Firewall Wizards mailing list archives
Re: VPNmadness gets more support;
From: "Paul D. Robertson" <paul () compuwar net>
Date: Thu, 17 Feb 2005 11:27:08 -0500 (EST)
On Thu, 17 Feb 2005, Dave Piscitello wrote:
Date: Thu, 17 Feb 2005 07:09:50 -0500
From: Dave Piscitello <dave () corecom com>
To: Paul D. Robertson <paul () compuwar net>, firewall-wizards-admin () honor icsalabs com
I'm assuming the follow-up was meant to be on-list...
I see I've missed much while I've been away. Don't connect isn't the first consideration you should make. It's a conclusion, one you should draw once you identify the risk/threat. You correctly conclude that power grids are too easily threatened and the risk too great to connect via VPNs.
It's the first network security consideration. Security works by denying access, don't connect is the first and most effective barrier- so it's best to start at the "top" and work down. If I can answer the "Do I need to connect this?" then I can start looking at the business issues if I do- but there's no point in going down that road if I don't need to.
Don't connect is not a business directive, either; in fact it flies in the face of mobility and roaming initiatives every IT security staff must contend with.
Of course it's not a business directive, it's a security directive. Just because people *want* everything connected doesn't mean that they all get a blanket pass to wire everything up to everything else. IT security staff should contend with it like everything else- through a process that starts with "is this a necessary evil?"
You can't blame the Holland Tunnel when someone uses it to drive into NYC and rob a bank. There's no admission control. Similarly, you can't blame VPN tunnels when there's no admission control.
Ah, but if there was no tunnel, then there'd be no robbery through that vector. That's the essence of it- security works by denying access. So the security process *must* *start* with evaluating the need for access at all. From there we can go to "how much more than none?" but to start anywhere else is to automatically lose valuable ground.
Having said this, I would conclude as you have Paul that even with admission control, I would probably say "don't connect anyone to a power grid network using VPN". But I would conclude differently for user access to B2B and B2C information stores.
For B2B, I'd start with the same question- because I'm not sure my users need access to B2B resources directly. For B2C, I'd again start with the same premise, then work forward from there. Because, for instance, I don't want my customers on my manufacturing network- it may very well be that hooking the product extrusion system to that Web server to have the customer's order tracked quickly is something "good" from a business perspective- but it may be that building a separate RFID tracking system hooked to the shipping warehouse door means that my production plant doesn't take the exposure risk and produces the same result. Just because there's a business case for something doesn't automagically mean that that case is the right thing to do. I've shot down *lots* of "great for one department" business cases because I have a fiduciary responsibility for an entire corporation. That responsibility means that I have to evaluate the risk starting at the "should this be connected" and work down from there. Often that means "sure but in this way, not the easy, cheap and simple one."

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net    which may have no basis whatsoever in fact."
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: VPNmadness gets more support;, (continued)
- Re: VPNmadness gets more support; R. DuFresne (Feb 11)
- RE: VPNmadness gets more support; Tina Bird (Feb 12)
- A few sql 2000 related questions Mike LeBlanc (Feb 12)
- RE: A few sql 2000 related questions Paul Melson (Feb 14)
- Re: VPNmadness gets more support; R. DuFresne (Feb 11)
- Re: VPNmadness gets more support; Paul D. Robertson (Feb 11)
- Re: VPNmadness gets more support; Frederick M Avolio (Feb 12)
- Re: VPNmadness gets more support; Steven M. Bellovin (Feb 14)
- Re: VPNmadness gets more support; ArkanoiD (Feb 14)
- Re: VPNmadness gets more support; Marcus J. Ranum (Feb 14)
- Re: VPNmadness gets more support; George Capehart (Feb 12)
- Re: VPNmadness gets more support; Paul D. Robertson (Feb 19)