Firewall Wizards
mailing list archives
Re: tunnel vs open a hole
From: Frederick M Avolio <fred () avolio com>
Date: Wed, 09 Apr 2003 10:40:38 -0400
At 04:25 PM 4/8/2003 -0400, Dave Piscitello wrote:
>At 03:07 PM 4/8/2003 -0400, Frederick M Avolio wrote:
>>Of course, encryption exacerbates the problem. :-) We can then gain a
>>tremendously high level of assurance that Dave Piscitello did something
>>over SSL to a particular IP address from a particular IP address.
>
>This "opaque tunnel is worse than a cleartext channel" argument is tiresome.
Calling it "tiresome" is an old debating trick. :-)
I didn't say it was worse (although, of course, it is) (Note: I employ a
debating trick: proof by assertion). I said that it didn't address Marcus'
comment about granularity in control. It adds authentication. On top of
that, you are trusting the end application to secure itself. We know that
doesn't usually work (cf. Netscape or IE and Java). Also, the end
application does not know that the traffic was in an IPSEC tunnel, so it
cannot make use of that "knowledge."
But, anyway, you (Dave) and I agree on all of this. VPNs are good,
firewalls are good, but both must be properly deployed. We also agree that
encrypted tunnels of any kind do not add much to prevent abuse of the end
application, except having higher assurance of the attacker's identity. My
only point was the obvious one -- and it was aimed at the non-wizards on
this list: just because it is encrypted and authenticated doesn't mean you
can trust it. Also, wanting application-level checking in a firewall and
allowing encrypted connections through it are mutually exclusive (assuming
a firewall that doesn't have a real SSL proxy -- the kind that the
moderator kept asking for in his previous job).
Fred
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
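As an added illustration of Fred's point that a firewall without a real SSL proxy sees only the endpoints and the record layer of an encrypted connection (example code written for this archive page, not from anyone in the thread): it parses a constructed TLS record stream and returns what an inline packet filter could log. The record builder, the sample bytes and the field names are assumptions made for the demonstration.

```python
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   16: "client_key_exchange", 20: "finished"}

def record(ctype, payload, version=(3, 3)):
    """Build one TLS record: 1-byte type, 2-byte version, 2-byte length, body."""
    return struct.pack("!BBBH", ctype, *version, len(payload)) + payload

# Constructed client-to-server stream (not a real capture): ClientHello fragment,
# ChangeCipherSpec, encrypted Finished, application data. Encrypted bodies are
# placeholder bytes, not real TLS ciphertext.
SAMPLE_STREAM = (
    record(22, b"\x01\x00\x00\x05\x03\x03\x00\x00\x00")  # handshake: ClientHello
    + record(20, b"\x01")                                # change_cipher_spec
    + record(22, b"\x10" * 40)                           # handshake, now encrypted
    + record(23, b"\x00" * 120)                          # application_data (opaque)
)

def parse_records(stream):
    """Split a byte stream into (content_type, version, payload) records."""
    records, off = [], 0
    while off + 5 <= len(stream):
        ctype, major, minor, length = struct.unpack("!BBBH", stream[off:off + 5])
        payload = stream[off + 5:off + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated TLS record")
        records.append((ctype, (major, minor), payload))
        off += 5 + length
    return records

def firewall_view(src, dst, dport, stream):
    """What a non-terminating inline filter can record: 5-tuple plus record-layer facts."""
    view = {"src": src, "dst": dst, "dport": dport,
            "handshake": [], "opaque_bytes": 0}
    encrypted = False  # after ChangeCipherSpec, record bodies are ciphertext
    for ctype, _, payload in parse_records(stream):
        kind = CONTENT_TYPES.get(ctype, "unknown")
        if kind == "change_cipher_spec":
            encrypted = True
        elif kind == "handshake":
            # Type byte is readable only before encryption starts; 0x10 here
            # would otherwise be misread as client_key_exchange.
            view["handshake"].append("encrypted" if encrypted
                                     else HANDSHAKE_TYPES.get(payload[0], "unknown"))
        elif kind == "application_data":
            view["opaque_bytes"] += len(payload)  # length only: no method, path, body
    return view
```

Any policy written against this view can act on addresses, port, handshake phase and byte counts, which is exactly the "Dave did something over SSL to a particular IP address" level of granularity the thread describes; the application request inside the tunnel is not available to it.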