Firewall Wizards mailing list archives
Re: Application requires VPN - How are these handled?
From: Mikael Olsson <mikael.olsson () clavister com>
Date: Wed, 02 Apr 2003 00:38:26 +0200
Paul Robertson wrote:
> On Tue, 1 Apr 2003, Mikael Olsson wrote:
> > Assume that you do work for two large companies. A and B. They both
> > mandate single-box VPN clients. As previously mentioned, you have no
> > control over what enters your network through the VPN connection.
> > Now, assume that A and B are fierce competitors. Here's a scenario:
> > - A attacks your workstation; there's nothing stopping them
> > - From that workstation, the leap is very short to the next one,
> >   which happens to have a tunnel to company B
> > - A can attack B, using the workstations on your LAN as a springboard
> > Now, assume that these were LAN-to-LAN tunnels instead, with proper
> > security controls in place. Here's what'd happen:
>
> If you can add "proper security controls" to a LAN situation, you should
> be able to add them to a host situation, or you're really comparing apples
> and kumquats. At the least, that workstation can be extant to whatever
> "proper security controls" are in place.
Ah, you're definitely right for the theoretical situation. What I'm arguing against is what I believe is happening in this particular case: "Here's a copy of securemote, preconfigured by us. Slap it on to a workstation. You're not allowed to tinker with it."

Now, is $bigco likely to provide insurance to the poor bastard stuck with the new electronic highway to a workstation inside their LAN? Not very likely. Is $bigco likely to provide an agreement that the poor contractor has to sign, making them liable for any foulness that can get into $bigco's network? Maybe. If so, will the contractor just accept it, smiling? Bet on it.

I'm just trying to show that $bigco is basically being stupid by hard-headedly requiring single-host clients. I see how it makes sense if they know nothing about the party they're allowing access to, or know for a fact that their security is substandard, but, to my mind, both parties could benefit from reviewing the situation and, in cases where it makes sense, allow the VPN tunnel to terminate somewhere where the firewall gets to examine the traffic.

And, yes, I can see why $bigco would want to put in a clause saying "put wireless units on your LAN and we'll sue/cut the connection". I'm all for it :)

-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00  Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50  WWW: http://www.clavister.com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
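The pivot Mikael describes (A reaches the workstation through its VPN client, hops across the flat LAN, and rides the second workstation's client into B) is a reachability question over the flows each deployment permits. The following is an added example, not code from the thread or from either poster: a small attack-path model that walks the allowed flows from an attacker's foothold under the worst-case assumption that any permitted flow to a host is enough to take that host over. Both rule sets are constructed for illustration; the hostnames (WS1, WS2) and the service names (app-a, app-b) are assumptions, and the gateway rule set stands in for the "proper security controls" the thread refers to without naming.

```python
from collections import deque

# Constructed model of the two deployments under discussion.
# A rule is (source, destination, service); "any" means the flow is unfiltered.
# Worst-case assumption (ours, not the thread's): if the attacker controls the
# source of a permitted flow, the destination host can be compromised too.

# Deployment 1: single-host VPN clients on two LAN workstations.
SINGLE_HOST_CLIENTS = [
    ("A", "WS1", "any"),    # A's client on WS1; nothing inspects what A sends
    ("WS1", "A", "any"),
    ("WS1", "WS2", "any"),  # flat LAN between the two workstations
    ("WS2", "WS1", "any"),
    ("B", "WS2", "any"),    # B's client on WS2
    ("WS2", "B", "any"),
]

# Deployment 2: LAN-to-LAN tunnels terminating on a firewall that only passes
# the one application each partner requires, outbound, and never tunnel to tunnel.
GATEWAY_TUNNELS = [
    ("WS1", "A", "app-a"),  # assumed service name
    ("WS2", "B", "app-b"),  # assumed service name
]


def reachable(rules, start):
    """Return {host: predecessor} for every host an attacker who controls
    `start` can take over by following permitted flows transitively."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        src = queue.popleft()
        for s, d, _service in rules:
            if s == src and d not in parent:
                parent[d] = src
                queue.append(d)
    return parent


def pivot_path(rules, attacker, victim):
    """The hop-by-hop path from attacker to victim, or None if none exists."""
    parent = reachable(rules, attacker)
    if victim not in parent:
        return None
    path, node = [], victim
    while node is not None:
        path.append(node)
        node = parent[node]
    return path[::-1]


def can_pivot(rules, attacker, victim):
    return pivot_path(rules, attacker, victim) is not None


if __name__ == "__main__":
    for name, rules in (("single-host clients", SINGLE_HOST_CLIENTS),
                        ("gateway tunnels", GATEWAY_TUNNELS)):
        print(f"{name}: A -> B via {pivot_path(rules, 'A', 'B')}")
        # Even if A somehow owned WS1, can it reach B through our LAN?
        print(f"{name}: WS1 -> B via {pivot_path(rules, 'WS1', 'B')}")
```

With single-host clients the model finds the springboard path A, WS1, WS2, B; with gateway-terminated tunnels there is no path from A to B, and none from a compromised WS1 to B either, because the firewall policy has no rule carrying traffic from one tunnel into the other. The model says nothing about whether the permitted application flows themselves are safe; it only shows what the placement of the tunnel endpoint does to the pivot.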
Current thread:
- Application requires VPN - How are these handled? Michele Jordan (Apr 01)
- Re: Application requires VPN - How are these handled? Mikael Olsson (Apr 01)
- Re: Application requires VPN - How are these handled? Paul Robertson (Apr 01)
- Re: Application requires VPN - How are these handled? Mikael Olsson (Apr 01)
- Re: Application requires VPN - How are these handled? Paul Robertson (Apr 01)
- Re: Application requires VPN - How are these handled? Mike Scher (Apr 02)
- tunnel vs open a hole Anton A. Chuvakin (Apr 06)
- Re: tunnel vs open a hole Marcus J. Ranum (Apr 06)
- Re: tunnel vs open a hole Barney Wolff (Apr 06)
- Re: tunnel vs open a hole Marcus J. Ranum (Apr 06)
- Re: tunnel vs open a hole Crispin Cowan (Apr 07)
- Re: tunnel vs open a hole Barney Wolff (Apr 07)
- Re: tunnel vs open a hole Crispin Cowan (Apr 07)
- Re: Application requires VPN - How are these handled? Paul Robertson (Apr 01)
- Re: Application requires VPN - How are these handled? Mikael Olsson (Apr 01)
- Re: tunnel vs open a hole Dave Piscitello (Apr 08)