Firewall Wizards mailing list archives
Re: IP-VPN/VoIP
From: Paul Cardon <paul () moquijo com>
Date: Mon, 02 Jul 2001 23:57:25 -0400
Lucas Thompson wrote:
> If you're using a secure VPN then it's not really a security hole to allow a range of ports only across the tunnel?
Maybe it isn't a security hole in some situations, but that ultimately depends on the security policies of the networks at each end of the tunnel. I work for an organization where that IS considered a hole unless additional controls are in place. Those controls must be documented and measurable in order for an exception to be granted.

If the network at one end of the tunnel is simply an extension of the network at the other end then a firewall probably isn't even necessary. If the endpoints belong to different organizations with very different security policies then a firewall is one of the most important mechanisms to manage that policy.

A primary VPN function is to preserve confidentiality. Yes, they are often used in conjunction with some kind of authentication, but once you have a tunnel established that can carry arbitrary IP traffic, something else needs to enforce the policy for what kind of traffic you wish to allow into your network.

-paul
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards