There are two major flavors of data encryption – private key (aka symmetric) and public key (aka asymmetric) encryption systems. The distinction between the two is in key management. In private key systems, both ends share a common key that is used to both encrypt and decrypt the data, so that one key has to be delivered secretly to every party. In public key systems, you encrypt the data with one key and decrypt it with another, and only the decrypting key has to be kept private. This makes key management much easier and explains why public key systems tend to be the methods of choice.
Commonly used systems built on public key cryptography include PGP (Pretty Good Privacy), SSH (Secure Shell) and SSL (Secure Sockets Layer). SSL is what browsers use when they connect to a secure server. SSH is typically used for interactive logins and batch file transfer. PGP is typically used for encrypting data for storage or for transit across public networks.
Then there's the issue of pushing versus pulling the data. If you are trying to get data from outside to behind the firewall, pushing it can be dangerous, because a push requires the machine inside to trust a machine outside – typically an undesirable situation. The alternative is to pull the data from within. This reverses the trust relationship into the more desirable direction, but gives up spontaneity: a batch process has to initiate the pull, and it has no way of knowing when data is ready to be pulled.
VPNs and SSH with command limiting can be used to design solutions that allow pushes while restricting what the outside machine is able to do once it connects.
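One way to build the "SSH with command limiting" push the tip refers to is an OpenSSH forced command: the inside host accepts the outside host's key, but whatever the client asks for, sshd runs a fixed wrapper that only permits an rsync receive into a single drop directory. The script below is an added example written for this page, not code from the SANS material; the drop directory `/var/spool/inbound`, the install path `/usr/local/bin/push-only.sh`, the rsync location, the account name `pusher` and the key shown in the comment are all assumptions.

```shell
#!/bin/sh
# push-only.sh: forced-command wrapper for an SSH account that an outside host
# may use only to push files into one directory on the inside host.  Added
# example of "SSH with command limiting"; paths, account and key are assumed.
#
# Install on the inside host and reference it from the push account's
# ~/.ssh/authorized_keys, for example (key shown is a placeholder):
#   command="/usr/local/bin/push-only.sh",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAA...EXAMPLE pusher@outside
# sshd then runs this script instead of whatever the client asked for, and
# hands the client's request to it in SSH_ORIGINAL_COMMAND.

DROPBOX="${DROPBOX:-/var/spool/inbound}"   # only directory the outside host may write into (assumed)
RSYNC="${RSYNC:-/usr/bin/rsync}"            # rsync binary on the inside host (assumed path)

# allowed_command REQUEST
# Returns 0 only when REQUEST has the shape rsync uses for the server side of a
# *receive*:  rsync --server -<short flags> . $DROPBOX[/]
# The exact flag letters vary with rsync version and client options, so only
# the shape is checked.  Everything else returns 1: an empty request (the
# client wants a login shell), --sender (the outside host reading instead of
# writing), extra long options such as --delete, or any other destination.
allowed_command() {
    [ -n "$1" ] || return 1            # no command at all means "give me a shell"
    set -f                             # split into words without glob expansion
    set -- $1
    set +f
    [ $# -eq 5 ]                   || return 1
    [ "x$1" = "xrsync" ]           || return 1
    [ "x$2" = "x--server" ]        || return 1   # x-prefix keeps test(1) from seeing an option
    case "$3" in -[!-]*) ;; *) return 1 ;; esac  # one short-flag cluster only
    [ "x$4" = "x." ]               || return 1
    case "$5" in "$DROPBOX"|"$DROPBOX/") return 0 ;; esac
    return 1
}

# Entry point when run by sshd: validate, then exec rsync directly so no shell
# re-parses the request; anything rejected is logged and refused.
main() {
    if allowed_command "${SSH_ORIGINAL_COMMAND:-}"; then
        set -f
        set -- $SSH_ORIGINAL_COMMAND
        shift                          # drop the leading "rsync"; run our own binary
        exec "$RSYNC" "$@"
    fi
    logger -t push-only -p auth.warning \
        "rejected from ${SSH_CLIENT:-unknown}: ${SSH_ORIGINAL_COMMAND:-<none>}"
    printf 'push-only account: command not permitted\n' >&2
    exit 1
}

# Dispatch to main only when invoked as the installed script, so the functions
# can also be sourced and exercised on their own.
case "$0" in */push-only.sh|push-only.sh) main ;; esac
```

With this in place the outside host can run `rsync -a ./outgoing/ pusher@inside:/var/spool/inbound/` and nothing else: a request for a shell, a pull (`--sender`), or a different destination is refused and logged. The `no-pty`, `no-port-forwarding` and `no-agent-forwarding` options on the key close the other ways a connection could be used, and adding the standard `from="..."` option to the same authorized_keys line ties the key to the expected source address. The inside host still accepts inbound connections, so this narrows the trust relationship the tip warns about rather than removing it.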
John Stewart, IT consultant and Dave Kensiski, engineering development manager for Cable & Wireless, are also SANS Institute instructors. Content from this tip was extracted from their SANS instruction manual on "Web Site Security."
This was first published in July 2002