Re: [fw-wiz] VPN endpoints

• Previous message: Fetch, Brandon: "RE: [fw-wiz] About Port Forwarding, Apache and Firewall Rules"
• In reply to: Devdas Bhagat: "Re: [fw-wiz] VPN endpoints"
• Next in thread: Devdas Bhagat: "Re: [fw-wiz] VPN endpoints"
• Reply: Devdas Bhagat: "Re: [fw-wiz] VPN endpoints"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: Devdas Bhagat <devdas@dvb.homelinux.org>
Date: Mon, 30 Aug 2004 14:12:32 -0400 (EDT)

On Mon, 30 Aug 2004, Devdas Bhagat wrote:

> > VPNs are not secure by default for two differently abstracted reasons:
> > 1) Some VPN products default to allowing the Null encryption algorithm.
>
> That is seriously broken. Have a list you can share?

Note that "default to allowing" is different than "default to using." One
of my few gripes with ICSA Labs SSL VPN criteria was in even allowing a
null cipher to be specified.

> > So, unless you like no encryption, VPNs are not secure (although some
> > specific examples may be 'secure' (see 2)). Also, bear in mind the
> > implementation of the VPN encryption algorithms might not be textbook -
> > how will you know?
> >
> > 2) 'Secure' is an undefined term. What's secure for me might not be
>
> "Secure" is a very well defined term.
>
> A system is secure when the cost of an unauthorised entity accessing the
> data on the system or the loss of the data itself is higher than the value
> of the data itself.
>
> However, this definition of security involves terms like cost, the
> calculation of which which is not very well understood by the general
> population.

Nor the general security practicioner ;)

>
> > secure for you - it all depends upon the sensitivity of the information
> > and the impact on the business in cases of compromise, whether that be
> > confidentiality, integrity or availability.
>
> The cost of compromise is a function of the risk that the data may be
> compromised. The hard part of doing any type of security work is in
> calculating this risk. I don't know of any insurance company that has
> formulae to estimate such risks.
>
> > SSL VPNs are IMHO generally a bad idea. In a nutshell, this is because
> > most of the benefits are in the fact that practically any client can be
> > used, and that the authentication mechanisms are not particularly
> > intrusive (and often are fault-tolerant). By allowing uncontrolled
> > clients you introduce potentially major risks; controlling the clients
>
> <not_a_troll>
> Is a Microsoft Windows (tm) system that has been connected to a non trusted
> network a controlled client?
> </not_a_troll>
>
> Replace MS Windows by any other OS of choice, as needed. The only reason
> I use that example is because it is the most common one around.
>
> > would point back towards a traditional IPSec solution. The authentication
> > mechanisms may be compromised by a little technology and average user
> > ignorance (fake certificates, for instance); restricting the
> > authentication mechanisms would again point back towards traditional IPSec
> > solutions.
>
> The problem as I see it is not the technology itself, it is the fact
> that the technology puts a great deal of responsibility for policy
> enforcement on the end user who is non technical that is the problem.

Actually, I think the technology needs a little blame. Traditional
red/black network designs are great for crypto, as is potentially,
LAN-to-LAN VPN- it's the "untrusted, general computing client with split
tunneling or network roving" problem that's not well-solved by current
technological solutions. Smart cards might help some, as does turning off
split tunneling, personal firewalls, etc. But the technology isn't ideal
for the solutions it's being sold for.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."
probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

• Previous message: Fetch, Brandon: "RE: [fw-wiz] About Port Forwarding, Apache and Firewall Rules"
• In reply to: Devdas Bhagat: "Re: [fw-wiz] VPN endpoints"
• Next in thread: Devdas Bhagat: "Re: [fw-wiz] VPN endpoints"
• Reply: Devdas Bhagat: "Re: [fw-wiz] VPN endpoints"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: Gen. Mod and Nano companies in trouble? ... Bio to Nano: Technology, Risk and Democracy ... and public/media context around risk following 10 years of relentless ... (misc.invest.stocks) Gen. Mod and Nano companies in trouble? ... Bio to Nano: Technology, Risk and Democracy ... and public/media context around risk following 10 years of relentless ... (misc.invest.stocks) Re: New Series: Re-watchability? ... as we know he had no prior experience with that technology. ... Two thirds of their life cycle passed before they found the ... potentially disastrous for the Human race, and the Doctor is as much at ... wanted to keep them alive without risk a Three Month tour of the Universe ... (rec.arts.drwho) Ten Things Your IT Department Wont Tell You ... technology than using the sometimes clunky office technology our company ... But, to keep everybody honest, we also turned to security pros to learn just ... chief information risk strategist at ... your private, Web-based email account, such as Gmail or Hotmail. ... (alt.privacy) Re: security issue with XP and school network ... I would suggest you pay attention to your technology director's ... otherwise you could compromise your educational career. ... | network with my XP computer. ... | by plugging into a port with a CAT5 cable. ... (microsoft.public.windowsxp.security_admin)