Firewall Wizards mailing list archives
Re: tunnel vs open a hole
From: Frederick M Avolio <fred () avolio com>
Date: Wed, 09 Apr 2003 10:40:38 -0400
At 04:25 PM 4/8/2003 -0400, Dave Piscitello wrote:
> At 03:07 PM 4/8/2003 -0400, Frederick M Avolio wrote:
> > Of course, encryption exacerbates the problem. :-) We can then gain a tremendously high level of assurance that Dave Piscitello did something over SSL to a particular IP address from a particular IP address.
>
> This "opaque tunnel is worse than a cleartext channel" argument is tiresome.

Calling it "tiresome" is an old debating trick. :-) I didn't say it was worse (although, of course, it is) (Note, I employ debating trick: proof by assertion). I said that it didn't address Marcus' comment about granularity in control. It adds authentication. On top of that, you are trusting the end application to secure itself. We know that doesn't usually work (c.f., Netscape or IE and Java). Also, the end application does not know that the traffic was in an IPSEC tunnel, so cannot make use of that "knowledge."
But, anyway, you (Dave) and I agree on all of this. VPNs are good, firewalls are good, but both must be properly deployed. We also agree that encrypted tunnels of any kind do not add much to prevent abuse of the end application, except having higher assurance of the attacker's identity. My only point was the obvious one -- and it was aimed at the non-wizards on this list: just because it is encrypted and authenticated doesn't mean you can trust it. Also, wanting application-level checking in a firewall while allowing encrypted connections through it are mutually exclusive (assuming a firewall that doesn't have a real, SSL proxy -- the kind that the moderator kept asking for in his previous job).
Fred

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards