On Wed, 8 Mar 2000, Paul D. Robertson wrote:
> On Wed, 8 Mar 2000, John Adams wrote:
>
> > What about people working from home? Forget it. The only good solution is
> > to put the entire network into complete lockdown and run VPN for outside
> > access. Bring outside services in via encrypted sessions.
>
> VPNs put the encryption boundary on an untrusted host (that may not be
> owned or configured by the company) that is forced to connect to an
> untrustable network in the clear to initiate its session. That completely
> negates the phrase "complete lockdown" in my book.

Hmm, I guess you're configuring VPN differently than I am. Our VPN Server
is part of our firewall (PIX), but the certificate servers that grant
access to the network are on the inside of the firewall. The encryption
boundary is at the DMZ, and access beyond that is granted only if the
right certificates are present, verified through a 3rd party CA.
-john