Re: [fw-wiz] risk level associated with VPNs?
From: hermit921 (hermit921_at_yahoo.com)
To: email@example.com
Date: Mon, 07 Feb 2005 12:28:31 -0800
My view has been that if the remote system is controlled by the business,
with the same protection as the local systems, I don't care (much) where
the VPN terminates. But when the remote system has less protection, I
don't care if the VPN client software makes sure the current connection is
"safe" or not. That computer has been exposed to malware a local system
has not. To be on the safe side, I recommend terminating VPNs in the
DMZ. I can easily set the DMZ rules to allow complete internal access if I
want to. When someone changes the policies for remote systems later, I
don't have to worry about changing the VPN endpoint at all, just the
At 02:55 PM 2/3/2005, Avishai Wool wrote:
>While doing firewall policy analyses for customers,
>I very often come across rules that allow
> any ip traffic
> from anywhere outside the perimeter
> into big portions of the inside networks
>but over a VPN link (i.e., encrypted & authenticated).
>let's put aside the question of whether the authentication is
>sufficient, and assume that nobody is cracking the passwords.
>I tend to trust the encryption and believe that no one can snoop
>the traffic in flight.
>My claim is that these rules are very risky and a wonderful
>vector for all kinds of malware. All those home
>computers, laptops on the road etc, are much more at risk
>of infection than inside computers are. Plus the VPN has the
>nice side-effect that filters can't see through the encryption
>and control (or even log) where the connection is going
>and what it is doing.
>Left to my own devices, I would recommend terminating the VPNs
>in a DMZ, and putting all the usual controls (anti-virus/mail filter/etc)
>between the DMZ and the inside, and I would flag these raw VPN connections
>as risky, maybe even very risky.
>However, customers uniformly disagree with this argument, and tell me that
>"traffic coming over a VPN is not perceived as a risk so shut up
>Any credible war stories about malware/abuse traveling over VPNs?
>Or are the customers right and I'm being paranoid?
> (please don't respond that "the customer is always right" :-)
>Avishai Wool, Ph.D.,
>firstname.lastname@example.org Tel: +972-3-640-6316 Fax: +972-3-640-7095
firewall-wizards mailing list
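A small policy check in the spirit of the firewall policy analysis described in the quoted message, flagging "raw VPN" rules that permit any service from the VPN zone into a large share of the inside network. This is an added example, not code from anyone in this thread; the rule format, the `vpn` zone name, the 10.0.0.0/8 internal range and the sample rules are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    src_zone: str   # zone the packet arrives from ("vpn" = decrypted VPN traffic)
    src: str        # CIDR or "any"
    dst: str        # CIDR or "any"
    service: str    # "any" or a single service name such as "smtp"
    action: str     # "accept" or "drop"


# Assumed internal address space for this example.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")


def addresses_covered(cidr, within):
    """Count the addresses of `within` that `cidr` reaches ("any" reaches all).
    CIDR blocks either nest or are disjoint, so overlap means containment."""
    if cidr == "any":
        return within.num_addresses
    net = ipaddress.ip_network(cidr, strict=False)
    if not net.overlaps(within):
        return 0
    return min(net.num_addresses, within.num_addresses)


def risky_vpn_rules(rules, max_fraction=0.25):
    """Return (name, fraction_of_inside_reached) for accept rules from the VPN
    zone that allow any service into at least `max_fraction` of INTERNAL."""
    flagged = []
    for r in rules:
        if r.action != "accept" or r.src_zone != "vpn" or r.service != "any":
            continue
        reach = addresses_covered(r.dst, INTERNAL) / INTERNAL.num_addresses
        if reach >= max_fraction:
            flagged.append((r.name, reach))
    return flagged


# Constructed sample policy, not taken from any real firewall.
SAMPLE_RULES = [
    Rule("vpn-any-inside", "vpn", "any", "10.0.0.0/8", "any", "accept"),
    Rule("vpn-to-dmz-mail", "vpn", "any", "10.1.1.0/24", "smtp", "accept"),
    Rule("vpn-to-half", "vpn", "any", "10.0.0.0/9", "any", "accept"),
    Rule("vpn-rdp-jump", "vpn", "any", "10.2.0.0/16", "rdp", "accept"),
    Rule("vpn-any-small", "vpn", "any", "10.3.0.0/16", "any", "accept"),
]

if __name__ == "__main__":
    for name, reach in risky_vpn_rules(SAMPLE_RULES):
        print(f"RISKY {name}: any service into {reach:.0%} of inside")
```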