
Re: Corner-case question



> > If I have per-route policy, I have routing tables that look like:
>             ^^^^^^^^^^^^^^^^ -- read "specific implementation"

Ahhh, okay.  But I did say the same problem could occur otherwise.
Anyway...

> If you allow any machines outside your network to contact your
> encrypting gateway without security, how can you claim to have any
> security at all (much less total security)?

Apart from the obvious bypass required for key mgmt., that encrypting gateway
*may* serve many purposes.  It may be the small company's web server, DNS
server, anonymous FTP drop point, AND the encrypting firewall.  That machine
can be contacted in the clear (i.e. as a host), but to get to anything ELSE
on that net, I have to have the inbound packets be secured.  That's not
unreasonable to expect.

I also specifically said (and if I didn't, I apologize) that it's a
single-address machine for my example, therefore it has ONE point of network
attachment.  To have ONE point of attachment means I'd have to tell the
router that goes to the outside that for my internal network all inbound
packets go through my box.

It's a bit of a convoluted example, but I think my question has been answered
satisfactorily.

Dan
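The inbound policy Dan describes, written out as an added illustration that is not part of the thread: the gateway may be reached in the clear as a host (web, DNS, anonymous FTP), key management must bypass the requirement, and anything else on the internal net has to arrive under ESP or AH. Addresses, the service list and the key-management port are assumptions chosen for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing (assumption): the gateway's single address and the
# internal network that the outside router forwards through it.
GATEWAY_ADDR = ipaddress.ip_address("192.0.2.1")
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")

# Services the gateway offers "as a host" in the clear (assumed ports).
CLEAR_HOST_SERVICES = {("tcp", 80), ("tcp", 53), ("udp", 53), ("tcp", 21)}

# Key-management traffic (ISAKMP/IKE on UDP 500) has to bypass the
# IPsec requirement, otherwise no security association could be set up.
KEY_MGMT = {("udp", 500)}


@dataclass
class Packet:
    dst: str
    proto: str        # "tcp", "udp", "esp" or "ah"
    dport: int = 0    # 0 for esp/ah, which carry no port


def inbound_decision(pkt: Packet) -> str:
    """Return "accept" or "drop" for one inbound packet under the policy."""
    dst = ipaddress.ip_address(pkt.dst)
    secured = pkt.proto in ("esp", "ah")
    if dst == GATEWAY_ADDR:
        # Secured traffic to the gateway covers tunnel-mode SAs terminating
        # here on behalf of internal hosts, so it is always allowed in.
        if secured:
            return "accept"
        if (pkt.proto, pkt.dport) in KEY_MGMT:
            return "accept"       # key-management bypass
        if (pkt.proto, pkt.dport) in CLEAR_HOST_SERVICES:
            return "accept"       # gateway contacted as a plain host
        return "drop"             # any other clear-text service is refused
    if dst in INTERNAL_NET:
        # Anything ELSE on the net: only transport-mode ESP/AH gets through.
        return "accept" if secured else "drop"
    return "drop"                 # not destined for this network at all


if __name__ == "__main__":
    for p in (Packet("192.0.2.1", "tcp", 80), Packet("192.0.2.42", "tcp", 80),
              Packet("192.0.2.42", "esp"), Packet("192.0.2.1", "udp", 500)):
        print(p, "->", inbound_decision(p))
```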

