On 27 Feb 2002, at 18:39, Ron DuFresne wrote:

> On Wed, 27 Feb 2002, Alvin Oga wrote:
>
> [SNIP]
>
> > dumb question ...
> > - why is VPN needed ??? ssh seems to do everything i need
> > - if it's (VPN) for network neighborhood to go browsing...
> > shoot it/kill it/stomp it (network neighborhood)...
> >
>
> Unless ssh is terminated on the outside <so it's decrypted prior to
> entering the network>, dgillett's point was you do not really know what is
> passing across the firewall or network perimeter. Thus, most folks tend
> to do their VPN terminations outside, on a controlled DMZ system, so that
> the decrypted traffic can be subject to the rules of the perimeter
> inspection tools in place to enforce the site's security policy. SSH
> through the perimeter devices tends to tunnel traffic much as HTTP does,
> making it hard to inspect and know what is traversing the outside
> connection<s>. Unless of course I read his last response to you
> incorrectly. Few admins these days feel comfortable in trusting their
> users to know and do the right things on traffic they can not inspect;
> they all tend to want to snoop the wires inside and out...
Couldn't have (didn't, apparently) put it better myself.

DG
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
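As an added example (not from the thread or its authors), a small audit of an sshd_config on a perimeter host for the OpenSSH forwarding directives that turn an SSH login into the kind of uninspected tunnel Ron describes. The directive names and their defaults are real OpenSSH settings; the two sample configs are constructed for the example.

```python
"""Audit an sshd_config for forwarding directives that let an SSH endpoint on
the perimeter carry traffic the site's inspection tools never see."""

# Real OpenSSH defaults applied when a directive is absent from the file.
DEFAULTS = {
    "allowtcpforwarding": "yes",
    "permittunnel": "no",
    "gatewayports": "no",
    "allowagentforwarding": "yes",
}


def parse_global_section(text):
    """Effective values of the global section: keywords are case-insensitive,
    the first occurrence wins (as in sshd_config(5)), and parsing stops at the
    first Match line, since Match-block settings apply only conditionally."""
    effective = dict(DEFAULTS)
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)  # whitespace-separated keyword/argument form
        key = parts[0].lower()
        if key == "match":
            break
        if key not in seen:
            seen.add(key)
            effective[key] = parts[1].strip().lower() if len(parts) > 1 else ""
    return effective


def tunnel_findings(text):
    """Return {directive: value} for each forwarding directive not set to 'no'."""
    effective = parse_global_section(text)
    return {k: effective[k] for k in DEFAULTS if effective[k] != "no"}


# Constructed sample configs for this example, not taken from the thread.
WEAK_CONFIG = """Port 22
PermitTunnel yes   # tun/tap forwarding explicitly enabled
# AllowTcpForwarding and AllowAgentForwarding left at their 'yes' defaults
"""
HARDENED_CONFIG = """Port 22
AllowTcpForwarding no
PermitTunnel no
GatewayPorts no
AllowAgentForwarding no
Match User backup
    AllowTcpForwarding yes   # conditional exception, reviewed separately
"""
```

Setting these directives to no only removes the built-in forwarding channels; traffic carried inside an interactive session still reaches the inside undecrypted, which is the reason the thread prefers terminating and inspecting on a controlled DMZ host.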
