
Re: SOI QUESTIONS: 2.3 Authentication styles



On Thu, 20 Jun 2002, Paul Koning wrote:

> Excerpt of message (sent 19 June 2002) by Chinna N.R. Pellacuru:
> > As I saw it, a minority of implementors who build high end security
> > gateways, complained about not just the value of minimal access control in
> > IPsec, but also about the inefficiency of doing this in IPsec and having
> > to do it in the firewall feature processing anyway (because firewall
> > provides extensive and true access control and intrusion detection).
>
> As one who worked on a product that arguably fits in this category,
> I'd have to disagree.  There certainly is overlap between the
> classification processes done in IPsec, in firewalls, in traffic
> managers, and so on.  That doesn't mean things have to be
> inefficient.  Instead, it means you have the opportunity to provide
> all three functions through a single classification step.  That
> requires more care in implementation, but it certainly is possible.
>
> 	 paul
>

Because we do the packet classification once, we test the result in
multiple places and that is not inefficient. Someone has to sync the
policies of all these modules so that the policies of all the modules play
nicely with every other module that does the exact same functionality. I
think these assumptions are lacking practical experience and large scale
deployment headaches.

    chinna
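To make the two positions in this exchange concrete, here is an added example (not code from either poster or from any product): a single first-match classification that hands every module its verdict at once, beside a check that finds flows where separately maintained IPsec SPD and firewall tables have drifted apart. All selectors, addresses and table contents are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Selector:
    src: str                 # CIDR
    dst: str                 # CIDR
    proto: Optional[int]     # None = any protocol
    dport: Optional[int]     # None = any destination port

    def matches(self, src: str, dst: str, proto: int, dport: int) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.proto in (None, proto)
                and self.dport in (None, dport))

def first_match(table, pkt, default):
    """Ordered first-match lookup over a list of (Selector, action) entries."""
    for sel, action in table:
        if sel.matches(*pkt):
            return action
    return default

def classify_once(combined, pkt):
    """One classification step: the matched entry already carries the
    IPsec, firewall and traffic-class verdicts, so no module re-classifies."""
    return first_match(combined, pkt,
                       {"ipsec": "DISCARD", "fw": "DROP", "qos": "best-effort"})

def find_conflicts(spd, fw, probes):
    """Separately maintained SPD and firewall tables: flag probe flows where
    IPsec would pass (PROTECT/BYPASS) the traffic but the firewall drops it,
    or the firewall accepts what the SPD discards."""
    conflicts = []
    for pkt in probes:
        ipsec = first_match(spd, pkt, "DISCARD")
        fw_verdict = first_match(fw, pkt, "DROP")
        if (ipsec in ("PROTECT", "BYPASS")) != (fw_verdict == "ACCEPT"):
            conflicts.append((pkt, ipsec, fw_verdict))
    return conflicts

# Constructed sample tables (hypothetical site: 10.1/16 talks to 10.2/16).
SPD = [(Selector("10.1.0.0/16", "10.2.0.0/16", None, None), "PROTECT"),
       (Selector("0.0.0.0/0", "0.0.0.0/0", None, None), "DISCARD")]
FW = [(Selector("10.1.0.0/16", "10.2.0.0/16", 6, 22), "DROP"),   # blocked in firewall only
      (Selector("10.1.0.0/16", "10.2.0.0/16", None, None), "ACCEPT"),
      (Selector("0.0.0.0/0", "0.0.0.0/0", None, None), "DROP")]
COMBINED = [(Selector("10.1.0.0/16", "10.2.0.0/16", 6, 22),
             {"ipsec": "DISCARD", "fw": "DROP", "qos": "none"}),
            (Selector("10.1.0.0/16", "10.2.0.0/16", None, None),
             {"ipsec": "PROTECT", "fw": "ACCEPT", "qos": "gold"})]
PROBES = [("10.1.0.5", "10.2.0.9", 6, 22), ("10.1.0.5", "10.2.0.9", 6, 443),
          ("192.0.2.1", "10.2.0.9", 6, 80)]
```

Running `find_conflicts(SPD, FW, PROBES)` reports the port-22 flow that the SPD would encrypt and the firewall would then drop, which is exactly the wasted work and policy drift the reply complains about.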