On 7 Jun 2001, at 19:23, Carl E. Mankinen wrote:
> > And this is different from an on-site user, visiting the web
> > through the corporate firewall, exactly HOW? i.e. I do not see how
> > this risk is exacerbated if the client connection comes across a VPN
> > tunnel rather than just a length of Cat5.
>
> Presumably, when their VPN software at home is not blocking all access
> to their box and they are free to do anything they like, they are likely
> to become compromised, and then when they use their VPN to get into your
> corporate network it is a security problem. One reason why all VPN clients
> that I have are extremely locked down in what they can do. In fact, they
> can only access a number of bastions and do not participate on the internal
> network AT ALL.
>
> The VPN in this case is really just helping to crypt company confidential
> information that might be read via OWA etc. (uses SSL, bad example...)
>
> The difference in someone browsing the net from home vs. at work is the
> level of controls that are in place to limit their activities and to
> monitor what is being done. Our browsing capability from the inside
> is severely limited...get lots of complaints about it all the time.
>
> TALK TO THE HAND. hehe.
... and in the scenario I'm offering/used to, home users connected
via VPN are subject to no less than the same controls[*]. The fact
that there is a VPN tunnel present is orthogonal to and unrelated to
the threat posed by allowing trusted machines to browse the web --
whatever degree of threat we happen to assign to that activity.
[*] ... while they are connected to the VPN.
> > [Consider also the case of the travelling employee who, after a
> > stint on the road, plugs his laptop into the internal net. No amount
> > of filtering at the tunnel endpoint is going to address this
> > analogous real-world case where a machine is sometimes connected to
> > the internal net, and sometimes not.]
>
> Our laptops are not allowed to plug into a wired ethernet port.
> They use a wireless NIC instead and the wireless access points are
> all in one VLAN (pretty difficult otherwise with multiple floors)
> and they are all placed on a leg of a firewall and pretty locked down.
>
> There are other controls in place to prevent someone from just using
> their workstation patch...
Security routinely involves trade-offs between safety, service, and
cost. You've apparently found an organization where service is
optional,
> Our browsing capability from the inside is severely limited...get
> lots of complaints about it all the time.
where users are kept under some kind of surveillance (or the
equivalent),
> Our laptops are not allowed to plug into a wired ethernet port.
> There are other controls in place to prevent someone from just
> using their workstation patch...
and where cost is not much of an object.
Dare I humbly suggest that this particular set of priorities is one
to two standard deviations out from where more-typical organizations
tend to operate most of the time?
To put it in CFO-speak: "If all our remote users can get to is a
couple of bastion hosts, why spend money on a VPN *at all*? Maybe
instead I should be spending it on someone who can (will) find a way
to provide more access than that for our remote users??"
David Gillett
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]