It is always fun to watch customers' eyes glaze over as you talk to them
about exactly this kind of stuff. It is far easier for management to fire
their CTO for a security breach than it is to enforce policy violated by
their big producers and powerful cronies in the management suite.

Alas, the problem is indeed insoluble. For obvious reasons, VPNs are
growing like crazy. I probably talk to two or three customers a week who
want to set one up. Hell, I wish my employer would set one up, because ISDN
RAS is such a pain.

One interesting solution I heard was to require two partitions on the hard
drive. One partition boots to the VPN, the other to normal use. Completely
separate OS installations on both, so that if the non-VPN partition is
compromised, it still does not affect the other. Anyone heard of this or
doing it now? Any comments?

Chuck

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Kent Hundley
Sent: Wednesday, December 05, 2001 7:00 AM
To: [EMAIL PROTECTED]
Subject: RE: Re[6]: VPN is a Backdoor !!! [7:27725]


Right, but this again assumes that the user is not going to do something
silly like, oh, use their own ISP some of the time because you are blocking
and/or logging all the "interesting" sites on the Internet they want to use.
They connect through a local ISP, go to the chat rooms, get some new
software and presto, their machine has a nasty virus/worm/trojan.  That
nicely designed, expensive VPN cannot stop this.

I understand perfectly that there are VPN technologies that can pretty
successfully ensure that an uncompromised machine stays uncompromised, _just
as long as the user does what they are supposed to do_. (i.e. only connect
to the Internet through the methods you have set up)  However, I say again
the problem is that users behave in silly, erratic and unsafe ways and this
is the problem that VPNs cannot solve in and of themselves.

You can mitigate this through policies, procedures and various lockdown
mechanisms on the machines used to access your VPN, but the issue is still
going to be there. (what one person designs, another person can circumvent)
Securing the endpoints is difficult because of the humans that use them.
Getting the VPN built is the easy part.  Getting humans to use it
"correctly" is where the problems arise.

-Kent



-----Original Message-----
From: SentinuS [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 05, 2001 1:44 AM
To: Kent Hundley
Cc: [EMAIL PROTECTED]
Subject: Re[6]: VPN is a Backdoor !!! [7:27725]



I'll try to explain what I mean:

You have a mobile user who uses your VPN. You have an L2TP or Layer 3
transport agreement with some of the ISPs (e.g. AT&T).
Now if your user calls an ISP which has an agreement with you, this user
is transported to you. And you authenticate again (if you want), then give
him/her an IP. At this point they don't have any Internet connection.
After authenticating (or not) your mobile user, you give them some
restrictions. (they can use some of your servers or not;
they can access the Internet via you or not, etc.)
Now if you give them "Internet connection access permit", they have to
access the Internet over your main gateway. This means that if any hacker wants
to put a backdoor on your mobile users via the Internet, they must
bypass your main gateway. If they can bypass your main gateway, there is
another problem, but this is not a VPN problem.

Monday, December 03, 2001, 8:29:59 PM, you wrote:

KH> Not sure what you mean by this.  The VPN technology used is irrelevant.  If
KH> I have a home user who uses their laptop to access the Internet, there are
KH> various ways that machine could become compromised.  If that user then
KH> attaches to the VPN, I have a machine on my VPN that is compromised.  It
KH> doesn't matter what the method of VPN is (L2TP with IPsec, PPTP, etc), it's
KH> not going to keep a compromised machine from continuing to be compromised.

KH> All the VPN can do is keep a non-compromised machine from becoming
KH> compromised through the VPN.  If the machine is compromised before it
KH> connects to the VPN, no amount of VPN technology is going to help.

KH> This issue is not solvable through VPN technology because it isn't a VPN
KH> problem.  It's an end-station access control problem.  At the end of the
KH> day, if your users are allowed to completely control their own machines, the
KH> likelihood that someone's machine will be compromised approaches 1.0. (in
KH> other words, certainty)  This risk can be mitigated through various software
KH> and policies, but it cannot be eliminated.
KH> -Kent

--- cut here ---
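The setup SentinuS describes only holds if every packet from the remote user, Internet-bound traffic included, leaves through the corporate gateway; Kent's reply is that a user who reaches the Internet some other way defeats it. A practical check for the first condition is to inspect the client's routing table after the tunnel comes up and flag any route that bypasses the tunnel interface. The script below is an added example for this thread, not code from any participant or vendor. The route-dump format ("destination next-hop interface" per line), the interface names tun0 and eth0, the VPN server address 203.0.113.10 and the LAN 192.168.1.0/24 are all assumed, and the three route dumps are constructed for the example. It goes one step beyond a naive "is the default route on tun0" test: a default route left on the physical interface is not a leak if more specific tunnel routes cover it completely (the 0.0.0.0/1 plus 128.0.0.0/1 pattern some clients install), and a narrower non-tunnel route poking a hole in a tunnel prefix is reported.

```python
"""Split-tunnel leak check for a VPN client's route table.

Added example for this thread, not code from any poster or vendor. It
models the policy described in the thread: once the mobile user is in
the tunnel, every destination except the VPN concentrator itself and
the directly connected LAN must be reached through the tunnel, so the
only path to the Internet is the corporate gateway. The dump format,
interface names and all addresses are assumed / constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    dest: ipaddress.IPv4Network
    via: str            # next-hop address, or "link" for a connected route
    iface: str


def parse_routes(text):
    """Parse the constructed three-column route dump into Route objects."""
    routes = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        dest, via, iface = parts[:3]
        if dest == "default":
            dest = "0.0.0.0/0"
        routes.append(Route(ipaddress.ip_network(dest, strict=False), via, iface))
    return routes


def _uncovered(net, covering):
    """Return the pieces of `net` not inside any more-specific network in `covering`."""
    remaining = [net]
    for c in covering:
        nxt = []
        for piece in remaining:
            if piece.subnet_of(c):
                continue                                  # fully covered, drop it
            if c.subnet_of(piece):
                nxt.extend(piece.address_exclude(c))      # carve c out of piece
            else:
                nxt.append(piece)                         # disjoint, keep it
        remaining = nxt
    return remaining


def split_tunnel_leaks(routes, tunnel_iface, vpn_server, local_lan):
    """Return (route, uncovered_networks) for every route that can carry
    traffic outside the tunnel.

    Allowed outside the tunnel: the host route to the VPN server (the
    tunnel packets themselves need it) and the connected LAN. Any other
    non-tunnel route is a leak unless more-specific tunnel routes shadow
    it completely.
    """
    server = ipaddress.ip_network(vpn_server + "/32")
    lan = ipaddress.ip_network(local_lan)
    tunnel_nets = [r.dest for r in routes if r.iface == tunnel_iface]
    leaks = []
    for r in routes:
        if r.iface == tunnel_iface or r.dest in (server, lan):
            continue
        holes = _uncovered(r.dest, tunnel_nets)
        if holes:
            leaks.append((r, holes))
    return leaks


def is_full_tunnel(route_text, tunnel_iface="tun0",
                   vpn_server="203.0.113.10", local_lan="192.168.1.0/24"):
    """True when no route lets traffic escape the tunnel (assumed defaults)."""
    return not split_tunnel_leaks(parse_routes(route_text), tunnel_iface,
                                  vpn_server, local_lan)


# Constructed route dumps, not taken from any real host.
FULL_TUNNEL = """
default         10.8.0.1     tun0
10.8.0.0/24     link         tun0
203.0.113.10/32 192.168.1.1  eth0
192.168.1.0/24  link         eth0
"""

# Default stays on eth0 but both /1 halves go into the tunnel: not a leak.
SHADOWED_DEFAULT = """
default         192.168.1.1  eth0
0.0.0.0/1       10.8.0.1     tun0
128.0.0.0/1     10.8.0.1     tun0
10.8.0.0/24     link         tun0
203.0.113.10/32 192.168.1.1  eth0
192.168.1.0/24  link         eth0
"""

# Split tunnel: only corporate 10/8 is tunnelled, the Internet goes straight to the ISP.
SPLIT_TUNNEL = """
default         192.168.1.1  eth0
10.0.0.0/8      10.8.0.1     tun0
10.8.0.0/24     link         tun0
203.0.113.10/32 192.168.1.1  eth0
192.168.1.0/24  link         eth0
"""


if __name__ == "__main__":
    for name, dump in (("full", FULL_TUNNEL), ("shadowed", SHADOWED_DEFAULT),
                       ("split", SPLIT_TUNNEL)):
        leaks = split_tunnel_leaks(parse_routes(dump), "tun0",
                                   "203.0.113.10", "192.168.1.0/24")
        status = "OK" if not leaks else "LEAK via " + ", ".join(
            f"{r.dest} on {r.iface}" for r, _ in leaks)
        print(f"{name:9s} {status}")
```

Any reported leak is a destination the client reaches without passing the corporate gateway, which is exactly the hole the thread is worried about. The check says nothing about a machine that was already compromised before it connected, which is Kent's point: the tunnel can enforce where packets go, not what the endpoint is.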




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=28250&t=27725
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html