the Internet external to the encryption or VPN service. In such circumstances, there are several attack vectors other than exploits against encryption or authentication components which may be used to cause sensitive traffic to either be erroneously forwarded without being encrypted, or forwarded to the incorrect encryption/VPN peer. This paper examines one of the security issues that can occur in such an architecture: the requirement that other application or system dependencies such as DNS are themselves appropriately secured. It describes how this issue manifests in the ‘FedLink’ inter-organisational encryption system deployed within the Australian Federal Government. It assesses how well some techniques such as DNSSEC might mitigate the issues described and proposes other controls that could reduce the risk of information leakage. The proposed controls involve leveraging existing device capabilities and existing policy requirements. This makes the application of the controls both cost-effective and reasonably achievable. The controls also have minimal configuration overhead once implemented, meaning that the overall system retains its existing scalability characteristics.