Not necessarily. While it's true that some VPN software (Checkpoint FW-1,
Microsoft's PPTP client) is basically a replacement for RAS and has the same
security problems that RAS has, there are products out there that do a
better job. I'm especially upset with Checkpoint, since they're supposedly
a security company, but on to constructive info ...
Nortel's Contivity Extranet client has a feature that basically re-routes
all traffic from and to the client through the secure tunnel. This means
that when you are sitting at the client and do a traceroute, you'll see that
the packets first go through the corporate network (and therefore the
firewall) before hitting the Internet. From the Internet, you will not be
able to reach the ISP assigned IP address of the client, because it'll be
blocked.
VPNet is supposed to be able to do the same thing, but I haven't demo'ed the
client yet. I've heard lots of good things about it.
The main differences: VPNet is supposed to have a lot of performance
advantages over the Nortel solution, at least on the low-end, and has a
better cost/performance ratio. Then again, the systems serve different
purposes. The Nortel solution is a secure RAS replacement -- when you come
in on the VPN, you actually get an IP address on the same subnet as the
corporate network. This means easier implementation. Also, the device can
be managed via a built-in Web server (very nicely done). VPNet requires
that you have a separate subnet on each end of the tunnel. This
makes implementation a bit more difficult, especially if you're a small
company that doesn't use dynamic routing.
Jen
Peter da Silva <[EMAIL PROTECTED]> wrote in message
news:<7lvig1$[EMAIL PROTECTED]>...
> In article <004601bec810$013a9140$[EMAIL PROTECTED]>,
> Mike Batchelor <[EMAIL PROTECTED]> wrote:
> >Deepsixing the term server is actually a pretty good idea, and may have a
> >good chance of flying if you pitch a good VPN product as its replacement.
>
> How does a VPN product change the exposure? Either way the user's machine
> is simultaneously on the Internet and on the company lan... whether the
> second network connection is through an encrypted tunnel or a DUN
> connection to a terminal server doesn't seem to make any useful difference.
>
> No, from a security standpoint a VPN is exactly the same as any other
> dual-homed setup. You'd get better security by recognising this and
> providing a DMZ for your modem pool or the "inside" end of the VPN, with
> only those resources your dialup users need to have access to exposed.
>
> --
> In hoc signo hack, Peter da Silva <[EMAIL PROTECTED]>
> `-_-' Ar rug tú barróg ar do mhactíre inniu?
> 'U` "Be vewy vewy quiet...I'm hunting Jedi." -- Darth Fudd
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
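The difference the thread turns on, a client that sends everything through the tunnel (what Jen describes the Nortel client doing) versus one that keeps its ISP default route and is therefore the dual-homed host Peter is worried about, can be read straight off the client's routing table. The script below is an added example, not code from either poster or from any of the products named; it parses constructed routing tables written in the style of Linux `ip route` output, performs longest-prefix route selection the way a kernel would, and reports whether probe destinations leave via the tunnel device or the physical link. The interface names (`tun0`, `eth0`), the 0.0.0.0/1 plus 128.0.0.0/1 override pattern, and all addresses (RFC 5737 documentation ranges) are assumptions chosen for the example.

```python
"""Classify a VPN client's routing table as full-tunnel or split-tunnel.

Added example: routing tables, interface names and addresses are constructed.
"""
import ipaddress


def parse_routes(text):
    """Parse `ip route`-style lines into (network, device, metric) tuples."""
    routes = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts:
            continue
        dest = parts[0]
        if dest == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            # A bare host address becomes a /32 host route.
            net = ipaddress.ip_network(dest, strict=False)
        dev = parts[parts.index("dev") + 1]
        metric = int(parts[parts.index("metric") + 1]) if "metric" in parts else 0
        routes.append((net, dev, metric))
    return routes


def egress_device(routes, ip):
    """Kernel-style selection: longest prefix wins, lower metric breaks ties."""
    addr = ipaddress.ip_address(ip)
    best_key, best_dev = None, None
    for net, dev, metric in routes:
        if addr in net:
            key = (net.prefixlen, -metric)
            if best_key is None or key > best_key:
                best_key, best_dev = key, dev
    return best_dev


def classify_tunnel(routes, tunnel_dev, vpn_gateway, probes):
    """Return ('full', {}) if every probe leaves via the tunnel.

    The one permitted exception is the VPN gateway itself: the client must
    reach it over the physical link, or the tunnel packets would loop.
    Anything else leaving via another device is reported as a leak, which is
    exactly the dual-homed situation discussed in the thread.
    """
    leaks = {}
    for ip in probes:
        dev = egress_device(routes, ip)
        if ip != vpn_gateway and dev != tunnel_dev:
            leaks[ip] = dev
    return ("full" if not leaks else "split"), leaks


# Constructed table: ISP default route kept, only corporate 10/8 via the tunnel.
SPLIT_TUNNEL = """
default via 192.0.2.1 dev eth0 metric 100
192.0.2.0/24 dev eth0 scope link
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 scope link
"""

# Constructed table: two /1 routes override the ISP default without deleting it,
# plus a host route so the gateway (assumed 198.51.100.10) stays reachable.
FULL_TUNNEL = """
default via 192.0.2.1 dev eth0 metric 100
192.0.2.0/24 dev eth0 scope link
198.51.100.10 via 192.0.2.1 dev eth0
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 scope link
"""

VPN_GATEWAY = "198.51.100.10"
# Probes: an Internet host, a corporate host, and the gateway itself.
PROBES = ["203.0.113.5", "10.1.2.3", VPN_GATEWAY]


def audit(table_text):
    """Parse a table and classify it with the example's assumed names."""
    return classify_tunnel(parse_routes(table_text), "tun0", VPN_GATEWAY, PROBES)


if __name__ == "__main__":
    for name, table in (("split", SPLIT_TUNNEL), ("full", FULL_TUNNEL)):
        verdict, leaks = audit(table)
        print(f"{name}: {verdict} {leaks}")
```

Only the client half of the question is covered here: a "full" verdict tells you Internet-bound packets take the path Jen's traceroute shows, but whether anything can reach the client's ISP-assigned address from outside depends on the filtering on that link, and Peter's point about putting the inside end of the VPN in a DMZ is a server-side design decision that no client-side check can substitute for.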