Paul,
This is definitely true. Usually VPNs are used to allow remote access on nodes which are not necessarily under the same scope of control. There is no way to ensure the security of the remote node, but the idea is that the remote user is to be trusted with the information he is able to access. True, if it is a laptop, information that is downloaded is subject to the physical security of the laptop itself (being stolen, for instance), but if you are allowing VPN access to remote users you should NEVER allow information that is truly sensitive to be downloaded. VPNs are good to maintain electronic connectivity with email, and general file sharing access. There are many instances where a VPN is simply replacing dial-up or dedicated circuits. In many of these instances the other party is in control of connected hosts.

Even with the ANX, there is some degree of uncertainty. If a trading partner with ANX access uses a laptop to access data across the ANX, it is just as easy for him to take it offsite and for the information to be compromised. Even worse yet, the ANX allows for dual-homed hosts, where a box might be able to access both networks (the Internet and ANX); if there is a misconfiguration or misuse, the information could be commingled. The ANX doesn't really control the trading partner or his network, and the ISP providing ANX access can only make suggestions as to how to configure the trading partner's network. I believe the ANXO and ISP's involvement ends at the last IPSEC connection to the trading partner.

"Paul D. Robertson" wrote:
> On Tue, 18 Apr 2000, Michael J Lawrence wrote:
>
> >
> > VPN is a different story. VPN is a double hitter both as ROI and insurance. It's
> > cheaper than a dedicated WAN circuit AND it protects data.
>
> VPNs don't offer much in the way of insurance. The ROI only works if both
> endpoints have the same management, security and operations policies
> (e.g. network to network for two offices.) Most people are trying to
> deploy remote *node* solutions where there is no _real_ ROI and definitely
> _no_ insurance.
>
> Remote node VPNs don't protect networks, they protect information while
> it's in transit only. The fact that they place the encryption boundary on
> an untrusted and insecurable node (e.g. a Win98 box) and then require that
> it be allowed to talk in the clear to an untrusted network _should_ make
> people want to run. Why people seem to flock to VPNs as a "security
> solution" is beyond me.
>
> Face it, even the poster child for VPN access (ANX) is on a private
> network, not the Internet at large.
>
> Paul
> -----------------------------------------------------------------------------
> Paul D. Robertson "My statements in this message are personal opinions
> [EMAIL PROTECTED] which may have no basis whatsoever in fact."
> PSB#9280