Re: [fw-wiz] VPN endpoints

From: Kevin Sheldrake (kev_at_electriccat.co.uk)
Date: 08/30/04

    To: sparc@ucomputer.org, hermit921@yahoo.com
    Date: Mon, 30 Aug 2004 14:48:16 +0100
    
    

    Hmm

    I thought OSI was Open System Interconnection, as in 7 Layer OSI Model.

    VPNs are not secure by default for two differently abstracted reasons:
    1) Some VPN products default to allowing the Null encryption algorithm.
    So, unless you like no encryption, VPNs are not secure (although some
    specific examples may be 'secure' (see 2)). Also, bear in mind the
    implementation of the VPN encryption algorithms might not be textbook -
    how will you know?

    2) 'Secure' is an undefined term. What's secure for me might not be
    secure for you - it all depends upon the sensitivity of the information
    and the impact on the business in cases of compromise, whether that be
    confidentiality, integrity or availability.

    SSL VPNs are IMHO generally a bad idea. In a nutshell, this is because
    most of the benefits are in the fact that practically any client can be
    used, and that the authentication mechanisms are not particularly
    intrusive (and often are fault-tolerant). By allowing uncontrolled
    clients you introduce potentially major risks; controlling the clients
    would point back towards a traditional IPSec solution. The authentication
    mechanisms may be compromised by a little technology and average user
    ignorance (fake certificates, for instance); restricting the
    authentication mechanisms would again point back towards traditional IPSec
    solutions.

    Quote:
    > Actually, I coined OSI ;-) as an implementation of distinct security
    > techniques and several processes particularly in protecting the
    > inter-network. Meaning adept in the disposal of security components such as
    > encryption, PKI, openPGP, software/hardware firewall, antivirus software
    > that will make sure it will guarantee the protection of your data
    > wherever it goes. ;-)

    "adept in the disposal of security components"? "make sure"? "guarantee"?

    Wow, it sounds like there's no need for risk assessments or systems
    analysis anymore; I better retrain as a plumber.

    Kev

    >
    > On Tue, 24 Aug 2004 10:36:43 -0700 hermit921 <hermit921@yahoo.com>
    >
    > hello,
    >
    > VPN is secure by default and it uses several encryption algorithms to
    > satisfy the endpoint security every administrator and end user is looking
    > for. As long as it is within the VPN jurisdiction (I mean the client
    > and server who are accessing the service) the communication cannot
    > easily be compromised (it may take long to get that) because the data
    > are encrypted while traversing the unsecured public internet. Also
    > consider what types of service or protocols you are going to employ; there
    > are L2TP, PPTP from Microsoft, IPSec VPNs and the new one, which is the
    > SSL VPN, where it eliminates hassles on the part of the Security Admin
    > (whoever is in charge in your organization) to configure the VPN client
    > because lots of internet browsers now have their own SSL embedded in them.
    > The question must be like this: does the security still remain, is the
    > message or data transmitted still secure, when it goes out of the VPN
    > server? Like when you transfer it to your PC or any machine that is
    > already out of the VPN jurisdiction. Absolutely NOT! Unless you have
    > implemented an OpenSecurity Infrastructure (OSI) that will totally secure
    > it by encrypting all data transmitted in (your LAN) and out (that is the
    > use of VPN) of your network.
    >
    > Actually, I coined OSI ;-) as an implementation of distinct security
    > techniques and several processes particularly in protecting the
    > inter-network. Meaning adept in the disposal of security components such as
    > encryption, PKI, openPGP, software/hardware firewall, antivirus software
    > that will make sure it will guarantee the protection of your data
    > wherever it goes. ;-)
    >
    > Cheers,
    >
    > a.k.a Sparc
    >
    > RODEL COLLADO URANI
    > _______________________________________________
    > firewall-wizards mailing list
    > firewall-wizards@honor.icsalabs.com
    > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    >
    >

    -- 
    Kevin Sheldrake MEng MIEE CEng CISSP
    Electric Cat (Bournemouth) Ltd
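
Added example, not part of the original message or of any product's code: one way to check point 1 above, that a VPN configuration accepts Null encryption or silently relies on product defaults. The sample configuration is constructed and modelled on strongSwan's ipsec.conf proposal notation (an assumption; adapt the parsing to your product), and the function names are hypothetical.

```python
# Audit IPsec connection definitions for NULL (no) ESP encryption.
# SAMPLE_CONF is constructed for illustration; its syntax is modelled on
# strongSwan's ipsec.conf ("esp=<enc>-<integ>", "!" = strict proposal).
SAMPLE_CONF = """\
conn branch-office
    esp=aes256-sha256,null-sha1   # NULL offered alongside a real cipher
conn road-warrior
    esp=aes128gcm16
conn legacy-partner
    keyexchange=ikev1             # no esp= line at all
conn monitoring
    esp=null-sha256!
"""

def parse_conns(text):
    """Return {conn_name: {option: value}} for every 'conn' section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if line.startswith("conn "):
            current = conns.setdefault(line.split(None, 1)[1].strip(), {})
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def audit_esp(conns):
    """Return a sorted list of (conn_name, finding) tuples."""
    findings = []
    for name, opts in conns.items():
        esp = opts.get("esp")
        if esp is None:
            # Nothing pinned: whatever the product defaults to will be negotiated.
            findings.append((name, "no explicit esp proposal: product defaults apply"))
            continue
        proposals = [p.strip() for p in esp.rstrip("!").split(",") if p.strip()]
        nulls = [p for p in proposals if p.split("-")[0].lower() == "null"]
        if nulls and len(nulls) == len(proposals):
            findings.append((name, "only NULL encryption offered: " + ", ".join(nulls)))
        elif nulls:
            findings.append((name, "NULL encryption accepted as fallback: " + ", ".join(nulls)))
    return sorted(findings)

if __name__ == "__main__":
    for conn, finding in audit_esp(parse_conns(SAMPLE_CONF)):
        print(f"{conn}: {finding}")
```

A clean result only shows what the configuration requests; it says nothing about whether the implementation of the negotiated algorithm is correct.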
    
