Educause Security Discussion mailing list archives

Re: How to Protect Campus Sensitive Servers


From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Thu, 4 Feb 2010 11:12:55 -0500

On Thu, 04 Feb 2010 09:27:13 EST, Pete Hickey said:
On Thu, Feb 04, 2010 at 09:00:45AM -0500, schilling wrote:

We propose one central Information Technology Services (ITS) VPN
profile which could have access to all the resources; all employees in
ITS will have access to this VPN group.  Then in all the servers, host
based user/group authentication/authorization will decide whether a
user can login or what to do.

Defense in depth, as they say.  This is putting all your eggs in one
basket, by only depending on the host.  As time goes on and things grow,
this type of thing does not scale well.

Note that the original poster indicated that they are already able to scale
the "each server does the final authentication" part well enough.

Even having one big VPN pool for several hundred people accessing several
dozen servers is still one heck of an improvement over all the servers being
exposed to the entire Internet so people can get to them.  And at some point,
you have to remember that security is trade-offs.

Once you get to *one* VPN, do you really get *that* much additional protection
from having several dozen VPNs, each with one server and a dozen users in it?
Remember that if user A gets compromised, the attacker can access any server A
has credentials for. But the attacker can't access servers that user B has
access to without B's credentials.  Of course, if the attacker gets B's
credentials, it no longer matters if A and B are in one VPN or separate VPNs,
because the attacker can use B's credentials to use B's VPN and access B's
server.

Compare and contrast to the chances that somebody in your NOC or security
group will accidentally fat-finger a config and DoS one of the VPNs. At some
point of complexity, your security model ends up in Pogo mode:

"We have met the enemy and he is us".
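The host-side half of the design the thread is arguing about (one ITS VPN pool reaching the servers, with each server deciding for itself which group may log in) can be pinned down in two files: an sshd drop-in that only honours the host's admin group for connections arriving from the VPN pool, and an nftables rule that keeps port 22 unreachable from anywhere else. The script below is an added example, not configuration from the original post or from any of the posters; the pool address 10.8.0.0/24, the group name its-dbadmins, the drop-in file names and OpenSSH 8.2+ with nftables are all assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread): stage the host-side controls for
# the "one ITS VPN pool + per-host group authorization" design.
# Assumptions, all hypothetical: the VPN concentrator hands out 10.8.0.0/24, the
# server's admin group is its-dbadmins, OpenSSH >= 8.2 (sshd_config.d support)
# and nftables are in use.

VPN_POOL="${VPN_POOL:-10.8.0.0/24}"
ADMIN_GROUP="${ADMIN_GROUP:-its-dbadmins}"

# sshd drop-in: the global AllowGroups names a group with no members, so the
# default answer is "nobody logs in".  The Match block overrides that for
# connections whose source is inside the VPN pool, and only for the one group
# this particular host trusts.  Membership of the VPN profile alone is not enough.
render_sshd_dropin() {
  cat <<EOF
# Managed drop-in: SSH access only from the ITS VPN pool, only for $ADMIN_GROUP
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
# Default deny: a group that has no members
AllowGroups nologin-ssh

Match Address $VPN_POOL
    AllowGroups $ADMIN_GROUP
EOF
}

# nftables fragment: defense in depth for the same boundary.  Even if the sshd
# configuration is later fat-fingered, port 22 is only reachable from the pool.
# Other services need their own rules; the chain policy is left at accept here
# so that loading this file in isolation cannot cut off everything else.
render_nft_rules() {
  cat <<EOF
table inet its_ssh {
    set its_vpn_pool {
        type ipv4_addr
        flags interval
        elements = { $VPN_POOL }
    }
    chain input {
        type filter hook input priority 0; policy accept;
        ct state established,related accept
        iif lo accept
        tcp dport 22 ip saddr @its_vpn_pool accept
        tcp dport 22 counter drop
    }
}
EOF
}

# Write both files under a prefix.  Using a scratch prefix (e.g. mktemp -d) lets
# the output be reviewed before anything touches the real /etc.
install_to() {
  prefix="$1"
  mkdir -p "$prefix/etc/ssh/sshd_config.d" "$prefix/etc/nftables.d"
  render_sshd_dropin > "$prefix/etc/ssh/sshd_config.d/50-its-vpn.conf"
  render_nft_rules  > "$prefix/etc/nftables.d/ssh-vpn-only.nft"
  echo "$prefix/etc/ssh/sshd_config.d/50-its-vpn.conf"
  echo "$prefix/etc/nftables.d/ssh-vpn-only.nft"
}

# Syntax checks to run as root on the real host after install_to / (not run here):
#   sshd -t && nft -c -f /etc/nftables.d/ssh-vpn-only.nft
validate_live() {
  sshd -t && nft -c -f /etc/nftables.d/ssh-vpn-only.nft
}
```

Stage with `install_to "$(mktemp -d)"`, read the two files, then rerun against `/` and call `validate_live` as root before reloading sshd and nft. Per-host variation is just a different `ADMIN_GROUP`; the VPN pool stays the one shared profile the original poster described.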
