Adam:
Tom Liotta
I want to correct you on something Tom, because I feel that it is not necessarily bad information, but misleading information. VPN should not be a security issue in regards to being a conduit through your firewall. Why, you may ask? Because your VPN endpoint should have firewall rules enabled, whether it is a CISCO VPN or a Linux box running CIPE. The VPN endpoint should be running firewall rules so that AS SOON AS THE TRAFFIC IS UNENCRYPTED it is analyzed to determine if it should be blocked or not.
As an example, I run CISCO PIX at work and my external firewall is my VPN. So, I do have access-lists enabled for that interface. I also have a custom-built CIPE VPN server on Linux sitting in the DMZ. Now, if I wanted to, I could use IPTABLES on the Linux box to handle the firewalling, but instead I use the firewall rules of the firewall segmenting my DMZ from the internal network. So technically, someone on the CIPE VPN can hit other DMZ machines, but with the people I have at the other end of that one, I downplayed the risk factor. But if I was concerned about it, I would IPTABLE the CIPE server to stop bad traffic at its source.
Again, if implemented properly, VPN should not open any security holes through your firewall.
I feel the trick to security and firewalling is looking at your network for chokepoints. Data typically funnels down to certain areas. Use them for analyzing bad traffic.
----- Original Message -----
From: "Tom Liotta" <qsrvbas@xxxxxxxxxxxx>
Newsgroups: midrange.public.pctech
To: <pctech@xxxxxxxxxxxx>
Sent: Friday, August 06, 2004 12:35 AM
Subject: Re: [PCTECH] Re: VPN questions
Dan:
"More secure"... well, more secure against what?
Are you in a situation where your communications are likely to be tapped by someone who can make a difference to your company? Are you, for example, at an end-point within a hostile network or are your communications forced through a hostile network segment? See, encryption really only matters if the conversation can be monitored by someone who can take advantage of it.
Who's monitoring your traffic? I suspect the chances are pretty close to zero that _anyone_ outside of your target LAN can see anything at all that you do, much less enough packets to construct any resemblance of a conversation.
Perhaps there's a risk at your ISP that you're concerned about? Why not start by calling them and asking them what their policy is? Certainly once they start routing your packets towards the Internet backbone, you're getting into the category of the feds doing the monitoring, but I'd be surprised if they do. And if someone at your ISP is in fact doing it, you're probably at significantly more risk over your non-VPN traffic -- perhaps even at higher risk of losing control over your own PC.
But IMO, that's paranoid.
Yes, VPN will encrypt your traffic. And while doing so, it technically becomes a superb conduit right through your target network firewall. If anything does get installed on your PC, some kind of virus for example, it now has an excellent route to travel. (Since you're using a Cisco client, I assume you have a Cisco VPN appliance at the other end, possibly a different IP address than the non-VPN router. Otherwise, you'd probably just use the Microsoft VPN client. Go search through the mailing lists at http://securityfocus.com/archive on pen-tests, firewalls, etc., for all the opinions on whether routing, firewalling, VPNing, etc., ought to be combined into single appliances.)
The risk is much less that traffic can route through your PC between two networks; I wouldn't worry about that any more than I'd worry about someone at your ISP. Routing isn't the problem. Something installed on your PC is the bigger potential problem; no routing involved there -- it talks direct. You probably have programs already installed on your PC that are examples of how it's done -- iSeries Access functions do it all the time. If your normal Internet connection ever results in a hostile executable getting installed on your PC, well, there you go.
Of course, if you _don't_ use VPN, then your normal target network firewall can see everything. This helps greatly when it needs to know whether to block something or not.
All of this is pretty extreme. Assuming decently working firewalls, active anti-virus, competent security patches at the various points, you know -- normal standard stuff we all _know_ ought to be done, problems are unlikely.
Adding VPN increases security from various forms of sniffing but also opens a hole through which traffic might pass undetected. Why use VPN at all if traffic content itself doesn't actually need to be secure?
And then, there are a couple various problems with VPN itself... like it or not, few protocols are perfect.
I suspect you're getting the gist of it.
Security isn't an absolute item. It's always a tradeoff. For a business, the tradeoffs ought to be measurable essentially in dollars. If a risk is more expensive than a cure, you go for the cure.
Enough rambling; I'm _not_ a VPN expert by any means. I hope I hit enough generalities to get discussion farther along.
Tom Liotta
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].