Firewall Wizards mailing list archives

Re: VPNmadness gets more support;


From: "Steven M. Bellovin" <smb () cs columbia edu>
Date: Mon, 14 Feb 2005 10:16:08 -0500

In message <6.2.1.2.2.20050211212400.09d79548 () lh avolio com>, Frederick M Avolio writes:
At 07:07 PM 2/11/2005, Paul D. Robertson wrote:
Along with blanket deployments where VPN access == full network access.

We've got the same phenomenon we had in the mid-nineties (and still going 
on) where "firewall" = "secure." No matter if it was still in the shipping 
box (nod to Rik Farrow's real audit discovery).

I'm certainly not the only one on this list who lectures about such things, 
and always, always, always spends a few minutes talking about why 
unrestricted connections over encrypted channels is not only stupid, but 
completely unnecessary.

Of course, for that, someone comments, "oh, he just thinks you need 
firewalls everywhere." :-/


Like it says on the tube of toothpaste:

        [Product...] has been shown to be an effective decay-preventive
        dentifrice that can be of significant value when used as
        directed in a conscientiously applied program of oral
        hygiene and regular professional care.

Firewalls, VPNs, hardened hosts, a heterogeneous mix of systems --
they all have their place and they all have their limitations.
There are no silver bullets.  You don't get security by sprinkling
on the magic pixie dust of crypto, firewalls, or any other single
solution.  Security is a systems problem, and isn't solvable without
a systems approach.

That said, most of these components are a necessary part of a
solution.  (The ability to say "no" is another part of most
solutions....)  Can VPNs be misconfigured, misused, or installed
in the wrong places?  Sure -- and the same can be said for any
other security technology.  If a VPN is used to replace leased
lines between branch , it's likely no better and no worse than
those leased lines for most purposes.  But either exposes you to
some risks.  I'll quote myself again:

        Ideally, a community behind a firewall shouldn't include
        more than about 40 hosts.  Put another way, it's hard for
        a single firewall to protect a domain larger than that
        controlled by a single system administrator.  Beyond that,
        it becomes easier for connections and security problems to
        escape the notice of the administrator.

There are two problems with many VPNs: the authentication mechanism
used and the security policy at some of the endpoints.  For the
former there's not much to say -- the weaknesses of passwords have
been known for more than 25 years.  Why should they be any stronger
in this context?

Endpoint security policy is a trickier issue.  As I noted above,
it doesn't matter much if you're building too large a network via
a VPN instead of a leased line; the critical point is the scope of
the network.  Often, though, the real vulnerability comes from
random laptops and home machines.  The latter tends to represent
a budget failure -- you *can't* tell an employee (or, worse yet,
an employee's family) what to do with their own machines, but it
looks so much more cost-effective to encourage telecommuting via
such machines rather than providing locked-down company machines
to telecommuters.  And it is more cost-effective -- until you count
the cost of cleaning up the inevitable mess.  The problem is even
more serious because of the edicts from the bean-counter level that
say "thou shalt not use the company Internet connection for thine
own private purposes".  (It's even worse in government agencies,
where you'll get some congresscritter denouncing "waste".)  Never
mind that by permitting such connectivity, you're *improving* your
network security.  And yes, you have to lock down employee laptops
and/or restrict their access, because you have no effective control
over what a lonely employee in a hotel room is going to do.

Again, I'm advocating a systems solution -- you have to take into
account budget and usage patterns as well as technology.  Ignoring
such matters is a good way to fail.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
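The "VPN access == full network access" situation Robertson and Bellovin describe is, at the packet-filter level, a single accept rule from the VPN client pool to the whole internal network. The following is an added example, not part of the original post or the list's own material: a small first-match rule evaluator that contrasts such a blanket ruleset with a restricted one, plus an audit function that flags any accept rule giving the VPN pool more than single-host, single-port reach. The VPN pool (10.8.0.0/24), internal network (10.0.0.0/8) and service addresses are constructed for the example.

```python
"""
Added example (not from the original mailing-list post): a first-match
packet-filter rule evaluator and an audit that flags over-broad VPN rules.

All addresses and rulesets below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import List, Optional

VPN_POOL = ip_network("10.8.0.0/24")   # constructed: addresses handed out to VPN clients
INTERNAL = ip_network("10.0.0.0/8")    # constructed: everything behind the firewall


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    port: Optional[int]   # None means "any port"
    action: str           # "accept" or "drop"


def first_match(rules: List[Rule], src: str, dst: str, port: int) -> str:
    """Evaluate one connection against an ordered ruleset.

    The first rule whose source, destination and port all match decides;
    if nothing matches, the default policy is drop.
    """
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst and (r.port is None or r.port == port):
            return r.action
    return "drop"


def is_overbroad(r: Rule) -> bool:
    """An accept rule from the VPN pool is over-broad when it reaches more
    than a single host, or any port on its destination."""
    return (
        r.action == "accept"
        and r.src.overlaps(VPN_POOL)
        and (r.dst.prefixlen < 32 or r.port is None)
    )


def overbroad_vpn_rules(rules: List[Rule]) -> List[Rule]:
    """Return the rules an auditor should question: each one is a place
    where VPN access silently becomes full network access."""
    return [r for r in rules if is_overbroad(r)]


# Constructed ruleset 1: the blanket deployment the post warns about.
BLANKET = [
    Rule(VPN_POOL, INTERNAL, None, "accept"),
]

# Constructed ruleset 2: VPN clients reach only the services they need.
RESTRICTED = [
    Rule(VPN_POOL, ip_network("10.1.0.10/32"), 443, "accept"),  # intranet web
    Rule(VPN_POOL, ip_network("10.1.0.20/32"), 993, "accept"),  # mail (IMAPS)
    Rule(VPN_POOL, INTERNAL, None, "drop"),                     # explicit default
]


if __name__ == "__main__":
    client, file_server = "10.8.0.5", "10.2.3.4"
    print("blanket   -> SMB on file server:", first_match(BLANKET, client, file_server, 445))
    print("restricted-> SMB on file server:", first_match(RESTRICTED, client, file_server, 445))
    print("restricted-> HTTPS on intranet :", first_match(RESTRICTED, client, "10.1.0.10", 443))
    print("over-broad rules in BLANKET   :", len(overbroad_vpn_rules(BLANKET)))
    print("over-broad rules in RESTRICTED:", len(overbroad_vpn_rules(RESTRICTED)))
```

The audit threshold (single host, single port) is a deliberate simplification; a real policy would allow a subnet of identical servers, but the point is that any rule the audit flags should be a documented decision rather than an accident of "just give them VPN access".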