RE: [fw-wiz] Worms, Air Gaps and Responsibility

From: Paul D. Robertson (paul_at_compuwar.net)
Date: 05/05/04

    To: Karl Mueller <karlm@acshelp.com>
    Date: Wed, 5 May 2004 11:04:11 -0400 (EDT)
    
    

    On Wed, 5 May 2004, Karl Mueller wrote:

    > Maybe one reason is the trend to route mission critical info over the
    > Internet (albeit over VPN tunnels). We'd like to say that you MUST use
    > private lines for really secure information, but money tends to talk in
    > these situations. Since a lot of networks span multiple sites, and WAN
    > prices don't scale well, businesses are turning to the Internet and VPNs as
    > a way to make their sites well-connected without the cost of a full-mesh FRS
    > or private-line network. Of course a well-configured VPN router will block
    > all traffic that does not come through the tunnel, this is still not an 'air
    > gap' since you're still physically connected to the Internet. In this case,
    > one small config error on your firewall/VPN endpoint opens up your entire
    > network to the Internet.

    I was predominately focusing on the gap being between "business" networks
    and "production" networks- regardless of VPN/WAN issues. Most of the risk
    these days comes from desktops, there's no reason the PC in the mail room
    needs to be able to hit the CAT scanner in a hospital, for instance. Even
    if your hospital's CAT scanner is VPNed to another hospital's diagnostics
    expert.

    Paul
    -----------------------------------------------------------------------------
    Paul D. Robertson "My statements in this message are personal opinions
    paul@compuwar.net which may have no basis whatsoever in fact."
    probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
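
Added example (not part of the original message or the list archive): a first-match rule audit that reports any permit still letting the business network reach the production segment, run against an intended rule set and against one with a single over-broad source. The subnets, the peer address and the rule format are constructed assumptions.

```python
import ipaddress as ip

net = ip.ip_network
# Constructed addressing plan (assumption; the thread names no addresses).
BUSINESS   = net("10.10.0.0/16")    # desktops, including the mail room PC
PRODUCTION = net("10.50.0.0/24")    # segment holding the CAT scanner
VPN_PEER   = net("10.200.7.10/32")  # remote hospital's diagnostics expert

# First-match rules: (action, source, destination). Unmatched traffic is dropped.
STRICT = [
    ("permit", VPN_PEER,         PRODUCTION),
    ("deny",   net("0.0.0.0/0"), PRODUCTION),
    ("permit", BUSINESS,         net("0.0.0.0/0")),
]
# One small config error: rule 1's source entered as a /8 instead of a /32.
SLOPPY = [("permit", net("10.0.0.0/8"), PRODUCTION)] + STRICT[1:]

def overlap(a, b):
    """Intersection of two CIDR blocks (they are either nested or disjoint)."""
    if a.subnet_of(b):
        return a
    return b if b.subnet_of(a) else None

def minus(a, b):
    """Blocks of a that b does not cover; b must lie inside a."""
    return [] if a == b else list(a.address_exclude(b))

def leaks(rules, src_zone, dst_zone):
    """Return (rule_no, src, dst) for each permit that first-matches some
    src_zone -> dst_zone traffic. An empty list means the gap holds."""
    todo, found = [(src_zone, dst_zone)], []
    for n, (action, rs, rd) in enumerate(rules, 1):
        rest = []
        for s, d in todo:
            si, di = overlap(s, rs), overlap(d, rd)
            if si is None or di is None:
                rest.append((s, d))          # rule does not touch this traffic
                continue
            if action == "permit":
                found.append((n, si, di))
            # Keep only the part of (s, d) this rule did not decide.
            rest += [(x, d) for x in minus(s, si)]
            rest += [(si, y) for y in minus(d, di)]
        todo = rest
    return found

if __name__ == "__main__":
    for name, rules in (("strict", STRICT), ("sloppy", SLOPPY)):
        print(name, "business -> production:", leaks(rules, BUSINESS, PRODUCTION))
```

With the strict rules the VPN peer still reaches the scanner segment while the business range does not; with the sloppy rules the audit names rule 1 as the permit that exposes it.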

