Firewall Wizards mailing list archives

Re: Communication Device Protocols from External router direct through Firewall


From: "Horvath, Kevin M." <KEVIN.M.HORVATH () saic com>
Date: Wed, 8 Nov 2006 10:45:02 -0500

Understood, but let me clarify the IPSec tunnels.  There are two options I am
referring to: one to the network (I should say) and one possibly to an
isolated dmz (being no other services) for syslogs, for example.  The first
option would be to a vpn concentrator or some other vpn device hanging off
of your firewall.

Regardless, the point is, all services should not enter your network, but if
for some reason (such as ssh or ipsec) they do, then they must go to a
dmz.

Cheers,
Kevin

-----Original Message-----
From: firewall-wizards-bounces () listserv cybertrust com
[mailto:firewall-wizards-bounces () listserv cybertrust com] On Behalf Of Frank
Knobbe
Sent: Tuesday, November 07, 2006 12:11 PM
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] Communication Device Protocols from External router
direct through Firewall

On Wed, 2006-11-01 at 01:11 -0500, Horvath, Kevin M. wrote:
[...], so now onto SSH.  SSH shouldn't be allowed, as this should only
be done via your LAN (specifically an ADMIN VLAN or, better yet, an
OOB connection) or over an IPSec tunnel.  Yes, it's encrypted once the
tunnel from the client to the server has been built, but why should you
allow anyone to attempt to make this connection externally?  It's a
recipe for disaster.  So even if you filter by source IP, there is
the potential to be spoofed, and then if you are running an older
version of SSH that is vulnerable to a remote exploit, you are sunk.

While I agree with most of your post, I don't think the last statement
is valid. I could counter that you should never let IPsec in from the
outside, especially since the disclosure of more IPSec flaws not too
long ago. Why would you want to expose your network like that?

SSH is a VPN protocol like others. It had flaws in the past, but so does
IPSec. So do other VPN protocols. There is no absolute security, which
I'm sure you know. SSH can be very safe on the Internet. Many words have
been written on secure SSH configurations, so I don't see a problem
using SSH as a VPN protocol. Personally, I'm more afraid of IPSec,
especially since everyone assumes it's safe when in reality it is not.

Regards,
Frank


-- 
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
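Kevin's rule that nothing from the outside terminates on the internal network, with IPsec landing on a concentrator in the DMZ and SSH administration confined to the admin VLAN, written out as a reviewable iptables FORWARD policy. This is an added example, not code from the thread; the interface names, addresses and the choice of iptables are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the mailing list post: dry-run generator for an
# iptables FORWARD policy encoding "external services terminate in a DMZ,
# SSH administration only from the admin VLAN". All names and addresses
# below are assumed/constructed values, not taken from the thread.
WAN=eth0      # Internet-facing interface
DMZ=eth1      # DMZ holding the VPN concentrator
LAN=eth2      # internal network
ADMIN=eth3    # admin VLAN / OOB management network
VPN_GW=192.0.2.10      # assumed VPN concentrator address in the DMZ
LAN_NET=10.0.0.0/24
ADMIN_NET=10.9.0.0/24

# Print the rules rather than applying them, so the policy can be reviewed
# (or later piped to sh on the firewall) without root or a live netfilter.
emit_rules() {
  cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# IPsec from outside terminates only on the DMZ concentrator: IKE, NAT-T, ESP
iptables -A FORWARD -i $WAN -o $DMZ -d $VPN_GW -p udp -m multiport --dports 500,4500 -j ACCEPT
iptables -A FORWARD -i $WAN -o $DMZ -d $VPN_GW -p esp -j ACCEPT
# SSH to internal hosts only from the admin VLAN, or from the concentrator
# (i.e. traffic that has already arrived inside an IPsec tunnel)
iptables -A FORWARD -i $ADMIN -o $LAN -s $ADMIN_NET -d $LAN_NET -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -i $DMZ -o $LAN -s $VPN_GW -d $LAN_NET -p tcp --dport 22 -j ACCEPT
# Anything from the Internet aimed straight at the internal network is logged, then dropped
iptables -A FORWARD -i $WAN -o $LAN -j LOG --log-prefix "WAN->LAN denied: " --log-level 4
iptables -A FORWARD -i $WAN -o $LAN -j DROP
EOF
}

# Review helper: number of ACCEPT rules letting WAN traffic straight into the
# LAN. Under the policy above this must be 0 (the "|| true" keeps grep -c's
# exit status 1 on a zero count from aborting a "set -e" caller).
wan_to_lan_accepts() {
  emit_rules | grep -v '^#' | grep -- "-i $WAN -o $LAN" \
    | grep -c -- '-j ACCEPT' || true
}

# Review helper: number of ACCEPT rules for traffic entering on the WAN that
# do not lead into the DMZ. Must be 0: everything external lands in the DMZ.
wan_accepts_outside_dmz() {
  emit_rules | grep -v '^#' | grep -- "-i $WAN" | grep -- '-j ACCEPT' \
    | grep -vc -- "-o $DMZ" || true
}
```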
