Firewall Wizards mailing list archives
Re: risk level associated with VPNs?
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Sat, 5 Feb 2005 23:01:57 -0500 (EST)
On Thu, 3 Feb 2005, Avishai Wool wrote:
> Dear all,
>
> While doing firewall policy analyses for customers, I very often come across rules that allow any IP traffic from anywhere outside the perimeter into big portions of the inside networks, but over a VPN link (i.e., encrypted and authenticated). Let's put aside the question of whether the authentication is sufficient, and assume that nobody is cracking the passwords. I tend to trust the encryption and believe that no one can snoop the traffic in flight.
But what might be leaked by the solution? The related thread on this has been "Subject: Re: [fw-wiz] VPNmadness gets more support":

<quote>
Report: http://www.nta-monitor.com/news/vpn-flaws/index.htm

Security practices

The majority of VPN vendors still allow their implementations to leak information about valid usernames and do not lock out accounts after a number of failed attempts. This does not happen on operating system login and should not occur on VPN implementations.
</quote>
> My claim is that these rules are very risky and a wonderful vector for all kinds of malware. All those home computers, laptops on the road, etc., are much more at risk of infection than inside computers are. Plus the VPN has the nice side effect that filters can't see through the encryption and control (or even log) where the connection is going and what it is doing.
Due to the fact that most VPN solutions do not provide for any kind of policy enforcement, as I mentioned in the other related thread, I first was seriously looking at this in Sep-Oct 2003, having come to the conclusion that at least 75% <others even then suggested 90%+> of the VPN solutions "in place do not really mitigate the main risk/attack vectors" they are intended to. I was researching a solution that could:

a) validate not only a network security policy as pertains to interface bindings and such, but also (as opposed to "or") verify that
b) anti-virus definitions are up to date;
c) specific protocols/daemons are not allowed to pass;
d) elegantly intelligent application proxies <grin>, meaning application proxies not just capable of passing the traffic, but easy to set up and maintain, and able to provide safe and secure use of the functionality they are supposed to be designed to provide.

At that time <'03> I was referred to two products others were aware of that could provide the above: InfoExpress and Check Point. There may have been more, the research and experience of others having been two years or more dated than that. At this point in time others certainly appear to be rushing into the arena. Though now I'd change or add to my criteria <perhaps even sacrificing 'd' above for>:

d) multi-OS compatibility, on the client end at least. I have not found a solution at this time that is not Microsoft OS centric. I'd like to, but have not.
> Left to my own devices, I would recommend terminating the VPNs in a DMZ, and putting all the usual controls (anti-virus/mail filter/etc.) between the DMZ and the inside, and I would flag these raw VPN connections as risky, maybe even very risky.
I think you'll find many others here agree with this approach, and some are even able to implement it.
> However, customers uniformly disagree with this argument, and tell me that "traffic coming over a VPN is not perceived as a risk so shut up about it."
Tunnel vision in perceiving the problems, let alone the solution, runs rampant in the IT/security industry; this viewpoint should really come as no surprise.
> Thoughts anyone? Any credible war stories about malware/abuse traveling over VPNs? Or are the customers right and I'm being paranoid? (Please don't respond that "the customer is always right" :-)
One of the persons I tapped in '03 replied like this:

<quote>
"R. DuFresne" wrote:
> ... what I'm seeing, is that perhaps 75, maybe even 90% of the VPN solutions in place do not really mitigate the main risk/attack vectors,

I'd say 90%, though I'm not as in-touch with things these days as I used to be; I mainly see what our users are doing. Our VPN client does come with a packet filter, and it does come with support for distributed filtering policies. People just don't give a damn; it's too inconvenient for most to disallow Internet connectivity from the roaming users. _Some_ disallow it while the VPN tunnel is up, but that of course doesn't help one bit where self-propelled trojans and worms are concerned.
</quote>

Thanks,

Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com

...Love is the ultimate outlaw. It just won't adhere to rules. The most any of us can do is sign on as its accomplice. Instead of vowing to honor and obey, maybe we should swear to aid and abet. That would mean that security is out of the question. The words "make" and "stay" become inappropriate. My love for you has no strings attached. I love you for free...
-Tom Robbins <Still Life With Woodpecker>

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
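A small policy check in the spirit of the firewall policy analyses Avishai describes, added here as an example; it is not code from this list, from NTA Monitor or from any VPN vendor. The rule model, the zone labels (`internet`, `vpn`, `dmz`, `inside`), the address ranges, the sample rule sets and the 25% "big portion of the inside network" threshold are all assumptions chosen for illustration. It scores an allow rule from an untrusted zone by how much of the inside address space it reaches, how broad its protocol/port specification is, and whether it accepts any source, then compares the raw "any from the VPN into 10/8" rule with a design where the VPN terminates in a DMZ and only proxied services are exposed.

```python
"""Flag firewall rules that pass raw VPN traffic into large parts of the inside network.

Added example for this thread; not code from the list, NTA Monitor or any VPN vendor.
The rule model, zone labels, address ranges and threshold below are assumptions
chosen for illustration, not any product's policy format.
"""
import ipaddress
from dataclasses import dataclass

# Constructed inside address space that the policy is meant to protect.
INSIDE_NETS = [ipaddress.ip_network("10.0.0.0/8"),
               ipaddress.ip_network("192.168.0.0/16")]
# Zones whose hosts the firewall cannot vouch for (assumed labels).
UNTRUSTED_ZONES = {"internet", "vpn"}
LEVELS = ["low", "medium", "high", "very high"]


@dataclass
class Rule:
    name: str
    src_zone: str   # "internet", "vpn", "dmz" or "inside" (assumed labels)
    dst_zone: str
    src: str        # CIDR or "any"
    dst: str        # CIDR or "any"
    proto: str      # "any", "tcp", "udp", "icmp"
    ports: str      # "any" or a comma-separated list such as "25,143"
    action: str = "allow"


def to_net(spec):
    """Turn a CIDR string or the wildcard "any" into an IPv4 network."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(spec, strict=False)


def inside_coverage(dst):
    """Fraction of INSIDE_NETS reachable through destination spec `dst`.

    Two CIDR blocks either nest or are disjoint, so the overlap is the
    smaller block whenever one contains the other, and empty otherwise.
    """
    d = to_net(dst)
    total = sum(n.num_addresses for n in INSIDE_NETS)
    covered = 0
    for n in INSIDE_NETS:
        if n.subnet_of(d):          # rule destination engulfs the whole inside net
            covered += n.num_addresses
        elif d.subnet_of(n):        # rule destination is a slice of it
            covered += d.num_addresses
    return covered / total


def assess(rule, big=0.25):
    """Return (level, reasons) for one rule.

    `big` is the fraction of inside space above which a destination counts as
    "a big portion of the inside network" in the sense of the thread (assumed).
    """
    if rule.action != "allow" or rule.src_zone not in UNTRUSTED_ZONES:
        return "low", []
    reasons = []
    cov = inside_coverage(rule.dst)
    if rule.dst_zone == "inside" and cov >= big:
        reasons.append(f"reaches {cov:.1%} of the inside address space")
    if rule.proto == "any":
        reasons.append("any IP protocol, so nothing past the tunnel can filter or log it")
    elif rule.ports == "any":
        reasons.append(f"every {rule.proto} port")
    if rule.src == "any":
        reasons.append(f"any source address in the {rule.src_zone} zone")
    return LEVELS[min(len(reasons), 3)], reasons


def analyze(rules):
    """Assess every rule and return (name, level, reasons), worst first."""
    findings = [(r.name, *assess(r)) for r in rules]
    return sorted(findings, key=lambda f: LEVELS.index(f[1]), reverse=True)


# Constructed policy 1: the pattern the thread complains about.
RAW_VPN_POLICY = [
    Rule("vpn-to-inside", "vpn", "inside", "any", "10.0.0.0/8", "any", "any"),
    Rule("vpn-to-hr", "vpn", "inside", "any", "192.168.10.0/24", "tcp", "any"),
]

# Constructed policy 2: VPN terminated in a DMZ; clients (assumed pool
# 172.16.5.0/24) reach only proxies there, and the proxies talk to the inside.
DMZ_VPN_POLICY = [
    Rule("vpn-to-mail-relay", "vpn", "dmz", "172.16.5.0/24", "172.16.1.10/32", "tcp", "25,143"),
    Rule("vpn-to-web-proxy", "vpn", "dmz", "172.16.5.0/24", "172.16.1.11/32", "tcp", "3128"),
    Rule("relay-to-inside", "dmz", "inside", "172.16.1.10/32", "10.1.1.25/32", "tcp", "25"),
]

if __name__ == "__main__":
    for label, policy in (("raw VPN", RAW_VPN_POLICY), ("DMZ-terminated VPN", DMZ_VPN_POLICY)):
        print(f"== {label} ==")
        for name, level, reasons in analyze(policy):
            print(f"{name:20s} {level:10s} {'; '.join(reasons)}")
```

The score is deliberately coarse: a rule only reaches "very high" when it is wide on all three axes (most of the inside space, any protocol, any source), which is exactly the rule Avishai keeps finding. Note that the DMZ design scores low not because the traffic is trusted but because the rules that touch the inside originate from a managed relay rather than from the roaming host itself.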
Current thread:
- risk level associated with VPNs? Avishai Wool (Feb 05)
- Re: risk level associated with VPNs? Marcus J. Ranum (Feb 06)
- RE: risk level associated with VPNs? Bruce Smith (Feb 06)
- Re: risk level associated with VPNs? R. DuFresne (Feb 06)
- Re: risk level associated with VPNs? Paul D. Robertson (Feb 06)
- Re: risk level associated with VPNs? hermit921 (Feb 11)
- <Possible follow-ups>
- RE: risk level associated with VPNs? rlmieth (Feb 06)
- Re: risk level associated with VPNs? Shimon Silberschlag (Feb 11)
- RE: risk level associated with VPNs? Desai, Ashish (Feb 11)
- RE: risk level associated with VPNs? Paul D. Robertson (Feb 11)
- RE: risk level associated with VPNs? Michael Surkan (Feb 11)
- RE: risk level associated with VPNs? Paul D. Robertson (Feb 11)
- RE: risk level associated with VPNs? Richards, Jim (Feb 11)