Firewall Wizards mailing list archives
Re: VPN endpoints
From: "Paul D. Robertson" <paul () compuwar net>
Date: Mon, 30 Aug 2004 08:17:42 -0400 (EDT)
On Sun, 29 Aug 2004, Rodel Collado Urani wrote:
> hello,
Hi,
> VPN is secure by default and it uses several encryption algorithms to satisfy the endpoint security every administrator and end user is looking for. As long as it is within the VPN jurisdiction (I mean the client
This is a common misconception. VPNs are not secure by default; implementation and architecture have a lot to do with security for VPNs. Simply adding encryption doesn't add security, it adds a bunch of disciplines that need to be considered, like key handling and active enforcement of an encryption boundary. Key management is *especially* important: in LAN-to-LAN VPNs, it's easy to keep key control limited to those who are trained to handle it well; in node-to-LAN VPNs, the keys are under physical and often logical control of your dumbest user.
> and server who are accessing the service) the communication cannot easily be compromised (it may take long to get that) because the data are encrypted while traversing the unsecured public internet. Also consider what types of service or protocols you are going to employ; there are L2TP, PPTP from Microsoft, IPSec VPNs and the new one which is the SSL VPN, where it eliminates hassles on the part of the Security Admin (whoever is in charge in your organization) to configure the VPN client because lots of internet browsers now have their own SSL embedded in them.
The "hassle" of configuring things is often what separates a safe network from one which is easily compromised by an attacker with the same default configuration as a legitimate user. It also often makes a social engineering vector more difficult to obtain.
> The question must be like this: does the security still remain, i.e. is the message or data transmitted still secure, when it goes out of the VPN server? Like when you transfer it to your PC or any machine that is already out of the VPN jurisdiction. Absolutely NOT! Unless you have implemented an OpenSecurity Infrastructure (OSI) that will totally secure by encrypting all data transmitting in (your LAN) and out (that is the use of VPN) of your network.
Adding more encryption doesn't add more security automatically. Adding more nodes in the group that must have keys _increases_ your risk in most situations.
> Actually, I coined OSI ;-) as an implementation of distinct security techniques and several processes particularly in protecting the inter-network.

Well, stop overloading already used abbreviations. It's a bad practice.

> Meaning adept in the disposal of security components such as encryption, PKI, OpenPGP, software/hardware firewall, antivirus software that will make sure it will guarantee the protection of your data wherever it goes. ;-)
If the data "goes" somewhere, you can't guarantee its protection, you can only reduce the risk of compromise. Adding components without a sound architecture doesn't decrease risk. Adding complex software often increases risk.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson            "My statements in this message are personal opinions
paul () compuwar net          which may have no basis whatsoever in fact."
probertson () trusecure com
Director of Risk Assessment
TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards