At 04:24 PM 4/8/2003 -0400, you wrote:
>There is one advantage of an IPSEC VPN in this sort of circumstance which
>narrows the "zones of insecurity" somewhat.
It's both advantageous and disadvantageous - IPsec creates
network connections - a client or remote LAN joins your LAN environment.
>One can create SA's and SPI's which more tightly specify which network
>entities can communicate through this sort of "tunnel".
But IPsec selectors only have IP header and UDP/Port access control
granularity - IPsec gateways can specify a host and service, but can't control
access at the application data object level.
>In addition to the benefit of authentication, one does have the ability to
>perform more specifically tuned tunneling than one would achieve by using
>the http proxy on a firewall which as so many have noted is just an open
>hole.
SSL VPN appliances allow you to do even more of the kind of granular
security policy you mention for IPsec, above the "network connection"
level, so you can set host/url/folder/file permissions per user. Most of
these appliances "webify" network file shares and have client-side
Java applets to facilitate thin-client, terminal-services and green-screen apps.
>None of the above means I think a generalized IPSEC VPN solution is
>necessarily better than Anton's alternative of "opening another port" in the
>context which has evolved in this thread. Rather, no one has offered the
>benefits of this approach, which can also offer authorization as part of the
>implementation and can therefore be a suitable solution for certain
>requirements.
Well, I began the (ahem) exchange.
David M. Piscitello
Core Competence, Inc. &
3 Myrtle Bank Lane
Hilton Head, SC 29926
dave_at_corecom.com
843.689.5595
www.corecom.com
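The granularity gap discussed above, as an added example that is not part of the thread: an RFC 4301-style IPsec selector (addresses, protocol, port) evaluated next to an application-layer ACL of the kind an SSL VPN gateway applies (user plus URL path). The policies, addresses, users and paths are constructed for illustration; note that each layer sees only its own fields, so the selector cannot tell two users apart on the same host and port, and the path ACL cannot tell which network a request came from.

```python
# Added example (not from the thread): IPsec SPD selector vs. application ACL.
import ipaddress
from dataclasses import dataclass

@dataclass
class Request:
    """One constructed client request as both layers would see it."""
    src: str     # client IP, visible to IPsec
    dst: str     # server IP, visible to IPsec
    proto: str   # 'tcp' or 'udp', visible to IPsec
    dport: int   # destination port, visible to IPsec
    user: str    # authenticated identity, only visible above the tunnel
    path: str    # URL path, only visible above the tunnel

def ipsec_selector_allows(req, src_net, dst_net, proto, port_range):
    """IPsec selector: can only test IP header fields and the transport port."""
    lo, hi = port_range
    return (ipaddress.ip_address(req.src) in ipaddress.ip_network(src_net)
            and ipaddress.ip_address(req.dst) in ipaddress.ip_network(dst_net)
            and req.proto == proto
            and lo <= req.dport <= hi)

def app_acl_allows(req, acl):
    """Application-layer ACL: longest matching path prefix decides, per user."""
    best = None
    for prefix in acl:
        if req.path.startswith(prefix) and (best is None or len(prefix) > len(best)):
            best = prefix
    return best is not None and req.user in acl[best]

# Constructed policies: the SA admits the remote office (192.0.2.0/24) to the
# web server on TCP/443; the ACL admits everyone to /public, finance only alice.
SA_SELECTOR = ("192.0.2.0/24", "203.0.113.10/32", "tcp", (443, 443))
APP_ACL = {"/public/": {"alice", "bob"}, "/finance/": {"alice"}}

def decide(req):
    """Return (ipsec_decision, app_decision) for one request."""
    return (ipsec_selector_allows(req, *SA_SELECTOR), app_acl_allows(req, APP_ACL))

# Constructed traffic: same host and port, different user, object and origin.
alice_report = Request("192.0.2.7", "203.0.113.10", "tcp", 443, "alice", "/finance/q1.xls")
bob_report = Request("192.0.2.8", "203.0.113.10", "tcp", 443, "bob", "/finance/q1.xls")
bob_public = Request("192.0.2.8", "203.0.113.10", "tcp", 443, "bob", "/public/index.html")
outsider = Request("198.51.100.5", "203.0.113.10", "tcp", 443, "bob", "/public/index.html")

if __name__ == "__main__":
    for name, r in [("alice_report", alice_report), ("bob_report", bob_report),
                    ("bob_public", bob_public), ("outsider", outsider)]:
        print(name, decide(r))
```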
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Apr 09 2003