
RE: ipsec through firewalls (was re:INITIAL-CONTACT issues)



On Mon, 10 May 1999, Waters, Stephen wrote:
> I know it is a leap of faith, but folk will just have to get used to
> trusting their IPSEC security gateways.  If you can get that far, then you
> don't need a Firewall for the IPSEC tunnel traffic, so you don't have to
> poke holes.

Alas, it is not that easy.  If the IPSEC is being done by a well-run
security gateway, which is itself careful about what gets sent (i.e., it
is itself functioning as a firewall), that may be okay.  But that won't
always be the case... and as a result, there are two problems:

1. You may want to know whether the IPSEC is being done right.  Careful
efforts to keep your networking secure aren't going to do very much good
if some twit is sending company-confidential traffic encrypted with 
Microsoft's 40-bit DES.

2. You may want to know what's flowing through those tunnels.  Firewall
operators nowadays are often almost as worried about what's inside the
firewall as about what's outside.  (The problem is not the users, but the
people who wrote the users' software.)

A place that has serious concerns about either of these issues is just
going to have to mandate use of IPSEC proxies on the firewalls:  you don't
get to make an encrypted end-to-end tunnel through the firewall, you make
a tunnel to the firewall and it makes one the rest of the way. 

                                                          Henry Spencer
                                                       henry@spsystems.net
                                                     (henry@zoo.toronto.edu)
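
Point 1 in the message above is a check that a gateway terminating the tunnel can enforce on the transforms it is offered. As an added example (not part of the original message), this Python code decodes the attribute bytes of an IKE phase 1 transform, using the attribute format from RFC 2408 and the classes and values from RFC 2409 Appendix A, and rejects weak encryption. The 112-bit floor, the function names and the sample bytes are assumptions constructed for illustration.

```python
import struct

# IKE phase 1 attribute classes and cipher values from RFC 2409 Appendix A.
ENCRYPTION_ALGORITHM, KEY_LENGTH = 1, 14
CIPHERS = {1: "DES-CBC", 2: "IDEA-CBC", 3: "Blowfish-CBC",
           4: "RC5-R16-B64-CBC", 5: "3DES-CBC", 6: "CAST-CBC"}
FIXED_KEY_BITS = {1: 56, 2: 128, 5: 168}   # ciphers with a single key size
MIN_KEY_BITS = 112                          # assumed local policy floor

def parse_attributes(data):
    """Decode ISAKMP data attributes (RFC 2408 section 3.3) into {type: value}."""
    attrs, off = {}, 0
    while off < len(data):
        if len(data) - off < 4:
            raise ValueError("truncated attribute header")
        word, second = struct.unpack_from("!HH", data, off)
        off += 4
        if word & 0x8000:                   # AF=1: short form, value is inline
            attrs[word & 0x7FFF] = second
        else:                               # AF=0: long form, second is a length
            if off + second > len(data):
                raise ValueError("attribute length runs past buffer")
            attrs[word] = int.from_bytes(data[off:off + second], "big")
            off += second
    return attrs

def check_transform(data):
    """Return (acceptable, reason) for one transform's attribute bytes."""
    attrs = parse_attributes(data)
    cipher = attrs.get(ENCRYPTION_ALGORITHM)
    if cipher is None:
        return False, "no encryption algorithm attribute"
    name = CIPHERS.get(cipher, "unknown cipher %d" % cipher)
    # Variable-key ciphers must state a key length; absence is rejected.
    bits = FIXED_KEY_BITS.get(cipher, attrs.get(KEY_LENGTH))
    if bits is None:
        return False, name + ": key length not stated"
    if bits < MIN_KEY_BITS:
        return False, "%s: %d-bit key below %d" % (name, bits, MIN_KEY_BITS)
    return True, "%s: %d-bit key" % (name, bits)

# Constructed sample transforms (not captured traffic): cipher, then hash or key length.
SAMPLES = {
    "des": bytes.fromhex("80010001" "80020002"),
    "blowfish40": bytes.fromhex("80010003" "800e0028"),
    "3des": bytes.fromhex("80010005" "80020002"),
}
```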



