Greetings:

[EMAIL PROTECTED] said:

> > VPNs put the encryption boundary on an untrusted host (that may not be
> > owned or configured by the company) that is forced to connect to an
> > untrustable network in the clear to initiate its session.  That
> > completely negates the phrase "complete lockdown" in my book.

> Hmm, I guess you're configuring VPN differently than I am. Our VPN
> Server is part of our firewall (PIX), but the certificate servers that
> grant access to the network are on the inside of the firewall. The
> encryption boundary is at the DMZ, and access beyond that is granted
> only if the right certificates are present, verified through a 3rd
> party CA. 

No, you and Paul are looking at different ends of the VPN tunnel.

The untrusted host that he refers to is the end in the home office, which may 
not be a company owned box, and which is almost certainly less well secured 
than the end point at the enterprise.

By extending trust out to the home office, you have effectively reduced the 
strength of that trust web to the security level of the home office.

AL
-- 
+--------------------------------------------------------------------+
| Al Potter                           Manager, Network Security Labs |
| apotter at-yay icsa ot-day net                           ICSA Labs |
| (If the spambots learn piglatin...)                                |
| PGP Key: 0x58C95451                            http://www.icsa.net |
| PGP Fingerprint:  D3 1D BE 8C B5 DD 12 61  5A 4A 65 32 93 E5 D9 36 |
+--------------------------------------------------------------------+

