Re: Application requires VPN - How are these handled?

[Paul Robertson <proberts () patriot net>]

On Tue, 1 Apr 2003, Mikael Olsson wrote:

> Someone else wrote:
> > [$bigco won't allow lan-to-lan tunnels. grumble.]
>
> I'd just like to point out here that, as far as security is
> concerned, this is basically a kick in the face.

Security is about denying things, so it's normal that people who do 
security have policies that deny things...

I've been saying more and more that these things should simply be a matter 
of ensuring that there's a minumum ammount of dilligence on the other end, 
and a maximum ammount of insurance.

That is, if some {vendor, partner, employer...} is making me provide 
connectivity, then they should show me that my risk is being underwritten 
by them.  At that point, we're into business decisions and risk analysis- 
couple that with a formal assurance program (audit...[1]) and there's 
little room for argument.

(Granted, I spent a chunk of time on our insurance stuff recently, 
and after discussions with our insurance company and the underwriters, I'm 
a lot happier about this than I used to be and it's fresh in my mind...)

> I can however tell you that it measurably worsens _your_ security.
> If someone has access to _their_ LAN, they have an open tunnel
> to the inside of your network that you have no control over 
> what so ever.

Seriously, in a normal business environment, insurance needs to be part of 
the assurance process.  I've looked at insurance over time, and I find 
that insurers are much happier about covering a lot more electronic stuff 
than they used to be.

> Assume that you do work for two large companies. A and B.
> They both mandate single-box VPN clients.
>
> As previously mentioned, you have no control over what enters your
> network through the VPN connection. Now, assume that A and B are
> fierce competitors.  Here's a scenario:
> - A attacks your workstation; there's nothing stopping them
> - From that workstation, the leap is very short to the next one,
>   which happens to have a tunnel to company B
> - A can attack B, using the workstations on your LAN as 
>   a springboard
>
> Now, assume that these were LAN-to-LAN tunnels instead, with 
> proper security controls in place. Here's what'd happen:

If you can add "proper security controls" to a LAN situation, you should 
be able to add them to a host situation, or you're really comparing apples 
and kumquats.  At the least, that workstation can be extant to whatever 
"proper security controls" are in place.

> - A attempts to attack workstations or servers on your LAN. 
> - Your firewall repels them; they have no business connecting to
>   your LAN whatsoever, so you don't allow any of it.
>
>
> Of course, there's also the whole issue with A or B becoming
> compromised and the problem spreading to your network, or someone
> at A and B simply deciding to royally screw you over, but that's
> a different thought exercise and does not involve any problem 
> for _them_, so that argument only works if they care about _you_.

It might provide some very sticky situations if they're competitors and 
the transferrance works through the middle to the other one, especially in 
highly regulated industries.

Paul
[1] Disclaimer: TruSecure provides security assurance/certification 
processes as a large part of our business, so I'm likely to be completely 
biased and jaded, so I've tried to focus more on insurance.
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards