Firewall Wizards mailing list archives
Re: risk level associated with VPNs?
From: "Paul D. Robertson" <paul () compuwar net>
Date: Sun, 6 Feb 2005 09:55:10 -0500 (EST)
On Thu, 3 Feb 2005, Avishai Wool wrote:
> My claim is that these rules are very risky and a wonderful vector for all kinds of malware. All those home
Like most things, the answer is "it depends". For node-to-network VPNs, I think you've pretty much got it right; for network-to-network VPNs, it really depends on the organization's IT infrastructure. If the trust level, protection level, and administrative level are the same as the primary site, then there's not much difference between the other site and another floor in the building. As soon as we get to "company doesn't own the system," "the system isn't always behind the firewall," "someone else has admin rights," or any other significant difference, then the risk goes up.
> Left to my own devices, I would recommend terminating the VPNs in a DMZ, and putting all the usual controls (anti-virus/mail filter/etc) between the DMZ and the inside, and I would flag these raw VPN connections as risky, maybe even very risky.
I'm not sure I'd terminate on the DMZ. I do think that remote-node VPN traffic should have a different trust model, but I also think it requires a different access model, and I'd rather compartment it somewhere else for inspection/protection than in the same place I get traffic with more restrictive access.
> Any credible war stories about malware/abuse traveling over VPNs?
Microsoft's break in where they lost source code? Slammer? Blaster?...
> Or are the customers right and I'm being paranoid?
Nope, as usual, "it's ours" automagically means "we trust it implicitly!"
> (please don't respond that "the customer is always right" :-)
Face the customer and execute a left face. Now the customer is always right.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net    which may have no basis whatsoever in fact."
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
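The compartmenting Paul describes (remote-node VPN traffic gets its own trust and access model and is forced through inspection, while a network-to-network VPN under the same administrative control is treated like another floor) can be expressed directly in the firewall policy on the concentrator. The following nftables ruleset is an added example written for this archive page; it is not code from the thread or from any of its participants. Interface names, the remote-node address pool, the DMZ relay/proxy addresses and the port numbers are all assumptions chosen for illustration.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread): firewall policy on the VPN
# terminator that keeps remote-node VPN clients in their own compartment
# instead of dropping them onto the inside network. Every interface
# name, address and port below is an assumption for illustration.

flush ruleset

define INSIDE_IF  = "eth1"        # corporate LAN (assumed)
define DMZ_IF     = "eth2"        # inspection/proxy segment (assumed)
define RNODE_IF   = "tun0"        # remote-node ("road warrior") tunnel (assumed)
define S2S_IF     = "ipsec0"      # network-to-network VPN, same admin domain (assumed)
define INSIDE_NET = 10.0.0.0/16   # assumed
define RNODE_POOL = 10.99.0.0/24  # addresses handed to remote nodes (assumed)
define MAIL_RELAY = 10.50.0.10    # DMZ mail filter / AV gateway (assumed)
define WEB_PROXY  = 10.50.0.20    # DMZ HTTP proxy (assumed)
define PATCH_SRV  = 10.50.0.30    # DMZ AV-signature / patch server (assumed)

table inet vpnzones {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for flows we already allowed; junk gets dropped.
        ct state established,related accept
        ct state invalid drop

        # Remote nodes: the company may not own the box, it is not always
        # behind the firewall, and someone else may hold admin. Send all
        # of it to a chain with its own, more restrictive access model.
        iifname $RNODE_IF jump from_remote_node

        # Network-to-network VPN whose trust, protection and admin level
        # match the primary site: handled like another floor of the building.
        iifname $S2S_IF oifname $INSIDE_IF ip daddr $INSIDE_NET accept
        iifname $INSIDE_IF oifname $S2S_IF accept

        # Inside may use the DMZ services; only the filtering relay may
        # deliver mail inward from the DMZ.
        iifname $INSIDE_IF oifname $DMZ_IF accept
        iifname $DMZ_IF ip saddr $MAIL_RELAY oifname $INSIDE_IF tcp dport 25 accept
    }

    chain from_remote_node {
        # A remote node must use the address it was assigned; anything
        # else arriving on the tunnel is spoofed or misconfigured.
        ip saddr != $RNODE_POOL log prefix "rnode-spoof " drop

        # No path at all from the remote-node pool to the inside network;
        # logged so the attempts are visible to whoever watches the box.
        oifname $INSIDE_IF log prefix "rnode-to-inside " drop

        # The only things a remote node may reach are the DMZ controls:
        # mail through the filtering relay, web through the proxy, and
        # AV/patch updates. Each of those hosts does the inspection.
        oifname $DMZ_IF ip daddr $MAIL_RELAY tcp dport { 25, 143, 993 } accept
        oifname $DMZ_IF ip daddr $WEB_PROXY  tcp dport 3128 accept
        oifname $DMZ_IF ip daddr $PATCH_SRV  tcp dport 443 accept

        log prefix "rnode-denied " drop
    }
}
```

The point of the separate chain is that the remote-node pool never gets a forwarding rule toward the inside interface, only toward specific DMZ hosts that carry the anti-virus and mail filtering. Load it with `nft -f`, then confirm the split by checking the `rnode-to-inside` log prefix: a remote client that tries to reach an inside address should show up there rather than succeed, while the site-to-site tunnel passes as ordinary inside traffic.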