Re: [fw-wiz] VPN endpoints

From: Devdas Bhagat (devdas_at_dvb.homelinux.org)
Date: 08/30/04

  • Next message: Dave Piscitello: "[fw-wiz] resource pages"
    To: firewall-wizards@honor.icsalabs.com
    Date: Mon, 30 Aug 2004 22:03:41 +0530
    
    

    On 30/08/04 14:48 +0100, Kevin Sheldrake wrote:
    > Hmm
    >
    > I thought OSI was Open System Interconnection, as in 7 Layer OSI Model.
    >
    > VPNs are not secure by default for two differently abstracted reasons:
    > 1) Some VPN products default to allowing the Null encryption algorithm.

    That is seriously broken. Have a list you can share?

    > So, unless you like no encryption, VPNs are not secure (although some
    > specific examples may be 'secure' (see 2)). Also, bear in mind the
    > implementation of the VPN encryption algorithms might not be textbook -
    > how will you know?
    >
    > 2) 'Secure' is an undefined term. What's secure for me might not be

    "Secure" is a very well defined term.

    A system is secure when the cost of an unauthorised entity accessing the
    data on the system or the loss of the data itself is higher than the value
    of the data itself.

    However, this definition of security involves terms like cost, the
    calculation of which is not very well understood by the general
    population.

    > secure for you - it all depends upon the sensitivity of the information
    > and the impact on the business in cases of compromise, whether that be
    > confidentiality, integrity or availability.

    The cost of compromise is a function of the risk that the data may be
    compromised. The hard part of doing any type of security work is in
    calculating this risk. I don't know of any insurance company that has
    formulae to estimate such risks.

    > SSL VPNs are IMHO generally a bad idea. In a nutshell, this is because
    > most of the benefits are in the fact that practically any client can be
    > used, and that the authentication mechanisms are not particularly
    > intrusive (and often are fault-tolerant). By allowing uncontrolled
    > clients you introduce potentially major risks; controlling the clients

    <not_a_troll>
    Is a Microsoft Windows (tm) system that has been connected to a non trusted
    network a controlled client?
    </not_a_troll>

    Replace MS Windows by any other OS of choice, as needed. The only reason
    I use that example is because it is the most common one around.

    > would point back towards a traditional IPSec solution. The authentication
    > mechanisms may be compromised by a little technology and average user
    > ignorance (fake certificates, for instance); restricting the
    > authentication mechanisms would again point back towards traditional IPSec
    > solutions.

    The problem as I see it is not the technology itself; it is that the
    technology puts a great deal of responsibility for policy enforcement on
    the end user, who is non-technical.

    > Quote:
    > > Actually, I coined OSI ;-) as an implementation of distinct security
    > > techniques and several processes particularly in protecting the
    > > inter-network. Meaning adept in the disposal of security components
    > > such as encryption, PKI, openPGP, software/hardware firewall, antivirus
    > > software that will make sure it will guarantee the protection of your
    > > data wherever it goes. ;-)
    >
    > "adept in the disposal of security components"? "make sure"? "guarantee"?
    >
    > Wow, it sounds like there's no need for risk assessments or systems
    > analysis anymore; I better retrain as a plumber.

    Actually a good idea if you are in a place where jobs are being
    outsourced; plumbers are apparently rarer than unemployed IT personnel
    and earn about the same.

    g,d&r

    Devdas Bhagat
    PS: For the humour impaired, that last is a joke.
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
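Kevin's point about products that default to allowing the null encryption algorithm, and Devdas's request for a list, both come down to the same practical question: does your own gateway's ESP proposal list let a peer negotiate no confidentiality at all? The following is an added example written for this page, not code from the thread or from any VPN vendor. It assumes a strongSwan-style ipsec.conf "esp=" syntax (comma-separated proposals, dash-separated algorithm tokens, an optional trailing "!" strict flag); the two configurations are constructed, and the permissive one is there to show what the check catches beside a hardened proposal list that passes.

```python
"""
Flag IPsec ESP proposals that permit NULL, weak, or no encryption.

Added example for this page; the configs are constructed and the proposal
syntax assumed is strongSwan's ipsec.conf "esp=" keyword. Adapt the regex and
token tables for other products before relying on it.
"""
import re

# Encryption tokens a VPN should not accept in a default policy.
NULL_ENC = {"null"}
WEAK_ENC = {"des", "3des", "blowfish", "cast128"}

# Tokens that are not ciphers (integrity, PRF, DH groups, ESN flags), so a
# proposal consisting only of these names no encryption at all.
NON_ENC_PREFIXES = ("sha", "md5", "aesxcbc", "aescmac", "modp", "ecp",
                    "curve", "x25519", "x448", "prf", "noesn", "esn")


def base_cipher(token):
    """Strip key size and ICV length: aes128gcm16 -> aesgcm, aes256 -> aes."""
    if token in WEAK_ENC or token in NULL_ENC:
        return token  # keep "3des" intact despite its digit
    return re.sub(r"\d+", "", token)


def classify_proposal(proposal):
    """Return 'null', 'weak', 'no-cipher' or 'ok' for one ESP proposal."""
    tokens = [t for t in proposal.strip().lower().split("-") if t]
    enc = [t for t in tokens if not t.startswith(NON_ENC_PREFIXES)]
    if not enc:
        return "no-cipher"
    bases = {base_cipher(t) for t in enc}
    if bases & NULL_ENC:
        return "null"
    if bases & WEAK_ENC:
        return "weak"
    return "ok"


ESP_LINE = re.compile(r"^\s*esp\s*=\s*(.+?)\s*$")


def audit_ipsec_conf(text):
    """Return (line_number, proposal, verdict) for every ESP proposal not 'ok'."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0]          # drop trailing comments
        m = ESP_LINE.match(line)
        if not m:
            continue
        value = m.group(1).rstrip("!")        # "!" is the strict flag, not an algorithm
        for proposal in value.split(","):
            verdict = classify_proposal(proposal)
            if verdict != "ok":
                findings.append((n, proposal.strip(), verdict))
    return findings


# Constructed configs (assumed strongSwan ipsec.conf syntax), not from any product.
PERMISSIVE_CONF = """\
conn roadwarrior
    keyexchange=ikev2
    # Proposal list as shipped: the last two entries let the peer choose
    # no confidentiality at all, or single DES.
    esp=aes128-sha256-modp2048,null-sha256-modp2048,des-md5
"""

HARDENED_CONF = """\
conn roadwarrior
    keyexchange=ikev2
    # AEAD and AES-CBC only, strict ("!") so nothing else is negotiated.
    esp=aes256gcm16-ecp256,aes128-sha256-modp2048!
"""


if __name__ == "__main__":
    for name, conf in (("permissive", PERMISSIVE_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_ipsec_conf(conf) or "no findings")
```

Run it against the real config of every gateway and client profile you control; the "no-cipher" verdict catches proposals that name only an integrity algorithm, which is the same failure as "null" from the data's point of view.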
