
Re: IPSec and Filtering Question?



> If IPSec and Firewall (filtering) are on the same box (security
> gateway), what is the order of processing for both inbound and outbound
> packets? Should the filtering rules be applied first and then IPSec?

Note that good firewalls do not have just one layer of filtering, so the
right answer is probably "both". 

However, the IPSEC SPD might be deemed sufficiently powerful to make some
of the filtering superfluous, e.g. an incoming encrypted packet from the
insecure side will face stringent checking in IPSEC anyway.  There is also
rather limited benefit in filtering encrypted packets, since so little is
known about them.  If one wishes to filter in just one place in a security
gateway, the secure side (where the packets are plaintext and their
innards are visible) would seem the right place to do it.  So packets
bound for the insecure side get filtered before they enter IPSEC, and
packets bound for the secure side get filtered after they emerge from
IPSEC. 

                                                          Henry Spencer
                                                       henry@spsystems.net
                                                     (henry@zoo.toronto.edu)
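The ordering described in the reply above, as an added illustration that is not part of the original thread: a toy security gateway in which outbound packets are filtered on the plaintext (secure) side before ESP encapsulation, and inbound packets are decapsulated and checked by IPsec first, then filtered as plaintext. The ESP "cipher" (SHA-256 counter-mode keystream plus an HMAC tag), the SPI, key, addresses and rule set are all constructed for the example; the point it demonstrates is that a filter looking at the encrypted side sees only an ESP header and cannot match rules on inner ports, while IPsec's own checks (known SPI, integrity, inbound selector match) reject traffic the filter never needs to see.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed illustration values: a toy key and SPI, not real configuration.
KEY = b"demo-key-not-for-real-use"
SPI = 0x1001


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "esp"
    dport: Optional[int] = None     # visible only on plaintext packets
    payload: bytes = b""
    spi: Optional[int] = None       # present only on ESP packets
    seq: int = 0
    ciphertext: bytes = b""         # the opaque inner packet
    icv: bytes = b""                # integrity check value


@dataclass
class Rule:
    action: str                     # "allow" or "deny"
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        # A field the packet does not expose (dport on an ESP packet) never matches.
        return all(want is None or getattr(p, name) == want
                   for name, want in (("proto", self.proto), ("dport", self.dport)))


def filter_packet(p: Packet, rules: list) -> bool:
    """First matching rule decides; no match means deny."""
    for r in rules:
        if r.matches(p):
            return r.action == "allow"
    return False


@dataclass
class SecurityAssociation:
    spi: int
    key: bytes
    tunnel_src: str
    tunnel_dst: str
    inner_dst_prefix: str           # traffic selector: plaintext destinations this SA may carry


def _keystream(sa: SecurityAssociation, seq: int, n: int) -> bytes:
    # Toy stream cipher (SHA-256 in counter mode) standing in for ESP's real cipher.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(sa.key + sa.spi.to_bytes(4, "big")
                              + seq.to_bytes(4, "big") + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def esp_encapsulate(p: Packet, sa: SecurityAssociation, seq: int) -> Packet:
    """Wrap a plaintext packet in a (toy) ESP tunnel packet between the gateways."""
    inner = f"{p.src}|{p.dst}|{p.proto}|{p.dport}|".encode() + p.payload
    ct = _xor(inner, _keystream(sa, seq, len(inner)))
    hdr = sa.spi.to_bytes(4, "big") + seq.to_bytes(4, "big")
    icv = hmac.new(sa.key, hdr + ct, hashlib.sha256).digest()
    return Packet(sa.tunnel_src, sa.tunnel_dst, "esp", spi=sa.spi, seq=seq, ciphertext=ct, icv=icv)


def esp_decapsulate(p: Packet, sa: SecurityAssociation) -> Optional[Packet]:
    """Return the inner plaintext packet, or None when IPsec itself rejects it."""
    if p.proto != "esp" or p.spi != sa.spi:
        return None                                   # no SA for this SPI
    hdr = sa.spi.to_bytes(4, "big") + p.seq.to_bytes(4, "big")
    if not hmac.compare_digest(p.icv, hmac.new(sa.key, hdr + p.ciphertext, hashlib.sha256).digest()):
        return None                                   # integrity check failed
    plain = _xor(p.ciphertext, _keystream(sa, p.seq, len(p.ciphertext)))
    src, dst, proto, dport, payload = plain.split(b"|", 4)
    inner = Packet(src.decode(), dst.decode(), proto.decode(),
                   None if dport == b"None" else int(dport), payload)
    if not inner.dst.startswith(sa.inner_dst_prefix):
        return None                                   # inbound SPD selector check
    return inner


def gateway_outbound(p: Packet, rules: list, sa: SecurityAssociation, seq: int) -> Optional[Packet]:
    """Secure -> insecure: filter the plaintext, then hand it to IPsec."""
    return esp_encapsulate(p, sa, seq) if filter_packet(p, rules) else None


def gateway_inbound(p: Packet, rules: list, sa: SecurityAssociation) -> Optional[Packet]:
    """Insecure -> secure: IPsec checks first, then filter the recovered plaintext."""
    inner = esp_decapsulate(p, sa)
    return inner if inner is not None and filter_packet(inner, rules) else None


def demo() -> dict:
    rules = [Rule("deny", proto="tcp", dport=23), Rule("allow")]   # block telnet, allow the rest
    sa = SecurityAssociation(SPI, KEY, "203.0.113.1", "203.0.113.2", "10.1.")
    telnet = Packet("10.0.0.5", "10.1.0.9", "tcp", 23, b"login")
    https = Packet("10.0.0.5", "10.1.0.9", "tcp", 443, b"GET /")
    esp_telnet = esp_encapsulate(telnet, sa, seq=7)
    tampered = esp_encapsulate(https, sa, seq=8)
    tampered.ciphertext = bytes([tampered.ciphertext[0] ^ 1]) + tampered.ciphertext[1:]
    off_selector = esp_encapsulate(Packet("10.0.0.5", "192.168.5.5", "udp", 53, b"?"), sa, seq=9)
    return {
        "outbound_telnet_blocked": gateway_outbound(telnet, rules, sa, 1) is None,
        "outbound_https_sent": gateway_outbound(https, rules, sa, 2) is not None,
        "wire_filter_passes_esp_telnet": filter_packet(esp_telnet, rules),   # rule cannot see port 23
        "inbound_telnet_blocked": gateway_inbound(esp_telnet, rules, sa) is None,
        "inbound_https_delivered": gateway_inbound(esp_encapsulate(https, sa, 3), rules, sa) is not None,
        "tampered_dropped_by_ipsec": esp_decapsulate(tampered, sa) is None,
        "off_selector_dropped_by_ipsec": esp_decapsulate(off_selector, sa) is None,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

Every entry in `demo()` comes back `True`: the same telnet rule that blocks the plaintext packet on either side of the gateway matches nothing when applied to the ESP packet on the wire, and the tampered and off-selector packets are discarded by the IPsec stage before any filter runs.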
