[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: SOI QUESTIONS: 2.3 Authentication styles

To: "Chinna N.R. Pellacuru" <pcn@cisco.com>
Subject: Re: SOI QUESTIONS: 2.3 Authentication styles
From: Stephen Kent <kent@bbn.com>
Date: Fri, 21 Jun 2002 15:35:18 -0400
Cc: ipsec mailling list <ipsec@lists.tislabs.com>
In-Reply-To: <Pine.GSO.4.44.0206210835410.15498-100000@cypher.cisco.com>
References: <Pine.GSO.4.44.0206210835410.15498-100000@cypher.cisco.com>
Sender: owner-ipsec@lists.tislabs.com

At 8:37 AM -0700 6/21/02, Chinna N.R. Pellacuru wrote:
>Putting it in your own words...
>
>
>"I agree that proxy firewalls can offer better security than packet
>filtering firewalls, assuming suitable care is applied to the..."
>
>     chinna
>

yes, my own words, but still not sufficient to support your 
ill-articulated assertions. for example, in deriding simple packet 
filtering vs. other firewall access controls, you have never 
described which other firewall controls you are using as a reference. 
you also started including references to IDS, which is irrelevant to 
the discussion.

do you really not understand the difference between the poor security 
offered by a router filter which makes access control decisions based 
on packet header fields that are from an UNAUTHENTICATED souce and 
which have NO INTEGRITY PROTECTION, vs. making the same checks in an 
IPsec context where we have authenticated the source and provided 
integrity for these fields?

Steve

Follow-Ups:
- Re: SOI QUESTIONS: 2.3 Authentication styles
  - From: "Chinna N.R. Pellacuru" <pcn@cisco.com>

References:
- Re: SOI QUESTIONS: 2.3 Authentication styles
  - From: "Chinna N.R. Pellacuru" <pcn@cisco.com>

Prev by Date: RE: SOI QUESTIONS: 2.2 Perfect forward secrecy (PFS)
Next by Date: Re: SOI QUESTIONS: 2.3 Authentication styles
Prev by thread: Re: SOI QUESTIONS: 2.3 Authentication styles
Next by thread: Re: SOI QUESTIONS: 2.3 Authentication styles
Index(es):
- Date
- Thread