Firewall Wizards mailing list archives
Re: Link encryptors vs. IPSec
From: Rick Smith at Secure Computing <rick_smith () securecomputing com>
Date: Mon, 27 Aug 2001 16:31:11 -0500
Just back from vacation, I read the question from George Capehart:
> The requirement is to provide over-the-wire privacy between two organizations. ... The two classes of options to solve the problem seem to be:
>
> - Use link encryptors (like Cylink) between the routers and the telecomm interfaces, or
> - Use IPSec on the public side of the routers.
>
> I am agnostic with respect to the solution. I have a personal bias, but it's based on the KISS principle and it seems to me that the link encryptor option is a little simpler than is using IPSec. At least that has been my (admittedly limited) experience.
I suspect it's a toss-up. You probably want to go with whatever the administrative people feel most comfortable with. The big pain will be key management, so pick the one with the cleanest key management support, given the ways the two sites interact (i.e. can you quickly and safely exchange the keys you need).
IPSEC (or some evolved variant of it) may prove to be the ultimate long-term solution, but it'll go through a few rounds of major upheaval in the next few years anyway. So you'll have to overhaul things eventually regardless of whether you choose IPSEC immediately or choose link encryption that is eventually replaced by IPSEC.
Rick.
smith () securecomputing com
roseville, minnesota
"Authentication" coming in October
http://www.visi.com/crypto/