Firewall Wizards mailing list archives

RE: VPN concentrators


From: Crispin Harris <Harris_C () DeMorgan com au>
Date: Tue, 27 Aug 2002 12:39:20 +1000

-----Original Message-----
From: Ofir Arkin [mailto:ofir () sys-security com]

No one even looked at a number of other critical questions:
- Is this a Device/Client to Device VPN or both?
- What information needs to go through that VPN?
- Who uses the VPN? Trusted entity? Your grandmother?
- What is that trusted entity's security?
- Can we trust it? (of course not)

The primary thing here is in determining the type of the VPN.
(Fixed/Roaming, Office/Home, Company/Partner/Telecommuter/Other etc...)

These questions will determine the level of paranoia involved in the
filtering of the affected traffic, how strong a firewall do I need,
Static/Stateful Filters, Proxies, content inspection....

- What is the client software used (shame on you all not mentioning that
- IPSEC - there are a number of issues here to remind you all.
- Management
- Access Controls
- Number of users using the VPN
- Availability issues 
- Etc.

Then looking at the attributes of the traffic flowing over the VPN. 

Another aspect of this is that it is necessary to determine the capabilities
of the VPN concentrator - not all VPN devices are capable of inspecting and
controlling traffic.
 
(exactly...)
By the way - a VPN is not a firewall...
The encrypted traffic hitting the VPN must be validated after decryption
is performed... This is the reason why, sometimes, a VPN+Firewall in one
box (e.g. checkpoint) will be a good solution, or a
firewall-VPN-firewall "sandwich" will be also used.

Just my 2c.

Ditto (and agreeing...)
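The point above that decrypted traffic still has to be validated, shown as an added example that is not from this thread or either author: an iptables-restore ruleset for a single Linux box that is both IPsec gateway and packet filter (the "VPN+Firewall in one box" case). The interfaces, address ranges, partner peer address and server ports are all assumptions; the `policy` match (xt_policy) is what lets the filter distinguish packets that came out of an IPsec SA from cleartext ones, so the filter rules are applied to the inner packet after decryption rather than only to ESP on the outside.

```iptables
# Added example (not from the thread). Assumed layout:
#   eth0 = Internet side, eth1 = LAN 10.10.0.0/16
#   roaming-client inner pool 10.99.0.0/24
#   partner site: tunnel peer 203.0.113.7, inner net 172.16.50.0/24
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:VPN_CLIENTS - [0:0]
:VPN_PARTNER - [0:0]

# Cleartext packets on the Internet side that carry an inner (VPN) source
# address were never decrypted here: drop them before any state lookup.
-A FORWARD -i eth0 -m policy --dir in --pol none -s 10.99.0.0/24 -j DROP
-A FORWARD -i eth0 -m policy --dir in --pol none -s 172.16.50.0/24 -j DROP
# Likewise never let traffic for those nets leave in the clear.
-A FORWARD -o eth0 -m policy --dir out --pol none -d 10.99.0.0/24 -j DROP
-A FORWARD -o eth0 -m policy --dir out --pol none -d 172.16.50.0/24 -j DROP

-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# The gateway itself accepts only what IPsec needs: IKE, NAT-T and ESP.
-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
-A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
-A INPUT -i eth0 -p esp -j ACCEPT

# Decrypted inner packets re-enter FORWARD on eth0 and match --pol ipsec;
# send each one to the chain for the SA it came out of.
-A FORWARD -i eth0 -m policy --dir in --pol ipsec --mode tunnel -s 10.99.0.0/24 -j VPN_CLIENTS
-A FORWARD -i eth0 -m policy --dir in --pol ipsec --mode tunnel --tunnel-src 203.0.113.7 -s 172.16.50.0/24 -j VPN_PARTNER

# Roaming clients (the "grandmother" case): mail and intranet web only.
-A VPN_CLIENTS -o eth1 -d 10.10.1.10 -p tcp --dport 25 -j ACCEPT
-A VPN_CLIENTS -o eth1 -d 10.10.1.20 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A VPN_CLIENTS -j LOG --log-prefix "VPN-CLIENT-DENY: "
-A VPN_CLIENTS -j DROP

# Partner site: one application server, one port.
-A VPN_PARTNER -o eth1 -d 10.10.2.5 -p tcp --dport 8443 -j ACCEPT
-A VPN_PARTNER -j LOG --log-prefix "VPN-PARTNER-DENY: "
-A VPN_PARTNER -j DROP
COMMIT
```

The two LOG-then-DROP tails are what make the per-SA chains useful operationally: a client or partner host that starts probing the LAN shows up in the logs with the tunnel it arrived through, which a plain "allow ESP" rule on an outer firewall can never tell you.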