RE: [fw-wiz] tunnel vs open a hole

From: Bruce Platt (Bruce@ei3.com)
Date: 04/08/03

    From: Bruce Platt <Bruce@ei3.com>
    To: Frederick M Avolio <fred@avolio.com>, Dave Piscitello <dave@corecom.com>, firewall-wizards@honor.icsalabs.com
    Date: Tue, 8 Apr 2003 16:24:34 -0400
    

    I've enjoyed this thread, so let me add my $.02.

    There is one advantage of an IPSEC VPN in this sort of circumstance which
    narrows the "zones of insecurity" somewhat.

    One can create SAs and SPIs which more tightly specify which network
    entities can communicate through this sort of "tunnel".

    In addition to the benefit of authentication, one does have the ability to
    perform more specifically tuned tunneling than one would achieve by using
    the HTTP proxy on a firewall, which, as so many have noted, is just an open
    hole.

    None of the above means I think a generalized IPSEC VPN solution is
    necessarily better than Anton's alternative of "opening another port" in the
    context which has evolved in this thread. Rather, no one has offered the
    benefits of this approach, which can also offer authorization as part of the
    implementation and can therefore be a suitable solution for certain
    requirements.

    Regards,

    Bruce

    > -----Original Message-----
    > From: Frederick M Avolio [mailto:fred@avolio.com]
    > Sent: Tuesday, April 08, 2003 3:07 PM
    > To: Dave Piscitello; firewall-wizards@honor.icsalabs.com
    > Subject: Re: [fw-wiz] tunnel vs open a hole
    >
    >
    >
    > >No one discussed the benefits of using an encrypted, authenticated
    > >tunnel (SSL, SSH, ...), which do provide additional controls. If I were
    > >developing/deploying a (presumably) distributed application *today*,
    > >I would begin with the assumption that I need stronger authentication
    > >than UIPW, message integrity, and message confidentiality. Many of
    > >the problems we struggle to correct today stem from the fact that
    > >we think of security as something orthogonal to application functionality
    > >rather than a core component/requirement.
    >
    >
    > Of course, encryption exacerbates the problem. :-) We can then gain a
    > tremendously high level of assurance that Dave Piscitello did something
    > over SSL to a particular IP address from a particular IP address. Which
    > adds authentication and little else on top of the paragraph you cited:
    >
    > >"The real question is whether the tunnelling system provides _ANY_
    > >security controls above and beyond ip/src/dest/logging."
    >
    >
    > Fred
    >
    >
    > _______________________________________________
    > firewall-wizards mailing list
    > firewall-wizards@honor.icsalabs.com
    > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    >
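Bruce's point about SAs and selectors, as an added illustration that is not code from anyone in this thread: a toy IPsec Security Policy Database (SPD) whose entries carry RFC 4301-style traffic selectors (remote network, local host, protocol, port) and the IKE-authenticated peer identity the SA must have been negotiated with, placed beside a firewall rule that simply opens a port. The addresses, the peer identity `partner-gw.example`, the port 8443 and every packet below are constructed for the example. The SPD discards traffic to the wrong internal host, from a source outside the partner range, or arriving over an SA that was authenticated as a different peer, while the "open a hole" rule allows all of it; that is the narrowing of the "zones of insecurity" the post describes.

```python
"""Toy IPsec SPD with traffic selectors vs. an "open a port" firewall rule.

Added example for the fw-wiz "tunnel vs open a hole" thread; not code from
the thread or from any IPsec implementation. All addresses, identities and
policies are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp" or "udp"
    dport: int
    # IKE-authenticated identity of the SA this packet was decapsulated from.
    # None models a plaintext packet that never went through the tunnel.
    peer_id: Optional[str] = None


@dataclass(frozen=True)
class SpdEntry:
    """One SPD entry: traffic selectors plus the peer the SA must belong to."""
    remote_net: str                 # who may talk (as seen from the gateway)
    local_net: str                  # which internal entity they may reach
    proto: str
    dport: int
    peer_id: str                    # identity IKE authenticated for this SA
    action: str = "PROTECT"         # RFC 4301 actions: PROTECT / BYPASS / DISCARD

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.remote_net)
                and ip_address(pkt.dst) in ip_network(self.local_net)
                and pkt.proto == self.proto
                and pkt.dport == self.dport
                and pkt.peer_id == self.peer_id)


def spd_decision(spd: List[SpdEntry], pkt: Packet) -> str:
    """First matching selector wins; with no match the packet is discarded."""
    for entry in spd:
        if entry.matches(pkt):
            return entry.action
    return "DISCARD"


def open_hole_decision(pkt: Packet, hole_port: int = 8443, proto: str = "tcp") -> str:
    """The 'just open another port' alternative: only the port is checked."""
    return "ALLOW" if (pkt.proto == proto and pkt.dport == hole_port) else "DENY"


# Constructed policy: the partner gateway (authenticated as partner-gw.example)
# may reach exactly one internal application server on TCP/8443.
SPD = [SpdEntry("203.0.113.0/28", "10.1.5.10/32", "tcp", 8443, "partner-gw.example")]


def compare(pkt: Packet) -> Tuple[str, str]:
    """Return (SPD decision, open-hole decision) for one packet."""
    return spd_decision(SPD, pkt), open_hole_decision(pkt)


if __name__ == "__main__":
    samples = {
        "authorized partner host -> app server": Packet("203.0.113.5", "10.1.5.10", "tcp", 8443, "partner-gw.example"),
        "partner host -> a different server":    Packet("203.0.113.5", "10.1.5.11", "tcp", 8443, "partner-gw.example"),
        "outsider, plaintext, right port":       Packet("198.51.100.7", "10.1.5.10", "tcp", 8443),
        "spoofed partner address, other SA":     Packet("203.0.113.5", "10.1.5.10", "tcp", 8443, "someone-else"),
    }
    for label, pkt in samples.items():
        spd, hole = compare(pkt)
        print(f"{label:40s} SPD={spd:8s} open-hole={hole}")
```

The selector check is deliberately tied to `peer_id`: an SPD entry is only useful because the SA it points at was created after IKE authenticated the remote gateway, so a matching source address alone is not enough. A real implementation also keys on the SPI and inbound SA, but the shape of the decision is the same.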

