RE: new to VPN
At 10:35 AM -0800 2/3/03, John Lindal wrote:
>>>Several leading VPN hardware vendors are working with those who
>>>specialize in host-based security to ensure that the host configurations
>>>have not been altered to infect the host with a virus/Trojan. These
>>>secure VPN boxes were serving as a conduit to spread viruses and Trojans
>>>and wreaking havoc on corporate security.
>>
>> There are lots of means by which malicious code can be introduced into a
>> host. Transit via an IPsec SA is one choice, but so is transit via an SSL
>> connection, an S-MIME e-mail attachment, etc. The issue is where the
>> secure communication path is terminated, and this is where it can be
>> examined for malicious code. The use of hardware or software devices
>> along the path is immaterial to the fundamental issue here.
>
>You've hit the nail on the head.
>
>I think the misunderstanding in this discussion stems from the fact that
>all commercial hardware implementations are gateway based. When somebody
>asks about "hardware vs software," as in the post that started this thread,
>they are actually asking the question of "gateway-based vs. end-to-end."
>
>As you implied, end-to-end security is far superior to gateway-based
>solutions. In fact, I've noticed many companies have started to falsely
>advertise end-to-end security these days in order to jump on the bandwagon
>which we at Trlokom helped get rolling :)
>
I thought some vendors have offered individual host IPsec products in
the past, e.g., IPsec on a NIC products. But maybe I misremembered.
We certainly agree that in many instances it is preferable to
maintain an SA all the way to the target host, vs. terminating it at
a security gateway. But, this is not always true; it depends on the
perceived threat.
As for bandwagon jumping, I'll just note that BBN built the first
end-to-end packet net encryption devices for DARPA in the mid-1970s.
They were placed in front of individual hosts, used a KDC for key
management, and no, they didn't use a general purpose OS.
Steve