Firewall Wizards mailing list archives
RE: VPNmadness gets more support;
From: "Tina Bird" <tbird () precision-guesswork com>
Date: Fri, 11 Feb 2005 19:23:46 -0800
> And yet they are rolled out to the masses as a 'solution'. When trust needs to expand, verification of some level of security policy compliance needs to be made part of the solution to actually accomplish anything in the sense of secure access/communications. I perhaps meted this out some in related replies and another thread on this topic, <see: to Avishai Wool; Re: [fw-wiz] risk level associated with VPNs?>.
[Note: I am the security architect for InfoExpress, a company that sells a kick ass policy compliance system built after years of watching their VPN customers deal with this exact issue...]

The answer I give, based on my job at InfoExpress and my experience, is that we've assumed as a community that the criteria we use for establishing local access to a machine (username, password) are essentially the only criteria we need to use to protect ourselves from remote users on VPN connections. We've learned the hard way that that assumption is crap, just as we've learned that even without VPNs, laptops constitute a major threat in most corporate environments.

This is why I think that systems like our CyberGatekeeper, or Cisco's NAC when it matures a bit, or the home rolled systems we built at Stanford during the height of the Blaster chaos, represent a fundamental shift in security architecture, since they permit authorization and access control decisions to be based on endpoint configuration settings and software levels -- far more appropriate visibility and control into these risky and often-compromised mobile systems.

I think it's silly to accuse VPN technology -- or laptops, for that matter -- of responsibility for these issues. Paul raised the question of power generator control systems getting Sasser or Slammer, and he raised the appropriate answer: better segregation of critical resources from untrusted networks. Again, the "scan and block" technologies provide a way to segregate networks logically, but there are lots of ways to accomplish the task. We just have to get better at making the case to upper management and then getting the job done.

The answer I'm coming to when I look at >all< of my sys admin experience is that, like we've seen again and again on this list and elsewhere, we're really struggling to accept and deal with the reality that all humans will tend to make decisions that benefit them in the short term. Not just our users, but also ourselves, our managers, the security product developers as a whole... VPNs will continue to be deployed because they meet a real business need; we can do far better than we've done in managing those connections; rinse, repeat as necessary.

I really wish I thought this emerging technology would solve all the problems. My poor frantic director of marketing would be much happier with me :-) All I can say is that it will surely help.

Fascinating discussion, all...

t.
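The "scan and block" decision Tina describes (authorization based on endpoint configuration and software levels rather than on username/password alone) can be illustrated with a small policy engine. The following is an added example and is not code from InfoExpress CyberGatekeeper, Cisco NAC, or the Stanford system; the posture fields, the patch-level numbering, the thresholds, the hostnames and the forbidden-service list are all constructed assumptions. It maps a reported endpoint posture to one of three outcomes a VPN concentrator could act on: full access, a remediation-only quarantine segment, or denial.

```python
"""Toy endpoint policy-compliance check (added example; not any vendor's code)."""
from dataclasses import dataclass
from datetime import date
from enum import Enum


class Decision(Enum):
    FULL_ACCESS = "full"        # normal routing once the tunnel is up
    QUARANTINE = "quarantine"   # remediation segment only (patch and AV servers)
    DENY = "deny"               # do not admit the endpoint at all


@dataclass
class EndpointPosture:
    """What a connect-time agent reports about the client (constructed fields)."""
    host: str
    patch_level: int                 # hypothetical baseline number, higher is newer
    av_signature_date: date
    host_firewall_on: bool
    listening_services: frozenset = frozenset()


@dataclass
class Policy:
    min_patch_level: int
    max_signature_age_days: int
    forbidden_services: frozenset    # services that must never listen on a VPN client


def evaluate(posture: EndpointPosture, policy: Policy, today: date):
    """Return (Decision, findings). Any critical finding denies; lesser ones quarantine."""
    findings = []  # (critical?, human-readable reason)

    if posture.patch_level < policy.min_patch_level:
        findings.append((False, f"patch level {posture.patch_level} below required "
                                f"{policy.min_patch_level}"))

    sig_age = (today - posture.av_signature_date).days
    if sig_age > policy.max_signature_age_days:
        findings.append((False, f"AV signatures {sig_age} days old, limit "
                                f"{policy.max_signature_age_days}"))

    if not posture.host_firewall_on:
        findings.append((False, "host firewall disabled"))

    # A forbidden listener is treated as a compromise indicator, not a fixable gap.
    for svc in sorted(posture.listening_services & policy.forbidden_services):
        findings.append((True, f"forbidden service listening: {svc}"))

    reasons = [msg for _, msg in findings]
    if any(critical for critical, _ in findings):
        return Decision.DENY, reasons
    if findings:
        return Decision.QUARANTINE, reasons
    return Decision.FULL_ACCESS, reasons


# Constructed policy values; real thresholds come from the organisation's baseline.
CORP_POLICY = Policy(min_patch_level=42, max_signature_age_days=7,
                     forbidden_services=frozenset({"tftpd", "telnetd"}))

# Constructed sample postures as three hypothetical laptops might report them.
SAMPLE_DAY = date(2005, 2, 11)
SAMPLE_POSTURES = [
    EndpointPosture("laptop-ok", 43, date(2005, 2, 10), True),
    EndpointPosture("laptop-stale", 40, date(2005, 1, 20), True),
    EndpointPosture("laptop-bad", 43, date(2005, 2, 10), False,
                    frozenset({"tftpd", "sshd"})),
]


def connect_decisions(postures=SAMPLE_POSTURES, policy=CORP_POLICY, today=SAMPLE_DAY):
    """Map hostname -> Decision, the shape a concentrator would consume."""
    return {p.host: evaluate(p, policy, today)[0] for p in postures}


if __name__ == "__main__":
    for p in SAMPLE_POSTURES:
        decision, why = evaluate(p, CORP_POLICY, SAMPLE_DAY)
        print(f"{p.host}: {decision.value} {why}")
```

The split between quarantine and deny is the design point: a stale signature file or a missing patch is something the user can fix from a remediation segment, so the tunnel stays up but routes only there, whereas an unexpected listener is evidence the box may already be compromised and should not be on the network at all. Running the block prints one line per sample laptop with the decision and the reasons behind it.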
Current thread:
- VPNmadness gets more support; R. DuFresne (Feb 03)
- Re: VPNmadness gets more support; Kevin Sheldrake (Feb 05)
- Re: VPNmadness gets more support; R. DuFresne (Feb 05)
- Re: VPNmadness gets more support; Dave Piscitello (Feb 11)
- Re: VPNmadness gets more support; R. DuFresne (Feb 11)
- RE: VPNmadness gets more support; Tina Bird (Feb 12)
- A few sql 2000 related questions Mike LeBlanc (Feb 12)
- RE: A few sql 2000 related questions Paul Melson (Feb 14)
- Re: VPNmadness gets more support; R. DuFresne (Feb 11)
- Re: VPNmadness gets more support; Kevin Sheldrake (Feb 05)
- Re: VPNmadness gets more support; Paul D. Robertson (Feb 11)
- Re: VPNmadness gets more support; Frederick M Avolio (Feb 12)
- Re: VPNmadness gets more support; Steven M. Bellovin (Feb 14)
- Re: VPNmadness gets more support; ArkanoiD (Feb 14)
- Re: VPNmadness gets more support; Marcus J. Ranum (Feb 14)
- Re: VPNmadness gets more support; George Capehart (Feb 12)
- Re: VPNmadness gets more support; Paul D. Robertson (Feb 19)