The problem with these "add-ons" is that they are just that, mere "feature"
check lists. When you start digging into what software vendors are offering
you quickly find that it is typically rather rudimentary. Things like
manual keys, DES only support and encryption vs. cryptography (replay
prevention, non-repudiation, etc.) are all issues that must be addressed.
Just my $.02 worth.
To: Joseph L. Moll
Subject: Re: VPN's over the internet
Date: February 28, 1996 12:55
Several Firewall vendors now produce firewalls with firewall-firewall
link encryption. I recently installed Smartwall from V-One (Gauntlet
VAR) and it worked fine.
My big issue with multi-firewall designs is the problem of remote
management vs. an expert at each site. Smartwall has secure Telnet based
on their one-time password product so you can be at two places at once.
I managed not to lock myself out too often...8-)
Performance is another issue. Smartwall had an optional DES encryption
board (- with German markings (huh?)) to boost performance but that
forced them to use the same password/key on all firewalls in the VPN that
talked to each other. I think that's acceptable since the VPN
essentially extends your local net to the remote site. If one
firewall/site is compromised the whole net is compromised. Of course you
could add filter rules on each box if you don't want a full access
Last I heard Raptor, Sun and possibly others had or were working on
encrypted links - a flood is coming. DEC and others make stand alone
encryption boxes to toss on the front of your network.
Always ask about key distribution and the security of remote management -
assuming your policy allows remote management (a sore point.)
This is my 2 cents worth (or less), not my employers.
On Mon, 26 Feb 1996, Joseph L. Moll wrote:
> I am in the middle of a design that will require a Firewall product that
> will also serve as an end node to a VPN.
> I would appreciate any input from folks that have actually implemented