HP3000-L Archives

February 2001, Week 3

HP3000-L@RAVEN.UTC.EDU

From: Sletten Kenneth W KPWA
Date: Sun, 18 Feb 2001 20:10:18 -0800

PFG @ yahoo asked:

> Has IPSec been implemented on MPE yet.  I have the
> need to ftp files from a vendor to one of our 3K's.
> The only way our vendor will let us do it is via an
> IPSec tunnel.

Mark B. already gave the current answer:  No.

I will add that this specific subject was discussed at some
length during SIGWEB at SIG3000 last week, and I believe
we had a general consensus of attendees that IPSec was the
"preferred solution" (Even though Bruce Schneier of Applied
Cryptography fame (now of www.counterpane.com) has a
number of reservations about the current implementation of
IPSec (overall complexity to manage and implement), he and
at least one of his collaborators also say that IPSec is a lot
better than anything else out there right now in this specific
area;  and that they hope future revisions will improve the
overall implementation).

Of course I leave it to Michael Gueterman to publish the final
post-SIG3000 SIGWEB list, and I did not take extensive notes
during SIGWEB.   But IIRC we collectively agreed to modify
what was SIGWEB "pre-SIG3000" Item # 11 ("Provide
standard encryption / decryption of files for transfer over a
network using ftp, etc.").  My recollection of the mod (which
may not be exactly the way the "official" rendition of the mod
comes out) was that it was going to specifically mention
TELNET in addition to FTP;  and at least mention IPSec as
the "leading candidate" for a solution.

<vested_interest_alert>:
Assuming specific mention of IPSec comes up on a SIGWEB
ballot item, I urge all to consider voting for this enhancement:
Even if you do not need it right now, it is a strategic hole in the
HP 3000 offering that needs to be filled;  and soon:  Without
going into details that I can't go very far into, large segments
of Government are likely to get considerably more restrictive
in the near future;  and essentially reach the same state as
PFG's vendor:  The only way FTP and TELNET will be allowed
outside a local firewall is via an IPsec tunnel;  compliance
will NOT be optional.  If the e3000 cannot do this, there will
be one more check-box that cannot be checked;  when
comparing e3000 to NT, etc....  and existing systems will face
the prospect of inserting another intermediate NT box and / or
partially disconnecting from even semi-local internal networks
(definition of "semi-local" cannot be more precisely defined in
this forum).

A port of IPSec to the e3000 is probably a "cross-SIG" issue
between SIGWEB and SIGMPE, but I don't particularly care
which SIG list it comes up on, as long as I get a chance to
vote for it somewhere....   :-)

Not-a-SIDEBAR:  During the SIGWEB@SIG3000 meeting,
HP pointed out that another benefit of doing encryption at the
transport / IP level was that all applications (HP and end-user)
can get the benefit WITHOUT having to be modified in any
way (a huge advantage, IMO).  That is not the case with other
options such as Kerberos, etc. (HP also mentioned that
implementing Kerberos in the real world had a high level of
complexity for the application).

I further second Wirt's original motion (somewhere in a recent
email): If an IPSec port to the e3000 is accomplished, that the
initial version at least be fully compatible with the Micro$oft
IPSec version that is bundled with Windows2000.  That should
take care of 95+ percent of the current e3000 user base...

Michael has not specifically called for a "user champion" for
the SIGWEB items, but if someone with more knowledge than
I have in this area (many of you, no doubt) does not speak up
and a champion is necessary to keep IPSec from dropping
off the list, I will try and fill that role.....  but since I have all the
items from the TurboIMAGE and HPSQL ballots to process
and make ready for voting, I really, *really* hope someone
else more qualified than I am will sign up as "champion" for
the IPSec item;  if said champion is still needed...  How about
you, PFG ????....    :-)

Ken Sletten
