
Re: ipsec through firewalls (was re:INITIAL-CONTACT issues)

A VPN connection is, fundamentally, a (virtual) wire.  Where you terminate
that wire, relative to your firewall, depends on the characteristics of
the other end.  Is it fully trusted?  Is it secure from other intrusions,
including those coming in from the Internet if the ipsec setup doesn't
fully block them?  In such cases, you terminate it inside the firewall.
If it's someone you don't want to let all the way in, you terminate it
outside (for some value of "outside") the firewall, or you integrate your
ipsec endpoint with a firewall that can make access decisions based on
certificate name rather than IP address.

But the real question that has to be answered first is how much you trust
the remote endpoint.
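
The post's alternative to terminating inside the firewall is an ipsec endpoint integrated with a firewall that keys its access decisions on the peer's certificate name rather than its IP address. The following is an added illustration, not code from the original post or from any IPsec implementation: a small policy evaluator that takes the identity the IKE layer proved via the peer certificate and checks it against per-identity rules, beside an address-keyed policy of the kind the post argues against. The peer names, addresses, networks and ports are constructed sample values.

```python
"""
Added example (not part of the original post): firewall access decisions keyed
on the IPsec peer's authenticated certificate name versus on its IP address.
All identities, addresses and rules below are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Peer:
    """What the IKE layer hands the firewall once a tunnel is up."""
    addr: str                 # tunnel endpoint address: may change or be shared (NAT)
    cert_cn: Optional[str]    # subject CN proven by the peer's certificate; None if not authenticated


# Identity-keyed policy (constructed): authenticated CN -> (allowed destination nets, allowed ports)
IDENTITY_POLICY = {
    "branch-router.example.net": ([ip_network("10.1.0.0/16")], {22, 80, 443}),
    "partner-gw.partner.example": ([ip_network("10.9.9.0/24")], {443}),
}

# Address-keyed policy (constructed): tunnel endpoint address -> allowed destination nets
ADDRESS_POLICY = {
    "203.0.113.10": [ip_network("10.1.0.0/16")],
}


def allow_by_identity(peer: Peer, dst: str, dport: int) -> bool:
    """Decide on the certificate name: an unauthenticated or unknown peer gets nothing,
    a known peer gets exactly the networks and ports its identity is entitled to."""
    if peer.cert_cn is None:
        return False
    rule = IDENTITY_POLICY.get(peer.cert_cn)
    if rule is None:
        return False
    nets, ports = rule
    return dport in ports and any(ip_address(dst) in net for net in nets)


def allow_by_address(peer: Peer, dst: str, dport: int) -> bool:
    """Decide on the endpoint address only. Whoever arrives from a listed address,
    authenticated or not, inherits that address's entitlements."""
    nets = ADDRESS_POLICY.get(peer.addr, [])
    return any(ip_address(dst) in net for net in nets)


if __name__ == "__main__":
    # Two different peers showing up from the same endpoint address (e.g. behind one NAT).
    branch = Peer("203.0.113.10", "branch-router.example.net")
    partner = Peer("203.0.113.10", "partner-gw.partner.example")
    for peer in (branch, partner):
        print(peer.cert_cn, "-> 10.1.2.3:443",
              "identity:", allow_by_identity(peer, "10.1.2.3", 443),
              "address:", allow_by_address(peer, "10.1.2.3", 443))
```

The address-keyed policy cannot tell the two peers apart, so the partner gateway inherits the branch router's reach into 10.1.0.0/16; the identity-keyed policy confines each peer to what its certificate name is entitled to, which is what lets a less-trusted tunnel terminate at the firewall without being let "all the way in".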