Re: risk level associated with VPNs?

["Marcus J. Ranum" <mjr () ranum com>]

Avishai Wool wrote:
> My claim is that these rules are very risky and a wonderful 
> vector for all kinds of malware.

"Risky" is too kind a word. "Stupid" is more accurate.

I could probably dig up one of my old DAT backups from 1990
with old presentations on VPNs (except I was calling them
"Virtual Network Perimeter" in those days before the marketing
took over) - I recall having a slide that basically said VNPs
should be treated as a trust boundary in spite of their
convenience. I.e.: only permit minimal service-sets to restricted
destinations.

People persist in using even security products at their lowest
"setting" and then they are shocked and amazed to discover
that they're not spectacularly effective. :(  Frankly, I find it
baffling, because historically security was a problem domain
that attracted people with strong analytical skills. Perhaps
what we're seeing is the results of the shift in the clue-density
curve that started around the time AOL connected to the Internet...

> However, customers uniformly disagree with this argument, and tell me that 
> "traffic coming over a VPN is not perceived as a risk so shut up
> about it."

They are fools.

mjr.  

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards