RE: [fw-wiz] VPN concentrators

From: R. DuFresne
To: Crispin Harris
Date: Tue Aug 27 21:35:21 2002

On Wed, 28 Aug 2002, Crispin Harris wrote:


> My personal preference is to have a policy enforcement system between the
> VPN Terminator and the internal networks. This is mostly because I don't
> trust that the traffic INSIDE the VPN is as clean as it could be. Much of
> this is because I am a paranoid SOB, who is aware that the easiest (and
> often cheapest) ways to break a network are _NOT_ through the firewall:
> - Steal the CEO/CFO/CTO's laptop.
> - Break in to the CEO/MIS' house and use the "Fully Authenticated,
> Encrypted" VPN.
> - Bribe the secretary.
> - Break in to a partner organisation who has a useless firewall/VPN
> security setup.

These days, there's perhaps one more area even less secure and a better
route for attacking:

The wireless network. It's often fully exposed and unencrypted, even in
those environments that know better on the wired end. And one can, in
some places, gain totally free and anonymous wireless access to the
internet from which to probe and attack others, but this is an additional
side issue to the wireless-side attack on a company...


Ron DuFresne

        admin & senior security consultant:
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart
testing, only testing, and damn good at it too!