On Wed, 29 Dec 1999, Mikael Olsson wrote:
>
> Just a little .... slap on the wrist :-P
Rebuke accepted.
> Merton Campbell Crockett wrote:
> >
> > L2TP is interesting from a security perspective as it isolates the system
> > from its current network and connects it to the target network. Once the
> > connection is established to the target network, all connectivity is lost
> > to the local network, i.e. any mapped drives are unreachable as are any
> > shared devices such as printers.
> >
> > Voila! None of the back channel problems of IPsec.
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> IPsec implementations do not have back channel problems unless
> you configure them to have back channel problems.
Or, depending upon OS, configure them not to have a back channel problem.
> It is completely possible to divert ALL traffic to the IPsec connection
> ("VPN tunnel"), the same way it is possible to establish a connection
> only for a single port and forward all other traffic in plain text.
> Flexibility does not automagically mean insecurity.
It is equally important to remember that IPsec defines a mechanism for
encrypting traffic between the end points of a virtual circuit and shares
the physical interface with other traffic. IPsec secures data while it is
in transit. It does not, inherently, provide a secure communications
link.
> I for one would rather be able to choose which way best fits my
> needs (and security model).
One should consider IPsec. It's a useful, interoperable mechanism for
encrypting traffic while it passes over a public Internet.
Merton Campbell Crockett
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]