
Re: ipsec vs. firewalls



> > The problem is that for a corporate network of any substantial
> >   size, there will *never* be a way to make the interior crunchy.
> 
> Eventually, I believe it is reasonable to expect that vendors will
> automate patch application, and that patches will be obtained from the
> vendor over the network...

Perry has already pointed out that big outfits with mission-critical
applications want to vet new software releases very carefully.  Even
less-fussy organizations often want to do updates in a controlled way,
because changes and new releases so often have unwanted side effects.
(Auto-update schemes would be more acceptable to many users if the
software suppliers weren't such bungling incompetents half the time.)

To say nothing of the security implications of having your binary-only
software going off and doing unspecified things over the network without
being asked...  "Trust us, it's for your own good."  Yeah, right.  One
of the reasons why firewall configurations often restrict outgoing calls,
as well as incoming ones, is distrust of software suppliers.

                                                          Henry Spencer
                                                       henry@spsystems.net
                                                     (henry@zoo.toronto.edu)





