Firewall Wizards mailing list archives

RE: risk level associated with VPNs?


From: "Bruce Smith" <bruce_the_loon () worldonline co za>
Date: Sat, 5 Feb 2005 20:16:31 +0200

Good day all

Just when you think you can sit back and have a beer, someone comes
around and scares you. :)

Our VPN connections pass via the same checking systems when they connect
to our servers as the in-house clients do. Servers are isolated on their
own VLAN with ACLs in place, anti-virus and -malware on the servers that
are Windows-infected and IDS hanging around scanning for naughty boys.

The in-house machines access e-mail and web via protected services with
in-line e-mail scanning and desktop anti-virus that scan everything else.
We experimented with anti-virus on the web proxy, but that proved a useless
extra step in the tree.

Now we assume, repeat assume, the VPN machines are adequately protected
against virus, properly updated and patched and are behaving themselves.
Under those conditions, they are the same risk as the in-house machines. But
can we assume this? I think that is the major crux of the VPN question, as
well as the old dial-up user question. And since the VPN connection comes
from a machine that is likely unfirewalled and open to the Internet, we
should not make this assumption.

We are a university with close on 20000 students, some of whom bring their
own machine into the network. These are machines that go home and get exposed
there and we don't have too many problems from that source. We also have had
no problems from the VPN side as yet. There are two reasons for this that we
can see.

1) The protection services inside the network are doing their job. Servers
and desktops are protected from internal and external attack. Ports and
services are protected by ACLs on the VLAN routers and by the anti-virus
where it applies. E-mail gateways are locked down and the only access to
SMTP is via the filtering service. Web has to go via the proxy. Etc.

2) Our VPN users tend to be power-user level and understand security. Now
this does bias us as an example, since most VPN users out there tend to be
office staff doing their jobs from outside.

But you have a valid point that we have considered before. There is a
somewhat greater risk involved with open access to the internal network via
VPN. Instead of a VPN DMZ solution, it may be easier to explicitly protect
vital services with permanent block lines in the firewall config. Remember
that security is the balance between protection and isolation. Something
has to get it.

Regards

Bruce

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Avishai Wool
Sent: Friday, February 04, 2005 12:55 AM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] risk level associated with VPNs?


Dear all,

While doing firewall policy analyses for customers,
I very often come across rules that allow
  any ip traffic
  from anywhere outside the perimeter
  into big portions of the inside networks
but over a VPN link (i.e., encrypted & authenticated).

Let's put aside the question of whether the authentication is
sufficient, and assume that nobody is cracking the passwords.
I tend to trust the encryption and believe that no one can snoop
the traffic in flight.

My claim is that these rules are very risky and a wonderful
vector for all kinds of malware. All those home
computers, laptops on the road etc, are much more at risk
of infection than inside computers are. Plus the VPN has the
nice side-effect that filters can't see through the encryption
and control (or even log) where the connection is going
and what it is doing.

Left to my own devices, I would recommend terminating the VPNs 
in a DMZ, and putting all the usual controls (anti-virus/mail filter/etc)
between the DMZ and the inside, and I would flag these raw VPN connections
as risky, maybe even very risky.

However, customers uniformly disagree with this argument, and tell me that 
"traffic coming over a VPN is not perceived as a risk so shut up
about it."

Thoughts anyone?
Any credible war stories about malware/abuse traveling over VPNs?
Or are the customers right and I'm being paranoid? 
 (please don't respond that "the customer is always right" :-)

Thanks,
  Avishai

=====
Avishai Wool, Ph.D.,                    
http://www.algosec.com               http://www.eng.tau.ac.il/~yash
yash () acm org     Tel: +972-3-640-6316  Fax: +972-3-640-7095
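The two positions in this thread, Avishai's "any ip traffic over the VPN into big portions of the inside" rule and Bruce's "permanent block lines" for vital services, can both be checked mechanically in a policy review. The following is an added example (not code from either poster): a small first-match rule auditor over constructed rules and addressing, which flags broad any-service VPN allows and walks the rule list to see whether each vital service is still reachable from a VPN client.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    src: str      # CIDR of allowed sources, or "any"
    dst: str      # CIDR of destinations, or "any"
    service: str  # "proto/port", or "any"
    action: str   # "allow" or "deny"; the list is evaluated first-match

# Constructed addressing: inside network, VPN client pool, vital services.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
VPN_POOL = ipaddress.ip_network("192.168.200.0/24")
VITAL = {"tcp/25": ipaddress.ip_address("10.0.1.25"),   # SMTP gateway
         "tcp/445": ipaddress.ip_address("10.0.2.10")}  # file server

def _net(cidr):
    return None if cidr == "any" else ipaddress.ip_network(cidr)

def matches(rule, src_ip, dst_ip, service):
    s, d = _net(rule.src), _net(rule.dst)
    return ((s is None or src_ip in s) and (d is None or dst_ip in d)
            and rule.service in ("any", service))

def inside_coverage(rule):
    # Fraction of INTERNAL the rule's destination reaches (1.0 for "any").
    d = _net(rule.dst)
    if d is None or INTERNAL.subnet_of(d):
        return 1.0
    return d.num_addresses / INTERNAL.num_addresses if d.subnet_of(INTERNAL) else 0.0

def audit(rules, broad=0.25):
    # Findings for a first-match rule list, seen from one VPN client address.
    findings, vpn_ip = [], VPN_POOL[10]
    for r in rules:  # broad "any service" allows from the VPN into the inside
        if (r.action == "allow" and r.service == "any" and inside_coverage(r) >= broad
                and (r.src == "any" or vpn_ip in _net(r.src))):
            findings.append(f"{r.name}: any service from VPN into {inside_coverage(r):.0%} of inside")
    for svc, host in VITAL.items():  # is each vital service still reachable?
        hit = next((r for r in rules if matches(r, vpn_ip, host, svc)), None)
        if hit is not None and hit.action == "allow":
            findings.append(f"{hit.name}: VPN clients reach vital {svc} on {host}")
    return findings

# Constructed rule sets: the raw VPN allow, and the same allow preceded by
# explicit block lines for the vital services (Bruce's approach).
RAW = [Rule("vpn-any", str(VPN_POOL), str(INTERNAL), "any", "allow")]
BLOCKED = [Rule("block-smtp", str(VPN_POOL), "10.0.1.25/32", "tcp/25", "deny"),
           Rule("block-smb", str(VPN_POOL), str(INTERNAL), "tcp/445", "deny"),
           Rule("vpn-any", str(VPN_POOL), str(INTERNAL), "any", "allow")]
```

Running `audit(RAW)` reports the broad allow and both vital services; `audit(BLOCKED)` clears the vital services but still reports the broad allow, which is the residual risk Avishai's DMZ termination would address.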

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


