Re: [fw-wiz] risk level associated with VPNs?
From: hermit921 (hermit921_at_yahoo.com)
Date: 02/07/05
- Previous message: Desai, Ashish: "RE: [fw-wiz] risk level associated with VPNs?"
- In reply to: Avishai Wool: "[fw-wiz] risk level associated with VPNs?"
- Next in thread: Michael Surkan: "RE: [fw-wiz] risk level associated with VPNs?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: firewall-wizards@honor.icsalabs.com
Date: Mon, 07 Feb 2005 12:28:31 -0800
My view has been that if the remote system is controlled by the business,
with the same protection as the local systems, I don't care (much) where
the VPN terminates. But when the remote system has less protection, I
don't care if the VPN client software makes sure the current connection is
"safe" or not. That computer has been exposed to malware a local system
has not. To be on the safe side, I recommend terminating VPNs in the
DMZ. I can easily set the DMZ rules to allow complete internal access if I
want to. When someone changes the policies for remote systems later, I
don't have to worry about changing the VPN endpoint at all, just the
firewall rules.
hermit921
At 02:55 PM 2/3/2005, Avishai Wool wrote:
>Dear all,
>
>While doing firewall policy analyses for customers,
>I very often come across rules that allow
> any ip traffic
> from anywhere outside the perimeter
> into big portions of the inside networks
>but over a VPN link (i.e., encrypted & authenticated).
>
>let's put aside the question of whether the authentication is
>sufficient, and assume that nobody is cracking the passwords.
>I tend to trust the encryption and believe that no one can snoop
>the traffic in flight.
>
>My claim is that these rules are very risky and a wonderful
>vector for all kinds of malware. All those home
>computers, laptops on the road etc, are much more at risk
>of infection than inside computers are. Plus the VPN has the
>nice side-effect that filters can't see through the encryption
>and control (or even log) where the connection is going
>and what it is doing.
>
>Left to my own devices, I would recommend terminating the VPNs
>in a DMZ, and putting all the usual controls (anti-virus/mail filter/etc)
>between the DMZ and the inside, and I would flag these raw VPN connections
>as risky, maybe even very risky.
>
>However, customers uniformly disagree with this argument, and tell me that
>"traffic coming over a VPN is not perceived as a risk so shut up
>about it."
>
>Thoughts anyone?
>Any credible war stories about malware/abuse traveling over VPNs?
>Or are the customers right and I'm being paranoid?
> (please don't respond that "the customer is always right" :-)
>
>Thanks,
> Avishai
>
>=====
>Avishai Wool, Ph.D.,
>http://www.algosec.com http://www.eng.tau.ac.il/~yash
>yash@acm.org Tel: +972-3-640-6316 Fax: +972-3-640-7095
>
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
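Both posts above argue the same thing from the firewall-policy side: a rule that lets "any ip" from any remote VPN peer into large parts of the inside network is the risky pattern, while terminating the tunnel in a DMZ and passing only explicit services inward keeps the inspection points in place and lets later policy changes happen in the rule base alone. The following small policy checker is an added example, not code from the thread or from any of the posters; the rule format, zone names (`vpn`, `vpn-dmz`), the `10.0.0.0/8` inside range and the `192.0.2.0/24` VPN landing zone are all constructed for illustration. It flags the "raw VPN" rule and shows the DMZ-terminated rule set passing the same check.

```python
"""Flag firewall rules that admit arbitrary traffic from VPN-connected remote
hosts straight into the inside network, and compare with the same access once
the VPN terminates in a DMZ and only explicit services are allowed inward.

Constructed example: the rule schema, zone names and addresses are assumed and
do not come from any real product or from the mailing-list thread."""
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed: the address space we call "the inside networks".
INSIDE = [ip_network("10.0.0.0/8")]

# Zones whose traffic originates from VPN clients. "vpn-dmz" is the landing
# zone of a DMZ-terminated tunnel, so its onward rules are still VPN-sourced.
VPN_ZONES = {"vpn", "vpn-dmz"}


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    src: str      # CIDR
    dst: str      # CIDR
    proto: str    # "any", "tcp", "udp", "icmp"
    port: str     # "any" or a port number
    action: str   # "allow" or "deny"


def inside_coverage(dst: str) -> float:
    """Share of the inside address space that dst reaches (0.0 .. 1.0)."""
    net = ip_network(dst)
    total = sum(n.num_addresses for n in INSIDE)
    covered = 0
    for n in INSIDE:
        if net.supernet_of(n):        # dst is n or contains all of n
            covered += n.num_addresses
        elif net.subnet_of(n):        # dst is a slice of n
            covered += net.num_addresses
    return covered / total


def assess(rule: Rule) -> str:
    """Classify one rule as 'very risky', 'risky' or 'ok' from the VPN's view.

    Only allow rules sourced from a VPN zone can be risky; the two signals are
    an unrestricted service ("any ip") and how much of the inside is reachable.
    """
    if rule.action != "allow" or rule.src_zone not in VPN_ZONES:
        return "ok"
    coverage = inside_coverage(rule.dst)
    if coverage == 0:
        return "ok"                   # tunnel reaches only the DMZ, not the inside
    any_service = rule.proto == "any" or rule.port == "any"
    if any_service and coverage >= 0.5:
        return "very risky"           # any ip, from anywhere, into most of the inside
    if any_service or coverage >= 0.5:
        return "risky"
    return "ok"


def review(policy):
    """Map each rule name to its risk classification."""
    return {r.name: assess(r) for r in policy}


# Constructed "raw VPN" policy of the kind the thread describes.
RAW_VPN_POLICY = [
    Rule("vpn-any", "vpn", "0.0.0.0/0", "10.0.0.0/8", "any", "any", "allow"),
]

# Constructed DMZ-terminated policy: the tunnel lands on 192.0.2.0/24 and the
# DMZ-to-inside rules name the services explicitly; everything else is denied.
# Widening access later means adding rules here, not moving the VPN endpoint.
DMZ_VPN_POLICY = [
    Rule("vpn-to-dmz", "vpn", "0.0.0.0/0", "192.0.2.0/24", "any", "any", "allow"),
    Rule("dmz-mail", "vpn-dmz", "192.0.2.0/24", "10.1.1.25/32", "tcp", "25", "allow"),
    Rule("dmz-web", "vpn-dmz", "192.0.2.0/24", "10.1.1.80/32", "tcp", "443", "allow"),
    Rule("dmz-deny", "vpn-dmz", "192.0.2.0/24", "10.0.0.0/8", "any", "any", "deny"),
]

if __name__ == "__main__":
    for label, policy in (("raw VPN", RAW_VPN_POLICY), ("DMZ-terminated", DMZ_VPN_POLICY)):
        print(label)
        for name, verdict in review(policy).items():
            print(f"  {name:12s} {verdict}")
```

The thresholds (half the inside address space, "any" protocol or port) are deliberately simple; a real policy analyser would also weigh which services are exposed and whether the inspection points (anti-virus, mail filter) sit between the DMZ and the inside, which is exactly what the DMZ-terminated layout makes possible.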