Firewall Wizards mailing list archives

Re: risk level associated with VPNs?


From: hermit921 <hermit921 () yahoo com>
Date: Mon, 07 Feb 2005 12:28:31 -0800

My view has been that if the remote system is controlled by the business, with the same protection as the local systems, I don't care (much) where the VPN terminates. But when the remote system has less protection, I don't care if the VPN client software makes sure the current connection is "safe" or not. That computer has been exposed to malware a local system has not. To be on the safe side, I recommend terminating VPNs in the DMZ. I can easily set the DMZ rules to allow complete internal access if I want to. When someone changes the policies for remote systems later, I don't have to worry about changing the VPN endpoint at all, just the firewall rules.

hermit921


At 02:55 PM 2/3/2005, Avishai Wool wrote:
Dear all,

While doing firewall policy analyses for customers,
I very often come across rules that allow
  any ip traffic
  from anywhere outside the perimeter
  into big portions of the inside networks
but over a VPN link (i.e., encrypted & authenticated).

Let's put aside the question of whether the authentication is
sufficient, and assume that nobody is cracking the passwords.
I tend to trust the encryption and believe that no one can snoop
the traffic in flight.

My claim is that these rules are very risky and a wonderful
vector for all kinds of malware. All those home
computers, laptops on the road etc, are much more at risk
of infection than inside computers are. Plus the VPN has the
nice side-effect that filters can't see through the encryption
and control (or even log) where the connection is going
and what it is doing.

Left to my own devices, I would recommend terminating the VPNs
in a DMZ, and putting all the usual controls (anti-virus/mail filter/etc)
between the DMZ and the inside, and I would flag these raw VPN connections
as risky, maybe even very risky.

However, customers uniformly disagree with this argument, and tell me that
"traffic coming over a VPN is not perceived as a risk so shut up
about it."

Thoughts anyone?
Any credible war stories about malware/abuse traveling over VPNs?
Or are the customers right and I'm being paranoid?
 (please don't respond that "the customer is always right" :-)

Thanks,
  Avishai

=====
Avishai Wool, Ph.D.,
http://www.algosec.com               http://www.eng.tau.ac.il/~yash
yash () acm org     Tel: +972-3-640-6316  Fax: +972-3-640-7095

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

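As an added example (not code from the thread or from either poster), a small Python checker in the spirit of the policy analysis Avishai describes: it rates a rule by how much of the inside network it reaches and whether any service is permitted, and treats a VPN tunnel as an inspection blind spot rather than as something that lowers the rating. The inside address ranges, the rule fields and the "wide" threshold are assumptions made for this example.

```python
"""Flag firewall rules that let remote hosts reach large parts of the
inside network with any service, whether or not they arrive over a VPN."""
from dataclasses import dataclass
from ipaddress import ip_network

# Assumed internal address space (constructed for this example).
INSIDE = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


@dataclass
class Rule:
    name: str
    src: str       # CIDR, or "any"
    dst: str       # CIDR, or "any"
    service: str   # e.g. "tcp/25", or "any"
    via_vpn: bool  # traffic arrives through an encrypted, authenticated tunnel


def inside_fraction(dst, inside=INSIDE):
    """Share (0..1) of the inside address space that `dst` covers."""
    if dst == "any":
        return 1.0
    net, covered = ip_network(dst), 0
    for n in inside:  # CIDR blocks either nest or are disjoint
        if n.subnet_of(net):
            covered += n.num_addresses
        elif net.subnet_of(n):
            covered += net.num_addresses
    return covered / sum(n.num_addresses for n in inside)


def is_outside(src, inside=INSIDE):
    """True when the source is not fully within the inside address space."""
    return src == "any" or not any(ip_network(src).subnet_of(n) for n in inside)


def assess(rule, wide=0.25, inside=INSIDE):
    """Return (level, reasons). The tunnel does not lower the level: the
    remote host, not the link, is what carries malware into the network."""
    if not is_outside(rule.src, inside):
        return "ok", []
    reasons = []
    wide_dst = inside_fraction(rule.dst, inside) >= wide
    any_svc = rule.service == "any"
    if wide_dst:
        reasons.append("reaches a large share of the inside network")
    if any_svc:
        reasons.append("any service permitted")
    if rule.via_vpn:
        reasons.append("VPN tunnel: content filters cannot inspect or log it")
    level = "very risky" if wide_dst and any_svc else "risky" if wide_dst or any_svc else "ok"
    return level, reasons
```

A rule such as `Rule("raw-vpn", "any", "10.0.0.0/8", "any", True)` is rated "very risky", while a narrow VPN rule to one mail server on one port is rated "ok" with only the inspection caveat listed.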

