Firewall Wizards mailing list archives

Re: Why VPNs aren't magic silver bullet solutions


From: Mikael Olsson <mikael.olsson () enternet se>
Date: Wed, 30 Aug 2000 11:19:08 +0200



marty wrote:

> Mikael Olsson wrote:
> > VPNs are _very_ useful, if used right. As I said, they're
> > the equivalent of a heavily guarded point-to-point line.
>
> but, coming back to my point, where is the pros/cons that will help
> you decide between application level security and a VPN ??
> (assuming two sites connected by pipes you have no control over)

Jeffrey Gieser listed a couple of very good pros for VPNs.

The deciding factor is, to me, the ability to filter what
gets passed in the VPN. If you can terminate your VPN endpoint
at a place where you can subsequently filter the plaintext
traffic, you can easily establish a full VPN connection, but
only allow (for instance) port 25 for inbound mail. This
assumes that the filter can tell for sure that the traffic
actually came from the VPN rather than from some other place
(such as the Internet at large).
If you can do this, there's no reason to NOT choose a VPN.

The problem scenario I was describing was making use of a full
unrestricted VPN, something that is usually bad for a number
of reasons.

VPNs, modem pools and other types of private networks should all
be regarded as a point of entry into the local network and
accordingly have traffic filtering applied to them. These filters
will likely not be the same as the filters applied to internet
connectivity; they'll likely be less restrictive, but they should
be filtered all the same.

The principle of "least privilege" is always a very sound
one in the world of computer security.

Regards,
Mikael Olsson

-- 
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46 (0)660 29 92 00         Direct: +46 (0)660 29 92 05
Mobile: +46 (0)70 66 77 636        Fax: +46 (0)660 122 50
WWW: http://www.enternet.se/       E-mail: mikael.olsson () enternet se

_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards
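The filtering model described in the post above (terminate the VPN where the plaintext can be filtered, allow only the ports actually needed, and make sure the filter can tell VPN traffic from Internet traffic) as an added example that is not part of the original post or thread: a small Python model of such a ruleset with first-match, default-drop semantics. The interface names (vpn0 for decrypted tunnel traffic, eth0 for the raw Internet), the 10.0.0.0/8 and 192.168.50.0/24 networks and the mail server address 10.0.0.25 are constructed assumptions, as is the choice to let the VPN side reach IMAP (143) while the Internet side only reaches SMTP (25).

```python
"""Model of 'filter the plaintext behind the VPN endpoint' (constructed example).

Assumed topology: the tunnel terminates on the firewall, so decrypted remote-site
traffic enters on interface "vpn0"; raw Internet traffic enters on "eth0".
Addresses and interface names are assumptions for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

LAN = "10.0.0.0/8"            # our site (assumed)
PARTNER = "192.168.50.0/24"   # remote site reachable only through the VPN (assumed)
MAIL = "10.0.0.25/32"         # our mail server (assumed)


@dataclass(frozen=True)
class Packet:
    iface: str    # ingress interface as seen by the filter, after decryption
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                   # "accept" or "drop"
    iface: Optional[str] = None   # ingress interface match; None matches any
    src: Optional[str] = None     # CIDR source match
    dst: Optional[str] = None     # CIDR destination match
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.iface is not None and p.iface != self.iface:
            return False
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return True


def evaluate(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; anything unmatched is dropped (least privilege)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "drop"


# Anti-spoofing: our own addresses and the partner's addresses are only legitimate
# behind the tunnel, so seeing them on the Internet interface means forgery.
# This is what lets the filter "tell for sure" that traffic came via the VPN.
ANTI_SPOOF = [
    Rule("drop", iface="eth0", src=LAN),
    Rule("drop", iface="eth0", src=PARTNER),
]

# VPN side: less restrictive than the Internet side, but still filtered.
VPN_POLICY = [
    Rule("accept", iface="vpn0", src=PARTNER, dst=MAIL, proto="tcp", dport=25),
    Rule("accept", iface="vpn0", src=PARTNER, dst=MAIL, proto="tcp", dport=143),
]

# Internet side: only inbound SMTP to the mail server.
INTERNET_POLICY = [
    Rule("accept", iface="eth0", dst=MAIL, proto="tcp", dport=25),
]

FILTERED = ANTI_SPOOF + VPN_POLICY + INTERNET_POLICY

# The "full unrestricted VPN" the post warns about: everything from the tunnel passes.
UNRESTRICTED = ANTI_SPOOF + [Rule("accept", iface="vpn0")] + INTERNET_POLICY


if __name__ == "__main__":
    samples = [
        Packet("vpn0", "192.168.50.10", "10.0.0.25", "tcp", 25),   # partner mail: ok
        Packet("vpn0", "192.168.50.10", "10.0.0.25", "tcp", 22),   # partner ssh: not needed
        Packet("eth0", "192.168.50.10", "10.0.0.25", "tcp", 143),  # spoofed partner source
        Packet("eth0", "203.0.113.7", "10.0.0.25", "tcp", 25),     # Internet mail: ok
    ]
    for p in samples:
        print(f"{p.iface} {p.src} -> {p.dst}:{p.dport}  filtered={evaluate(FILTERED, p)}"
              f"  unrestricted={evaluate(UNRESTRICTED, p)}")
```

The two things worth noticing are that the ruleset keys on the ingress interface and not on the source address alone, and that the ANTI_SPOOF rules sit first: without them a packet carrying a partner-site source address arriving from the Internet would be indistinguishable from tunnel traffic. On a real firewall the same distinction is made by matching decrypted traffic on its tunnel interface (or on an IPsec policy match) rather than trusting addresses.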