Re: [fw-wiz] IPv6 and IPSec

From: Paul D. Robertson (paul_at_compuwar.net)
Date: 08/28/04

    To: suren <suren@intotoinc.com>
    Date: Sat, 28 Aug 2004 09:43:33 -0400 (EDT)
    
    

    On Thu, 26 Aug 2004, suren wrote:

    > Hi,
    > IPSec based security is MUST for IPv6. Due to this, I would
    > assume that end systems would use IPSec to secure the traffic
    > going out.

    Why? It's not a must for IPv4, why would adding address space suddenly
    require IPSec? Heck, the cascading headers for V6 offer the chance for
    pseudo-out-of-band control and encapsulation, why again would you use
    IPSec?

    >
    > Quite a number of times, organizations would like to filter out
    > the connection (Firewall) and run the data through centralized virus
    > scanning/spam scanning engines. This requires clear traffic.
    >

    Not quite, it requires the ability to inspect the traffic, which is a
    different thing entirely. There was, at one point, a major push to do
    alternate decryption keys for such purposes.

    > With respect to these, I have questions on how the deployments are
    > going to be. One type of deployment I can think of is:
    >
    > Central gateway implementing Firewall/Virus Scanning
    > engine and also terminating IPSec tunnels from local PCs and
    > creating tunnels from the gateway to the ultimate destination.
    > By doing this, the gateway gets hold of clear packets and can
    > apply firewall rules, scan, and do any other operations.
    >
    > What other types of deployments would be required/considered by
    > organizations having IPv6 networks?

    The same as today- where we have those (application layer firewalls, for
    instance) as well as NAT and straight through and trust the host security
    and bunches of others. The only thing v6 brings that might be
    "interesting" from a security perspective[1] is encapsulated or cascading
    headers, that'll allow some socks-like stuff to happen if enough people
    get momentum (likely though it'll be QoS that first tries it.)

    Paul
    [1] Admittedly, I haven't looked at v6 in a good number of years, so
    something may have changed since I looked at the drafts way back when.
    -----------------------------------------------------------------------------
    Paul D. Robertson "My statements in this message are personal opinions
    paul@compuwar.net which may have no basis whatsoever in fact."
    probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
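As an added illustration of the two points raised above (inspection needs visibility into the traffic, and IPv6's cascading extension headers), this Python example walks an IPv6 extension-header chain and reports whether a gateway would see the upper-layer payload in the clear. It is example code written for this page, not from the list post; the sample packets and addresses are constructed.

```python
import struct

# Next Header values (IANA protocol numbers)
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
TCP, UDP, ESP, AH = 6, 17, 50, 51
NAMES = {0: "hop-by-hop", 43: "routing", 44: "fragment", 60: "dest-opts",
         6: "tcp", 17: "udp", 50: "esp", 51: "ah", 58: "icmpv6"}


def walk_header_chain(pkt: bytes):
    """Follow the IPv6 extension-header chain.

    Returns (chain, inspectable): the header names in order and whether a
    gateway could read the upper-layer payload. AH only authenticates, so the
    walk continues through it; ESP keeps its Next Header field inside the
    encrypted trailer, so the walk stops there and the payload is opaque.
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, chain = pkt[6], 40, []
    while True:
        chain.append(NAMES.get(nh, f"proto-{nh}"))
        if nh in (HOP_BY_HOP, ROUTING, DEST_OPTS):
            ext_len = (pkt[off + 1] + 1) * 8  # Hdr Ext Len in 8-octet units, first 8 excluded
        elif nh == FRAGMENT:
            ext_len = 8                       # fixed-size header
        elif nh == AH:
            ext_len = (pkt[off + 1] + 2) * 4  # Payload Len in 4-octet units, minus 2
        elif nh == ESP:
            return chain, False               # cannot follow the chain into ciphertext
        else:
            return chain, True                # upper-layer header reached in the clear
        if off + ext_len > len(pkt):
            raise ValueError("truncated extension header")
        nh, off = pkt[off], off + ext_len


def _ipv6(nh: int, payload: bytes) -> bytes:
    """Constructed fixed header: version 6, hop limit 64, dummy ::1 -> ::2."""
    src = b"\x00" * 15 + b"\x01"
    dst = b"\x00" * 15 + b"\x02"
    return struct.pack("!IHBB16s16s", 6 << 28, len(payload), nh, 64, src, dst) + payload


# Constructed samples: (1) dest-opts (PadN option) -> TCP; (2) fragment -> ESP (SPI, seq, ciphertext)
CLEAR_PKT = _ipv6(DEST_OPTS, bytes([TCP, 0, 1, 4, 0, 0, 0, 0]) + b"\x00" * 20)
ESP_PKT = _ipv6(FRAGMENT, bytes([ESP, 0, 0, 0, 0, 0, 0, 1]) + bytes(8) + b"\xaa" * 16)

if __name__ == "__main__":
    for p in (CLEAR_PKT, ESP_PKT):
        print(walk_header_chain(p))
```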

