Firewall Wizards mailing list archives
IPsec and firewalls
From: Aleph One <aleph1 () dfw dfw net>
Date: Fri, 6 Feb 1998 11:26:20 -0600 (CST)
On Fri, 6 Feb 1998, Adam Shostack wrote:
Ok, I'll grant you that, and suggest that it's a Hard fight to win. IPsec is only going to make it harder, unless we get to the point of an encryption standard that separates authentication from confidentiality, and the keying of the two to allow an authorized third party to participate. As a cryptanalyst, I believe those goals are amazingly hard to meet. I haven't looked closely enough at IPsec and Oakley/ISAKMP to understand what they do to firewalls in the context of your question. I'm afraid I might have to write RFCs, and argue that the standard needs more work. But my desire to see IPsec deployed outweighs my desire to see proxy firewalls deployed.
Actually, IPsec does separate authentication from confidentiality (RFC1827 and RFC1826). I was just talking to someone about this at USENIX. I see a market for someone that implements an ISAKMP daemon that supports transferring keys to a trusted third party. Of course this brings you all the same headaches that Kerberos does, having to maintain a secured machine with possibly all session keys, but hopefully your firewall maintains that level of security so it should not add many more risks. Probably any such protocols between the ISAKMP server and the firewall should be standardized by an RFC. Anyone have any comments?
Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume
Aleph One / aleph1 () dfw net http://underground.org/ KeyID 1024/948FD6B5 Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01