Firewall Wizards mailing list archives

RE: Worms, Air Gaps and Responsibility


From: "R. DuFresne" <dufresne () sysinfo com>
Date: Wed, 5 May 2004 15:30:52 -0400 (EDT)

On Wed, 5 May 2004, Karl Mueller wrote:

Maybe one reason is the trend to route mission critical info over the
Internet (albeit over VPN tunnels). We'd like to say that you MUST use
private lines for really secure information, but money tends to talk in
these situations. Since a lot of networks span multiple sites, and WAN
prices don't scale well, businesses are turning to the Internet and VPNs as
a way to make their sites well-connected without the cost of a full-mesh FRS
or private-line network. Of course a well-configured VPN router will block
all traffic that does not come through the tunnel, but this is still not an 'air
gap' since you're still physically connected to the Internet. In this case,
one small config error on your firewall/VPN endpoint opens up your entire
network to the Internet.

And the present state of VPN madness does not often mitigate much risk;
trojan packets, once a system is hit, will flow over the VPN as well as any
open/unencrypted route.  Far too often VPNs are the lazy man's way of
implementing segregation/separation.

Thanks,

Ron DuFresne
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!
