IPSEC == end of firewalls (was Re: (fwd) e$: PBS NewsHour, Path Dependency, IPSEC, Cyberdog, and the Melting of Mr.)

Simon Spero ses at tipper.oit.unc.edu
Mon Jan 22 23:01:19 PST 1996


I tend to oscillate between the two positions; at the moment I think that 
firewalls are still needed with IPSEC.

Firewalls cannot be removed if

	1) You need to control outbound as well as inbound traffic.
	2) There are still non-IPSEC machines on the network.
	3) There are network services on IPSEC machines that do not 
	   understand IPSEC security, and which cannot be easily secured 
	   through IPSEC-aware wrappers.

I can't see any way to cope with the first problem; however, the latter two 
are legacy headaches, which tend to clear up given time.

What I do see happening is more and more IPSEC machines moving out into
a quasi-DMZ as it becomes much easier to make ordinary machines secure 
enough to go over-the-top; however, it'll take more than just IPSEC to 
make this fool-proof enough to move everybody out there.

One worry I do have is that if such a machine is misconfigured it could 
cause more damage as that machine is trusted more because it's using 
IPSEC. 

Simon


;; square-and-multiply: recursion depth is O(log y) for even y
(defun modexpt (x y n) "computes (x^y) mod n"
  (cond ((= y 0) 1)
        ((= y 1) (mod x n))
        ((evenp y) (mod (expt (modexpt x (/ y 2) n) 2) n))
        (t (mod (* x (modexpt x (1- y) n)) n))))
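The three conditions above can be made concrete with a toy perimeter filter. The following is an added example, not code from the post or from any IPsec implementation; the hosts, addresses, ports and policy are constructed for illustration. It shows what a packet filter can still decide once traffic is carried in ESP or AH (direction and peer, from the outer IP header) and what it no longer sees (the service inside the tunnel), which is why condition 1 keeps the firewall and conditions 2 and 3 push the checking onto the end host.

```python
# Added example (not part of Simon Spero's post): a toy perimeter packet
# filter illustrating the three conditions under which a firewall remains
# necessary alongside IPsec. All hosts, addresses and rules are constructed.

ESP, AH, TCP = 50, 51, 6  # IP protocol numbers; ESP and AH are the IPsec protocols

# Constructed inventory (conditions 2 and 3): which internal hosts speak
# IPsec, and which (host, port) services on them verify the security
# association themselves rather than relying on the perimeter.
IPSEC_HOSTS = {"10.0.0.5", "10.0.0.6"}
IPSEC_AWARE_SERVICES = {("10.0.0.5", 22)}

# Constructed egress policy (condition 1): internal hosts may only contact
# these external peers. Nothing in IPsec itself enforces this; only a
# chokepoint that sees all outbound traffic can.
ALLOWED_EGRESS_PEERS = {"192.0.2.10"}


def filter_packet(src, dst, proto, dport=None, outbound=False):
    """Return (verdict, reason) for one packet observed at the perimeter.

    For ESP/AH only the outer IP header is visible, so the filter can
    enforce direction and peer allow-lists but not the inner service.
    """
    if outbound:
        # Condition 1: outbound control is a perimeter job regardless of IPsec.
        if dst not in ALLOWED_EGRESS_PEERS:
            return ("drop", "egress peer not allowed")
        return ("accept", "egress peer allowed")

    if proto in (ESP, AH):
        # Condition 2: a non-IPsec host cannot process this traffic at all.
        if dst not in IPSEC_HOSTS:
            return ("drop", "IPsec traffic to a host that cannot process it")
        # The destination port is inside the tunnel; the service must check
        # the SA itself (condition 3), the perimeter cannot do it.
        return ("accept", "IPsec to IPsec host; inner service must check SA")

    if proto == TCP:
        # Constructed policy: plaintext is only admitted to services that
        # will themselves refuse sessions lacking an IPsec SA.
        if dst in IPSEC_HOSTS and (dst, dport) in IPSEC_AWARE_SERVICES:
            return ("accept", "IPsec-aware service enforces its own policy")
        if dst in IPSEC_HOSTS:
            return ("drop", "plaintext to non-IPsec-aware service on IPsec host")
        return ("drop", "plaintext to non-IPsec host")

    return ("drop", "unhandled protocol")


def hosts_fit_for_dmz():
    """Hosts whose every listed service is IPsec-aware could move out past
    the perimeter (the quasi-DMZ in the post); others still need it."""
    aware_hosts = {host for host, _ in IPSEC_AWARE_SERVICES}
    return sorted(IPSEC_HOSTS & aware_hosts)


if __name__ == "__main__":
    # Constructed packets, one per condition.
    samples = [
        ("10.0.0.5", "203.0.113.7", TCP, 80, True),   # outbound to unlisted peer
        ("198.51.100.2", "10.0.0.9", ESP, None, False),  # ESP to non-IPsec host
        ("198.51.100.2", "10.0.0.5", TCP, 25, False),    # plaintext to unaware service
        ("198.51.100.2", "10.0.0.5", TCP, 22, False),    # plaintext to aware service
    ]
    for pkt in samples:
        print(pkt, "->", filter_packet(*pkt))
    print("candidates for the quasi-DMZ:", hosts_fit_for_dmz())
```

The filter deliberately has no rule that could make the outbound case succeed without the perimeter: even a perfectly configured IPsec host has no say over what its own users connect to, which is the point the post makes about condition 1.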
