Firewall Wizards mailing list archives
RE: tunnel vs open a hole
From: Bruce Platt <Bruce () ei3 com>
Date: Tue, 8 Apr 2003 16:24:34 -0400
I've enjoyed this thread, so let me add my $.02.

There is one advantage of an IPSEC VPN in this sort of circumstance which narrows the "zones of insecurity" somewhat. One can create SA's and SPI's which more tightly specify which network entities can communicate through this sort of "tunnel". In addition to the benefit of authentication, one does have the ability to perform more specifically tuned tunneling than one would achieve by using the http proxy on a firewall which, as so many have noted, is just an open hole.

None of the above means I think a generalized IPSEC VPN solution is necessarily better than Anton's alternative of "opening another port" in the context which has evolved in this thread. Rather, no one has offered the benefits of this approach, which can also offer authorization as part of the implementation and can therefore be a suitable solution for certain requirements.

Regards,
Bruce
-----Original Message-----
From: Frederick M Avolio [mailto:fred () avolio com]
Sent: Tuesday, April 08, 2003 3:07 PM
To: Dave Piscitello; firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] tunnel vs open a hole

No one discussed the benefits of using an encrypted, authenticated tunnel (SSL, SSH, ...), which do provide additional controls. If I were developing/deploying a (presumably) distributed application *today*, I would begin with the assumption that I need stronger authentication than UIPW, message integrity, and message confidentiality. Many of the problems we struggle to correct today stem from the fact that we think of security as something orthogonal to application functionality rather than a core component/requirement.

Of course, encryption exacerbates the problem. :-) We can then gain a tremendously high level of assurance that Dave Piscitello did something over SSL to a particular IP address from a particular IP address. Which adds authentication and little else on top of the paragraph you cited:

"The real question is whether the tunnelling system provides _ANY_ security controls above and beyond ip/src/dest/logging."

Fred

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
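To make the selector point concrete, here is an added Python model (not code from Bruce, Fred or anyone else in this thread) of the two checks an IPsec endpoint performs: the outbound SPD lookup, which is first-match and discards anything no entry covers, and the inbound check that a decapsulated packet actually matches the selectors of the SA (SPI) it arrived on, beside the firewall rule that simply opens a proxy port to any source. All addresses, ports and SPI values are constructed for the example; the only thing taken from the real protocol is the RFC 4301 shape of SPD entries (PROTECT/BYPASS/DISCARD) and the inbound selector verification.

```python
"""Model of IPsec SPD/SA traffic-selector checks versus a plain 'open port' rule.

Added illustration for this thread; addresses, ports and SPI values below are
constructed, not taken from any real deployment.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Selector:
    """Traffic selector: which hosts may talk, with which protocol and port."""
    src_net: str                  # CIDR, e.g. "10.1.2.10/32"
    dst_net: str
    proto: Optional[str] = None   # None = any protocol
    dport: Optional[int] = None   # None = any destination port

    def matches(self, pkt: Packet) -> bool:
        src_ok = ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net)
        dst_ok = ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst_net)
        proto_ok = self.proto is None or self.proto == pkt.proto
        port_ok = self.dport is None or self.dport == pkt.dport
        return src_ok and dst_ok and proto_ok and port_ok


@dataclass(frozen=True)
class SPDEntry:
    selector: Selector
    action: str                   # "PROTECT", "BYPASS" or "DISCARD"
    spi: Optional[int] = None     # SA to use when action is PROTECT


# Constructed policy: only the application server may reach the partner's
# service port through the tunnel; local LAN traffic bypasses IPsec; everything
# else is discarded, because an SPD has no implicit "allow".
SPD: List[SPDEntry] = [
    SPDEntry(Selector("10.1.2.10/32", "192.0.2.20/32", "tcp", 8443), "PROTECT", spi=0x1001),
    SPDEntry(Selector("10.1.0.0/16", "10.1.0.0/16"), "BYPASS"),
]

# Selectors bound to each inbound SA, keyed by SPI (constructed values).
SA_SELECTORS: Dict[int, Selector] = {
    0x2001: Selector("192.0.2.20/32", "10.1.2.10/32", "tcp"),
}


def outbound_decision(spd: List[SPDEntry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First-match SPD lookup; no matching entry means DISCARD."""
    for entry in spd:
        if entry.selector.matches(pkt):
            return entry.action, entry.spi
    return "DISCARD", None


def inbound_accept(sa_selectors: Dict[int, Selector], spi: int, inner: Packet) -> bool:
    """After decapsulation the inner packet must match the selectors of the SA it
    arrived on, so a peer cannot use its SA to reach hosts outside the agreement."""
    sel = sa_selectors.get(spi)
    return sel is not None and sel.matches(inner)


def proxy_port_allows(pkt: Packet, proxy_ip: str = "203.0.113.5", port: int = 8080) -> bool:
    """The 'open a hole' alternative: any source may reach the proxy port."""
    return pkt.dst == proxy_ip and pkt.proto == "tcp" and pkt.dport == port


def demo() -> Dict[str, object]:
    """Run constructed packets through both models and return the decisions."""
    app_to_partner = Packet("10.1.2.10", "192.0.2.20", "tcp", 8443)
    other_to_partner = Packet("10.1.2.77", "192.0.2.20", "tcp", 8443)
    app_wrong_port = Packet("10.1.2.10", "192.0.2.20", "tcp", 22)
    lan_dns = Packet("10.1.2.10", "10.1.5.5", "udp", 53)
    reply_ok = Packet("192.0.2.20", "10.1.2.10", "tcp", 51000)
    reply_stray = Packet("192.0.2.20", "10.1.2.77", "tcp", 51000)
    return {
        "app_to_partner": outbound_decision(SPD, app_to_partner),
        "other_to_partner": outbound_decision(SPD, other_to_partner),
        "app_wrong_port": outbound_decision(SPD, app_wrong_port),
        "lan_dns": outbound_decision(SPD, lan_dns),
        "inbound_reply_ok": inbound_accept(SA_SELECTORS, 0x2001, reply_ok),
        "inbound_reply_stray": inbound_accept(SA_SELECTORS, 0x2001, reply_stray),
        "inbound_unknown_spi": inbound_accept(SA_SELECTORS, 0x9999, reply_ok),
        "proxy_any_source": proxy_port_allows(Packet("10.1.2.77", "203.0.113.5", "tcp", 8080)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The contrast the thread is drawing shows up in the last two decisions: the proxy-port rule accepts the second internal host as readily as the first, while the SPD discards it and the inbound check refuses a packet the peer addressed to that host even though it arrived on a valid SA.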
Current thread:
- RE: tunnel vs open a hole Behm, Jeffrey L. (Apr 07)
- <Possible follow-ups>
- RE: tunnel vs open a hole Melson, Paul (Apr 08)
- RE: tunnel vs open a hole Bruce Platt (Apr 08)
- RE: tunnel vs open a hole Dave Piscitello (Apr 08)
- RE: tunnel vs open a hole Marcus J. Ranum (Apr 09)
- Re: tunnel vs open a hole George Capehart (Apr 09)
- Re: tunnel vs open a hole Marcus J. Ranum (Apr 09)
- Re: tunnel vs open a hole George Capehart (Apr 09)
- Re: tunnel vs open a hole Marcus J. Ranum (Apr 09)
- Re: tunnel vs open a hole R. DuFresne (Apr 10)
- Re: tunnel vs open a hole Bill Royds (Apr 10)
- Re: tunnel vs open a hole Marcus J. Ranum (Apr 10)
- Re: tunnel vs open a hole George Capehart (Apr 09)
- Re: tunnel vs open a hole Dave Piscitello (Apr 10)