>Authentication and confidentiality are more for VPN Virtual Private
>Network than for firewalls. IPsec with X.509 certificates is becoming
>available for nearly all firewalls nowadays, this will solve the
Why should it stop at the VPN? Most attacks are internal. The overhead to exchange keys on "modern" machines is low. Why stop at the firewalls? At least cover all the servers, if not the workstations.
The next thing is that IPsec on firewalls with X.509 does not solve all the problems. X.509 may specify a null-null-null MAC/encryptor. If the internal network uses PKCS#x signed packets, the firewall must just allow them through. Either that or we relegate users to clear text again.
X.509 with IPsec will start to help when the firewall/gateway is not a classical firewall but an encryption gateway that, even if it passes clear information to the world (is someone looking at your web server?), still encrypts all internal traffic.
Finally, all this is doable now. The overhead is low. The cost is not great.
Craig S. Wright
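Craig's caveat above, that "IPsec with X.509" still lets an SA negotiate a null encryptor, is easy to see on the wire. The following is an added illustration, not code from either poster: it builds an ESP packet with the NULL cipher (RFC 2410) and HMAC-SHA1-96 integrity (RFC 2404), shows that the payload is authenticated yet fully readable, and adds the kind of SA policy check a gateway would need so that "it is IPsec" is not mistaken for "it is confidential". The key, payload and the proposal field names (`encr`, `integ`) are constructed for the demo and are not IKE codepoints.

```python
"""ESP-NULL (RFC 2410) with HMAC-SHA1-96 (RFC 2404): authenticated, not confidential.

Added example. Constructed keys/payloads; the SA 'proposal' dict is a
simplified stand-in for what IKE would negotiate, not real codepoints."""
import hashlib
import hmac
import struct

ICV_LEN = 12          # HMAC-SHA1-96 keeps the first 96 bits of the 20-byte tag
ESP_HDR_LEN = 8       # SPI (4) + Sequence Number (4)
ESP_TRAILER_LEN = 2   # Pad Length (1) + Next Header (1)


def esp_null_encapsulate(spi: int, seq: int, payload: bytes,
                         next_header: int, auth_key: bytes) -> bytes:
    """Build SPI | Seq | Payload | Padding | Pad Len | Next Hdr | ICV (RFC 2406).

    With ENCR_NULL the "encrypted" region is written to the wire unchanged;
    only the ICV gives the receiver any assurance about who sent it."""
    # Pad so that Pad Len + Next Header end on a 4-byte boundary; pad bytes 1,2,3,...
    pad_len = (-(len(payload) + ESP_TRAILER_LEN)) % 4
    padding = bytes(range(1, pad_len + 1))
    body = (struct.pack("!II", spi, seq) + payload + padding
            + bytes([pad_len, next_header]))
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def esp_null_verify(packet: bytes, auth_key: bytes) -> bool:
    """True if the trailing ICV matches; constant-time comparison."""
    if len(packet) < ESP_HDR_LEN + ESP_TRAILER_LEN + ICV_LEN:
        return False
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expected)


def esp_null_decapsulate(packet: bytes, auth_key: bytes):
    """Verify the ICV, then strip header, padding and trailer.

    Returns (spi, seq, next_header, payload); raises ValueError on a bad ICV."""
    if not esp_null_verify(packet, auth_key):
        raise ValueError("ESP ICV mismatch: forged or modified packet")
    body = packet[:-ICV_LEN]
    spi, seq = struct.unpack("!II", body[:ESP_HDR_LEN])
    pad_len, next_header = body[-2], body[-1]
    payload = body[ESP_HDR_LEN:len(body) - ESP_TRAILER_LEN - pad_len]
    return spi, seq, next_header, payload


def payload_visible_on_wire(packet: bytes, payload: bytes) -> bool:
    """The test a sniffer applies: is the cleartext right there in the datagram?"""
    return payload in packet


def sa_acceptable(proposal: dict, require_confidentiality: bool = True):
    """Gateway-side policy on a negotiated SA. Returns (ok, reason).

    An X.509-authenticated peer can still propose ENCR_NULL; a gateway that
    only checks "was the peer authenticated" would pass cleartext."""
    encr = proposal.get("encr", "NULL")
    integ = proposal.get("integ", "NONE")
    if integ == "NONE":
        return False, "no integrity algorithm: packets can be forged or altered"
    if require_confidentiality and encr == "NULL":
        return False, "ENCR_NULL: authenticated, but payload travels in clear"
    return True, "ok"


if __name__ == "__main__":
    key = b"constructed-demo-auth-key"            # constructed, not a real SA key
    plain = b"GET /payroll/secret.html HTTP/1.0\r\n"  # constructed inner payload
    pkt = esp_null_encapsulate(0x1000, 1, plain, 6, key)
    print("ICV verifies:", esp_null_verify(pkt, key))
    print("payload readable by a sniffer:", payload_visible_on_wire(pkt, plain))
    print("policy verdict:", sa_acceptable({"encr": "NULL", "integ": "HMAC-SHA1-96"}))
```

The two checks are independent on purpose: `esp_null_verify` answers "did an authenticated peer send this", `sa_acceptable` answers "is the SA we agreed to actually worth anything", and a gateway has to ask both, because a certificate proves the peer's identity, not that anything is being encrypted.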
From: Eric Vyncke
Sent: Wednesday, October 22, 1997 2:10 AM
To: Jyri Kaljundi; Firewalls @
Subject: Re: sex, lies, and firewall code
At 15:54 21/10/97 +0300, Jyri Kaljundi wrote:
>Sun, 19 Oct 1997, Craig S. Wright wrote:
>> When there is finally a gateway product that has full
>> authentication based on digital certification. That links to all
>> machines in the domain. That does a host AND user authentication
>Yes, I believe also this is the future way to go. Every PC using
>transparent encryption to the firewall, using strong encryption and strong
>authentication methods between each of them. Preferably so, that every
>user has their certificate or key for that matter on a smart card (or
>floppy, whatever) and they have their rights and policies going through
>the firewall connected to the identity stored on the smart card.
Authentication and confidentiality are more for VPN Virtual Private
Network than for firewalls. IPsec with X.509 certificates is becoming
available for nearly all firewalls nowadays, this will solve the
But you still have to fight against:
- DoS: ping o' death, OOB, SYN attack
- contents filtering: URL, java applets, ...
Just my 0.25 BEF to add to the discussion ;-)
>AS Stallion Ltd
Technical Consultant Cisco Systems Belgium SA/NV
Phone: +32-2-778.4677 Fax: +32-2-778.4300
E-mail: evyncke @
com Mobile: +32-75-312.458