Great Circle Associates Firewalls
(March 1996)
 


Subject: RE: VPN's over the internet
From: Frank Willoughby <frankw @ in . net>
Date: Wed, 6 Mar 96 23:49:58 -0500
To: jeromie @ garrison . com (Jeromie Jackson)
Cc: firewalls @ GreatCircle . com

At 11:11 AM 3/6/96 CST, Jeromie Jackson allegedly wrote:
>To: frankw @ in . net, firewall @ greatcircle . com
>Subject: RE: VPN's over the internet
>
>o Most commercial firewalls offer firewall->firewall encryption, 
>  so extra encryption h/w or s/w isn't usually needed.
>
>	Yes, but many of the firewalls do it via software, causing potential 
>bottlenecks @ high bandwidth, therefore it IS beneficial to move to a hardware
>platform that has a dedicated processor.

True.  However, some also have a hardware encryption board with its own CPU
to offload the CPU-intensive chore of encryption sessions.



>o Many (most?) firewalls when performing firewall->firewall encryption
>  are only providing an IP encryption tunnel through the firewalls.
>
>	You would think any 1/2-way intelligent firewall company would not allow
>such a thing to happen.  Why would they effectively breach the complete 
>functionality of the application proxy server?  If they fully trust the other
>entity they should add in the appropriate rulesets to allow such behavior. The
>idea of "I have a VPN therefore I bypass my proxy based services" is obscene.

I agree with you 100%.  However, you are preaching to the choir.  I think 
that this is an area that the firewall vendors need to take care of - ASAP.



>  It is important to note that *NO* applications filtering is performed.
>  While this may offer protection from a MITM (Man-In-The-Middle) attack 
>  (Internet, etc), it offers *NO* protection from the other entity's
>  network.  A problem on their network is a problem on your network.
>>
>
>	If this is true, again, if you moved to an independent hardware solution
>you would be able to still have the complete functionality of the proxy 
>services.

It is true.  However, I agree with you about front-ending the firewall with
an encryption box.  This is one of my work-arounds for the above-mentioned
problem.


>o It is usually beneficial to firewall VPN connections to localize
>  contamination in the event one of the VPN entities is breached.
>
>
>Jeromie Jackson
>Garrison Technologies
>jeromie @ garrison . com

Best Regards,


Frank

<standard disclaimer>
The opinions expressed above are of the author and may not 
necessarily be representative of Fortified Networks Inc.

Fortified Networks Inc. - Information Security Consulting
Phone: (317) 573-0800   - http://www.fortified.com
Home of the Free Internet Firewall Evaluation Checklist
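As an added illustration (not code from the original thread) of the two placements discussed above: a firewall that terminates the tunnel itself and forwards anything that decrypts from the partner's address range, versus an encryption box in front of a firewall whose application proxies see the cleartext. The partner address range, host names and the allowed-service table are constructed for the example.

```python
from dataclasses import dataclass

# Constructed for this example: the partner site's address range and the
# handful of internal services we actually intend to expose to it over the VPN.
PARTNER_NET = "192.0.2."
ALLOWED = {("mailhost", 25), ("webhost", 80)}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    encrypted: bool = True
    payload: str = ""


def decrypt(pkt: Packet) -> Packet:
    """Tunnel endpoint: strips the IP encryption layer, nothing more."""
    return Packet(pkt.src, pkt.dst, pkt.dport, False, pkt.payload)


def application_proxy(pkt: Packet) -> bool:
    """Proxy/rule stage: permitted services only, and only well-formed requests."""
    if not pkt.src.startswith(PARTNER_NET):
        return False
    if (pkt.dst, pkt.dport) not in ALLOWED:
        return False
    # Crude application-level check: the SMTP proxy refuses non-SMTP payloads.
    if pkt.dport == 25 and not pkt.payload.upper().startswith(("HELO", "EHLO")):
        return False
    return True


def firewall_with_builtin_tunnel(pkt: Packet) -> bool:
    """Design 1 (the problem the thread describes): the firewall terminates
    the tunnel and trusts the cleartext by its origin alone; the proxies are
    never consulted, so a breach at the partner reaches any internal host."""
    return decrypt(pkt).src.startswith(PARTNER_NET)


def encryption_box_then_firewall(pkt: Packet) -> bool:
    """Design 2 (the work-around in the thread): a separate encryption box
    decrypts, and the cleartext enters the firewall like any other traffic,
    so only the listed services are reachable and only with sane requests."""
    return application_proxy(decrypt(pkt))
```

Running both designs against a request from a compromised partner host to an internal file server shows design 1 forwarding it and design 2 dropping it, while a normal SMTP session to the mail host passes both.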



