Jason Costomiris writes:
> On Sunday, February 2, 2003, at 11:11  PM, Dick St.Peters wrote:
> > Giving a remote site access to the DMZ over the VPN is exactly the
> > example intended.
> 
> Ok, if that's the case, what's wrong with RFC 1918 space in the DMZ???  
> If this DMZ is only ever accessed over a VPN, using globally routable 
> IP space is just plain wasteful.

A DMZ accessed _only_ over a VPN isn't much of a DMZ.  The usual
purpose for a DMZ is a place to locate bastion hosts that provide
public services and run proxies allowing the internal network to
access the internet without actually exchanging packets between the
internal network and the internet.

You want your bastions to be at globally routable IP addresses so the
public can reach your public services, and you don't want NAT in the
way so you don't restrict your proxying to NAT-tolerant applications.

You generally want your internal network to have considerably more
open access to your bastions than the internet does so your people can
update their areas on the bastions.  The point of a VPN is usually to
extend the meaning of "internal" to other locations, so you want more
open access from the VPN than from the internet.

> You also seem hung up on this notion of a "virtual wire" and how you 
> seem to think that IPsec doesn't act like one.  As another poster has 
> pointed out, an IPsec tunnel meets your definition of a "virtual wire".

From the FreeSWAN FAQ:

    "IPsec tunnels are not just virtual wires; they are virtual wires
    with built-in access controls."

Quoted from
  http://www.freeswan.org/freeswan_trees/freeswan-1.99/doc/faq.html

(If I had realized I was virtually quoting the FreeSWAN FAQ, I'd have
cited it previously.  The same sentence is in the older versions that
I read long ago.)

Other VPN technologies make tunnels that are virtual wires.

I am an advocate of FreeSWAN for cases where I think IPsec is
appropriate.  The core difference between us seems to be that you
think IPsec is always appropriate, whereas I feel that most of the time
its baggage outweighs its advantages.  You want people to plan their
networks around IPsec's rigidity, whereas I feel there's no reason to
put up with that rigidity when you don't have to.

--
Dick St.Peters, [EMAIL PROTECTED] 