Great Circle Associates Firewalls
(March 1996)
 


Subject: Re: VPN's over the internet
From: Craig McLellan <mclelcl @ onto . network . com>
Date: Thu, 29 Feb 96 00:50:00 CST
To: firewalls <firewalls @ greatcircle . com>

The problem with these "add-ons" is that they are just that, mere "feature" 
check lists.  When you start digging into what software vendors are offering 
you quickly find that it is typically rather rudimentary.  Things like 
manual keys, DES-only support and encryption vs. cryptography (replay 
prevention, non-repudiation, etc.) are all issues that must be addressed.

Just my $.02 worth.

RGRDS.....clm
 ----------
From: firewalls-owner
To: Joseph L. Moll
Cc: firewalls
Subject: Re: VPN's over the internet
Date: February 28, 1996 12:55


Several Firewall vendors now produce firewalls with firewall-firewall
link encryption.  I recently installed Smartwall from V-One (Gauntlet
VAR) and it worked fine.

My big issue with multi-firewall designs is the problem of remote
management vs. an expert at each site.  Smartwall has secure Telnet based
on their one-time password product so you can be at two places at once.
I managed not to lock myself out too often...8-)

Performance is another issue.  Smartwall had an optional DES encryption
board (- with German markings (huh?)) to boost performance but that
forced them to use the same password/key on all firewalls in the VPN that
talked to each other.  I think that's acceptable since the VPN
essentially extends your local net to the remote site.  If one
firewall/site is compromised the whole net is compromised.  Of course you
could add filter rules on each box if you don't want a full access
VPN.....

Last I heard Raptor, Sun and possibly others had or were working on
encrypted links - a flood is coming.  DEC and others make stand-alone
encryption boxes to toss on the front of your network.

Always ask about key distribution and the security of remote management -
assuming your policy allows remote management (a sore point.)

Have fun,
Adam Safier
Computer Scientist
CSC-SED Infosec

This is my 2 cents worth (or less), not my employers.


On Mon, 26 Feb 1996, Joseph L. Moll wrote:
> I am in the middle of a design that will require a Firewall product that
> will also serve as an end node to a VPN.
>
> I would appreciate any input from folks that have actually implemented this
> configuration.
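Craig's distinction between "encryption" and "cryptography" (replay prevention, integrity, etc.) is the kind of thing a feature checklist hides. The following is an added example, not code from any of the products or posters in this thread; it shows the receive-side check a link encryptor needs beyond a cipher: an integrity tag over each packet plus a sliding anti-replay window in the style IPsec later standardised. The packet format, the HMAC-SHA256 tag, the shared demo key and the sample traffic are all constructed for the demonstration; the payload is left unencrypted so the example stays focused on the replay check rather than confidentiality.

```python
import hmac
import hashlib

# Constructed demo key. Adam's note about one password/key on every firewall
# in the VPN is exactly the arrangement a per-peer key exchange avoids.
KEY = b"constructed-demo-key-not-for-real-use"
TAG_LEN = 32  # HMAC-SHA256 output size


def make_packet(seq, payload, key=KEY):
    """Hypothetical wire format: seq (4 bytes, big-endian) || payload || tag."""
    header = seq.to_bytes(4, "big")
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class AntiReplayWindow:
    """Receiver state: verify the tag, then reject duplicates and stale packets
    using a sliding bitmap window (IPsec-style, 64 packets by default)."""

    def __init__(self, key=KEY, window=64):
        self.key = key
        self.window = window
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence (highest - i) already seen

    def accept(self, packet):
        """Return (True, payload) for a fresh authentic packet, else (False, reason)."""
        if len(packet) < 4 + TAG_LEN:
            return False, "truncated"
        header, payload, tag = packet[:4], packet[4:-TAG_LEN], packet[-TAG_LEN:]
        # Integrity first: a forged or modified packet must never update window state.
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False, "bad tag"
        seq = int.from_bytes(header, "big")
        if seq == 0:
            return False, "seq zero"
        if seq > self.highest:
            # Slide the window forward and mark the new highest as seen.
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.highest = seq
            return True, payload
        offset = self.highest - seq
        if offset >= self.window:
            return False, "too old"
        if self.bitmap & (1 << offset):
            return False, "replay"
        self.bitmap |= 1 << offset
        return True, payload


def run_demo():
    """Constructed traffic: in-order and reordered packets, a replayed packet,
    a tampered packet, and a packet that falls behind the window."""
    rx = AntiReplayWindow()
    p1 = make_packet(1, b"hello")
    p2 = make_packet(2, b"world")
    p3 = make_packet(3, b"!")
    # Same length payload as p2 but different bytes: the tag no longer matches.
    tampered = p2[:4] + b"WORLD" + p2[4 + len(b"world"):]
    stream = [p1, p3, p1, p2, p2, tampered, make_packet(100, b"later"), p3]
    verdicts = []
    for pkt in stream:
        ok, info = rx.accept(pkt)
        verdicts.append("ok" if ok else info)
    return verdicts


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The tag check runs before the window is touched, so an attacker cannot move the window by injecting garbage with high sequence numbers; and because the sequence number is inside the authenticated data, a captured packet cannot be renumbered to slip past the replay bitmap. A cipher alone, with no tag and no sequence number, would accept the replayed copy of p1 exactly as it accepted the original.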
