Firewall Wizards mailing list archives

Re: IPsec and firewalls


From: carson () tla org
Date: Sat, 7 Feb 1998 19:56:40 -0500 (EST)

"Aleph" == Aleph One <aleph1 () dfw dfw net> writes:

Aleph> and RCS1826). I was just talking to someone about this at USENIX. I see a
Aleph> market for someone that implements an ISAKMP daemon that supports
Aleph> transferring keys to a trusted third party. Of course this brings you all
Aleph> the same headaches that Kerberos does, having to maintain a secured machine
Aleph> with possibly all session keys, but hopefully your firewall maintains that
Aleph> level of security so it should not add many more risks. Probably any such
Aleph> protocols between the ISAKMP server and the firewall should be standardized
Aleph> by an RFC. Anyone have any comments?

_Every_ authentication scheme relies on a trusted 3rd party of some
sort. The only question is who is trusted, and when that trust must be
validated. If you make your proxy/firewall/nat/whatever a trusted CA, you
can proxy just about anything, including stripping ActiveX from HTTP over
SSL sessions. I agree that it would be nice for this "trusted spoofing" or
"friendly man in the middle" approach to be designed in rather than
reverse-engineered.

-- 
Carson Gaspar -- carson () cs columbia edu carson () tla org carson () cugc org
http://www.cs.columbia.edu/~carson/home.html
Queen Trapped in a Butch Body
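The "friendly man in the middle" Carson describes works only because the clients behind the firewall trust the firewall's CA. The script below is an added illustration, not code from this thread or from any product discussed in it: the firewall runs its own CA, mints a certificate for a host it wants to intercept, and the same forged certificate is accepted by a client whose trust store contains the firewall CA and rejected by one whose trust store does not. It assumes the openssl command-line tool and mktemp; the CA names, the hostname www.example.com and the file layout are made up for the example.

```shell
#!/bin/sh
# Added illustration (not from the mailing-list thread): a firewall acting as
# its own CA mints certificates on demand for hosts it intercepts. Whether a
# client accepts the minted certificate depends only on whether the firewall's
# CA is in that client's trust store. Requires the openssl CLI.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

# Build a self-signed CA named $1 (produces $1.key and $1.pem).
make_ca() {
  name="$1"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$name.key" -out "$name.csr" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$name.ext"
  openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 365 \
    -extfile "$name.ext" -out "$name.pem" >/dev/null 2>&1
}

# Mint a leaf certificate for host $1 signed by CA $2: what the intercepting
# proxy does the first time a client asks for that host.
mint_cert() {
  host="$1"; ca="$2"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$host.key" -out "$host.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$host" > "$host.ext"
  openssl x509 -req -in "$host.csr" -CA "$ca.pem" -CAkey "$ca.key" \
    -CAcreateserial -days 30 -extfile "$host.ext" \
    -out "$host.pem" >/dev/null 2>&1
}

# Would a client whose trust store is $2 accept certificate $1?
# Returns 0 (accepted) or 1 (rejected), mirroring what a browser would do.
check_trust() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo "accepted: $1 against $2"
  else
    echo "rejected: $1 against $2"; return 1
  fi
}

make_ca firewall-ca      # the firewall's own CA (hypothetical name)
make_ca public-ca        # stands in for a client's ordinary trust store
mint_cert www.example.com firewall-ca   # hostname is a made-up example

check_trust www.example.com.pem firewall-ca.pem          # trusts the firewall
check_trust www.example.com.pem public-ca.pem || true    # does not
```

The second check is the practitioner's caveat: a client that has not been provisioned with the firewall CA sees a certificate error, so "trusted spoofing" has to be rolled out to every client's trust store, and anyone who obtains firewall-ca.key can mint certificates for any host those clients visit.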


