-----BEGIN PGP SIGNED MESSAGE-----
One problem is that even if you only tunnel local traffic the machine is
still a potential hole.
Example:
Joe User has Back Orifice running on his machine without knowing it.
Joe connects to your LAN via a "good" VPN.
The attacker can now attack your network by controlling Joe's machine.
A great VPN (as opposed to the standard "good" ones) would prevent the
connection. Yes, this is a firewall type of function, but a "deny all
except through the VPN" type of firewall should be trivial enough to
be considered part of the VPN package.
David Lang
On Wed, 7 Jul 1999, Mike Batchelor wrote:
> Date: Wed, 7 Jul 1999 15:00:04 -0700
> From: Mike Batchelor <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: RE: DSL/CableModem + dial-up = ???
>
> Forgive me if I made a technical gaffe, but I was under the impression that
> VPN clients are (or should be) designed to tunnel only locally originated
> traffic. Certainly firewall-to-firewall VPN endpoints can route traffic, but
> a client? The software I have looked at wants to charge you another license
> fee to get this capability (Gauntlet and Lucent, for example). I didn't think
> the client software was generally capable of it.
>
> Maybe I could claim that my qualifier "good VPN client" includes only software
> that doesn't allow routing. Or maybe I just stuck my foot in my mouth. :)
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]]On Behalf Of Peter da Silva
> > Sent: Wednesday, July 07, 1999 5:51 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: DSL/CableModem + dial-up = ???
> >
> >
> > In article <004601bec810$013a9140$[EMAIL PROTECTED]>,
> > Mike Batchelor <[EMAIL PROTECTED]> wrote:
> > >Deepsixing the term server is actually a pretty good idea, and may have a good
> > >chance of flying if you pitch a good VPN product as its replacement.
> >
> > How does a VPN product change the exposure? Either way the user's machine
> > is simultaneously on the Internet and on the company LAN... whether the
> > second network connection is through an encrypted tunnel or a DUN connection
> > to a terminal server doesn't seem to make any useful difference.
> >
> > No, from a security standpoint a VPN is exactly the same as any other dual-
> > homed setup. You'd get better security by recognising this and providing a
> > DMZ for your modem pool or the "inside" end of the VPN, with only those
> > resources your dialup users need to have access to exposed.
> >
> > --
> > In hoc signo hack, Peter da Silva <[EMAIL PROTECTED]>
> > `-_-' Ar rug tu barrog ar do mhactire inniu?
> > 'U` "Be vewy vewy quiet...I'm hunting Jedi." -- Darth Fudd
> >
> > -
> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > "unsubscribe firewalls" in the body of the message.]
> >
> >
>
"If users are made to understand that the system administrator's job is to
make computers run, and not to make them happy, they can, in fact, be made
happy most of the time. If users are allowed to believe that the system
administrator's job is to make them happy, they can, in fact, never be made
happy."
-Paul Evans (as quoted by Barb Dijker in "Managing Support Staff", LISA '97)
-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv
iQEVAwUBN4P0pT7msCGEppcbAQFkGwf/SDsSjdmt/YEUjBNz03058rGb+AySNAco
TJ/WLQEbGT2GNh3sIQqWSCPW8ZwCks0HRHxAKI8uuHgOSLokkxoHiu2Y1bXgQeMY
HFLPFYs5tmKDdYdDzJ+Jng8BboGxDnyaGe34vafyiK7I88U0I3gOgoUJ98nM74SW
rnL2uYt4mb07tFE5fv7PlACJKQuq1jyBRuASmfBe87lPOqoV0e8HqnK4D3al4NRW
l5jnStQR4If9hAUXpL7QUb7ZxKRxx84mLcFKMCLGnqVvoB1MNyQAJ9YIkgc19qre
jqI1KaI01Hrb3AXGRn8gPHdpngg+yv1Qcpo5LPC8vuKkIMs29M3XVQ==
=LJWf
-----END PGP SIGNATURE-----