Firewall Wizards mailing list archives

RE: VPNmadness gets more support;


From: "Tina Bird" <tbird () precision-guesswork com>
Date: Fri, 11 Feb 2005 19:23:46 -0800



And yet they are rolled out to the masses as a 'solution'. When trust needs to expand, verification of some level of security policy compliance needs to be made part of the solution to actually accomplish anything in the sense of secure access/communications. I perhaps meat this out some in related replies and another thread on this topic, <see; to Avishai Wool;; Re: [fw-wiz] risk level associated with VPNs?>.

[Note: I am the security architect for InfoExpress, a company that sells a
kick ass policy compliance system built after years of watching their VPN
customers deal with this exact issue...]
        
The answer I give based on my job at InfoExpress and my experience is that
we've assumed as a community that the criteria we use for establishing local
access to a machine (username, password) is essentially the only criteria we
need to use to protect ourselves from remote users on VPN connections. We've
learned the hard way that that assumption is crap, just as we've learned
that even without VPNs, laptops constitute a major threat in most corporate
environments. This is why I think that systems like our CyberGatekeeper, or
Cisco's NAC when it matures a bit, or the home rolled systems we built at
Stanford during the height of the Blaster chaos, represent a fundamental
shift in security architecture, since they permit authorization and access
control decisions to be based on endpoint configuration settings and
software levels -- far more appropriate visibility and control into these
risky and often-compromised mobile systems.

I think it's silly to accuse VPN technology -- or laptops, for that matter
-- of responsibility for these issues. Paul raised the question of power
generator control systems getting Sasser or Slammer, and he raised the
appropriate answer, better segregation of critical resources from untrusted
networks. Again, the "scan and block" technologies provide a way to
segregate networks logically, but there are lots of ways to accomplish the
task. We just have to get better at making the case to upper management and
then getting the job done.

The answer I'm coming to when I look at >all< of my sys admin experience is
that, as we've seen again and again on this list and elsewhere, we're really
struggling to accept and deal with the reality that all humans will tend to
make decisions that benefit them in the short term. Not just our users, but
also ourselves, our managers, the security product developers as a
whole...VPNs will continue to be deployed because they meet a real business
need, we can do far better than we've done in managing those connections,
rinse, repeat as necessary. I really wish I thought this emerging technology
would solve all the problems. My poor frantic director of marketing would be
much happier with me :-) All I can say is that it will surely help.

fascinating discussion, all...t.

-- 
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.300 / Virus Database: 265.8.7 - Release Date: 2/10/2005
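The architectural shift Tina describes above, basing the access decision on endpoint configuration and software levels rather than on username and password alone, can be sketched in a few dozen lines. The following is an added illustration for this archive page, not code from InfoExpress, CyberGatekeeper, Cisco NAC or the Stanford systems mentioned; the posture fields, policy thresholds, service names and the three-tier verdict (full access, remediation segment, deny) are all constructed for the example.

```python
"""Posture-based access decision for a remote (VPN) endpoint.

Illustrative only: not a vendor's policy-compliance engine. Every field,
threshold and segment name below is an assumption made for the example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional


@dataclass
class Posture:
    """What the endpoint agent (or a network scan) reports about the host."""
    host: str
    os_patch_level: int                 # constructed monotonic patch baseline number
    av_installed: bool
    av_defs_date: Optional[date]        # date of the last signature update, if any
    host_firewall_on: bool
    listening_services: List[str] = field(default_factory=list)


@dataclass
class Policy:
    """Minimum configuration the organisation requires before granting access."""
    min_patch_level: int
    max_av_defs_age_days: int
    forbidden_services: frozenset       # services that must not be listening


@dataclass
class Decision:
    verdict: str                        # "full", "quarantine" or "deny"
    segment: Optional[str]              # logical network the session is placed in
    failures: List[str]


def evaluate(posture: Posture, policy: Policy, today: date) -> Decision:
    """Map an endpoint posture report to an authorization decision.

    Non-critical failures (old patches, stale signatures, firewall off) put the
    host on a remediation-only segment; critical ones (no anti-virus at all,
    forbidden services exposed) deny the connection outright.
    """
    failures: List[str] = []
    critical = False

    if posture.os_patch_level < policy.min_patch_level:
        failures.append(
            f"patch level {posture.os_patch_level} below required {policy.min_patch_level}")

    if not posture.av_installed:
        failures.append("no anti-virus installed")
        critical = True
    elif (posture.av_defs_date is None
          or (today - posture.av_defs_date).days > policy.max_av_defs_age_days):
        failures.append("anti-virus definitions stale")

    if not posture.host_firewall_on:
        failures.append("host firewall disabled")

    exposed = sorted(set(posture.listening_services) & policy.forbidden_services)
    if exposed:
        failures.append("forbidden services listening: " + ", ".join(exposed))
        critical = True

    if not failures:
        return Decision("full", "corp", [])
    if critical:
        return Decision("deny", None, failures)
    return Decision("quarantine", "remediation", failures)


# Constructed sample data: one policy and three hypothetical laptops.
TODAY = date(2005, 2, 11)
POLICY = Policy(min_patch_level=12, max_av_defs_age_days=7,
                forbidden_services=frozenset({"telnetd", "ftpd"}))
SAMPLE_POSTURES = [
    Posture("laptop-a", 12, True, date(2005, 2, 10), True, []),
    Posture("laptop-b", 10, True, date(2005, 1, 20), True, []),
    Posture("laptop-c", 12, False, None, False, ["telnetd", "sshd"]),
]


def decide_all(postures=SAMPLE_POSTURES, policy=POLICY, today=TODAY):
    """Return {host: Decision} for a batch of posture reports."""
    return {p.host: evaluate(p, policy, today) for p in postures}


if __name__ == "__main__":
    for host, d in decide_all().items():
        print(f"{host}: {d.verdict} (segment={d.segment}) {d.failures}")
```

The point of the three-way verdict is the "scan and block" segregation discussed in the thread: a host that merely lags on patches is still allowed to reach the remediation segment (patch and signature servers), while a host with no anti-virus or with forbidden services exposed never reaches the corporate network at all. Which checks count as critical is a policy choice, not something the code should decide.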
 

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

