At 11:11 AM 3/6/96 CST, Jeromie Jackson allegedly wrote:
>To: frankw @ net, firewall @
>Subject: RE: VPN's over the internet
>o Most commercial firewalls offer firewall->firewall encryption,
> so extra encryption h/w or s/w isn't usually needed.
> Yes, but many of the firewalls do it via software, causing potential
>bottlenecks @ high bandwidth, therefore it IS beneficial to move to a hardware
>platform that has a dedicated processor.
True. However, some also have a hardware encryption board with its own CPU
to offload the CPU-intensive chore of encryption sessions.
>o Many (most?) firewalls when performing firewall->firewall encryption
> are only providing an IP encryption tunnel through the firewalls.
> You would think any 1/2-way intelligent firewall company would not allow
>such a thing to happen. Why would they effectively breach the complete
>functionality of the application proxy server? If they fully trust the other
>entity they should add in the appropriate rulesets to allow such behavior. The
>idea of "I have a VPN therefore I bypass my proxy based services" is obscene.
I agree with you 100%. However, you are preaching to the choir. I think
that this is an area that the firewall vendors need to take care of - ASAP.
> It is important to note that *NO* application filtering is performed.
> While this may offer protection from a MITM (Man-In-The-Middle) attack
> (Internet, etc), it offers *NO* protection from the other entity's
> network. A problem on their network is a problem on your network.
> If this is true, again, if you moved to an independent hardware solution
>you would be able to still have the complete functionality of the proxy
It is true. However, I agree with you about front-ending the firewall with
an encryption box. This is one of my work-arounds for the above-mentioned
>o It is usually beneficial to firewall VPN connections to localize
> contamination in the event one of the VPN entities is breached.
The opinions expressed above are of the author and may not
necessarily be representative of Fortified Networks Inc.
Fortified Networks Inc. - Information Security Consulting
Phone: (317) 573-0800 - http://www.fortified.com
Home of the Free Internet Firewall Evaluation Checklist