On Thu, 10 May 2001, Ben Nagy wrote:

> This sounds like a repeat of the VLAN effect - something that's not designed
> for security being used as a security solution. Maybe we should be saying
> "use a separate channel, end of story"?

Indeed, out of band wins every time...

> OK, all I'm saying is that encryption adds nothing here. It's untrusted
> traffic, so confidentiality isn't an issue. VPNs don't make it any more
> likely that traffic will stay where it should.

It does add a measure of protection if you're transiting traffic that
contains internal addresses.  The leaking traffic won't be understood by 
a device that it's addressed to since it's encrypted and you'd obviously
not use those keys for internal machines.  

> Assuming that BOTH these mechanisms fail (firewall r00ted, ACLs bypassed)
> then the PVC solution is the only one that might restrict the traffic. The
> PVCs may ALSO fail, but at least they're a line of defence - the VPNs fall
> over with the firewall.

Why not encrypt traffic prior to putting it in the PVC and get all the
layers you can stuff into it?

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
