Re: ISAKMP gateway function
Date: Tue, 2 Dec 1997 13:38:33 -0500 (EST)
From: "M.C.Nelson" <netsec@panix.com>
> This question from Michael Giniger touches on one of the things that I
> have never understood about the IPSEC security architecture. It seems
> that 68-80% of the attacks for which encryption would provide some
> protection are on the local network. The classic example, of course, is
> sniffing a password on LAN #1, for a machine on LAN #2, while the machine
> on LAN #2 is being accessed by a user on LAN #1. Imagine that you are
> operating LAN #2, that you are required to allow access from other LANs,
> and that you have no way of enforcing end-to-end encryption on the
> other LANs. Is there something in the current IPSEC documents that
> answers this?
IPSEC can also be used in a host-to-host mode, which is a far better mode
to use due to the end-to-end arguments that you cite.

The problem is that for many companies, it's much cheaper to simply put
up a firewall and hope that all of the bad guys are on the outside
of the firewall. IPSEC is designed to work either in the end-host or in
a security gateway.
- Ted
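The point of the exchange above is which segments of the path still carry cleartext when IPsec terminates at a security gateway rather than at the end host. The following model is an added illustration, not code from the original message or from any IPsec implementation; the hop names (host-a, gw1, transit, and so on) are constructed for the example, and "protection" is modeled simply as the span between the two nodes that terminate the security association.

```python
"""Model which segments of a path carry a cleartext payload depending on
where the IPsec security association (SA) is terminated.

Added illustration; all node names below are constructed for the example.
"""

# Constructed path: a user on LAN #1 reaching a server on LAN #2 through
# two security gateways and an untrusted transit network in between.
PATH = ["host-a", "lan1-switch", "gw1", "transit", "gw2", "lan2-switch", "host-b"]

# Segments that belong to the two local networks (where the original poster
# places most of the attacks that encryption could have prevented).
LAN_NODES = {"host-a", "lan1-switch", "gw1", "gw2", "lan2-switch", "host-b"}


def segments(path):
    """Consecutive (src, dst) hops along the path."""
    return list(zip(path, path[1:]))


def exposed_segments(path, sa_endpoints):
    """Return the segments on which the payload travels in cleartext when an
    SA is established between the two named nodes.

    Hops strictly between the SA endpoints are protected by ESP; every hop
    before the first endpoint or after the second is not covered at all.
    """
    first, second = sorted(path.index(n) for n in sa_endpoints)
    exposed = []
    for i, hop in enumerate(segments(path)):
        # segment i connects path[i] to path[i + 1]; it is protected only
        # when both ends lie inside the SA span [first, second]
        if not (first <= i < second):
            exposed.append(hop)
    return exposed


def exposed_lan_segments(path, sa_endpoints, lan_nodes=LAN_NODES):
    """Subset of the exposed segments that lie entirely on a local network,
    i.e. the ones a sniffer on LAN #1 or LAN #2 could read."""
    return [
        (src, dst)
        for src, dst in exposed_segments(path, sa_endpoints)
        if src in lan_nodes and dst in lan_nodes
    ]


def compare_modes(path=PATH):
    """Number of cleartext LAN segments for the two deployments Ted contrasts:
    a gateway-to-gateway tunnel versus a host-to-host SA."""
    return {
        "gateway-to-gateway": len(exposed_lan_segments(path, ("gw1", "gw2"))),
        "host-to-host": len(exposed_lan_segments(path, ("host-a", "host-b"))),
    }


if __name__ == "__main__":
    for mode, endpoints in (("gateway-to-gateway", ("gw1", "gw2")),
                            ("host-to-host", ("host-a", "host-b"))):
        print(mode, "cleartext segments:", exposed_segments(PATH, endpoints))
    print(compare_modes())
```

With the gateways as SA endpoints, both LAN legs (four segments in this model) remain cleartext, which is exactly the password-sniffing case in the quoted question; terminating the SA on the hosts themselves leaves no cleartext segment. The same function also covers the intermediate case of an SA between a remote host and the far gateway, which protects LAN #1 but still leaves LAN #2 exposed.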