Merton,

Comments inline...

Merton Campbell Crockett wrote:
> At the Microsoft Federal Security Conference last year, Microsoft had a
> presentation on L2TP and IPsec.  L2TP does use an IPsec encryption scheme
> but does not provide a virtual connection in the same sense as SSH.
> 
> SSH allows you to establish a secure communication path to the target
> system.  It only affects packets destined for the target system, i.e. you
> retain connectivity to your local network and access to your local network
> resources.

Ehm. Please don't mix up SSH and IPsec. Even though SSH Communications
Security, Inc makes an IPsec implementation, IPsec is _not_ "Secure
Shell".
Okay, 'nuff ranting.

> L2TP, on the other hand, "binds" you to the target system.  Although the
> local network is used as a transport media, you are, effectively, no
> longer connected to the local network.  You lose access to any NFS or SMB
> file systems that you may have been using before establishing the L2TP
> connection.  The network resources available to you are those provided by
> the target system.

As I've said before (here or on fw-wiz, I can't recall), I fail
to see the real difference in security. 
Plain old IPsec can easily be made to behave exactly this way, by 
specifying one single "rule" that says that all outgoing data should 
be encrypted. Anything else (i.e. incoming plaintext traffic) would 
get caught by the default rule which is to drop.

*sigh* Marketing puts a spin on things for the execs again :-(

If there are implementations that won't allow this, those
implementations are just plain stupid or made for a very, very, 
very specific purpose. If it's the former, their vendors deserve 
to go out of business, but I haven't seen such a one (yet).

Anyways, thanks for your response even though it wasn't what I'd
hoped for. Any input is better than none =P

/Mike

-- 
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-105 50           Fax: +46-(0)660-122 50
Mobile: +46-(0)70-248 00 33
WWW: http://www.enternet.se        E-mail: [EMAIL PROTECTED]
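The "one rule" policy Mike describes above, written out as an added example that is not part of the original thread. It assumes a Linux host using the ipsec-tools setkey policy language, a constructed client address 192.0.2.10 and a constructed gateway address 198.51.100.1; the IKE exception and the prio keyword are the editor's additions, not something Mike's message states.

```conf
# Constructed example: setkey -f policy.conf
# Client (this host): 192.0.2.10, VPN gateway: 198.51.100.1 (both made-up addresses)
flush;
spdflush;

# Exception so that the key exchange itself can leave the host in the clear.
# Without it the catch-all rule below would also demand ESP for IKE (UDP/500),
# and no tunnel could ever be negotiated. prio high makes it win over the catch-all.
spdadd 192.0.2.10/32[500] 198.51.100.1/32[500] udp -P out prio high none;
spdadd 198.51.100.1/32[500] 192.0.2.10/32[500] udp -P in  prio high none;

# The single rule from the message: everything leaving the host must be
# ESP-tunnelled to the gateway. "require" means no matching SA, no packet.
spdadd 0.0.0.0/0 0.0.0.0/0 any -P out ipsec esp/tunnel/192.0.2.10-198.51.100.1/require;

# Mirror for the inbound direction: anything that did not arrive through the
# tunnel fails the "require" check and is dropped, which is the default-drop
# behaviour for incoming plaintext that the message refers to.
spdadd 0.0.0.0/0 0.0.0.0/0 any -P in ipsec esp/tunnel/198.51.100.1-192.0.2.10/require;
```

With this SPD loaded, LAN neighbours, NFS and SMB servers on the local segment are unreachable except through the gateway, which is exactly the "bound to the target system" property attributed to L2TP earlier in the thread. The cost is the same as with L2TP: traffic for local resources either traverses the tunnel and comes back, or is dropped. Priority handling and the exact policy syntax differ between IPsec stacks, so check the platform's own documentation before relying on the ordering shown here.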