Re: [fw-wiz] risk level associated with VPNs?

From: Marcus J. Ranum (mjr_at_ranum.com)
Date: 02/05/05

  • Next message: rlmieth_at_arcol.org: "RE: [fw-wiz] risk level associated with VPNs?"
    To: yash@acm.org, firewall-wizards@honor.icsalabs.com
    Date: Sat, 05 Feb 2005 10:48:14 -0500
    
    

    Avishai Wool wrote:
    >My claim is that these rules are very risky and a wonderful
    >vector for all kinds of malware.

    "Risky" is too kind a word. "Stupid" is more accurate.

    I could probably dig up one of my old DAT backups from 1990
    with old presentations on VPNs (except I was calling them
    "Virtual Network Perimeter" in those days before the marketing
    took over) - I recall having a slide that basically said VNPs
    should be treated as a trust boundary in spite of their
    convenience. I.e.: only permit minimal service-sets to restricted
    destinations.

    People persist in using even security products at their lowest
    "setting" and then they are shocked and amazed to discover
    that they're not spectacularly effective. :( Frankly, I find it
    baffling, because historically security was a problem domain
    that attracted people with strong analytical skills. Perhaps
    what we're seeing is the results of the shift in the clue-density
    curve that started around the time AOL connected to the Internet...

    >However, customers uniformly disagree with this argument, and tell me that
    >"traffic coming over a VPN is not perceived as a risk so shut up
    >about it."

    They are fools.

    mjr.

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

