Firewall Wizards mailing list archives
RE: tunnel vs open a hole
From: Dave Piscitello <dave () corecom com>
Date: Tue, 08 Apr 2003 20:18:42 -0400
At 04:24 PM 4/8/2003 -0400, you wrote:
> There is one advantage of an IPSEC VPN in this sort of circumstance which narrows the "zones of insecurity" somewhat.

It's both advantageous and disadvantageous - IPsec creates network connections - a client or remote LAN joins your LAN environment.

> One can create SA's and SPI's which more tightly specify which network entities can communicate through this sort of "tunnel".

But IPsec selectors only have IP header and UDP/port access control granularity - IPsec gateways can specify a host and service, but can't control access at the application data object level.

> In addition to the benefit of authentication, one does have the ability to perform more specifically tuned tunneling than one would achieve by using the http proxy on a firewall, which, as so many have noted, is just an open hole.

SSL VPN appliances allow you to do even more of the kind of granular security policy you mention for IPsec, above the "network connection" level, so you can set host/url/folder/file permissions per user. Most of these appliances "webify" network file shares and have client side java applets to facilitate thin client, terminal services, green screen apps.

> None of the above means I think a generalized IPSEC VPN solution is necessarily better than Anton's alternative of "opening another port" in the context which has evolved in this thread. Rather, no one has offered the benefits of this approach, which can also offer authorization as part of the implementation and can therefore be a suitable solution for certain requirements.

Well, I began the (ahem) exchange.

David M. Piscitello
Core Competence, Inc. &
3 Myrtle Bank Lane
Hilton Head, SC 29926
dave () corecom com
843.689.5595
www.corecom.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
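The granularity point made in this exchange (an IPsec selector sees only IP addresses, protocol and ports, while an SSL VPN appliance can decide per user and per URL) can be made concrete with a small model. The following is an added illustration, not code from the thread or from any product mentioned in it; the SPD entry, the two users, the path prefixes and the request paths are constructed. It shows that two HTTP requests carried on the same TCP connection are indistinguishable to a Security Policy Database lookup, yet are allowed or denied separately by an application-layer policy that also normalises the path before matching.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Added illustration (not from the thread): a minimal model of the two policy
# layers discussed above. All networks, users and paths below are constructed.


@dataclass(frozen=True)
class Flow:
    """The fields an IPsec selector can see: IP header plus transport port."""
    src: str
    dst: str
    proto: str          # "tcp", "udp", ...
    dport: int


@dataclass(frozen=True)
class SpdEntry:
    """One Security Policy Database entry: a traffic selector plus an action."""
    remote_net: str                         # who may talk through the tunnel
    local_net: str                          # what they may reach
    proto: Optional[str]                    # None = any protocol
    dport_range: Optional[Tuple[int, int]]  # None = any destination port
    action: str                             # "protect", "bypass" or "discard"

    def matches(self, flow: Flow) -> bool:
        if ip_address(flow.src) not in ip_network(self.remote_net):
            return False
        if ip_address(flow.dst) not in ip_network(self.local_net):
            return False
        if self.proto is not None and self.proto != flow.proto:
            return False
        if self.dport_range is not None:
            lo, hi = self.dport_range
            if not lo <= flow.dport <= hi:
                return False
        return True


def ipsec_decision(spd: List[SpdEntry], flow: Flow) -> str:
    """First-match lookup over an ordered SPD; default-discard when nothing matches."""
    for entry in spd:
        if entry.matches(flow):
            return entry.action
    return "discard"


# Application-layer policy of the kind an SSL VPN appliance can enforce:
# for each user, the URL path prefixes that user may read (constructed).
APP_POLICY: Dict[str, Tuple[str, ...]] = {
    "alice": ("/public/", "/finance/"),
    "bob": ("/public/",),
}


def normalise_path(path: str) -> str:
    """Collapse '.' and '..' segments so the prefix check sees the real target."""
    segments: List[str] = []
    for seg in path.split("/"):
        if seg == "..":
            if segments:
                segments.pop()
        elif seg and seg != ".":
            segments.append(seg)
    return "/" + "/".join(segments)


def app_decision(policy: Dict[str, Tuple[str, ...]], user: str, method: str, path: str) -> bool:
    """Allow only read methods, and only under a prefix granted to this user."""
    if method not in ("GET", "HEAD"):
        return False
    norm = normalise_path(path)
    return any(norm.startswith(p) or norm + "/" == p for p in policy.get(user, ()))


def demo() -> Dict[str, object]:
    """Same flow, two requests: the SPD cannot tell them apart, the app policy can."""
    spd = [
        # Remote office 192.0.2.0/24 may reach the HTTPS server 198.51.100.10 only.
        SpdEntry("192.0.2.0/24", "198.51.100.10/32", "tcp", (443, 443), "protect"),
    ]
    flow = Flow("192.0.2.7", "198.51.100.10", "tcp", 443)
    return {
        # Both requests ride the same 5-tuple, so the selector result is identical.
        "ipsec_public": ipsec_decision(spd, flow),
        "ipsec_finance": ipsec_decision(spd, flow),
        # The application layer sees user, method and (normalised) path.
        "app_bob_public": app_decision(APP_POLICY, "bob", "GET", "/public/report.pdf"),
        "app_bob_finance": app_decision(APP_POLICY, "bob", "GET", "/public/../finance/payroll.xlsx"),
        "app_alice_finance": app_decision(APP_POLICY, "alice", "GET", "/finance/payroll.xlsx"),
        # A host outside the selector is still stopped at the IPsec layer.
        "ipsec_other_host": ipsec_decision(spd, Flow("192.0.2.7", "198.51.100.11", "tcp", 443)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The SPD lookup is deliberately first-match with a default of discard, which is how an ordered policy database behaves; the application policy refuses anything but read methods and normalises `..` segments before the prefix comparison, so a path that tunnels past the granted prefix is denied even though the IPsec layer let the connection through.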
Current thread:
- RE: tunnel vs open a hole Behm, Jeffrey L. (Apr 07)
- <Possible follow-ups>
- RE: tunnel vs open a hole Melson, Paul (Apr 08)
- RE: tunnel vs open a hole Bruce Platt (Apr 08)
- RE: tunnel vs open a hole Dave Piscitello (Apr 08)
- RE: tunnel vs open a hole Marcus J. Ranum (Apr 09)
- Re: tunnel vs open a hole George Capehart (Apr 09)
- Re: tunnel vs open a hole Marcus J. Ranum (Apr 09)
- Re: tunnel vs open a hole George Capehart (Apr 09)
- Re: tunnel vs open a hole Marcus J. Ranum (Apr 09)
- Re: tunnel vs open a hole R. DuFresne (Apr 10)
- Re: tunnel vs open a hole Bill Royds (Apr 10)
- Re: tunnel vs open a hole Marcus J. Ranum (Apr 10)
- Re: tunnel vs open a hole George Capehart (Apr 09)
- Re: tunnel vs open a hole Dave Piscitello (Apr 10)
- Re: tunnel vs open a hole Adam Shostack (Apr 09)