Firewall Wizards mailing list archives

IPsec and firewalls


From: Aleph One <aleph1 () dfw dfw net>
Date: Fri, 6 Feb 1998 11:26:20 -0600 (CST)

On Fri, 6 Feb 1998, Adam Shostack wrote:

      Ok, I'll grant you that, and suggest that it's a Hard fight to
win.  IPsec is only going to make it harder, unless we get to the
point of an encryption standard that separates authentication from
confidentiality, and the keying of the two to allow an authorized
third party to participate.  As a cryptanalyst, I believe those goals
are amazingly hard to meet.  I haven't looked closely enough at IPsec
and Oakley/ISAKMP to understand what they do to firewalls in the
context of your question.  I'm afraid I might have to write RFCs, and
argue that the standard needs more work. But my desire to see IPsec
deployed outweighs my desire to see proxy firewalls deployed.

Actually, IPsec does separate authentication from confidentiality (RFC1827
and RFC1826). I was just talking to someone about this at USENIX. I see a
market for someone that implements an ISAKMP daemon that supports
transferring keys to a trusted third party. Of course this brings you all
the same headaches that Kerberos does, having to maintain a secured machine
with possibly all session keys, but hopefully your firewall maintains that
level of security so it should not add many more risks. Probably any such
protocol between the ISAKMP server and the firewall should be standardized
by an RFC. Anyone have any comments?

Adam


-- 
"It is seldom that liberty of any kind is lost all at once."
                                                     -Hume





Aleph One / aleph1 () dfw net
http://underground.org/
KeyID 1024/948FD6B5 
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01 
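The AH/ESP split and the key-escrow idea discussed above, as an added example that is not part of the original post or of any IPsec implementation. It models the two services with separate keys: an AH-style packet carries the payload in the clear under an integrity check, an ESP-style packet hides it, and a firewall that has been handed only the ESP confidentiality key (by a hypothetical ISAKMP escrow daemon, assumed here) can read the payload but cannot produce a valid integrity check value, so end-to-end authentication survives the escrow. The SHA-256 counter-mode keystream, the 12-byte truncated HMAC and the packet layouts are stand-ins chosen for this model, not the RFC 1826/1827 wire formats or cipher suites.

```python
"""Model of separate authentication (AH) and confidentiality (ESP) keys,
and of escrowing only the ESP encryption key to a firewall.
Added example; toy cipher and layouts are assumptions, not IPsec wire format."""
import hashlib
import hmac
import os
import struct

ICV_LEN = 12  # truncated MAC length used by this model (assumption)
HDR_LEN = 8   # SPI (4 bytes) + sequence number (4 bytes)
IV_LEN = 8


def _keystream(enc_key: bytes, iv: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: SHA-256(key || iv || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + iv + struct.pack(">I", counter)).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def _icv(auth_key: bytes, data: bytes) -> bytes:
    """Integrity check value: truncated HMAC-SHA256 under the auth key only."""
    return hmac.new(auth_key, data, hashlib.sha256).digest()[:ICV_LEN]


def esp_protect(enc_key, auth_key, spi, seq, payload, iv=None):
    """ESP-style packet: SPI | seq | IV | ciphertext | ICV. Payload hidden."""
    iv = iv or os.urandom(IV_LEN)
    header = struct.pack(">II", spi, seq)
    body = header + iv + _xor(payload, _keystream(enc_key, iv, len(payload)))
    return body + _icv(auth_key, body)


def esp_peek(enc_key, packet):
    """Decrypt WITHOUT verifying: all a holder of only the encryption key
    can do. It can read the payload but cannot vouch for its integrity."""
    body = packet[:-ICV_LEN]
    iv, ct = body[HDR_LEN:HDR_LEN + IV_LEN], body[HDR_LEN + IV_LEN:]
    return _xor(ct, _keystream(enc_key, iv, len(ct)))


def esp_open(enc_key, auth_key, packet):
    """Receiver side: verify the ICV first, then decrypt."""
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(_icv(auth_key, body), icv):
        raise ValueError("ESP ICV mismatch")
    return esp_peek(enc_key, packet)


def ah_protect(auth_key, spi, seq, payload):
    """AH-style packet: SPI | seq | ICV | payload. Payload in the clear."""
    header = struct.pack(">II", spi, seq)
    return header + _icv(auth_key, header + payload) + payload


def ah_open(auth_key, packet):
    header = packet[:HDR_LEN]
    icv = packet[HDR_LEN:HDR_LEN + ICV_LEN]
    payload = packet[HDR_LEN + ICV_LEN:]
    if not hmac.compare_digest(_icv(auth_key, header + payload), icv):
        raise ValueError("AH ICV mismatch")
    return payload


def firewall_view(packet, proto, escrow):
    """What a proxy firewall can inspect. `escrow` maps SPI -> ESP encryption
    key handed over by the (hypothetical) ISAKMP escrow daemon. The auth key
    is never escrowed, so the firewall can read but cannot forge."""
    spi = struct.unpack(">I", packet[:4])[0]
    if proto == "AH":
        return packet[HDR_LEN + ICV_LEN:]      # cleartext, not verified here
    if proto == "ESP" and spi in escrow:
        return esp_peek(escrow[spi], packet)   # readable via escrowed key
    return None                                # opaque ciphertext


def firewall_can_forge(enc_key_only, spi, packet):
    """Firewall holding just the escrowed encryption key tries to rewrite
    the payload; returns True only if the receiver would accept it."""
    body = packet[:-ICV_LEN]
    iv = body[HDR_LEN:HDR_LEN + IV_LEN]
    forged_ct = _xor(b"X" * 5, _keystream(enc_key_only, iv, 5))
    forged = body[:HDR_LEN + IV_LEN] + forged_ct
    # Without the auth key the best it can do is guess the ICV.
    return forged + _icv(enc_key_only, forged)


if __name__ == "__main__":
    enc_key, auth_key = os.urandom(32), os.urandom(32)
    spi, msg = 0x1001, b"GET /index.html HTTP/1.0\r\n"   # constructed sample
    esp = esp_protect(enc_key, auth_key, spi, 1, msg)
    print("ESP, no escrow :", firewall_view(esp, "ESP", {}))
    print("ESP, escrowed  :", firewall_view(esp, "ESP", {spi: enc_key}))
    print("AH             :", firewall_view(ah_protect(auth_key, spi, 1, msg), "AH", {}))
```

Giving the firewall the confidentiality key alone is what lets it inspect ESP traffic without also being able to impersonate either endpoint; handing it the authentication key as well would turn the escrow machine into a second trusted peer, which is the Kerberos-style exposure the post warns about.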


