Firewall Wizards mailing list archives
Re: risk level associated with VPNs?
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Sat, 05 Feb 2005 10:48:14 -0500
Avishai Wool wrote:
> My claim is that these rules are very risky and a wonderful vector for all kinds of malware.
"Risky" is too kind a word. "Stupid" is more accurate. I could probably dig up one of my old DAT backups from 1990 with old presentations on VPNs (except I was calling them "Virtual Network Perimeter" in those days before the marketing took over) - I recall having a slide that basically said VNPs should be treated as a trust boundary in spite of their convenience. I.e.: only permit minimal service-sets to restricted destinations. People persist in using even security products at their lowest "setting" and then they are shocked and amazed to discover that they're not spectacularly effective. :( Frankly, I find it baffling, because historically security was a problem domain that attracted people with strong analytical skills. Perhaps what we're seeing is the results of the shift in the clue-density curve that started around the time AOL connected to the Internet...
> However, customers uniformly disagree with this argument, and tell me that "traffic coming over a VPN is not perceived as a risk so shut up about it."
They are fools.

mjr.