
Re: linux-ipsec: VS: IP tunnel over a NAT (IP masq) possible ?



On stardate Mon, Jul 19, 1999 at 02:18:55PM +0300, Pekka Turunen wrote:
[snip]
> The FireSeal system consists of two main components. The Client component
> works as a part of the IPSec - or any other security application, inside the
> company network boundaries, whereas the server component is attached to the
> firewall. The process of controlling secured network traffic can be divided
> into three steps:
> 
> 1. The client part of FireSeal sends parameters concerning the connection to
> the firewall (IP address, protocol used etc.).
> 
> 2. The firewall decides if the connection is allowed (the firewall's normal
> control mechanisms are used). If the connection is accepted then the firewall
> sends to the client the needed parameters for the connection (i.e. the NAT
> transform parameters and a SPI number, which identifies the approved
> connection).
> 
> 3. The client does the NAT transformation and sends the data. The data
> passes through the firewall if the SPI matches the ones in firewall.
> 
> I.e. the firewall can use its normal policies to decide, whether or not to
> let the traffic pass through. In regard to applications needing secure
> communications, FireSeal is completely invisible.


Well, if I understand this right you do not add security at all, strictly
speaking. You do trust the client part of FireSeal, and the client. If the
client claims to send traffic type A and the firewall allows that, and the 
client lied and sends something else in encrypted packets the firewall has
no chance to control that. Also you delegate NAT transformations etc. to the
client. 

If I make a firewall I don't trust anything else, esp. not "inside" users, 
local machines. Most security problems (80-90%) come from within the
"trusted" local network.

As John already pointed out he is working on NAT for IPSec traffic, but
if you look up the thread from about 7 weeks ago there are severe
limitations on the use. If you are interested I can send you an excerpt
of my thesis where the problem is analysed, but John's Howto also
mentions the problems, as well as the thread on this mailinglist where
we discussed it in length.

Olaf  


-- 
"The number of Unix installations       Olaf Schnapauff,
has grown to 10, with more expected."   O.Schnapauff@tu-bs.de  
- The Unix Programmer's Manual,1972     http://www.tu-bs.de/~c0033014/
       See Web page and keyservers  for pgp public key
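The three-step exchange quoted above, and the trust gap Olaf points at, as an added toy model that is not FireSeal's code nor anything from this list: the class names, the reduction of the NAT transform to a source-address rewrite, and the addresses are all constructed for the illustration. The firewall side (`FireSealServer`) applies its policy only to what the client declares in step 1 and, in step 3, checks only the SPI on each packet; the payload is opaque ciphertext, so what it records about a connection is the declaration, never the traffic.

```python
"""Toy model of the FireSeal client/server exchange (illustration only;
names, NAT handling and addresses are assumptions, not FireSeal's design)."""
import secrets
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    spi: int          # identifies the approved connection
    payload: bytes    # encrypted by the client; opaque to the firewall


class FireSealServer:
    """Firewall-side component: sees the declared parameters (step 1/2)
    and the SPI on each packet (step 3), nothing else."""

    def __init__(self, public_ip, policy):
        self.public_ip = public_ip
        self.policy = set(policy)       # allowed (dst, proto) pairs
        self.approved = {}              # spi -> (client_ip, dst, declared proto)
        self.log = []

    def request(self, client_ip, dst, proto):
        """Steps 1 and 2: normal policy check on the client's declaration."""
        if (dst, proto) not in self.policy:
            self.log.append(f"DENY request {client_ip}->{dst} {proto}")
            return None
        spi = secrets.randbits(32)
        self.approved[spi] = (client_ip, dst, proto)
        self.log.append(f"ALLOW request {client_ip}->{dst} {proto} spi={spi:#x}")
        # NAT transform parameters; the client applies them itself
        return {"spi": spi, "nat_src": self.public_ip}

    def forward(self, pkt):
        """Step 3: pass if the SPI matches an approved connection.
        The ciphertext is not inspected because it cannot be."""
        entry = self.approved.get(pkt.spi)
        if entry is None or pkt.dst != entry[1] or pkt.src != self.public_ip:
            self.log.append(f"DROP spi={pkt.spi:#x} -> {pkt.dst}")
            return False
        self.log.append(f"PASS spi={pkt.spi:#x} -> {pkt.dst} (declared {entry[2]})")
        return True

    def classify(self, pkt):
        """What the firewall believes a packet carries: only the declaration."""
        entry = self.approved.get(pkt.spi)
        return entry[2] if entry else None


class FireSealClient:
    """Client-side component inside the 'trusted' network."""

    def __init__(self, ip):
        self.ip = ip
        self.params = None
        self.dst = None

    def connect(self, server, dst, proto):
        self.dst = dst
        self.params = server.request(self.ip, dst, proto)
        return self.params is not None

    def send(self, payload):
        # The client performs the NAT transform itself (step 3)
        p = self.params
        return Packet(src=p["nat_src"], dst=self.dst, spi=p["spi"], payload=payload)


def demo():
    # Constructed documentation addresses; policy allows only https to one host
    fw = FireSealServer("203.0.113.1", policy={("198.51.100.10", "https")})
    c = FireSealClient("10.0.0.5")
    results = {}
    # A declaration the policy rejects is refused at step 2
    results["ssh_request"] = c.connect(fw, "198.51.100.10", "ssh")
    # A declaration the policy accepts yields an SPI and NAT parameters
    results["https_request"] = c.connect(fw, "198.51.100.10", "https")
    # Anything sent under that SPI passes; the firewall's classification of
    # the packet is the step-1 declaration, independent of the payload
    pkt = c.send(b"<ciphertext of unknown content>")
    results["forwarded"] = fw.forward(pkt)
    results["classified_as"] = fw.classify(pkt)
    # An SPI that was never approved is dropped
    results["unknown_spi"] = fw.forward(Packet(fw.public_ip, "198.51.100.10", 0, b"x"))
    return results


if __name__ == "__main__":
    for line in demo().items():
        print(line)
```

The point of the model is the `classify` method: the only thing the firewall can attach to a forwarded packet is the protocol the client declared, so the "normal policy" is enforced against a claim, and the actual policy decision has moved to the client host. Defending the perimeter then requires either terminating the IPsec tunnel on the firewall, where plaintext policy can apply, or treating the client component as part of the firewall's trusted computing base.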


