Great Circle Associates Firewalls
(January 1998)
 


Subject: Re: What _is_ a VPN, anyway? [Was: Re: Pushing the envelope...]
From: daemond @ ibm . net
Date: Thu, 15 Jan 1998 23:17:26 -0500 (EST)
To: Paul Ferguson <ferguson @ cisco . com>
Cc: Paul McNabb <mcnabb @ argus-systems . com>, connie . j . sadler @ lmco . com, firewalls @ GreatCircle . COM, Geoff Huston <gih @ telstra . net>
In-reply-to: <3 . 0 . 5 . 32 . 19980115161931 . 007cde80 @ lint . cisco . com>

Just had an idea on transferring keys to both parties securely: PGP.  Just
exchange public PGP keys, then use PGP to encrypt the keys for the VPN and
send them across via e-mail.  A hassle, but VERY safe.  Oh, and for the REALLY
paranoid: make your PGP public key (with the ASCII armor), then call the
other person and verbally tell them the letters.

-----------------------------------------------------------------------------
Geoff Gowey		| NetBSD: the best multi-platform OS 
daemond(at)ibm.net	| www.netbsd.org
*****************************************************************************
Spammers beware: I do not buy from companies that spam and I keep track!
Above policy STRICTLY ENFORCED!
*****************************************************************************
"All I ask is for the chance to prove that money can't buy me happiness"
or more simply put "SHOW ME THE MONEY!!!"

On Thu, 15 Jan 1998, Paul Ferguson wrote:

* ->As an aisde, I would like to remark that VPN's are not
* ->solely restricted to situations where encrypted
* ->relationships exist.
* ->
* ->Geoff Huston and I are working on a paper ("What is
* ->a VPN?"), which is about 80% complete, which we plan on
* ->submitting for ACM SIGCOMM'98. I'll submit a pointer to
* ->the list when the paper is completed, but the abstract
* ->is included below:
* ->
* ->Abstract - The term "VPN," or Virtual Private Network, has
* ->become almost as recklessly used in the networking industry
* ->as has "QoS" (Quality of Service) to describe a broad set of
* ->problems and "solutions," when the objectives themselves have
* ->not been properly articulated.  This confusion has resulted
* ->in a situation where the popular trade press, industry pundits,
* ->and vendors and consumers of networking technologies alike,
* ->generally use the term "VPN" as an offhand reference for a set
* ->of different technologies.  This paper attempts to provide a
* ->common sense definition of a VPN, and an overview of different
* ->approaches to building them. While this paper is principally
* ->concerned with VPN's in a TCP/IP network environment,
* ->it is recognized that VPN's encompass essentially all types
* ->of protocols, and a brief overview of non-IP VPN's is also
* ->provided.
* ->
* ->- paul
* ->
* ->At 09:50 AM 1/13/98 -0600, Paul McNabb wrote:
* ->
* ->>
* ->>VPNs are great solutions but they have some restrictions.  For a VPN
* ->>to work, both sides have to have some kind of key.  Aside from the
* ->>key management issues, VPNs only work when you can be sure of having
* ->>a limited, or at least known, set of machines on the outside connecting
* ->>to your inside server.  If you are providing extranet services to an
* ->>potentially unlimited number of partner computers, the VPN management
* ->>can become pretty unwieldy.
* ->>
* ->>A combination of a VPN, an access token (such as SecureID), and a good
* ->>firewall can be very powerful, but even then you are going to need to
* ->>protect the server host itself.  By definition you are going to have a 
* ->>bunch of "authorized" users using one or more network services on a
* ->>machine and subnet that are sensitive.  Bugs in network daemons and
* ->>applications, systems configuration problems, and other concerns could
* ->>allow "authorized" but malicious users to break your security.
* ->>
* ->
* ->
* ->--
* ->Paul Ferguson                                           ||        ||
* ->Consulting Engineering                                  ||        ||
* ->Herndon, Virginia   USA                                ||||      ||||
* ->tel: +1.703.397.5938                               ..:||||||:..:||||||:..
* ->mailto:ferguson @ cisco . com                          c i s c o S y s t e m s
* ->
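The "call the other person and read them the letters" step from the post above, as an added example that is not part of the original thread. It reads out the key's V4 fingerprint (RFC 4880 section 12.2) rather than the whole armored block: each side computes the fingerprint from the key it actually holds, one side reads its ten groups of four hex digits over the phone, and the other compares them with what it computed from the key that arrived by e-mail. The code strips the ASCII armor and checks its CRC-24 trailer (RFC 4880 section 6), parses the old-format packet header that gpg writes for key packets (the 0x99 byte behind the familiar leading "mQ"), and hashes 0x99, the two-octet length and the packet body with SHA-1. All function names are mine, and the two "keys" are constructed from hash output (a fake RSA modulus inside real packet framing); they are not usable keys, but a fingerprint only depends on the framing and the bytes.

```python
"""Added example, not from the 1998 thread: the "confirm the key by voice" step,
done on the key's V4 fingerprint (RFC 4880 12.2). Key material is CONSTRUCTED."""
import base64, hashlib, re, struct

def crc24(data: bytes) -> int:
    """CRC-24 of RFC 4880 section 6.1 (the reference bit-serial algorithm)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(packets: bytes, kind: str = "PGP PUBLIC KEY BLOCK") -> str:
    """ASCII armor without headers: 64-column base64 plus a CRC-24 trailer."""
    b64 = base64.b64encode(packets).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc = base64.b64encode(struct.pack(">I", crc24(packets))[1:]).decode()
    return "\n".join([f"-----BEGIN {kind}-----", "", *lines, "=" + crc,
                      f"-----END {kind}-----", ""])

def dearmor(text: str) -> bytes:
    """Strip the armor, verify the CRC-24 trailer, return the raw packets."""
    m = re.search(r"-----BEGIN ([^-]+)-----\n(.*?)-----END \1-----",
                  text.replace("\r\n", "\n"), re.S)
    if not m:
        raise ValueError("no armored block found")
    lines = m.group(2).split("\n")
    if "" in lines:                  # armor headers end at the first blank line
        lines = lines[lines.index("") + 1:]
    lines = [ln for ln in lines if ln]
    if not lines or not lines[-1].startswith("="):
        raise ValueError("missing CRC-24 trailer")
    data = base64.b64decode("".join(lines[:-1]), validate=True)
    if crc24(data) != int.from_bytes(base64.b64decode(lines[-1][1:]), "big"):
        raise ValueError("CRC-24 mismatch: the armored key was corrupted or edited")
    return data

def parse_old_header(data: bytes):
    """(tag, body offset, body length) of an old-format header, RFC 4880 4.2.1."""
    first = data[0]
    if (first & 0xC0) != 0x80:
        raise ValueError("not an old-format OpenPGP packet header")
    if (first & 0x03) == 3:
        raise ValueError("indeterminate length is not handled here")
    nbytes = 1 << (first & 0x03)     # 1, 2 or 4 length octets
    return (first >> 2) & 0x0F, 1 + nbytes, int.from_bytes(data[1:1 + nbytes], "big")

def v4_fingerprint(armored_key: str) -> str:
    """40 hex digits: SHA-1(0x99 || two-octet length || body) of the V4 key packet."""
    data = dearmor(armored_key)
    tag, start, length = parse_old_header(data)
    body = data[start:start + length]
    if tag != 6 or len(body) != length or body[:1] != b"\x04":
        raise ValueError("first packet is not a complete V4 Public-Key packet")
    return hashlib.sha1(b"\x99" + struct.pack(">H", length) + body).hexdigest().upper()

def spoken_form(fingerprint: str) -> str:
    """Ten groups of four hex digits, as gpg prints them; this is what you read out."""
    return " ".join(fingerprint[i:i + 4] for i in range(0, 40, 4))

def fingerprints_match(local: str, read_aloud: str) -> bool:
    """Compare the locally computed fingerprint with what the peer read to you."""
    return "".join(local.split()).upper() == "".join(read_aloud.split()).upper()

def armor_is_intact(armored_key: str) -> bool:
    """True when the block de-armors with a valid CRC-24."""
    try:
        return bool(dearmor(armored_key))
    except ValueError:
        return False

def corrupt_one_char(armored_key: str) -> str:
    """Alter one base64 character of the data, as a mangling mail client might."""
    lines = armored_key.split("\n")
    i = lines.index("") + 1          # the first data line follows the blank line
    lines[i] = ("B" if lines[i][0] != "B" else "C") + lines[i][1:]
    return "\n".join(lines)

def build_sample_key(modulus: bytes) -> bytes:
    """CONSTRUCTED V4 RSA Public-Key packet with an old-format 0x99 header."""
    modulus = modulus.lstrip(b"\x00")
    n_bits = (len(modulus) - 1) * 8 + modulus[0].bit_length()
    body = (b"\x04" + struct.pack(">I", 884916000) + b"\x01"   # v4, time, RSA
            + struct.pack(">H", n_bits) + modulus              # MPI n
            + struct.pack(">H", 17) + b"\x01\x00\x01")         # MPI e = 65537
    return b"\x99" + struct.pack(">H", len(body)) + body

def reference_fingerprint(packet: bytes) -> str:
    """Cross-check: for a 0x99-headed packet the fingerprint is SHA-1 of the packet."""
    return hashlib.sha1(packet).hexdigest().upper()

# Bob's genuine key, and a different key an attacker could substitute in transit.
GENUINE_PACKET = build_sample_key(hashlib.sha256(b"bob-constructed").digest() * 4)
MITM_PACKET = build_sample_key(hashlib.sha256(b"mallory-constructed").digest() * 4)
GENUINE_ARMORED, MITM_ARMORED = armor(GENUINE_PACKET), armor(MITM_PACKET)
```

Two points the example makes that the post leaves implicit. The CRC-24 trailer catches a key mangled in e-mail transit (the `corrupt_one_char` case), but it is not integrity protection: an attacker who swaps in their own key (`MITM_ARMORED`) produces a perfectly valid armored block, and only the fingerprint comparison over a second channel detects the substitution. In practice the 40 hex digits come from `gpg --fingerprint`; the parsing above shows what that number is a hash of.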


