Re: IPSec and Filtering Question?

>>If one wishes to filter in just one place in a security
>>gateway, the secure side (where the packets are plaintext and their
>>innards are visible) would seem the right place to do it.  So packets
>>bound for the insecure side get filtered before they enter IPSEC, and
>>packets bound for the secure side get filtered after they emerge from
>>IPSEC. 

If the filtering is applied before IPSEC on packets bound for the insecure side,
won't the filtering rules block the packets even though there is an SA to that destination?

For example, I want to block all FTP traffic from the secure side to the insecure side (internet)
and allow only the IPSEC packets to go to the insecure side.

Now I want the FTP traffic to go through the IPSec tunnel to the other security gateway. Here, if filtering
is applied first and then IPSEC, then all the FTP traffic gets blocked. On the other hand, if
IPSEC is applied first and then filtering, then only non-IPSEC FTP packets get dropped.

Any suggestions on this issue?

thanks
umesh
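The scenario in the question can be modelled directly: a packet filter placed before tunnel-mode IPsec sees the inner (plaintext) headers, a filter placed after it sees only ESP between the two gateways. The following is an added example, not code from the original thread; the gateway addresses, protected networks, simplified SPD and rule tables are constructed for illustration. It compares three placements: the filter written exactly as the question states it ("block FTP, allow only IPsec") before IPsec, the same filter after IPsec, and a two-stage arrangement where the pre-IPsec filter uses the inner destination to decide whether FTP may enter the tunnel and a post-IPsec filter confines what leaves the insecure interface to ESP and IKE.

```python
"""Outbound handling in a security gateway: where a packet filter sits relative
to IPsec tunnel-mode encapsulation determines what it can see and decide on.
All addresses, networks and rule tables are constructed sample values."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "esp"
    dport: Optional[int] = None


# Constructed topology: our gateway protects SECURE_NET, the peer protects REMOTE_NET.
SECURE_NET = ip_network("10.1.0.0/16")
REMOTE_NET = ip_network("10.2.0.0/16")
OUR_GW, PEER_GW = "203.0.113.1", "203.0.113.2"   # RFC 5737 documentation addresses
ANY = ip_network("0.0.0.0/0")


def ipsec_outbound(pkt: Packet) -> Packet:
    """Simplified SPD: anything for REMOTE_NET is tunnelled in ESP to PEER_GW, after
    which the inner headers are no longer visible. Everything else bypasses IPsec."""
    if ip_address(pkt.dst) in REMOTE_NET:
        return Packet(src=OUR_GW, dst=PEER_GW, proto="esp")
    return pkt


@dataclass(frozen=True)
class Rule:
    proto: Optional[str]        # None matches any protocol
    dport: Optional[int]        # None matches any destination port
    dst: object                 # an ip_network the destination must fall in
    action: str                 # "pass" or "drop"


def first_match(rules, pkt: Packet, default: str = "drop") -> str:
    """First-match evaluation with a default-deny policy."""
    for r in rules:
        if r.proto is not None and r.proto != pkt.proto:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        if ip_address(pkt.dst) not in r.dst:
            continue
        return r.action
    return default


# The rules as the question phrases them: block FTP, allow only IPsec out.
NAIVE_RULES = [
    Rule("tcp", 21, ANY, "drop"),
    Rule("esp", None, ANY, "pass"),
]

# Rules for a filter placed BEFORE IPsec, where inner addresses are visible:
# FTP is allowed only when it is headed for the peer's protected net (it will be
# tunnelled); telnet is refused even into the tunnel; other traffic to the peer
# net passes; everything else falls to the default deny.
INNER_RULES = [
    Rule("tcp", 21, REMOTE_NET, "pass"),
    Rule("tcp", 21, ANY, "drop"),
    Rule("tcp", 23, ANY, "drop"),
    Rule(None, None, REMOTE_NET, "pass"),
]

# Rules for the insecure-side interface AFTER IPsec: only ESP and IKE leave in clear.
OUTER_RULES = [
    Rule("esp", None, ANY, "pass"),
    Rule("udp", 500, ANY, "pass"),
]


def filter_then_ipsec(pkt: Packet, rules) -> Optional[Packet]:
    """Single filter applied on the plaintext side, before encapsulation."""
    return None if first_match(rules, pkt) == "drop" else ipsec_outbound(pkt)


def ipsec_then_filter(pkt: Packet, rules) -> Optional[Packet]:
    """Single filter applied on the insecure side, after encapsulation."""
    out = ipsec_outbound(pkt)
    return None if first_match(rules, out) == "drop" else out


def two_stage(pkt: Packet) -> Optional[Packet]:
    """Inner-aware filter before IPsec plus an outer filter after it."""
    if first_match(INNER_RULES, pkt) == "drop":
        return None
    out = ipsec_outbound(pkt)
    return None if first_match(OUTER_RULES, out) == "drop" else out


# Constructed sample traffic from a host on the secure side.
FTP_TO_PEER = Packet("10.1.0.5", "10.2.0.9", "tcp", 21)          # should ride the tunnel
FTP_TO_INTERNET = Packet("10.1.0.5", "198.51.100.7", "tcp", 21)  # should be dropped
TELNET_TO_PEER = Packet("10.1.0.5", "10.2.0.9", "tcp", 23)       # policy says no telnet

if __name__ == "__main__":
    placements = [
        ("filter then IPsec, naive rules", lambda p: filter_then_ipsec(p, NAIVE_RULES)),
        ("IPsec then filter, naive rules", lambda p: ipsec_then_filter(p, NAIVE_RULES)),
        ("two-stage", two_stage),
    ]
    for name, fn in placements:
        for pkt in (FTP_TO_PEER, FTP_TO_INTERNET, TELNET_TO_PEER):
            print(f"{name:32} {pkt.proto}/{pkt.dport} -> {pkt.dst:14} => {fn(pkt)}")
```

Running it reproduces both observations from the question: with the naive rules before IPsec, the FTP that was meant for the tunnel is dropped; with the same rules after IPsec, only the clear-text FTP is dropped. The two-stage model shows what the quoted remark is getting at: because the pre-IPsec filter sees the inner headers it can tell "FTP to the peer's net" from "FTP to the internet", and it can also refuse telnet into the tunnel, which the post-IPsec filter cannot do since every tunnelled packet looks like the same ESP flow. The outer filter then enforces that nothing but ESP and IKE leaves the insecure interface.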