Re: [fw-wiz] VPN endpoints

From: Paul D. Robertson (paul_at_compuwar.net)
Date: 08/30/04

    To: Rodel Collado Urani <sparc@ucomputer.org>
    Date: Mon, 30 Aug 2004 08:17:42 -0400 (EDT)
    
    

    On Sun, 29 Aug 2004, Rodel Collado Urani wrote:

    > hello,

    Hi,

    >
    > VPN is secure by default and it uses several encryption algorithms to
    > satisfy the endpoint security every administrator and end user is looking
    > for. As long as it is within the VPN jurisdiction (I mean the client

    This is a common misconception. VPNs are not secure by default;
    implementation and architecture have a lot to do with security for VPNs.
    Simply adding encryption doesn't add security, it adds a bunch of
    disciplines that need to be considered, like key handling and active
    enforcement of an encryption boundary.

    Key management is *especially* important: in LAN-to-LAN VPNs, it's easy to
    keep key control limited to those who are trained to handle it well; in
    node-to-LAN VPNs, the keys are under physical and often logical control of
    your dumbest user.

    > and server who are accessing the service) the communication cannot
    > easily be compromised (it may take long to get that) because the data
    > are encrypted while traversing the unsecured public internet. Also consider
    > what types of services or protocols you are going to employ; there are
    > L2TP, PPTP from Microsoft, IPSec VPNs and the new one which is the
    > SSL VPN, which eliminates hassles on the part of the Security Admin (whoever
    > is in charge in your organization) to configure the VPN client because
    > lots of internet browsers now have their own SSL embedded in them.

    The "hassle" of configuring things is often what separates a safe network
    from one which is easily compromised by an attacker with the same default
    configuration as a legitimate user. It also often makes a social
    engineering vector more difficult to obtain.

    > The question must be like this: does the security still remain, is the
    > message or data transmitted still secure, when it goes out of the VPN
    > server? Like when you transfer it to your PC or any machine that is already
    > out of the VPN jurisdiction. Absolutely NOT! Unless you have implemented
    > an OpenSecurity Infrastructure (OSI) that will totally secure by encrypting
    > all data transmitted in (your LAN) and out (that is the use of VPN)
    > of your network.

    Adding more encryption doesn't add more security automatically. Adding
    more nodes in the group that must have keys _increases_ your risk in most
    situations.

    > Actually, I coined OSI ;-) as an implementation of distinct security
    > techniques and several processes particularly in protecting the inter-

    Well, stop overloading already used abbreviations. It's a bad practice.

    >
    > network. Meaning adept in the disposal of security components such as
    > encryption, PKI, OpenPGP, software/hardware firewalls, antivirus software
    > that will make sure it will guarantee the protection of your data wherever
    > it goes. ;-)

    If the data "goes" somewhere, you can't guarantee its protection, you can
    only reduce the risk of compromise. Adding components without a sound
    architecture doesn't decrease risk. Adding complex software often
    increases risk.

    Paul
    -----------------------------------------------------------------------------
    Paul D. Robertson, Director of Risk Assessment, TruSecure Corporation
    paul@compuwar.net / probertson@trusecure.com
    "My statements in this message are personal opinions which may have no basis whatsoever in fact."
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

