
RE: new to VPN



At 10:35 AM -0800 2/3/03, John Lindal wrote:
>>>Several leading VPN hardware vendors are working with those who
>>>specialize in host-based security to ensure that the host configurations
>>>have not been altered to infect the host with a virus/Trojan. These
>>>secure VPN boxes were serving as a conduit to spread viruses and Trojans
>>>and wreaking havoc on corporate security.
>>
>>  There are lots of means by which malicious code can be introduced into a
>>  host. Transit via an IPsec SA is one choice, but so is transit via an SSL
>>  connection, an S/MIME e-mail attachment, etc. The issue is where the
>>  secure communication path is terminated, and this is where it can be
>>  examined for malicious code. The use of hardware or software devices
>>  along the path is immaterial to the fundamental issue here.
>
>You've hit the nail on the head.
>
>I think the misunderstanding in this discussion stems from the fact that
>all commercial hardware implementations are gateway based.  When somebody
>asks about "hardware vs software," as in the post that started this thread,
>they are actually asking the question of "gateway-based vs. end-to-end."
>
>As you implied, end-to-end security is far superior to gateway-based
>solutions.  In fact, I've noticed many companies have started to falsely
>advertise end-to-end security these days in order to jump on the bandwagon
>which we at Trlokom helped get rolling :)
>
I thought some vendors had offered individual host IPsec products in
the past, e.g., IPsec-on-a-NIC products. But maybe I misremembered.

We certainly agree that in many instances it is preferable to
maintain an SA all the way to the target host, vs. terminating it at
a security gateway. But this is not always true; it depends on the
perceived threat.

As for bandwagon jumping, I'll just note that BBN built the first
end-to-end packet net encryption devices for DARPA in the mid-1970s.
They were placed in front of individual hosts, used a KDC for key
management, and no, they didn't use a general-purpose OS.

Steve