Firewall Wizards mailing list archives

Re: Opinions on VPN?


From: "Rodney van den Oever" <roever () nse simac nl>
Date: Wed, 21 Apr 1999 22:26:58 +0200

 I incorporated a similar design in a previous incarnation.  Keep in mind
that it really depends on the business case.  The downside in this design
is that the "secret" data is in clear text on the firewall while it is being
evaluated.  Thereby making it available to anyone with firewall access
(good guys or bad guys).  In the banking community this information can be
account numbers and "secret" passwords.  Or in business implementations it
could be credit card information, etc.  Using the "need to know" principle,
do these folks have a need to know this information?  I struggled with this
design for a while - decrypt on the firewall or allow encrypted traffic
through.  There are risks either way.  Your mileage may vary; only your
business case knows for sure.

Then I guess you would need to have the data encrypted at the application
layer on the originating host (the internal server) first, because it would
be sent out across the local network in clear text, where other
administrators or evil users could run a sniffer (or IDS).

The firewall then encrypts the data again, thereby hiding the actual
IP addresses as well as the original data, at the cost of additional
packet overhead (the packet will get a lot bigger as well, requiring
fragmentation).

--
Rodney van den Oever / 0x06 3547CA1 / PGP Key ID 0x0A6CCE53
'Windows 2000: the 1623 part Swiss Army knife for customers who only want to
pare an apple'
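The size growth described in the post above, worked through as an added example (not part of the original thread): the internal host's packet, already carrying application-layer ciphertext, is wrapped a second time by the firewall's VPN. The post names no VPN technology, so the model below assumes IPsec ESP in tunnel mode with AES-CBC and HMAC-SHA1-96 over IPv4 without options; the header and trailer sizes are the RFC 4303 / RFC 4106-era values for that combination, and the 1500-byte MTU is an assumed Ethernet path. It computes the encapsulated size, how many IPv4 fragments result, and the largest inner payload that still fits unfragmented, which is the number you would use to clamp TCP MSS on the inside.

```python
"""Tunnel-mode ESP size growth for a packet that is already encrypted at the
application layer. Added example; assumes IPsec ESP, AES-CBC, HMAC-SHA1-96,
IPv4 without options, and an Ethernet-sized MTU (none of this is stated in
the thread)."""
from dataclasses import dataclass
import math

IPV4_HEADER = 20        # outer and inner IPv4 header, no options
ESP_HEADER = 8          # SPI (4) + sequence number (4)
AES_BLOCK = 16          # AES-CBC IV length and padding granularity
ESP_TRAILER = 2         # pad length (1) + next header (1)
HMAC_SHA1_96_ICV = 12   # truncated integrity check value
MTU = 1500              # assumed path MTU


@dataclass
class EspSize:
    inner_packet: int   # bytes of the original IP packet entering the tunnel
    esp_packet: int     # bytes on the wire after tunnel-mode ESP
    fragments: int      # IPv4 fragments needed to carry esp_packet over MTU


def fragment_count(total: int, mtu: int) -> int:
    """Number of IPv4 fragments for a packet of `total` bytes over `mtu`."""
    if total <= mtu:
        return 1
    # Every fragment except the last carries a multiple of 8 payload bytes.
    per_fragment = (mtu - IPV4_HEADER) // 8 * 8
    return math.ceil((total - IPV4_HEADER) / per_fragment)


def esp_tunnel_size(inner_payload: int, mtu: int = MTU) -> EspSize:
    """Size of a tunnel-mode ESP packet whose inner IP payload (transport
    header plus data, already ciphertext from the application layer) is
    `inner_payload` bytes long."""
    inner = IPV4_HEADER + inner_payload
    # Inner packet plus ESP trailer is padded up to a whole cipher block.
    padded = math.ceil((inner + ESP_TRAILER) / AES_BLOCK) * AES_BLOCK
    esp = IPV4_HEADER + ESP_HEADER + AES_BLOCK + padded + HMAC_SHA1_96_ICV
    return EspSize(inner, esp, fragment_count(esp, mtu))


def max_unfragmented_payload(mtu: int = MTU) -> int:
    """Largest inner IP payload whose tunnel packet still fits in `mtu`.
    Subtract the transport header (20 for TCP) to get an MSS clamp value."""
    for payload in range(mtu, 0, -1):
        if esp_tunnel_size(payload, mtu).esp_packet <= mtu:
            return payload
    return 0


if __name__ == "__main__":
    # A full-size 1500-byte internal packet (1480 bytes after its IP header)
    # no longer fits once the firewall wraps it.
    full = esp_tunnel_size(1480)
    print(f"inner {full.inner_packet} B -> on wire {full.esp_packet} B, "
          f"{full.fragments} fragments")
    print(f"largest unfragmented inner payload: {max_unfragmented_payload()} B")
```

The double encryption itself does not hide the growth: application-layer ciphertext is still opaque bytes to ESP, which pads and wraps it like any other payload. Clamping the inside MSS to the value from `max_unfragmented_payload` minus the TCP header avoids the fragmentation the post warns about, and fragments are also the case a stateful firewall or IDS handles least reliably.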



