Firewall Wizards mailing list archives

Re: IP-VPN/VoIP


From: Paul Cardon <paul () moquijo com>
Date: Mon, 02 Jul 2001 23:57:25 -0400

Lucas Thompson wrote:

> If you're using a secure VPN then it's not really a security hole to
> allow a range of ports only across the tunnel?

Maybe it isn't a security hole in some situations, but that ultimately
depends on the security policies of the networks at each end of the
tunnel.  I work for an organization where that IS considered a hole
unless additional controls are in place.  Those controls must be
documented and measurable in order for an exception to be granted.

If the network at one end of the tunnel is simply an extension of the
network at the other end then a firewall probably isn't even necessary. 
If the endpoints belong to different organizations with very different
security policies then a firewall is one of the most important
mechanisms to manage that policy.

A primary VPN function is to preserve confidentiality.  Yes, they are
often used in conjunction with some kind of authentication, but once you
have a tunnel established that can carry arbitrary IP traffic, something
else needs to enforce the policy for what kind of traffic you wish to
allow into your network.

-paul
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
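The point Paul makes, that the tunnel endpoint is just another interface on which the receiving network's policy still has to be enforced, can be shown as a concrete firewall ruleset. The nftables ruleset below is an added example, not part of the original thread or the list's own material; it assumes a tunnel interface named tun0, an internal LAN of 10.0.0.0/24, a PBX at 10.0.0.5, SIP on UDP 5060 and an RTP media range of UDP 16384-32767, all of which are assumed values.

```nftables
#!/usr/sbin/nft -f
# Added example: policy applied to traffic arriving through the VPN tunnel.
# Assumed values: tunnel interface tun0, internal LAN 10.0.0.0/24,
# PBX at 10.0.0.5, SIP on UDP/5060, RTP media range UDP 16384-32767.
# The VPN only guarantees confidentiality of the path; this table decides
# what the tunnel is allowed to deliver into the inside network.

table inet vpn_policy {
    chain forward {
        # Default deny for anything forwarded between interfaces.
        type filter hook forward priority filter; policy drop;

        # Replies to sessions the inside already opened are allowed back.
        ct state established,related accept

        # From the tunnel, permit only the VoIP service and only to the PBX:
        # SIP signalling and the RTP media port range.
        iifname "tun0" ip daddr 10.0.0.5 udp dport 5060 accept
        iifname "tun0" ip daddr 10.0.0.5 udp dport 16384-32767 accept

        # Everything else entering from the tunnel is logged before being
        # dropped, so the control is measurable from the firewall log.
        iifname "tun0" log prefix "vpn-tunnel-drop: " drop

        # Inside hosts may initiate toward the remote end over the tunnel.
        oifname "tun0" ip saddr 10.0.0.0/24 accept
    }
}
```

Load it with `nft -f <file>`; the `vpn-tunnel-drop:` prefix in the kernel log is what an auditor can count to show the exception is working as documented.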