Firewall Wizards mailing list archives

Re: risk level associated with VPNs?


From: "R. DuFresne" <dufresne () sysinfo com>
Date: Sat, 5 Feb 2005 23:01:57 -0500 (EST)

On Thu, 3 Feb 2005, Avishai Wool wrote:

> Dear all,
>
> While doing firewall policy analyses for customers,
> I very often come across rules that allow
>   any ip traffic
>   from anywhere outside the perimeter
>   into big portions of the inside networks
> but over a VPN link (i.e., encrypted & authenticated).
>
> Let's put aside the question of whether the authentication is
> sufficient, and assume that nobody is cracking the passwords.
> I tend to trust the encryption and believe that no one can snoop
> the traffic in flight.


But, what might be leaked by the solution?  The related thread on this has
been "Subject: Re: [fw-wiz] VPNmadness gets more support;" :

<quote>
Report: http://www.nta-monitor.com/news/vpn-flaws/index.htm

Security practices
   The majority of VPN vendors still allow their implementations to leak
information about valid usernames and do not lock out accounts after a
number of failed attempts. This does not happen on operating system login
and should not occur on VPN implementations.
</quote>

> My claim is that these rules are very risky and a wonderful
> vector for all kinds of malware. All those home
> computers, laptops on the road etc, are much more at risk
> of infection than inside computers are. Plus the VPN has the
> nice side-effect that filters can't see through the encryption
> and control (or even log) where the connection is going
> and what it is doing.


Due to the fact that most VPN solutions do not provide for any kind of
policy enforcement, as I mentioned in the other related thread, I first was
seriously looking at this in Sep-Oct 2003, having come to the conclusion
that at least 75% <others even then suggested 90%+> of the VPN solutions
"in place do not really mitigate the main risk/attack vectors" they are
intended to.

I was researching a solution that could;

a)  Validate not only a network security policy as pertains to
    interface bindings and such, but also, as opposed to or, verify;

b)  anti-virus definitions are up-to-date

c)  specific protocols/daemons are not allowed to pass

d)  elegantly intelligent application proxies <grin.  Meaning application
    proxies not just capable of passing the traffic, but, easy to setup and
    maintain, and able to provide a safe and secure use of the
    functionality they are supposed to be designed to provide.

At that time <'03> I was referred to two products others were aware of that
could provide the above; infoexpress and checkpoint.  There may have been
more, the research and experience of others having been two years or more
dated than that.  At this point in time others certainly appear to be
rushing into the arena.  Though now I'd change or add to my criteria
<perhaps even sacrificing 'd' above for>:

d)  multi OS compatibility, on the client end, at least.


I have not found a solution at this time that is not Microsoft OS centric.
I'd like to, but have not.

> Left to my own devices, I would recommend terminating the VPNs
> in a DMZ, and putting all the usual controls (anti-virus/mail filter/etc)
> between the DMZ and the inside, and I would flag these raw VPN connections
> as risky, maybe even very risky.


I think you'll find many others here agree with this approach and some are
even able to implement it.

> However, customers uniformly disagree with this argument, and tell me that
> "traffic coming over a VPN is not perceived as a risk so shut up
> about it."


Tunnel vision in perceiving the problems, let alone the solution, runs
rampant in the IT/security industry; this viewpoint should really come as
no surprise.

> Thoughts anyone?
> Any credible war stories about malware/abuse traveling over VPNs?
> Or are the customers right and I'm being paranoid?
>  (please don't respond that "the customer is always right" :-)


One of the persons I tapped on '03 replied like this;

<quote>
"R. DuFresne" wrote:

... what I'm seeing, is that perhaps 75, maybe even 90% of the
VPN solutions in place do not really mitigate the main risk/attack
vectors,

I'd say 90%, though I'm not as in-touch with things these days
as I used to be; I mainly see what our users are doing.

Our VPN client does come with a packet filter, and it does come
with support for distributed filtering policies. People just
don't give a damn; it's too inconvenient for most to disallow
Internet connectivity from the roaming users. _Some_ disallow
it while the VPN tunnel is up, but that of course doesn't help
one bit where self-propelled trojans and worms are concerned.
</quote>

Thanks,

Ron DuFresne
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com

...Love is the ultimate outlaw.  It just won't adhere to rules.
The most any of us can do is sign on as its accomplice.  Instead
of vowing to honor and obey, maybe we should swear to aid and abet.
That would mean that security is out of the question.  The words
"make" and "stay" become inappropriate.  My love for you has no
strings attached.  I love you for free...
                        -Tom Robbins <Still Life With Woodpecker>

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
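A small policy check for the rule pattern Avishai describes (any protocol, from any source, over the VPN, into a big slice of the inside), with the "terminate in a DMZ, then filter into the inside" shape placed next to it for contrast. This is an added example, not code from either poster; the rule fields, zone names, address ranges and the 25% threshold are assumptions.

```python
"""Flag over-permissive VPN rules in a (constructed) firewall policy."""
import ipaddress

INSIDE = ipaddress.ip_network("10.0.0.0/8")   # assumed internal address space
LARGE_FRACTION = 0.25                          # "big portions of the inside"


def inside_coverage(dst: str) -> float:
    """Fraction of INSIDE that a destination prefix covers (0.0 if outside it)."""
    net = ipaddress.ip_network(dst, strict=False)
    if not net.subnet_of(INSIDE):
        return 0.0
    return net.num_addresses / INSIDE.num_addresses


def findings(rules):
    """Return (rule_id, reason) for allow rules that match all three parts of
    the risky pattern: any protocol, any source, and a large inside target."""
    out = []
    for r in rules:
        if r["action"] != "allow":
            continue
        reasons = []
        if r["proto"] == "any":
            reasons.append("any protocol")
        if r["src"] == "any":
            reasons.append("any source")
        cov = inside_coverage(r["dst"])
        if cov >= LARGE_FRACTION:
            reasons.append(f"dst covers {cov:.0%} of inside")
        if len(reasons) == 3:
            out.append((r["id"], "; ".join(reasons)))
    return out


# Constructed rule set (hypothetical zones and addresses).
# Rule 10 is the raw VPN-into-inside rule from the post.
# Rules 20/21 terminate the VPN in a DMZ pool (192.168.100.0/24) and let only
# one protocol through to one inside host, where the usual filters sit.
RULES = [
    {"id": 10, "action": "allow", "in_zone": "vpn", "src": "any",
     "proto": "any", "dst": "10.0.0.0/8"},
    {"id": 20, "action": "allow", "in_zone": "vpn", "src": "any",
     "proto": "any", "dst": "192.168.100.0/24"},
    {"id": 21, "action": "allow", "in_zone": "dmz", "src": "192.168.100.0/24",
     "proto": "tcp/25", "dst": "10.1.1.10/32"},
]

if __name__ == "__main__":
    for rule_id, why in findings(RULES):
        print(f"rule {rule_id}: risky VPN rule ({why})")
```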