2.6 Will IPSEC make firewalls obsolete?
Some have argued that this is the case. Before pronouncing such a
sweeping prediction, however, it's worthwhile to consider what IPSEC
is and what it does. Once we know this, we can consider whether IPSEC
will solve the problems that we're trying to solve with firewalls.
IPSEC (IP SECurity) refers to a set of standards developed by the
Internet Engineering Task Force (IETF). There are many documents that
collectively define what is known as ``IPSEC'' [4]. IPSEC
solves two problems which have plagued the IP protocol suite for
years: host-to-host authentication (which will let hosts know that
they're talking to the hosts they think they are) and encryption
(which will prevent attackers from being able to watch the traffic
going between machines).
Note that neither of these problems is what firewalls were created to
solve. Although firewalls can help to mitigate some of the risks
present on an Internet without authentication or encryption, there are
really two classes of problems here: the integrity and privacy of the
information flowing between hosts, and the limits placed on what kinds
of connectivity are allowed between different networks. IPSEC
addresses the former class and firewalls the latter.
What this means is that one will not eliminate the need for the other,
but it does create some interesting possibilities when we look at
combining firewalls with IPSEC-enabled hosts: vendor-independent
virtual private networks (VPNs), better packet filtering (by filtering
on whether packets carry the IPSEC authentication header), and
application-layer firewalls with better means of host verification,
since they can use the IPSEC authentication header instead of ``just
trusting'' the IP address presented.
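The "better packet filtering" idea above, filtering on whether a packet carries the IPSEC authentication header, worked through as an added Python example (this is not code from the FAQ or from Vesaria). It parses a raw IPv4 packet and, for traffic entering a protected network, accepts it only if an Authentication Header (IP protocol 51) is present and its SPI belongs to a security association the firewall already knows about. The peer address, SPI, network and packets are all constructed for the example; the `known_sas` set stands in for whatever SA database a real firewall would consult.

```python
import ipaddress
import struct
from dataclasses import dataclass

IPPROTO_TCP = 6
IPPROTO_AH = 51   # IPsec Authentication Header
IPPROTO_ESP = 50  # IPsec Encapsulating Security Payload (not inspected here)


@dataclass
class Verdict:
    action: str   # "accept" or "drop"
    reason: str


def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload) from a raw IPv4 packet, or None if malformed."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    return src, dst, pkt[9], pkt[ihl:]


def parse_ah(payload: bytes):
    """Return (next_header, spi, seq, icv, inner) from an AH, or None if malformed."""
    if len(payload) < 12:
        return None
    next_hdr, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", payload[:12])
    # payload_len counts 32-bit words minus 2, so the whole AH is (payload_len + 2) * 4 bytes
    ah_len = (payload_len + 2) * 4
    if len(payload) < ah_len:
        return None
    return next_hdr, spi, seq, payload[12:ah_len], payload[ah_len:]


def filter_packet(pkt: bytes, known_sas: set, protected_net: str) -> Verdict:
    """Policy: anything entering the protected network must carry an AH whose
    (source, SPI) pair matches a security association the firewall knows about.
    The firewall does not hold the SA key, so it checks presence and SA identity
    only; verifying the integrity value stays with the receiving IPSEC host."""
    hdr = parse_ipv4(pkt)
    if hdr is None:
        return Verdict("drop", "malformed IPv4 header")
    src, dst, proto, payload = hdr
    if ipaddress.ip_address(dst) not in ipaddress.ip_network(protected_net):
        return Verdict("accept", "not destined for the protected network")
    if proto != IPPROTO_AH:
        return Verdict("drop", f"no AH on packet from {src} (IP protocol {proto})")
    ah = parse_ah(payload)
    if ah is None:
        return Verdict("drop", "truncated or malformed AH")
    next_hdr, spi, seq, _icv, _inner = ah
    if (src, spi) not in known_sas:
        return Verdict("drop", f"AH present but SPI {spi:#x} from {src} is not a known SA")
    return Verdict("accept", f"AH from {src}, SPI {spi:#x}, seq {seq}, inner protocol {next_hdr}")


# --- constructed sample traffic (built here for the example, not captured data) ---
def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_ah(next_hdr: int, spi: int, seq: int, icv: bytes) -> bytes:
    ah_len = 12 + len(icv)        # 12-byte fixed part plus ICV (12 bytes for HMAC-SHA1-96)
    assert ah_len % 4 == 0
    return struct.pack("!BBHII", next_hdr, ah_len // 4 - 2, 0, spi, seq) + icv


KNOWN_SAS = {("192.0.2.10", 0x1000)}          # (peer address, inbound SPI); assumed SA database
PROTECTED_NET = "10.0.0.0/24"                 # assumed inside network
ICV = b"\x00" * 12                             # placeholder ICV; a real sender computes it
TCP_STUB = b"\x00\x50\x1f\x90" + b"\x00" * 16  # minimal TCP header stub

PKT_AH_KNOWN = build_ipv4("192.0.2.10", "10.0.0.5", IPPROTO_AH,
                          build_ah(IPPROTO_TCP, 0x1000, 1, ICV) + TCP_STUB)
PKT_AH_UNKNOWN = build_ipv4("192.0.2.10", "10.0.0.5", IPPROTO_AH,
                            build_ah(IPPROTO_TCP, 0x9999, 1, ICV) + TCP_STUB)
PKT_PLAIN_TCP = build_ipv4("192.0.2.10", "10.0.0.5", IPPROTO_TCP, TCP_STUB)
PKT_OUTSIDE = build_ipv4("192.0.2.10", "198.51.100.7", IPPROTO_TCP, TCP_STUB)
PKT_TRUNCATED = build_ipv4("192.0.2.10", "10.0.0.5", IPPROTO_AH,
                           build_ah(IPPROTO_TCP, 0x1000, 1, ICV)[:8])

SAMPLES = [("ah_known", PKT_AH_KNOWN), ("ah_unknown", PKT_AH_UNKNOWN),
           ("plain_tcp", PKT_PLAIN_TCP), ("outside", PKT_OUTSIDE),
           ("truncated", PKT_TRUNCATED)]


def run_policy() -> dict:
    """Apply the policy to every sample and return {name: action}."""
    return {name: filter_packet(pkt, KNOWN_SAS, PROTECTED_NET).action for name, pkt in SAMPLES}


if __name__ == "__main__":
    for name, pkt in SAMPLES:
        v = filter_packet(pkt, KNOWN_SAS, PROTECTED_NET)
        print(f"{name:11s} {v.action:6s} {v.reason}")
```

The design point is the one the FAQ makes: the filter can tell that a packet is (or is not) IPSEC-protected and which SA it claims, which is a stronger basis for a rule than the source address alone, but only the host that shares the SA key can check the integrity value and confirm who actually sent it. Host verification in that full sense belongs to the IPSEC endpoint, or to a firewall that is itself an IPSEC endpoint for the connection.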
Vesaria
3640 Fords Lane, Suite D
Baltimore, MD 21215
443 - 501 - 4044