Firewall Wizards mailing list archives

Re: VPN endpoints


From: "Paul D. Robertson" <paul () compuwar net>
Date: Mon, 30 Aug 2004 08:17:42 -0400 (EDT)

On Sun, 29 Aug 2004, Rodel Collado Urani wrote:

> hello,

Hi,


> VPN is secure by default and it uses several encryption algorithms to
> satisfy the endpoint security every administrator and end user is looking
> for. As long as it is within the VPN jurisdiction (I mean the client

This is a common misconception.  VPNs are not secure by default;
implementation and architecture have a lot to do with security for VPNs.
Simply adding encryption doesn't add security, it adds a bunch of
disciplines that need to be considered, like key handling and active
enforcement of an encryption boundary.

Key management is *especially* important: in LAN-to-LAN VPNs, it's easy to
keep key control limited to those who are trained to handle it well; in
node-to-LAN VPNs, the keys are under physical and often logical control of
your dumbest user.

> and server who are accessing the service) the communication cannot be
> easily compromised (it may take long to get that) because the data
> are encrypted while traversing the unsecured public internet. Also consider
> what types of service or protocols you are going to employ; there are
> L2TP, PPTP from Microsoft, IPSec VPNs and the new one which is the
> SSL VPN, which eliminates hassles on the part of the Security Admin (whoever
> is in charge in your organization) to configure the VPN client because
> lots of internet browsers now have their own SSL embedded in them.

The "hassle" of configuring things is often what separates a safe network
from one which is easily compromised by an attacker with the same default
configuration as a legitimate user.  It also often makes a social
engineering vector more difficult to obtain.

> The question must be like this: does the security still remain, is the
> message or data transmitted still secure, when it goes out of the VPN
> server? Like when you transfer it to your PC or any machine that is already
> out of the VPN jurisdiction. Absolutely NOT! Unless you have implemented
> an OpenSecurity Infrastructure (OSI) that will totally secure by encrypting
> all data transmitting in (your LAN) and out (that is the use of VPN)
> of your network.

Adding more encryption doesn't add more security automatically.  Adding
more nodes in the group that must have keys _increases_ your risk in most
situations.

> Actually, I coined OSI ;-) as an implementation of distinct security
> techniques and several processes particularly in protecting the inter-

Well, stop overloading already used abbreviations.  It's a bad practice.


> network. Meaning adept in the disposal of security components such as
> encryption, PKI, OpenPGP, software/hardware firewall, antivirus software
> that will make sure it will guarantee the protection of your data wherever
> it goes. ;-)

If the data "goes" somewhere, you can't guarantee its protection, you can
only reduce the risk of compromise.  Adding components without a sound
architecture doesn't decrease risk.  Adding complex software often
increases risk.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards