Firewall Wizards mailing list archives

Re: Link encryptors vs. IPSec


From: Rick Smith at Secure Computing <rick_smith () securecomputing com>
Date: Mon, 27 Aug 2001 16:31:11 -0500

Just back from vacation, I read the question from George Capehart:

The requirement is to provide over-the-wire privacy between two
organizations.  ... The two classes of options to solve the
problem seem to be:
 - Use link encryptors (like Cylink) between the routers and the
telecomm interfaces, or
 - Use IPSec on the public side of the routers.

I am agnostic with respect to the solution.  I have a personal bias, but
it's based on the KISS principle and it seems to me that the link
encryptor option is a little simpler than is using IPSec.  At least that
has been my (admittedly limited) experience.

I suspect it's a toss-up. You probably want to go with whatever the administrative people feel most comfortable with. The big pain will be key management, so pick the one with the cleanest key management support, given the ways the two sites interact (i.e. can you quickly and safely exchange the keys you need).

IPSEC (or some evolved variant of it) may prove to be the ultimate long-term solution, but it'll go through a few rounds of major upheaval in the next few years anyway. So you'll have to overhaul things eventually regardless of whether you choose IPSEC immediately or choose link encryption that is eventually replaced by IPSEC.

Rick.
smith () securecomputing com          roseville, minnesota
"Authentication" coming in October http://www.visi.com/crypto/

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards

