Firewall Wizards mailing list archives

Re: Opinions on VPN?


From: Rick Smith <rick_smith () securecomputing com>
Date: Mon, 19 Apr 1999 13:04:32 -0500

At 06:26 PM 4/17/99 -0700, Jan B. Koum wrote:

      Just wanted to find out what other people's opinion is on 'VPN' as a
general idea? IMHO, the person who came up with the VPN idea should be
shot, because in most cases all VPNs do is create entry points into your
network (in most cases right past the firewall and sometimes in the
heart of your network). 

If the VPN is replacing a WAN constructed of private circuits, then I agree
with Ryan Russell that the security difference is a wash. It doesn't make
things worse and it almost certainly reduces costs.

The key problem is that a new VPN increases the size of the user community
within the security perimeter, and that increases the risk of an insider
attack (which is never zero, by the way).

I like the notion of putting firewall protections between sites, even
within a VPN, but that can take some inspired system administration so it
doesn't interfere with ongoing work. Arguably, if the site already has its
payroll, accounts receivable, operations, and engineering groups on the
same undifferentiated network, then it's already got lots of risks, VPNs
notwithstanding. Many companies lock up the payroll department,
workstations and all, after working hours. They need to do the same with
its LAN/backbone connection. A few do.

      Am I alone in the opinion that VPNs mostly suck or is it just
because I tend to run into a lot of misconfigured Cisco routers which
do encrypt data, but also route packets from others into your net :(

In other words, they do crypto between VPN peer sites and also allow
plaintext exchange with non-VPN sites, like for Web surfing and e-mail
traffic. Most sites need vanilla Internet access these days, so I assume
you're not complaining about that. So perhaps the problem is that they need
more firewalling than the Cisco provides.

Rick.
smith () securecomputing com


