Transport and Tunnel Mode
In configuring IPSec, one of the early decisions that must
be made is whether the session is a Tunnel or a Transport mode connection. This
distinction impacts other configuration decisions that have to be made.
Transport Mode
Transport mode is used between two end-host devices or between a remote host and a gateway
device, where the gateway is the actual destination device. An example of a
gateway device being the target destination would involve an encrypted Telnet
session to configure a router or a PIX Firewall. In either case, this is
basically a one-device-to-one-device connection. Figure 9-8 shows two possible
examples of a Transport mode connection. In VPN 1, administrator Nancy must be
able to access the perimeter router from home to check the status and make any
configuration changes. In VPN 2, Nancy needs to access a server to make user or
group account changes. In each case, a host-to-host connection exists.
Note: Both examples are offered with the warning that these
practices might be banned by a security policy. Allowing a VPN to pass through
any perimeter router and/or firewall to get directly into the protected LAN is
an especially risky proposition.
Transport Mode Encryption
In Transport mode, if encryption is performed, only the
upper-layer IP protocol fields (IP packet payload) are encrypted, leaving the IP
header untouched. The IP header must be left unencrypted so that the packet can be
routed through the network. Any device recording a packet in transit would be
unable to read the data, but could easily determine the source and destination
information.
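The following added example (not from the book, and not a real ESP implementation) builds a Transport mode ESP packet from a constructed IPv4 packet and then shows what a device recording it in transit can read: the original IP header (source, destination, protocol 50), the SPI and sequence number, but not the Telnet-style payload. The XOR keystream, the key, and the 192.0.2.10 / 198.51.100.1 addresses are assumptions standing in for a real cipher and real hosts.

```python
import struct
ESP_PROTO = 50  # IP protocol number carried in the IP header for ESP (RFC 4303)

def ipv4_checksum(hdr):
    """One's-complement checksum over the IPv4 header; checksum field is zeroed first."""
    hdr = bytes(hdr[:10]) + b"\x00\x00" + bytes(hdr[12:])
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4_header(pkt):
    """Return (header_len, protocol, src, dst) from a raw IPv4 packet."""
    fields = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (fields[0] & 0x0F) * 4
    src, dst = (".".join(map(str, a)) for a in fields[8:10])
    return ihl, fields[6], src, dst

def toy_transform(data, key):  # stand-in for the ESP cipher: XOR keystream, NOT secure
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def esp_transport_encapsulate(pkt, spi, seq, key):
    """Transport mode: the original IP header stays in the clear; only the payload is protected."""
    ihl, proto, _, _ = parse_ipv4_header(pkt)
    header, payload = bytearray(pkt[:ihl]), pkt[ihl:]
    # ESP trailer: padding to a 4-byte boundary, pad length, then the original next header (6 = TCP).
    pad_len = (-(len(payload) + 2)) % 4
    trailer = bytes(pad_len) + bytes([pad_len, proto])
    body = struct.pack("!II", spi, seq) + toy_transform(payload + trailer, key)
    header[9] = ESP_PROTO                                      # header now advertises ESP, not TCP
    struct.pack_into("!H", header, 2, ihl + len(body))        # new total length
    struct.pack_into("!H", header, 10, ipv4_checksum(header))  # header changed, so recompute checksum
    return bytes(header) + body

def observer_view(pkt, marker):
    """What a device recording this packet in transit can read; marker is a known cleartext string."""
    ihl, proto, src, dst = parse_ipv4_header(pkt)
    view = {"src": src, "dst": dst, "proto": proto, "payload_readable": marker in pkt[ihl:]}
    if proto == ESP_PROTO:  # the SPI and sequence number are also sent in the clear
        view["spi"], view["seq"] = struct.unpack("!II", pkt[ihl:ihl + 8])
    return view

# Constructed sample: Nancy's home host to the perimeter router, carrying a Telnet-style command.
PLAIN_PAYLOAD = b"show running-config\r\n"
_hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(PLAIN_PAYLOAD), 0x1234,
                             0x4000, 64, 6, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 1])))
struct.pack_into("!H", _hdr, 10, ipv4_checksum(_hdr))
SAMPLE_PACKET = bytes(_hdr) + PLAIN_PAYLOAD
PROTECTED = esp_transport_encapsulate(SAMPLE_PACKET, spi=0x1000, seq=1, key=b"constructed-key")
```

Comparing observer_view(SAMPLE_PACKET, b"show") with observer_view(PROTECTED, b"show") shows the same source and destination in both, with the command readable only in the first.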