Re: ATM PVC as security barrier

From: Shoten (shotenat_private)
Date: Thu May 10 2001 - 07:23:12 PDT

    Your assumption (about how traffic inside a VPN cannot interact with the
    routers it passes through and the devices that may happen to see it while
    encrypted) is correct.  I am not aware of methods, however, by which someone
    may break out of a PVC, but my gut reaction is to agree with you that a VPN
    is more secure.  The downside of this is if you implement IDS, you will need
    to put the sensors in places where they will see the traffic either before
    encryption or after decryption.
    
    And, er, one other thing...you might want to set up something akin to a
    hotmail account and post from that instead of your company email account.
    I'm not entirely sure that everyone who sees these postings is a good guy :)
    
    
    
    > Our network engineer proposed ATM PVC's as a means to route Internet traffic
    > across our corporate backbone. Obviously, the best approach is to carry the
    > Internet traffic on totally separate channels. However, we have to
    > distribute Internet access to far flung sites on our corporate owned
    > network, and network engineering does not want to pay for independent
    > communication channels. They insist on using the existing corporate network
    > infrastructure because it is already there. I proposed VPN's as more secure
    > than PVCs. Any other alternatives?  I am looking for feedback on using PVC's
    > versus VPN's as a security barrier between our corporate network and the
    > Internet. Note I am proposing that VPN's provide security in the reverse
    > direction than how they are typically used. Rather than protecting traffic
    > inside the VPN traversing an insecure network, I am proposing that a VPN
    > can protect a corporate network from the insecure Internet traffic confined
    > within the VPN. Is this a valid assumption? Note: both ends of the VPN
    > terminate at a firewall that we control. Comments?
    


