Re: [fw-wiz] VPN concentrators

From: m p (sumirati@yahoo.de)
Date: 08/26/02


From: m p <sumirati@yahoo.de>
To: Patrick Darden <darden@armc.org>, scouser@paradise.net.nz
Date: Mon Aug 26 10:34:49 2002


--- Patrick Darden <darden@armc.org> wrote: >
> I don't agree. Putting authenticated and authorized traffic through a
> firewall is redundant. IPSEC traffic is trusted traffic. A VPN is an
> extension of your network--it is as trusted as any traffic internal to
> your network--perhaps more, as it can be completely accounted
> for--remember that every packet has a confirmed sip, dip, and payload.
>

I beg to differ.

He talked about VPN - not authorized and authenticated traffic from a source he
can trust 100%.

Traffic via a VPN can be from different sources with different levels of trust.
It can be a company or an employee or a branch office. Those are 3 classes of
different trustworthiness. Perhaps there are more.

There were some DoS attacks against the Windows IPSEC implementation last year.
There was also a DoS attack against some open source IPSEC implementation. If
you can limit the addresses that connect to the termination point of your VPN,
it may be worth the additional layer of security.

To make sure each person that logs in / operates via the VPN is only allowed to
see what he/she/it should see, there should be a firewall behind the termination
point of the VPN.

Yes, traffic via VPN should be the same as normal "in-house" traffic. But the
beginning of the connection can be a problem - and so can traffic via VPN that is
not "in-house" traffic. If you firewall the RAS users in your company, you should
firewall the VPN users too.

Just my 2 euro cents

Marc

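The two-stage arrangement Marc argues for (limit who may reach the termination point at all, then filter the decrypted traffic by trust class behind it) is easy to lose in prose, so here is a small policy model of it. This is an added example written for this archive page, not code from the list or from any firewall product; every address, pool and service in it is constructed (RFC 5737 documentation ranges on the outside, 10/8 inside), and the rule evaluator is a toy first-match filter, not a real iptables or pf ruleset.

```python
"""Two filtering stages around a VPN termination point (added example).

Stage 1, in front of the concentrator: only IKE (UDP 500/4500) and ESP from
the peer addresses we expect may reach the termination point. Anyone else
never gets to talk to the IPsec implementation, which limits exposure to the
kind of DoS bugs mentioned in the thread.

Stage 2, behind the concentrator: decrypted traffic is classified by the
address pool it arrives from (branch office, employee, partner company) and
each class only reaches what it needs.

All addresses, pools and services below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPNet = ipaddress.IPv4Network


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str                  # "udp", "tcp" or "esp"
    dport: Optional[int] = None # None for protocols without ports (ESP)


@dataclass(frozen=True)
class Rule:
    action: str                 # "ACCEPT" or "DROP"
    src: IPNet
    dst: IPNet
    proto: Optional[str] = None         # None matches any protocol
    dports: frozenset = frozenset()     # empty set matches any port
    comment: str = ""

    def matches(self, f: Flow) -> bool:
        if ipaddress.ip_address(f.src) not in self.src:
            return False
        if ipaddress.ip_address(f.dst) not in self.dst:
            return False
        if self.proto is not None and self.proto != f.proto:
            return False
        if self.dports and f.dport not in self.dports:
            return False
        return True


def evaluate(rules: List[Rule], flow: Flow, default: str = "DROP") -> Tuple[str, str]:
    """First-match evaluation; unmatched flows hit the default policy (DROP)."""
    for r in rules:
        if r.matches(flow):
            return r.action, r.comment
    return default, "default policy"


# ---- Stage 1: in front of the termination point (constructed addresses) ----
CONCENTRATOR = IPNet("198.51.100.10/32")          # public side of the VPN gateway
KNOWN_PEERS = [IPNet("203.0.113.0/24"),           # branch office router range
               IPNet("192.0.2.77/32")]            # partner company's gateway

OUTER_RULES = (
    [Rule("ACCEPT", p, CONCENTRATOR, "udp", frozenset({500, 4500}), "IKE from known peer")
     for p in KNOWN_PEERS]
    + [Rule("ACCEPT", p, CONCENTRATOR, "esp", comment="ESP from known peer")
       for p in KNOWN_PEERS]
)   # everything else, including IKE from unknown addresses, falls to DROP

# ---- Stage 2: behind the termination point (constructed pools/services) ----
INTERNAL = IPNet("10.0.0.0/8")
BRANCH_POOL = IPNet("10.200.1.0/24")     # branch office tunnel addresses
EMPLOYEE_POOL = IPNet("10.200.2.0/24")   # employee tunnel addresses
PARTNER_POOL = IPNet("10.200.3.0/24")    # partner company tunnel addresses
MAIL = IPNet("10.0.0.25/32")
INTRANET = IPNet("10.0.0.80/32")
PARTNER_APP = IPNet("10.0.5.40/32")

INNER_RULES = [
    Rule("ACCEPT", BRANCH_POOL, INTERNAL, comment="branch office: treated like in-house"),
    Rule("ACCEPT", EMPLOYEE_POOL, MAIL, "tcp", frozenset({143, 993}), "employee: mail only"),
    Rule("ACCEPT", EMPLOYEE_POOL, INTRANET, "tcp", frozenset({443}), "employee: intranet web"),
    Rule("ACCEPT", PARTNER_POOL, PARTNER_APP, "tcp", frozenset({443}), "partner: one application"),
]


def outer(flow: Flow) -> str:
    return evaluate(OUTER_RULES, flow)[0]


def inner(flow: Flow) -> str:
    return evaluate(INNER_RULES, flow)[0]


if __name__ == "__main__":
    samples = [
        ("outer", Flow("203.0.113.5", "198.51.100.10", "udp", 500)),   # branch IKE
        ("outer", Flow("192.0.2.99", "198.51.100.10", "udp", 500)),    # unknown IKE
        ("inner", Flow("10.200.2.15", "10.0.0.25", "tcp", 993)),       # employee mail
        ("inner", Flow("10.200.3.4", "10.0.0.80", "tcp", 443)),        # partner to intranet
    ]
    for stage, f in samples:
        action, why = evaluate(OUTER_RULES if stage == "outer" else INNER_RULES, f)
        print(f"{stage:5} {f.src:>13} -> {f.dst:<13} {f.proto}/{f.dport}: {action} ({why})")
```

The first stage only works for peers with fixed addresses (branch routers, a partner's gateway); roaming employees on dynamic addresses cannot be pinned there, which is exactly why the second stage behind the concentrator is the one that decides what each class of user actually sees.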


