Firewall Wizards mailing list archives

Re: stealth firewalls


From: Valerie Anne Bubb <Valerie.Bubb () Sun COM>
Date: Fri, 18 Jan 2002 13:08:00 -0800 (PST)


From: "Volker Tanger" <volker.tanger () discon de>
To: ark () eltex ru
Date: Fri, 18 Jan 2002 12:31:50 +0100

VPN peers are not required to be visible from VPN itself.

You can build a bridge that will take packet from (bridging) interface 0 on
machine A, encapsulate and encrypt it, send it via interface 1 to machine B's 
interface 1, that will decrypt it and send out via interface 0 on machine B,
and vice versa.


Yes - but A1 and B1 have visible IP interfaces to the rest of the world 
between them - thus A and B are no longer stealth firewalls by 
definition? At least if using standard VPN like IPsec?

No, not necessarily.  They need access to an otherwise unused
IP address that can be used for tunnelling, so they can rewrite
the headers - but this IP address will not actually belong to
any machine.

Also, if you don't want to tunnel (just encrypt, leaving original
IP headers intact) you don't even need that IP address.


As for A0 and B0, yes, that part was understood. Albeit I prefer 
"proper" (i.e. normal) routing over bridging. Makes debugging network 
connections easier IMHO.

I think someone else already mentioned this, but it is easier
to place a stealth or bridging firewall into an existing 
network, or to subdivide two parts of the same network (the
end hosts don't need any knowledge of the device, and will not
need to change their routing).

Valerie
--
valerie.bubb () sun com
bubb () bubb org

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
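The point made above, that a bridging firewall can be dropped into an existing segment without the end hosts noticing, is easiest to see in a concrete ruleset. The following nftables configuration is an added example written for this archive page; it is not from the thread or from any of its participants. It assumes a Linux host with two NICs, eth0 (outside) and eth1 (inside), both enslaved to a bridge br0 that is deliberately given no IP address (created with `ip link add br0 type bridge`, `ip link set eth0 master br0`, `ip link set eth1 master br0`, `ip link set br0 up`, and no `ip addr add`). The internal server address 192.0.2.10 is a constructed placeholder. Because the filtering happens in the bridge family rather than the ip family, the device forwards frames at layer 2, has no address to probe, and the hosts on either side keep their existing routes.

```nft
#!/usr/sbin/nft -f
# Added example, not part of the original thread.
# Transparent (stealth) bridge firewall: eth0 = outside, eth1 = inside,
# both enslaved to br0, which carries no IP address of its own.
flush ruleset

table bridge filter {
    chain forward {
        # Hook on bridged frames; anything not explicitly allowed is dropped.
        type filter hook forward priority 0; policy drop;

        # ARP must pass or the two halves of the segment stop resolving each other.
        ether type arp accept

        # Return traffic for flows we already allowed, in either direction.
        ct state established,related accept

        # Inside hosts may open new TCP/UDP/ICMP connections outward.
        iifname "eth1" oifname "eth0" ip protocol { tcp, udp, icmp } ct state new accept

        # From outside, only the internal web server (placeholder address) is reachable.
        iifname "eth0" oifname "eth1" ip daddr 192.0.2.10 tcp dport { 80, 443 } ct state new accept

        # Everything else is logged and counted before being dropped,
        # which gives the operator visibility without the box answering anyone.
        log prefix "bridgefw-drop: " counter drop
    }
}
```

Load it with `nft -f` and confirm the stealth property with `ip addr show br0`, which should list no inet or inet6 address. Connection tracking in the bridge family relies on the kernel's nf_conntrack_bridge support (Linux 5.3 and later); on older kernels the `ct state` rules must be replaced with stateless port and flag matches, which is exactly the debugging trade-off the thread alludes to when it prefers routed setups.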

