Firewall Wizards mailing list archives
Re: Application requires VPN - How are these handled?
From: Paul Robertson <proberts () patriot net>
Date: Tue, 1 Apr 2003 17:13:05 -0500 (EST)
On Tue, 1 Apr 2003, Mikael Olsson wrote:
> Someone else wrote: [$bigco won't allow lan-to-lan tunnels. grumble.]
>
> I'd just like to point out here that, as far as security is concerned, this is basically a kick in the face.
Security is about denying things, so it's normal that people who do security have policies that deny things... I've been saying more and more that these things should simply be a matter of ensuring that there's a minimum amount of diligence on the other end, and a maximum amount of insurance. That is, if some {vendor, partner, employer...} is making me provide connectivity, then they should show me that my risk is being underwritten by them. At that point, we're into business decisions and risk analysis; couple that with a formal assurance program (audit...[1]) and there's little room for argument. (Granted, I spent a chunk of time on our insurance stuff recently, and after discussions with our insurance company and the underwriters, I'm a lot happier about this than I used to be and it's fresh in my mind...)
> I can however tell you that it measurably worsens _your_ security. If someone has access to _their_ LAN, they have an open tunnel to the inside of your network that you have no control over whatsoever.
Seriously, in a normal business environment, insurance needs to be part of the assurance process. I've looked at insurance over time, and I find that insurers are much happier about covering a lot more electronic stuff than they used to be.
> Assume that you do work for two large companies, A and B. They both mandate single-box VPN clients. As previously mentioned, you have no control over what enters your network through the VPN connection. Now, assume that A and B are fierce competitors. Here's a scenario:
>
> - A attacks your workstation; there's nothing stopping them
> - From that workstation, the leap is very short to the next one, which happens to have a tunnel to company B
> - A can attack B, using the workstations on your LAN as a springboard
>
> Now, assume that these were LAN-to-LAN tunnels instead, with proper security controls in place. Here's what'd happen:
If you can add "proper security controls" to a LAN situation, you should be able to add them to a host situation, or you're really comparing apples and kumquats. At the least, that workstation can be extant to whatever "proper security controls" are in place.
> - A attempts to attack workstations or servers on your LAN.
> - Your firewall repels them; they have no business connecting to your LAN whatsoever, so you don't allow any of it.
>
> Of course, there's also the whole issue with A or B becoming compromised and the problem spreading to your network, or someone at A and B simply deciding to royally screw you over, but that's a different thought exercise and does not involve any problem for _them_, so that argument only works if they care about _you_.
It might provide some very sticky situations if they're competitors and the transference works through the middle to the other one, especially in highly regulated industries.

Paul

[1] Disclaimer: TruSecure provides security assurance/certification processes as a large part of our business, so I'm likely to be completely biased and jaded, so I've tried to focus more on insurance.

-----------------------------------------------------------------------------
Paul D. Robertson          "My statements in this message are personal opinions
proberts () patriot net     which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment
                           TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards