Firewall Wizards mailing list archives

Re: VPN endpoints

From: "Kevin Sheldrake" <kev () electriccat co uk>
Date: Mon, 30 Aug 2004 14:48:16 +0100

Hmm

I thought OSI was Open System Interconnection, as in 7 Layer OSI Model.

VPNs are not secure by default for two differently abstracted reasons:

1) Some VPN products default to allowing the Null encryption algorithm.So, unless you like no encryption, VPNs are not secure (although somespecific examples may be 'secure' (see 2)). Also, bear in mind theimplementation of the VPN encryption algorithms might not be textbook -how will you know?

2) 'Secure' is an undefined term. What's secure for me might not besecure for you - it all depends upon the sensitivity of the informationand the impact on the business in cases of compromise, whether that beconfidentiality, integrity or availability.

SSL VPNs are IMHO generally a bad idea. In a nutshell, this is becausemost of the benefits are in the fact that practically any client can beused, and that the authentication mechanisms are not particularlyintrusive (and often are fault-tolerant). By allowing uncontrolledclients you introduce potentially major risks; controlling the clientswould point back towards a traditional IPSec solution. The authenticationmechanisms may be compromised by a little technology and average userignorance (fake certificates, for instance); restricting theauthentication mechanisms would again point back towards traditional IPSecsolutions.


Quote:

Actually, I coined OSI ;-) as an implementation of distinct security
techniques and several processes particularly in protecting the inter-

network. Meaning adept in the disposal of security components such us
encryption, PKI, openPGP, software/hardware firewall, antivirus software

that will make sure it will guarantee the protection of your datawherever

it goes. ;-)


"adept in the disposal of security components"?  "make sure"?  "guarantee"?

Wow, it sounds like there's no need for risk assessments or systemsanalysis anymore; I better retrain as a plumber.

Kev

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 24 Aug 2004 10:36:43 -0700 hermit921 <hermit921 () yahoo com>

hello,

VPN is secure by default and it uses several encryption algorithm to
satisfy the endpoint security every administrator and endusers is looking
for. As long as it is within the VPN jurisdiction (i mean the client
and server who are accessing the service) the communication cannot be
easily be compromised (it may take long to get that) because the data

are encrypted while traversing the unsecured public internet. Alsoconsider

what types of service or protocols are you going to employ there are
like L2TP, PPTP from Microsoft, IPSec VPNs and the new one which is the
SSL VPN where its elimates hassles on part of the Security Admin (whoever
is in-charge in your organization) to configure the vpn client because
lots of internet browsers has now have their own SSL embedded in it.
The question must be like this, is the security still remains if the
message or data transmitted is still secure when it goes out of the VPN

server? Like when you transfer it to your PC or any machine that isalready

out of the VPN jurisdiction. Absolutely NOT! unless you have implemented

an OpenSecurity Infrastructure (OSI) that will totally secure byencrypting

all data transmitting in (your LAN) and out (that is the use of VPN)
of your network.

Actually, I coined OSI ;-) as an implementation of distinct security
techniques and several processes particularly in protecting the inter-

network. Meaning adept in the disposal of security components such us
encryption, PKI, openPGP, software/hardware firewall, antivirus software

that will make sure it will guarantee the protection of your datawherever

it goes. ;-)

Cheers,

a.k.a Sparc

RODEL COLLADO URANI
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.4

wkYEARECAAYFAkEzZT8ACgkQQ7QUZrvBIZ0/eQCeOG+2Zlh8TPLb47VdH19Chg78c3YA
niVaSZrbTfztEBuJ6NuYpBEPKCEB
=imhZ
-----END PGP SIGNATURE-----

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards




--
Kevin Sheldrake MEng MIEE CEng CISSP
Electric Cat (Bournemouth) Ltd

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

RE: VPN endpoints anyluser (Aug 26)
- <Possible follow-ups>
- VPN endpoints Adam Graham (Aug 26)
- RE: VPN endpoints Fetch, Brandon (Aug 26)
- RE: VPN endpoints Smith, Aaron (Aug 26)
- RE: VPN endpoints Melson, Paul (Aug 26)
- Re: VPN endpoints Rodel Collado Urani (Aug 30)
  - Re: VPN endpoints Paul D. Robertson (Aug 30)
  - Re: VPN endpoints Kevin Sheldrake (Aug 30)
    - Re: VPN endpoints Devdas Bhagat (Aug 30)
    - Re: VPN endpoints Paul D. Robertson (Aug 30)
    - Re: VPN endpoints Devdas Bhagat (Aug 30)
    - Re: VPN endpoints Paul D. Robertson (Aug 31)
- RE: VPN endpoints MHawkins (Aug 30)
  - Re: VPN endpoints Devdas Bhagat (Aug 30)
    - Re: VPN endpoints Marcus J. Ranum (Aug 31)