On Sunday, February 2, 2003, at 03:41 PM, Dick St.Peters wrote:
> A DMZ with RFC1918 private-IP-space addressing? I'll grant that's
> imaginative ... kinda useless though.
Useless? Hardly. Most ISPs aren't handing out lots of IP space,
particularly to small customers these days. You do NAT for the couple
of boxes that you stick in the DMZ, unless the systems are being
accessed over the VPN. In this day & age, when ISPs are handing out a
/28 or even a /29, do you really want to blow additional IPs by further
subnetting an already small IP space? I'd file that one under "bad
planning". Plus, adding NAT gives you a bit more protection, granted
not a lot, but every little bit counts.
> The issue is that with VPN technologies other than IPsec you can point
> multiple routes through a single tunnel, whereas with IPsec you need a
> separate tunnel for each route ... for each pair of subnets or
> gateways you want to connect.
You only need an additional tunnel when you fail to plan your network
properly, but then again, we've already covered this.
> Other VPN technologies create tunnels that act like virtual wires.
> IPsec creates tunnels that act like virtual wires with filters that
> limit the connection to a specific subnet/gateway pair. With other
> VPN technologies you can add such filters if you want them, but with
> IPsec you can't remove them if you don't want them.
You seem confused. IPsec does not have any filtering built in. In
most cases, your IPsec tunnels are terminated on a firewall, which DOES
have filtering capabilities.
> As for interoperability, tunnels that act like virtual wires
> interoperate with anything wires do.
Yeah. Go on ahead and believe that if you like. Your company just
struck new partnerships with 3 companies, one with a Check Point
firewall, one with a Cisco Pix and another with an OpenBSD pf firewall.
While you're scrambling to add IPsec capabilities to your network, or
trying to convince your partners to run some solution that
interoperates with NOTHING, I'll be bringing the new tunnels online.
I'll be done in 10 minutes. You'll be done in... well, who knows when?
> IPsec tells you what you can't do. When dealing with real life
> networking, you want solutions you don't have to work around. You
> want to build your networking around your company's needs, not around
> IPsec's needs.
I've been building networks for 13 years, and VPNs for 7 years. I've
never once had to re-architect a network to deploy an IPsec VPN. Some
IPsec configurations have been easier than others, and those are the
ones done on *well-planned* networks.
> Personally, I suspect that in the long run, IPsec transport mode will
> prove more important than IPsec tunnel mode.
I'd agree with that, only if IPv6 ever takes off.
--
Jason Costomiris <><
E: jcostom {at} jasons {dot} org / W: http://www.jasons.org/
Quidquid latine dictum sit, altum viditur.
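The two planning arguments in the exchange above (don't carve a /28 or /29 into smaller public subnets for a DMZ, and a policy-based IPsec tunnel is bounded by its subnet-pair selectors, so contiguous, well-planned address space needs fewer of them) can be checked with a small calculator. This is an added example, not code from the thread or from any of the products it names; the prefixes are constructed documentation/RFC1918 ranges, and the "one address per subnet for the firewall interface" cost is an assumption stated in the code.

```python
import ipaddress
from itertools import product

# Assumption: every subnet spends its network address, its broadcast
# address and one address for the firewall/router interface.
PER_SUBNET_OVERHEAD = 3


def usable_hosts(network: str, subnets_wanted: int = 1) -> dict:
    """Compare usable host addresses when a small allocation is kept whole
    (NAT the DMZ hosts behind it) versus carved into equal subnets so the
    DMZ gets its own public subnet. subnets_wanted is rounded up to a
    power of two, because that is how prefix lengths work."""
    net = ipaddress.ip_network(network)
    whole = net.num_addresses - PER_SUBNET_OVERHEAD
    if subnets_wanted <= 1:
        return {"whole": whole, "split": whole, "lost": 0}
    new_prefix = net.prefixlen + (subnets_wanted - 1).bit_length()
    pieces = list(net.subnets(new_prefix=new_prefix))
    split = sum(p.num_addresses - PER_SUBNET_OVERHEAD for p in pieces)
    return {"whole": whole, "split": split, "lost": whole - split}


def ipsec_selector_pairs(local_subnets, remote_subnets) -> list:
    """Policy-based IPsec: each local/remote subnet combination is its own
    traffic selector pair, i.e. its own phase-2 SA pair. Returns the
    pairs the gateways would have to negotiate."""
    return [
        (ipaddress.ip_network(l), ipaddress.ip_network(r))
        for l, r in product(local_subnets, remote_subnets)
    ]


def aggregate(subnets) -> list:
    """Collapse a list of prefixes into the fewest covering prefixes.
    Contiguous, properly aligned subnets fold into one summary route;
    scattered ones do not."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def selector_pairs_after_planning(local_subnets, remote_subnets) -> int:
    """How many selector pairs remain once both sides summarise their
    address space before writing the IPsec policy."""
    return len(ipsec_selector_pairs(aggregate(local_subnets),
                                    aggregate(remote_subnets)))


if __name__ == "__main__":
    # Constructed sample: a /28 from the ISP, DMZ either NATed or given
    # its own /29.
    print(usable_hosts("192.0.2.0/28"))
    print(usable_hosts("192.0.2.0/28", subnets_wanted=2))

    # Constructed sample: two contiguous /24s on each side of a tunnel.
    ours = ["10.1.0.0/24", "10.1.1.0/24"]
    theirs = ["10.2.0.0/24", "10.2.1.0/24"]
    print(len(ipsec_selector_pairs(ours, theirs)), "selector pairs unplanned")
    print(selector_pairs_after_planning(ours, theirs), "after summarisation")

    # Constructed sample: non-contiguous subnets cannot be summarised.
    scattered = ["10.1.0.0/24", "10.1.7.0/24"]
    print(aggregate(scattered))
```

Splitting the /28 costs three of thirteen usable addresses, which is the "bad planning" the reply objects to. The selector-pair count drops from four to one only because the constructed subnets are aligned; the scattered pair in the last call stays as two prefixes, which is the case where an extra tunnel (or extra policy entry) really is unavoidable.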
--
redhat-list mailing list
https://listman.redhat.com/mailman/listinfo/redhat-list