Firewall Wizards mailing list archives

Re: risk level associated with VPNs?


From: "Paul D. Robertson" <paul () compuwar net>
Date: Sun, 6 Feb 2005 09:55:10 -0500 (EST)

On Thu, 3 Feb 2005, Avishai Wool wrote:

> My claim is that these rules are very risky and a wonderful
> vector for all kinds of malware. All those home

Like most things, the answer is "it depends"- for node to network VPNs, I
think you've pretty much got it right- for network to network VPNs, it
really depends on the organization's IT infrastructure.  If the trust
level, protection level, and administrative level is the same as the
primary site, then there's not much difference between the other site and
another floor in the building.

As soon as we get to "company doesn't own the system," "the system isn't
always behind the firewall," "Someone else has admin rights," or any other
significant difference, then the risk goes up.

> Left to my own devices, I would recommend terminating the VPNs
> in a DMZ, and putting all the usual controls (anti-virus/mail filter/etc)
> between the DMZ and the inside, and I would flag these raw VPN connections
> as risky, maybe even very risky.

I'm not sure I'd terminate on the DMZ, I do think that remote node VPN
traffic should have a different trust model, but I also think it requires
a different access model- and I'd rather compartment it somewhere else for
inspection/protection than the same place I get traffic with more
restrictive access.

> Any credible war stories about malware/abuse traveling over VPNs?

Microsoft's break in where they lost source code?  Slammer?  Blaster?...

> Or are the customers right and I'm being paranoid?

Nope, as usual, "it's ours" automagically means "we trust it implicitly!"

> (please don't respond that "the customer is always right" :-)

Face the customer and execute a left face.  Now the customer is
always right.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
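The distinction Paul draws above (a network-to-network tunnel to an equally managed site treated like another floor of the building, versus remote nodes that get a different trust model and a different access model, compartmented somewhere they can be inspected) can be expressed directly in a packet-filter policy. The following nftables ruleset is an added illustration, not anything posted in this thread: every address, interface name and port in it is an assumed placeholder, and the inspection proxy standing in for the "usual controls" between the DMZ and the inside is assumed as well.

```nftables
# Added example, not from the thread: remote-node VPN tunnels terminate on a
# concentrator in the DMZ, and their address pool is given a narrower access
# model than the site-to-site tunnel to a branch with the same admin level.
# All addresses, interface names and ports are constructed placeholders.

define INSIDE_NET    = 10.10.0.0/16     # primary site
define BRANCH_NET    = 10.20.0.0/16     # network-to-network VPN, same trust/protection/admin level
define RWARRIOR_POOL = 172.16.50.0/24   # node-to-network VPN pool, terminated in the DMZ
define INSPECT_PROXY = 10.10.5.10       # mail/web filtering proxy between the DMZ and the inside

table inet vpn_compartment {
    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Branch site: same trust level as the primary site, so it gets the
        # same reach into the inside network that another floor would.
        iifname "branch-vpn" ip saddr $BRANCH_NET ip daddr $INSIDE_NET accept

        # Remote nodes: only the inspection/protection path is reachable.
        # The accept for the proxy must precede the catch-all drop below,
        # because the proxy sits inside INSIDE_NET.
        iifname "dmz" ip saddr $RWARRIOR_POOL ip daddr $INSPECT_PROXY tcp dport { 25, 80, 443 } accept

        # Anything else from the pool toward the inside is logged and dropped,
        # which is also where "is a remote node probing internally?" shows up.
        iifname "dmz" ip saddr $RWARRIOR_POOL ip daddr $INSIDE_NET log prefix "vpn-pool-to-inside-denied " drop

        # Remote nodes may not use the trusted site-to-site tunnel as a lateral hop.
        iifname "dmz" ip saddr $RWARRIOR_POOL ip daddr $BRANCH_NET log prefix "vpn-pool-to-branch-denied " drop
    }
}
```

The point of the layout is that the two tunnel types never share a rule: the branch tunnel is matched by its own interface and source range, and the road-warrior pool can only reach the single host that applies the anti-virus and mail filtering, so a compromised home machine gets the same treatment as any other DMZ host rather than an inside one. Loading it is the usual `nft -f` of the file; the log prefixes give a detection hook for pool traffic that tries to go anywhere but the proxy.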
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

