Firewall Wizards mailing list archives

Re: stealth firewalls


From: ark () eltex ru
Date: Fri, 18 Jan 2002 14:23:46 +0300

nuqneH,

VPN peers are not required to be visible from VPN itself.

You can build a bridge that will take a packet from (bridging) interface 0 on
machine A, encapsulate and encrypt it, send it via interface 1 to machine B's
interface 1, which will decrypt it and send it out via interface 0 on machine B,
and vice versa.

Thus we have an encrypted A0-B0 bridge, and the VPN peers, which are A1-B1, are
not visible from _inside_ the VPN. There are no IP addresses on A0 and B0 and
no routing from A0 to A1.

"Volker Tanger" <volker.tanger () discon de> said:

ark () eltex ru wrote:

 > YOU (Volker Tanger) WROTE:
 >
 >> Second problem is doing VPN - or: not! Without a (visible) VPN peer
 >> there is no VPN to be established.

Why not? I see no technical reason why one cannot build bridging
functionality over 100% isolated underlying VPN infrastructure and
virtual tunneling interfaces.


Okay, misunderstanding: you cannot do VPN without an IP address
for the VPN peers.

If the firewall is expected to do the VPN stuff, it has
to have an IP address responding to IKE, ICMP, whatever.
But with this it is no longer a stealth (i.e. IP-addressless)
firewall.


Of course you can do VPN between two peers with a stealth firewall in 
between (that is if the firewall allows), but that was not the point.


                                     _     _  _  _  _      _  _
 {::} {::} {::}  CU in Hell          _| o |_ | | _|| |   / _||_|   |_ |_ |_
 (##) (##) (##)        /Arkan#iD    |_  o  _||_| _||_| /   _|  | o |_||_||_|
 [||] [||] [||]            Do i believe in Bible? Hell,man,i've seen one!
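The encrypted A0-B0 bridge described in the reply above, as an added simulation that is not part of the original post: machine A seals every frame arriving on its IP-less bridge port and sends it from A1 to B1, and B only decapsulates onto B0 what authenticates from the configured peer. The HMAC-based stream cipher, the shared key and the addresses 192.0.2.1 / 198.51.100.1 are constructed stand-ins for real IPsec and IKE material.

```python
import hashlib, hmac, os
from dataclasses import dataclass

# Constructed shared key for this example only; a real deployment negotiates it between A1 and B1.
KEY = b"constructed-example-key-not-for-production"

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode used as a PRF keystream: a stand-in for a real cipher such as ESP's.
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(-(-n // 32)))[:n]

def seal(key: bytes, frame: bytes) -> bytes:
    """Encrypt-then-MAC a raw Ethernet frame: nonce || ciphertext || tag."""
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(frame, _keystream(key, nonce, len(frame))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes):
    """Return the frame, or None when the tag does not verify (tampered or foreign datagram)."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

@dataclass
class Datagram:          # what travels on the A1-B1 link: IP endpoints plus the sealed frame
    src_ip: str
    dst_ip: str
    payload: bytes

class BridgeEnd:
    """One machine: interface 0 is an IP-less bridge port, interface 1 carries the VPN."""
    def __init__(self, if1_ip: str, peer_if1_ip: str):
        self.ip, self.peer = if1_ip, peer_if1_ip
        self.if1_out: list[Datagram] = []   # datagrams sent towards the peer
        self.if0_out: list[bytes] = []      # frames emitted on the bridge port

    def rx_if0(self, frame: bytes) -> None:
        # Bridge port: no IP stack and no route to interface 1, so every frame is sealed and forwarded.
        self.if1_out.append(Datagram(self.ip, self.peer, seal(KEY, frame)))

    def rx_if1(self, dg: Datagram) -> bool:
        # Only datagrams from the configured peer that authenticate are decapsulated onto interface 0.
        if dg.dst_ip != self.ip or dg.src_ip != self.peer:
            return False
        frame = unseal(KEY, dg.payload)
        if frame is None:
            return False
        self.if0_out.append(frame)
        return True
```

A frame addressed to A's own tunnel endpoint 192.0.2.1 is bridged through unchanged and never answered, because A0 has no address and no path to A1.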

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards