Firewall Wizards mailing list archives
Re: VPNmadness gets more support;
From: "Steven M. Bellovin" <smb () cs columbia edu>
Date: Mon, 14 Feb 2005 10:16:08 -0500
In message <6.2.1.2.2.20050211212400.09d79548 () lh avolio com>, Frederick M Avolio writes:

> At 07:07 PM 2/11/2005, Paul D. Robertson wrote:
>
> > Along with blanket deployments where VPN access == full network access.
>
> We've got the same phenomenon we had in the mid-nineties (and still going on) where "firewall" = "secure." No matter if it was still in the shipping box (nod to Rik Farrow's real audit discovery). I'm certainly not the only one on this list who lectures about such things, and always, always, always spends a few minutes talking about why unrestricted connections over encrypted channels are not only stupid, but completely unnecessary. Of course, for that, someone comments, "oh, he just thinks you need firewalls everywhere." :-/

Like it says on the tube of toothpaste: [Product...] has been shown to be an effective decay-preventive dentifrice that can be of significant value when used as directed in a conscientiously applied program of oral hygiene and regular professional care.

Firewalls, VPNs, hardened hosts, a heterogeneous mix of systems -- they all have their place and they all have their limitations. There are no silver bullets. You don't get security by sprinkling on the magic pixie dust of crypto, firewalls, or any other single solution. Security is a systems problem, and isn't solvable without a systems approach. That said, most of these components are a necessary part of a solution. (The ability to say "no" is another part of most solutions....)

Can VPNs be misconfigured, misused, or installed in the wrong places? Sure -- and the same can be said for any other security technology. If a VPN is used to replace leased lines between branch , it's likely no better and no worse than those leased lines for most purposes. But either exposes you to some risks. I'll quote myself again:

> Ideally, a community behind a firewall shouldn't include more than about 40 hosts. Put another way, it's hard for a single firewall to protect a domain larger than that controlled by a single system administrator. Beyond that, it becomes easier for connections and security problems to escape the notice of the administrator.

There are two problems with many VPNs: the authentication mechanism used and the security policy at some of the endpoints. For the former there's not much to say -- the weaknesses of passwords have been known for more than 25 years. Why should they be any stronger in this context?

Endpoint security policy is a trickier issue. As I noted above, it doesn't matter much if you're building too large a network via a VPN instead of a leased line; the critical point is the scope of the network. Often, though, the real vulnerability comes from random laptops and home machines.

The latter tends to represent a budget failure -- you *can't* tell an employee (or, worse yet, an employee's family) what to do with their own machines, but it looks so much more cost-effective to encourage telecommuting via such machines rather than providing locked-down company machines to telecommuters. And it is more cost-effective -- until you count the cost of cleaning up the inevitable mess. The problem is even more serious because of the edicts from the bean-counter level that say "thou shalt not use the company Internet connection for thine own private purposes". (It's even worse in government agencies, where you'll get some congresscritter denouncing "waste".) Never mind that by permitting such connectivity, you're *improving* your network security.

And yes, you have to lock down employee laptops and/or restrict their access, because you have no effective control over what a lonely employee in a hotel room is going to do.

Again, I'm advocating a systems solution -- you have to take into account budget and usage patterns as well as technology. Ignoring such matters is a good way to fail.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
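The thread's recurring complaint is "VPN access == full network access". The following nftables ruleset is an added illustration of the alternative the posters argue for; it is not from the original message or from any list member, and the interface name `wg0`, the VPN address pool `10.8.0.0/24`, and the three internal hosts are assumed values chosen for the example. Traffic arriving from the tunnel is forwarded only to the named services; everything else from the tunnel is logged and dropped, so a compromised laptop or home machine that connects over the VPN sees a handful of ports rather than the whole LAN.

```nft
#!/usr/sbin/nft -f
# Added example, not part of the original post.
# Assumed topology: WireGuard-style tunnel on wg0, clients in 10.8.0.0/24,
# internal mail host 10.0.1.10, internal web app 10.0.1.20, resolver 10.0.1.53.

table inet vpn_filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections the rules below already allowed.
        ct state established,related accept

        # VPN pool -> mail (IMAP, submission) only.
        iifname "wg0" ip saddr 10.8.0.0/24 ip daddr 10.0.1.10 tcp dport { 143, 587 } accept

        # VPN pool -> the one internal web application, HTTPS only.
        iifname "wg0" ip saddr 10.8.0.0/24 ip daddr 10.0.1.20 tcp dport 443 accept

        # VPN pool -> internal resolver.
        iifname "wg0" ip saddr 10.8.0.0/24 ip daddr 10.0.1.53 udp dport 53 accept

        # Anything else from the tunnel is recorded, then dropped by the chain policy.
        # The log line is what lets the administrator notice a client probing the LAN.
        iifname "wg0" log prefix "vpn-drop: " counter drop
    }
}
```

Load it with `nft -f` on the VPN concentrator or the router behind it. The point of the `log` rule is the one Bellovin makes about scope: a small, explicit allow-list is something one administrator can actually read, and the drop log is where misuse of the encrypted channel becomes visible instead of escaping notice.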