Great Circle Associates Firewalls
(April 1997)
 


Subject: Re: IPSEC / IPV6 and Firewalls & Network Security
From: Adam Shostack <adam @ homeport . org>
Date: Sat, 12 Apr 1997 09:48:54 -0500 (EST)
To: steven . j . schulze @ ac . com (steven.j.schulze)
Cc: firewalls-digest @ GreatCircle . COM
In-reply-to: <9704120321 . AB2417 @ notes2 . compuserve . com> from "steven.j.schulze" at "Apr 11, 97 08:38:33 pm"

	People with proxy systems won't change them; the security of
packet filters will go up relative to how well the key management
problem is addressed.  (Key management is a large problem, and solving
parts of it is a very useful thing.)

	It's worth noting that the fact that you've authenticated some
entity does not mean that you should extend them ultimate trust; it
could mean that their keys have been compromised.

	I expect that as firewalls get cheaper, we'll start to see the
technology being pushed deeper inside a company, so that every
mailhost runs smtpd, not just the one on "the firewall."

Adam

steven.j.schulze wrote:
| Does anyone want to comment on the conventional wisdom of what IPSEC and IPV6 
| will do for network security, and how this will require changes to firewalls 
| and how they operate?
| 


-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume



