


There are basic levels of security and then it goes deeper from there.
There are many companies that have an IT person that ONLY handles security
screening and implementation.  It can be that specialized.

Disagreement typically lies in what one person thinks is adequate security
and the other thinks isn't.  A lot of it is perspective.  My typical
security philosophy is that 1) Security through obscurity is horribly wrong.
2) "breaking" routing and other basic ways networking works as opposed to
other lockdown methods is incorrect. 3) If you develop security holes
because the end user was able to break security rules, then you have no
security.

In your VPN example, I feel that you have to implement security assuming
that the person connecting to your VPN could be a bad guy.  So, with that in
mind, you lock down all information incoming and outgoing over that VPN to
only what is specifically necessary.  As an example, iSeries access only
needs several ports.  If that is all you are going to be doing over the VPN,
then NO data over any other port should traverse the connection.  That way,
if any virus or trojan is on your computer, it only has a chance if it
utilizes those ports.  Also, you lock it down based on the IP address you
are going to use.  So, not only do you lock down those ports to use, but
only allow the traffic to go over them if it is going to the IP address of
the iSeries.  This way, you essentially narrow down the security threat to
someone knowing a password and user ID, which is a problem a sysadmin can
ultimately never completely solve.  No matter how secure you make it, if
someone knows all the catch phrases, you have to let them in.

Now, with everything locked down properly, the risk of someone being on
the Internet at the same time is greatly lessened.  Plus, if you DON'T
implement the above procedures and your solution is to just kill their
Internet connection while they are VPNed, what happens if they manually
adjust their routing tables to get on the Internet?  Now you have no
protection because the end user was able to subvert it on their own.
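The port-and-address lockdown described above, and the point that a
client-side control can be undone by editing a routing table, as an added
example that is not code from the original post.  The rules are meant to
run on the VPN gateway (where the end user has no way to edit them), not on
the user's PC.  The tunnel interface name tun0, the iSeries address
10.0.0.5 and the list of allowed TCP ports are all assumptions standing in
for the "several ports" the message mentions; substitute the ports your
iSeries access actually uses.

```shell
#!/bin/sh
# Added example, not from the original post.  Interface, address and port
# list are assumptions; replace them with the values for your site.
VPN_IF="tun0"            # assumed tunnel interface on the VPN gateway
ISERIES="10.0.0.5"       # assumed address of the iSeries
ALLOWED_PORTS="23 449 8470 8471 8472 8473 8474 8475 8476"   # assumed ports

# Print the iptables commands that implement the lockdown.  Printing rather
# than executing lets the rules be reviewed first; apply with:  vpn_rules | sh
vpn_rules() {
    # Dedicated chain for everything that arrives from the tunnel
    echo "iptables -N VPN_IN"
    echo "iptables -A FORWARD -i $VPN_IF -j VPN_IN"
    # Toward the tunnel: only replies belonging to sessions already accepted
    echo "iptables -A FORWARD -o $VPN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -o $VPN_IF -j DROP"
    # From the tunnel: only the listed ports, and only when the destination
    # is the iSeries itself
    for p in $ALLOWED_PORTS; do
        echo "iptables -A VPN_IN -p tcp -d $ISERIES --dport $p -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
    done
    # Anything else from the tunnel, whatever host or port, is dropped.  A
    # user who reroutes Internet traffic into the tunnel gains nothing here.
    echo "iptables -A VPN_IN -j DROP"
}

# Pure-shell model of the same policy for one packet, so the logic can be
# checked offline without a firewall: prints ACCEPT or DROP.
vpn_policy() {
    dst="$1"
    port="$2"
    if [ "$dst" = "$ISERIES" ]; then
        for p in $ALLOWED_PORTS; do
            if [ "$port" = "$p" ]; then
                echo ACCEPT
                return 0
            fi
        done
    fi
    echo DROP
    return 0
}

vpn_rules
vpn_policy "$ISERIES" 23       # allowed port to the iSeries
vpn_policy "$ISERIES" 80       # wrong port, same host
vpn_policy 203.0.113.9 23      # right port, wrong host (constructed address)
```

The default is DROP in both directions on the tunnel, and the ACCEPT rules
carry both a destination address and a port, so a trojan on the remote PC
can only reach the iSeries, and only on the ports the legitimate client
uses.  Because the filter sits on the gateway, the routing-table trick in
the message above does not help the user: packets rerouted into the tunnel
still hit VPN_IN and are dropped.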

----- Original Message ----- 
From: "Dan Bale" <dbale@xxxxxxxxxxxxx>
To: "PC Technical Discussion for iSeries Users" <pctech@xxxxxxxxxxxx>
Sent: Thursday, August 05, 2004 9:47 AM
Subject: RE: [PCTECH] VPN questions


> Boy, I thought this was going to be a short thread!  It seems to be delving
> into such fine (low-level?) points of security that I can only rely on
> expert opinions, as opposed to making intelligent decisions.  It seems to
> me, decidedly non-expert in terms of security, that the several of you
> participating in this thread know what you're talking about.
>
> So I would just like to ask where some of you are in disagreement.  Is it
> simply a matter of opinion of the risk of exposure?  I acknowledge that
> there is risk involved in everything we do.  One of you might say that the
> risk of exposure of surfing the web locally while having a VPN connection to
> work is so miniscule that it's not worth worrying about, and someone else
> may feel that it is significant enough that it shouldn't be allowed.  Or are
> there two (or 500) ways to bake a cake?  Both have made their decisions
> based on education and experience.  It is clear that everyone here behaves
> professionally, and I am thankful that there are no pi$$ing matches.  (So
> let's keep it that way! <G>)  But this also means that I'm not getting a
> clear picture of the nature of the differences.
>
> In the end, this has made me sharply aware of my security deficiencies.  But
> I have also learned a bunch.
>
> Thanks!
> db


This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.