RE: [fw-wiz] risk level associated with VPNs?

From: Paul D. Robertson (
Date: 02/12/05

    To: Michael Surkan <>
    Date: Fri, 11 Feb 2005 19:38:51 -0500 (EST)

    On Sun, 6 Feb 2005, Michael Surkan wrote:

    > Perhaps one solution to reduce VPN risk levels is simply not to use them
    > in the first place. A lot of organizations are now making the
    > applications their users need available directly over the
    > internet with web browsers (e.g. e-mail).

    Depending on the threat level, that can be more disastrous...

    > Isn't it preferable to give users access to e-mail, or other common
    > apps, by web-proxy and only give VPN accounts to a handful of
    > administrators? Taken to its extreme, maybe tunneling IP traffic over
    > VPNs can be done away with altogether.

    No, it's preferable to restrict VPN access to certain systems/applications
    and concentrate the "do it right" bits on the VPN's exposure. The
    alternative is having *every* application written correctly to resist
    attack, and we all know how successful that isn't.

    > Is this a goal administrators should strive for?

    No, administrators should strive to reduce their risk. Just because worm
    infested desktops are a major issue doesn't mean you should open all of
    your applications to anonymous attack!

    Paul D. Robertson "My statements in this message are personal opinions which may have no basis whatsoever in fact."
    firewall-wizards mailing list