Firewall Wizards mailing list archives
RE: risk level associated with VPNs?
From: "Richards, Jim" <jim.richards () dot state wi us>
Date: Mon, 7 Feb 2005 08:21:46 -0600
IMHO, I have had that exact scenario wreak havoc on the network I managed in Europe. With Blaster and other such malware looming, I secured my VPN connections by locking down the filter tightly. Unfortunately my colleague in the US did not do so, and I failed to lock down the site-to-site VPN connection, thus at around 8:00 am US time, someone VPNs in, introduced the virus to the US LAN, which promptly came through the tunnel to Europe, and made for a very unpleasant afternoon/evening for me.

The approach I take now is to be very aggressive on locking down the perimeter of each site under my control, to protect them from each other, as when laptops go offsite, I can no longer protect them as well as I would like, and when they return, there is a chance that something nasty might have been installed. This also protects against the non-company-owned PCs in use on the VPN which I do not (nor would want to have to) support.

Jim Richards
Computer Security Officer
Wisconsin Dept of Transportation

-----Original Message-----
From: Avishai Wool [mailto:avishai_w () yahoo com]
Sent: Thursday, February 03, 2005 4:55 PM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] risk level associated with VPNs?

Dear all,

While doing firewall policy analyses for customers, I very often come across rules that allow any IP traffic from anywhere outside the perimeter into big portions of the inside networks, but over a VPN link (i.e., encrypted & authenticated). Let's put aside the question of whether the authentication is sufficient, and assume that nobody is cracking the passwords. I tend to trust the encryption and believe that no one can snoop the traffic in flight.

My claim is that these rules are very risky and a wonderful vector for all kinds of malware. All those home computers, laptops on the road etc. are much more at risk of infection than inside computers are. Plus the VPN has the nice side-effect that filters can't see through the encryption and control (or even log) where the connection is going and what it is doing.

Left to my own devices, I would recommend terminating the VPNs in a DMZ, and putting all the usual controls (anti-virus/mail filter/etc.) between the DMZ and the inside, and I would flag these raw VPN connections as risky, maybe even very risky.

However, customers uniformly disagree with this argument, and tell me that "traffic coming over a VPN is not perceived as a risk so shut up about it."

Thoughts anyone? Any credible war stories about malware/abuse traveling over VPNs? Or are the customers right and I'm being paranoid? (please don't respond that "the customer is always right" :-)

Thanks,
Avishai
=====
Avishai Wool, Ph.D., http://www.algosec.com
http://www.eng.tau.ac.il/~yash
yash () acm org
Tel: +972-3-640-6316 Fax: +972-3-640-7095

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
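The rule pattern the two messages argue about can be checked mechanically. The following is an added example, not code from either poster or from the list: a small policy audit that flags permit rules letting tunnel traffic reach the inside network, and rates a policy that terminates the tunnels in a DMZ with narrow service rules instead. It goes one step beyond the original question by treating a site-to-site peer the same way as the remote-access pool, which is the case in the reply above. The zones, addresses, rule names and the three-level rating scale are all assumptions constructed for the example.

```python
"""Toy firewall policy audit for the "any IP over the VPN into the inside"
pattern.  Added example: zones, addresses and rules are constructed for
illustration and are not taken from the thread."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed address plan.  Tunnel sources arrive encrypted, so the perimeter
# filter cannot inspect them in flight; that is why they get special treatment.
ZONES = {
    "vpn_pool":  ipaddress.ip_network("172.16.250.0/24"),  # remote-access clients
    "peer_site": ipaddress.ip_network("10.200.0.0/16"),    # other office, site-to-site tunnel
    "dmz":       ipaddress.ip_network("192.0.2.0/24"),     # where tunnels should land
    "inside":    ipaddress.ip_network("10.0.0.0/16"),      # this site's LAN
}
TUNNEL_SOURCES = ("vpn_pool", "peer_site")


@dataclass(frozen=True)
class Rule:
    name: str
    src: str               # CIDR
    dst: str               # CIDR
    proto: str             # "any", "tcp", "udp", "icmp"
    dport: Optional[int]   # None = any port
    action: str            # "permit" or "deny"

    def any_service(self) -> bool:
        """True when the rule does not restrict the service at all."""
        return self.proto == "any" or (self.proto in ("tcp", "udp") and self.dport is None)


def touches(cidr: str, zone: str) -> bool:
    """True if the CIDR overlaps the named zone (0.0.0.0/0 overlaps everything)."""
    return ipaddress.ip_network(cidr, strict=False).overlaps(ZONES[zone])


def rate(rule: Rule) -> Optional[str]:
    """Rate one rule as 'very risky', 'risky' or 'ok'; None when the rule is a
    deny or does not involve tunnel or DMZ traffic."""
    if rule.action != "permit":
        return None
    from_tunnel = any(touches(rule.src, z) for z in TUNNEL_SOURCES)
    if from_tunnel and touches(rule.dst, "inside"):
        # Tunnel traffic lands on the LAN with nothing inspecting it in between.
        return "very risky" if rule.any_service() else "risky"
    if from_tunnel and touches(rule.dst, "dmz"):
        # Tunnel terminates in the DMZ; AV / mail filtering can sit behind it.
        return "risky" if rule.any_service() else "ok"
    if touches(rule.src, "dmz") and touches(rule.dst, "inside"):
        # The DMZ-to-inside hop is where the controls live; keep it narrow.
        return "risky" if rule.any_service() else "ok"
    return None


def audit(policy: list) -> dict:
    """Map rule name -> rating for every rule that receives a rating."""
    return {r.name: rate(r) for r in policy if rate(r) is not None}


# Constructed "as found" policy: any IP straight from both tunnels into the LAN.
FOUND = [
    Rule("vpn-to-lan",   "172.16.250.0/24", "10.0.0.0/16", "any", None, "permit"),
    Rule("site-to-site", "10.200.0.0/16",   "10.0.0.0/16", "any", None, "permit"),
    Rule("deny-all",     "0.0.0.0/0",       "0.0.0.0/0",   "any", None, "deny"),
]

# Constructed "recommended" policy: tunnels terminate on DMZ hosts, and only
# specific services cross from the DMZ to the inside (hosts are assumed).
RECOMMENDED = [
    Rule("vpn-to-dmz-proxy",   "172.16.250.0/24", "192.0.2.10/32", "tcp", 443,  "permit"),
    Rule("vpn-to-dmz-ts",      "172.16.250.0/24", "192.0.2.30/32", "tcp", 3389, "permit"),
    Rule("site-to-dmz-mail",   "10.200.0.0/16",   "192.0.2.20/32", "tcp", 25,   "permit"),
    Rule("dmz-mail-to-inside", "192.0.2.20/32",   "10.0.1.25/32",  "tcp", 25,   "permit"),
    Rule("deny-all",           "0.0.0.0/0",       "0.0.0.0/0",     "any", None, "deny"),
]

if __name__ == "__main__":
    for label, policy in (("found", FOUND), ("recommended", RECOMMENDED)):
        print(label)
        for name, rating in audit(policy).items():
            print(f"  {name:22s} {rating}")
```

The rating only looks at addresses and services, which is exactly the blind spot the original post describes: once the tunnel is terminated inside, nothing between the remote host and the LAN can see what the traffic is, so the breadth of the permit rule is the only control left. Restricting the service (a single TCP port into the inside) drops a rule from "very risky" to "risky" but not to "ok", because the inspection gap is still there.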
Current thread:
- RE: risk level associated with VPNs?, (continued)
- RE: risk level associated with VPNs? Bruce Smith (Feb 06)
- Re: risk level associated with VPNs? R. DuFresne (Feb 06)
- Re: risk level associated with VPNs? Paul D. Robertson (Feb 06)
- Re: risk level associated with VPNs? hermit921 (Feb 11)
- RE: risk level associated with VPNs? rlmieth (Feb 06)
- Re: risk level associated with VPNs? Shimon Silberschlag (Feb 11)
- RE: risk level associated with VPNs? Desai, Ashish (Feb 11)
- RE: risk level associated with VPNs? Paul D. Robertson (Feb 11)
- RE: risk level associated with VPNs? Michael Surkan (Feb 11)
- RE: risk level associated with VPNs? Paul D. Robertson (Feb 11)
- RE: risk level associated with VPNs? Richards, Jim (Feb 11)