
    RE: IPsec Usage Question

    Excerpt of message (sent 1 February 2002) by CAVANNA,VICENTE V (A-Roseville,ex1):
    >  I am one of those who think an IPSEC
    > tunnel to a gateway and then an unsecured path to the storage device is not
    > enough security for storage traffic but the reality is that this may be the
    > only security available initially.
    > In fact it is possible that we have nested tunnels and we may be dealing
    > with more than two IP addresses.
    Nested tunnels is certainly one example.  But there are other reasons:
    1. You mention a preference for having end to end (rather than gateway
    to somewhere) security.  That's one valid preference.  But in general
    the choice of what is required is driven, among other things, by a
    threat analysis.  Threats differ for different installations; one size
    does not fit all.  There will be plenty of sites where the threat
    analysis says that a security gateway (protecting traffic going beyond
    a security boundary) is the correct solution.
    2. One reason why practical IPsec installations show a preference for
    security gateways is that it reduces the number of places where
    security must be managed.  Security management is one of the hardest
    management jobs.  (This is one of the serious problems with mandating
    security everywhere!)  So network administrators generally put a
    security gateway in a suitable spot, and lavish a lot of attention on
    configuring that correctly and carefully.  The resulting secure
    channel then protects lots of other nodes at little or no extra cost.


Last updated: Sun Feb 03 18:18:03 2002