Firewall Wizards mailing list archives

RE: tunnel vs open a hole


From: Dave Piscitello <dave () corecom com>
Date: Tue, 08 Apr 2003 20:18:42 -0400

At 04:24 PM 4/8/2003 -0400, you wrote:
> There is one advantage of an IPSEC VPN in this sort of circumstance which
> narrows the "zones of insecurity" somewhat.

It's both advantageous and disadvantageous - IPsec creates
network connections - a client or remote LAN joins your LAN environment.

> One can create SAs and SPIs which more tightly specify which network
> entities can communicate through this sort of "tunnel".

But IPsec selectors only have IP header and UDP/Port access control
granularity - IPsec gateways can specify a host and service, but can't control
access at the application data object level.

> In addition to the benefit of authentication, one does have the ability to
> perform more specifically tuned tunneling than one would achieve by using
> the http proxy on a firewall which, as so many have noted, is just an open
> hole.

SSL VPN appliances allow you to do even more of the kind of granular
security policy you mention for IPsec, above the "network connection"
level, so you can set host/url/folder/file permissions per user. Most of
these appliances "webify" network file shares and have client side
java applets to facilitate thin client, terminal services, green screen apps.

> None of the above means I think a generalized IPSEC VPN solution is
> necessarily better than Anton's alternative of "opening another port" in the
> context which has evolved in this thread.  Rather, no one has offered the
> benefits of this approach, which can also offer authorization as part of the
> implementation and can therefore be a suitable solution for certain
> requirements.

Well, I began the (ahem) exchange.

David M. Piscitello
Core Competence, Inc. &
3 Myrtle Bank Lane
Hilton Head, SC 29926
dave () corecom com
843.689.5595
www.corecom.com
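The granularity point made above (IPsec selectors see only IP header, protocol and port; an SSL VPN or proxy can decide per user, host and URL path) can be made concrete with a small model of the two policy layers. The following Python is an added example written for this archive page, not code from the thread or from any product named in it; the address ranges (10.1.0.0/16 as the local LAN, 192.0.2.0/24 as the remote side), the users "alice" and "bob" and the URL paths are constructed for illustration. The SPD model follows the ordered, first-match selector style of RFC 4301; the application ACL is a deliberately simple user/host/path-prefix check with path canonicalization, which is the detail a proxy-level policy must get right and a selector never has to think about.

```python
"""IPsec-style selector matching next to an application-layer ACL.

Added example for the firewall-wizards thread above; all addresses, users
and paths are constructed. It shows that two HTTP requests to the same
host and port are indistinguishable to an IPsec SPD, while a proxy or
SSL VPN policy can tell them apart by user and URL path.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import posixpath
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """The fields an IPsec gateway can select on (constructed model)."""
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Selector:
    """One SPD entry in the spirit of RFC 4301: CIDR, protocol, port range."""
    src: str                        # CIDR of permitted local sources
    dst: str                        # CIDR of remote destinations
    proto: Optional[str] = None     # None = any protocol
    dports: Optional[range] = None  # None = any destination port
    action: str = "discard"         # "protect" | "bypass" | "discard"

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dports is not None and pkt.dport not in self.dports:
            return False
        return True


# Ordered SPD, first match wins: only TCP/443 to one host is protected,
# everything else towards the remote /24 is discarded (constructed policy).
SPD = [
    Selector("10.1.0.0/16", "192.0.2.10/32", "tcp", range(443, 444), "protect"),
    Selector("10.1.0.0/16", "192.0.2.0/24", action="discard"),
]


def spd_lookup(pkt: Packet, spd=SPD) -> str:
    """Return the action of the first matching selector, "discard" if none."""
    for sel in spd:
        if sel.matches(pkt):
            return sel.action
    return "discard"


@dataclass(frozen=True)
class AppRule:
    """What an SSL VPN / proxy can express: per-user host and URL prefix."""
    user: str
    host: str
    path_prefix: str


APP_ACL = [
    AppRule("alice", "192.0.2.10", "/reports/"),
    AppRule("bob", "192.0.2.10", "/public/"),
]


def app_lookup(user: str, host: str, path: str, acl=APP_ACL) -> bool:
    """Allow if a rule covers (user, host) and the canonical path is under it.

    The path is normalised first so "/reports/../admin/x" is judged as
    "/admin/x" instead of slipping past a naive prefix test.
    """
    canonical = posixpath.normpath(path)
    return any(
        r.user == user and r.host == host and canonical.startswith(r.path_prefix)
        for r in acl
    )


def compare(user: str, pkt: Packet, path: str) -> dict:
    """Evaluate the same request at both policy layers."""
    return {"ipsec": spd_lookup(pkt), "app": app_lookup(user, pkt.dst, path)}


if __name__ == "__main__":
    https = Packet("10.1.5.5", "192.0.2.10", "tcp", 443)
    # Same host/port, so identical at the selector level; the app ACL differs.
    print(compare("alice", https, "/reports/q1.pdf"))
    print(compare("alice", https, "/admin/"))
    print(compare("alice", https, "/reports/../admin/x"))
```

Running the script shows `ipsec` reported as `protect` for all three requests while only the first passes the application ACL, which is the trade-off the message describes: the selector decides whether the host and service are reachable, and anything finer has to be decided by something that can see the application data.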



_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

