Firewall Wizards: RE: tunnel vs open a hole

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Firewall Wizards mailing list archives

RE: tunnel vs open a hole

From: Bruce Platt <Bruce () ei3 com>
Date: Tue, 8 Apr 2003 16:24:34 -0400

I've enjoyed this thread, so let me add my $.02.

There is one advantage of an IPSEC VPN in this sort of circumstance which
narrows the "zones of insecurity" somewhat.

One can create SA's and SPI's which more tightly specify which network
entities can communicate through this sort of "tunnel".

In addition to the benefit of authentication, one does have the ability to
perform more specifically tuned tunneling than one would achieve by using
the http proxy on a firewall which as so many have noted is just an open
hole.

None of the above means I think a generalized IPSEC VPN solution is
necessarily better than Anton's alternative of "opening another port" in the
context which has evolved in this thread.  Rather, no one has offered the
benefits of this approach which can also offer authorization as part of the
implementation can therefore be a suitable solution for certain
requirements.

Regards,

Bruce

-----Original Message-----
From: Frederick M Avolio [mailto:fred () avolio com]
Sent: Tuesday, April 08, 2003 3:07 PM
To: Dave Piscitello; firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] tunnel vs open a hole

No one discussed the benefits of using an encrypted, authenticated
tunnel (SSL, SSH, ...), which do provide additional

controls. If I were

developing/deploying a (presumably) distributed application *today*,
I would begin with the assumption that I need stronger authentication
than UIPW, message integrity, and message confidentiality. Many of
the problems we struggle to correct today stem from the fact that
we think of security as something orthogonal to application

functionality

rather than a core component/requirement.



Of course, encryption exacerbates the problem. :-) We can then gain a 
tremendously high level of assurance that Dave Piscitello did 
something 
over SSL to a particular IP address from a particular IP 
address. Which 
adds authentication and little else on top of the paragraph you cited:

"The real question is whether the tunnelling system provides _ANY_
security controls above and beyond ip/src/dest/logging."



Fred


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

By Date By Thread

Current thread:

RE: tunnel vs open a hole Behm, Jeffrey L. (Apr 07)
- <Possible follow-ups>
- RE: tunnel vs open a hole Melson, Paul (Apr 08)
- RE: tunnel vs open a hole Bruce Platt (Apr 08)
  - RE: tunnel vs open a hole Dave Piscitello (Apr 08)
- RE: tunnel vs open a hole Marcus J. Ranum (Apr 09)
  - Re: tunnel vs open a hole George Capehart (Apr 09)
    - Re: tunnel vs open a hole Marcus J. Ranum (Apr 09)
    - Re: tunnel vs open a hole George Capehart (Apr 09)