I hadn't thought about opening up a possibility for man-in-the-middle and I
guess you are right. The PSS is a very long one and it does get changed
a lot. I will address your concerns though .. they make sense to me.
Thank you Joel.
Lance
----- Original Message -----
From: "Joel M Snyder" <[EMAIL PROTECTED]>
To: "Lance Ecklesdafer" <[EMAIL PROTECTED]>
Cc: "Joel M Snyder" <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Friday, March 31, 2000 12:14 PM
Subject: Re: IPSec and NAT
> Since PSS only authenticates using the IP address, I'm guessing that you
> have a static and permanent mapping (i.e., the address 'leaving' the LAN
> is known ahead of time for all time) and that's the way that you entered
> it into the gateway on the other side.
>
> But that's actually a problem---the IP address IN the packet doesn't
> match the IP address OUTSIDE the packet. IPSEC itself doesn't require this
> IP address to be checked, but a large percentage of security vendors
> do verify that the IP addresses match and won't take that tunnel using
> PSS.
>
> You are, in effect, opening yourself up to a MITM attack, especially given
> that the only thing keeping your network secure is the PSS. I hope it's
> a long one and that it gets changed a lot!
>
> jms
>
>
> --
> Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
> Phone: +1 520 324 0494 (voice) +1 520 324 0495 (FAX)
> [EMAIL PROTECTED] http://www.opus1.com/jms Opus One
> This was written from my laptop, so it is highly unlikely
> that I am in the office. Send email if you want to talk.
>
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
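An added example (not code from either poster) of the gateway-side check Joel describes: when a peer authenticates with a pre-shared secret and identifies itself by IPv4 address, the address inside the IKE Identification payload is compared with the outer source address of the packet, and a NAT in the path is exactly what makes the two differ. The payload layout follows the ISAKMP Identification payload (RFC 2407); the addresses and payloads are constructed for the example.

```python
import struct
import ipaddress

# ISAKMP Identification payload ID types (RFC 2407, section 4.6.2.1).
ID_IPV4_ADDR = 1
ID_FQDN = 2


def build_id_payload(id_type: int, data: bytes) -> bytes:
    """Build an Identification payload: generic header (next payload,
    reserved, length) followed by ID type, protocol ID, port and ID data."""
    body = struct.pack("!BBH", id_type, 0, 0) + data
    return struct.pack("!BBH", 0, 0, 4 + len(body)) + body


def parse_id_payload(payload: bytes):
    """Return (id_type, identification_data) from an Identification payload."""
    _next, _reserved, length = struct.unpack("!BBH", payload[:4])
    if length != len(payload) or length < 8:
        raise ValueError("malformed Identification payload")
    return payload[4], payload[8:]


def check_psk_identity(id_payload: bytes, outer_src_ip: str) -> str:
    """Pre-shared-key identity check as a strict gateway performs it: an
    ID_IPV4_ADDR identity must equal the address the packet arrived from.
    Returns 'ok', 'mismatch' (what a NAT produces, and why such gateways
    refuse the tunnel) or 'not-address-bound' for FQDN-style identities."""
    id_type, data = parse_id_payload(id_payload)
    if id_type != ID_IPV4_ADDR:
        return "not-address-bound"
    if len(data) != 4:
        raise ValueError("ID_IPV4_ADDR must carry exactly 4 bytes")
    inner = ipaddress.IPv4Address(data)
    outer = ipaddress.IPv4Address(outer_src_ip)
    return "ok" if inner == outer else "mismatch"


# Constructed sample: a peer behind NAT puts its private address 10.0.0.5 in
# the ID payload while the packet leaves the NAT from 203.0.113.7; a peer
# with a public address 198.51.100.20 presents the same address it sends from.
NATTED_ID = build_id_payload(ID_IPV4_ADDR, ipaddress.IPv4Address("10.0.0.5").packed)
DIRECT_ID = build_id_payload(ID_IPV4_ADDR, ipaddress.IPv4Address("198.51.100.20").packed)

if __name__ == "__main__":
    print("behind NAT:", check_psk_identity(NATTED_ID, "203.0.113.7"))
    print("direct:    ", check_psk_identity(DIRECT_ID, "198.51.100.20"))
```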