On Wed, 27 Feb 2002, Alvin Oga wrote:

        [SNIP]

> dumb question ...
>       - why is VPN needed ??? ssh seems to do everything i need
>       - if it's (VPN) for network neighborhood to go browsing...
>        shoot it/kill it/stomp it (network neighborhood)...
>

Unless ssh is terminated on the outside <so it's decrypted prior to
entering the network>, dgillett's point was you do not really know what is
passing across the firewall or network perimeter.  Thus, most folks tend
to do their VPN terminations outside, on a controlled DMZ system, so that
the decrypted traffic can be subject to the rules of the perimeter
inspection tools in place to enforce the site's security policy.  SSH
through the perimeter devices tends to tunnel traffic much as HTTP does,
making it hard to inspect and know what is traversing the outside
connection(s).  Unless of course I read his last response to you
incorrectly.  Few admins these days feel comfortable in trusting their
users to know and do the right things on traffic they cannot inspect;
they all tend to want to snoop the wires inside and out...

Thanks,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
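The mail above argues that SSH crossing the perimeter carries traffic the site cannot inspect. One thing an admin who still has to allow SSH through can check is whether the sshd on the endpoint even permits a session to relay traffic beyond its own shell. The following is an added example, not code from the original thread or from any list member: it parses an sshd_config the way sshd does (first occurrence of a keyword wins, keywords are case-insensitive, settings after a `Match` line are conditional) and reports every tunnelling-related directive still left enabled, explicitly or by OpenSSH's documented default. The two sample configs are constructed for the example; the directive names and defaults are OpenSSH's.

```python
"""Audit an sshd_config for directives that let a session carry tunnelled traffic.

Added example; the sample configs below are constructed, not taken from the mail.
OpenSSH semantics assumed: keywords are case-insensitive, the first occurrence
of a keyword wins, and an absent keyword takes the default in TUNNEL_DEFAULTS
(OpenSSH's documented defaults for these directives).
"""

# Directives that let an ssh session relay traffic other than its own shell,
# paired with OpenSSH's default when the directive is absent from the file.
TUNNEL_DEFAULTS = {
    "allowtcpforwarding": "yes",          # -L / -R / -D port forwards
    "allowstreamlocalforwarding": "yes",  # Unix-domain socket forwards
    "permittunnel": "no",                 # tun(4) layer-2/3 tunnels (ssh -w)
    "gatewayports": "no",                 # remote forwards bound beyond loopback
    "allowagentforwarding": "yes",        # agent socket relayed to the server
    "x11forwarding": "no",                # X11 channel relayed to the client
}

# For each directive, the one value that denies the capability outright;
# anything else ("yes", "local", "remote", "clientspecified", ...) leaves
# some relaying possible.
TUNNEL_DENY = {key: "no" for key in TUNNEL_DEFAULTS}


def parse_sshd_config(text):
    """Return the effective global directives as {lowercased keyword: value}.

    Follows sshd_config(5): blank lines and '#' comments are skipped, the
    first occurrence of a keyword wins, and everything from the first 'Match'
    line onward is conditional, so it is not part of the global settings.
    Only the 'Keyword value' whitespace form is handled here.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "match":
            break  # per-user/host overrides start here; global scope ends
        effective.setdefault(keyword, value)  # first occurrence wins
    return effective


def tunnelling_exposure(text):
    """Return a sorted list of (directive, effective_value) for every
    tunnelling capability the config leaves enabled, whether by an explicit
    setting or by falling back to the OpenSSH default."""
    cfg = parse_sshd_config(text)
    exposed = []
    for key, default in TUNNEL_DEFAULTS.items():
        value = cfg.get(key, default).lower()
        if value != TUNNEL_DENY[key]:
            exposed.append((key, value))
    return sorted(exposed)


# Constructed sample: a stock-looking config that never mentions forwarding,
# so every tunnelling directive silently takes its default.
DEFAULT_STYLE_CONFIG = """
# sshd_config -- constructed sample
Port 22
PermitRootLogin no
PasswordAuthentication no
Subsystem sftp /usr/lib/openssh/sftp-server
"""

# Constructed sample: a perimeter bastion meant to offer a shell and nothing
# else.  The late duplicate and the Match block show why first-wins and
# Match handling matter when auditing.
HARDENED_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
AllowTcpForwarding no
AllowStreamLocalForwarding no
PermitTunnel no
GatewayPorts no
AllowAgentForwarding no
X11Forwarding no
# sshd ignores this later duplicate: the first occurrence above wins.
AllowTcpForwarding yes
Match User backup
    AllowTcpForwarding local
"""

if __name__ == "__main__":
    for name, cfg in (("default-style", DEFAULT_STYLE_CONFIG),
                      ("hardened", HARDENED_CONFIG)):
        exposed = tunnelling_exposure(cfg)
        print(f"{name}: {exposed if exposed else 'no tunnelling left enabled'}")
```

The check is only about what sshd itself will relay; a user with an interactive shell on the endpoint can still run their own relay, which is exactly why the mail prefers decrypting on a controlled DMZ host in front of the inspection tools rather than trusting the tunnel endpoint.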
