
Re: ISAKMP gateway function



   Date: Tue, 2 Dec 1997 13:38:33 -0500 (EST)
   From: "M.C.Nelson" <netsec@panix.com>

   This question from Michael Giniger touches on one of the things that I
   have never understood about the IPSEC security architecture.  It seems
   that 68-80% of the attacks for which encryption would provide some
   protection are on the local network.  The classic example, of course, is
   sniffing a password on LAN #1, for a machine on LAN #2, while the machine
   on LAN #2 is being accessed by a user on LAN #1.  Imagine that you are
   operating LAN #2, that you are required to allow access from other LANs,
   and that you have no way of enforcing end-to-end encryption on the
   other LANs.  Is there something in the current IPSEC documents that
   answers this?

IPSEC can also be used in a host-to-host mode, which is a far better mode
to use due to the end-to-end arguments that you cite.

The problem is that for many companies, it's much cheaper to simply put
up a firewall and hope that all of the bad guys are on the outside
of the firewall.  IPSEC is designed to work either in the end-host or in
a security gateway.

						- Ted
