Re: [fw-wiz] risk level associated with VPNs?

From: hermit921 (hermit921_at_yahoo.com)
Date: 02/07/05

  • Next message: James Grayson: "[fw-wiz] VPN Tunnel Stalling"
    To: firewall-wizards@honor.icsalabs.com
    Date: Mon, 07 Feb 2005 12:28:31 -0800
    
    

    My view has been that if the remote system is controlled by the business,
    with the same protection as the local systems, I don't care (much) where
    the VPN terminates. But when the remote system has less protection, I
    don't care if the VPN client software makes sure the current connection is
    "safe" or not. That computer has been exposed to malware a local system
    has not. To be on the safe side, I recommend terminating VPN's in the
    DMZ. I can easily set the DMZ rules to allow complete internal access if I
    want to. When someone changes the policies for remote systems later, I
    don't have to worry about changing the VPN endpoint at all, just the
    firewall rules.

    hermit921

    At 02:55 PM 2/3/2005, Avishai Wool wrote:
    >Dear all,
    >
    >While doing firewall policy analyses for customers,
    >I very often come across rules that allow
    > any ip traffic
    > from anywhere outside the primeter
    > into big portions of the inside networks
    >but over a VPN link (i.e., encrypted & authenticated).
    >
    >let's put aside the question of whether the authentication is
    >sufficient, and assume that nobody is cracking the passwords.
    >I tend to trust the encryption and believe that noone can snoop
    >the traffic in flight.
    >
    >My claim is that these rules are very risky and a wonderful
    >vector for all kinds of malware. All those home
    >computers, laptops on the road etc, are much more at risk
    >of infection than inside computers are. Plus the VPN has the
    >nice side-effect that filters can't see though the encryption
    >and control (or even log) where the connection is going
    >and what it is doing.
    >
    >Left to my own devices, I would recommend terminating the VPNs
    >in a DMZ, and putting all the usual controls (anti-virus/mail filter/etc)
    >between the DMZ and the inside, and I would flag these raw VPN connections
    >as risky, maybe even very risky.
    >
    >However, customers uniformly disagree with this argument, and tell me that
    >"traffic coming over a VPN is not perceived as a risk so shut up
    >about it."
    >
    >Thoughts anyone?
    >Any credible war stories about malware/abuse traveling over VPNs?
    >Or are the customers right and I'm being paranoid?
    > (please don't respond that "the customer is always right" :-)
    >
    >Thanks,
    > Avishai
    >
    >=====
    >Avishai Wool, Ph.D.,
    >http://www.algosec.com http://www.eng.tau.ac.il/~yash
    >yash@acm.org Tel: +972-3-640-6316 Fax: +972-3-640-7095
    >
    >__________________________________________________
    >Do You Yahoo!?
    >Tired of spam? Yahoo! Mail has the best spam protection around
    >http://mail.yahoo.com
    >_______________________________________________
    >firewall-wizards mailing list
    >firewall-wizards@honor.icsalabs.com
    >http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


  • Next message: James Grayson: "[fw-wiz] VPN Tunnel Stalling"

    Relevant Pages

    • RE: [fw-wiz] risk level associated with VPNs?
      ... Our VPN connections pass via the same checking systems when they connect ... Now we assume, repeat assume, the VPN machines are adequately protected ... The protection services inside the network are doing their job. ...
      (Firewall-Wizards)
    • Re: Protecting an open VPN connection from a local home LAN
      ... lower case, 1 upper case, one special character and one number. ... I took a screen capture and then locked out the VPN. ... > I have taken an old PC (Win98) and turned it into a VPN gateway to my LAN. ... > Do you think this is unwarranted protection, not enough protection, or ...
      (alt.computer.security)
    • Re: sFTP compared with FTP via VPN
      ... FTP via VPN: ... o Good protection for the portion of the network actually ...
      (comp.security.unix)
    • Re: Protecting an open VPN connection from a local home LAN
      ... >> my VPN listening service. ... I have set up the Win98 box ... >> Do you think this is unwarranted protection, not enough protection, ... even with a respectable software firewall. ...
      (alt.computer.security)
    • Spit Tunnel RRAS
      ... i've inherited a remote system with W2K RRAS. ... I can VPN using Windows ... client without a problem but I can't access the internet while logged in. ... Is this possible with W2K RRAS? ...
      (microsoft.public.win2000.general)