[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: ipsec vs. firewalls

To: "M.C.Nelson" <netsec@panix.com>, Damien Wetzel <dwetzel@iway.fr>
Subject: Re: ipsec vs. firewalls
From: Raul Miller <rdm@test.legislate.com>
Date: Fri, 8 May 1998 13:58:27 -0400
Cc: Phil Karn <karn@qualcomm.com>, ipsec@tis.com
In-Reply-To: <Pine.SUN.3.94.980508095421.13178B-100000@panix.com>; from M.C.Nelson on Fri, May 08, 1998 at 10:43:54AM -0400
Mail-Followup-To: "M.C.Nelson" <netsec@panix.com>,Damien Wetzel <dwetzel@iway.fr>, Phil Karn <karn@qualcomm.com>,ipsec@tis.com
References: <3.0.1.32.19980507104731.00949e20@mail.iway.fr> <Pine.SUN.3.94.980508095421.13178B-100000@panix.com>
Sender: owner-ipsec@ex.tis.com

M.C.Nelson <netsec@panix.com> wrote:
> Nonetheless, organization-level access control is probably an
> important security service and something like a firewall is probably
> the right way to do it. The trick is to be able to passively
> authenticate datagrams.

Not really. If you want a central administrative system the right way to
do is is establish an administrative protocol to administer corporate
entities, and establish an auditing system to detect entities so far
gone that they are invisible to the administrative protocol.

Also, you need to think quite a bit about what you're trying to achieve.
All too often, people wind up implementing something that looks like a
bank vault door mounted on a paper house with holes cut in the walls,
when what they really wanted was a wooden house with glass windows and
latches on the doors.

-- 
Raul

References:

Re: ipsec vs. firewalls

From: Damien Wetzel <dwetzel@iway.fr>

Re: ipsec vs. firewalls

From: "M.C.Nelson" <netsec@panix.com>

Prev by Date: Re: 3DES (was: ipsec vs. firewalls)
Next by Date: certificate key usage in IKE
Prev by thread: Re: ipsec vs. firewalls
Next by thread: Re: ipsec vs. firewalls
Index(es):
- Main
- Thread