Re: [fw-wiz] risk level associated with VPNs?

From: hermit921 (hermit921_at_yahoo.com)
Date: 02/07/05

  • Next message: James Grayson: "[fw-wiz] VPN Tunnel Stalling"
    To: firewall-wizards@honor.icsalabs.com
    Date: Mon, 07 Feb 2005 12:28:31 -0800
    
    

    My view has been that if the remote system is controlled by the business,
    with the same protection as the local systems, I don't care (much) where
    the VPN terminates. But when the remote system has less protection, I
    don't care if the VPN client software makes sure the current connection is
    "safe" or not. That computer has been exposed to malware a local system
    has not. To be on the safe side, I recommend terminating VPN's in the
    DMZ. I can easily set the DMZ rules to allow complete internal access if I
    want to. When someone changes the policies for remote systems later, I
    don't have to worry about changing the VPN endpoint at all, just the
    firewall rules.

    hermit921

    At 02:55 PM 2/3/2005, Avishai Wool wrote:
    >Dear all,
    >
    >While doing firewall policy analyses for customers,
    >I very often come across rules that allow
    > any ip traffic
    > from anywhere outside the primeter
    > into big portions of the inside networks
    >but over a VPN link (i.e., encrypted & authenticated).
    >
    >let's put aside the question of whether the authentication is
    >sufficient, and assume that nobody is cracking the passwords.
    >I tend to trust the encryption and believe that noone can snoop
    >the traffic in flight.
    >
    >My claim is that these rules are very risky and a wonderful
    >vector for all kinds of malware. All those home
    >computers, laptops on the road etc, are much more at risk
    >of infection than inside computers are. Plus the VPN has the
    >nice side-effect that filters can't see though the encryption
    >and control (or even log) where the connection is going
    >and what it is doing.
    >
    >Left to my own devices, I would recommend terminating the VPNs
    >in a DMZ, and putting all the usual controls (anti-virus/mail filter/etc)
    >between the DMZ and the inside, and I would flag these raw VPN connections
    >as risky, maybe even very risky.
    >
    >However, customers uniformly disagree with this argument, and tell me that
    >"traffic coming over a VPN is not perceived as a risk so shut up
    >about it."
    >
    >Thoughts anyone?
    >Any credible war stories about malware/abuse traveling over VPNs?
    >Or are the customers right and I'm being paranoid?
    > (please don't respond that "the customer is always right" :-)
    >
    >Thanks,
    > Avishai
    >
    >=====
    >Avishai Wool, Ph.D.,
    >http://www.algosec.com http://www.eng.tau.ac.il/~yash
    >yash@acm.org Tel: +972-3-640-6316 Fax: +972-3-640-7095
    >
    >__________________________________________________
    >Do You Yahoo!?
    >Tired of spam? Yahoo! Mail has the best spam protection around
    >http://mail.yahoo.com
    >_______________________________________________
    >firewall-wizards mailing list
    >firewall-wizards@honor.icsalabs.com
    >http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


  • Next message: James Grayson: "[fw-wiz] VPN Tunnel Stalling"