Firewall Wizards mailing list archives

Re: Application requires VPN - How are these handled?
From: Mikael Olsson <mikael.olsson () clavister com>
Date: Tue, 01 Apr 2003 20:02:51 +0200



Michele Jordan wrote:

[I don't want to put a VPN client machine on my network]

Funny, I posted about this matter on another mailing list not
24 hours ago. Here's a copy:


Someone else wrote:
[$bigco won't allow lan-to-lan tunnels. grumble.]

I'd just like to point out here that, as far as security is
concerned, this is basically a kick in the face.

The assumption here is that your security is much worse than their 
security. Whether or not this is _true_ is more than I can say,
but, nevertheless, that's the assumption.

By only allowing access from one or a few workstations, they assume
that their security improves measurably. (It most likely doesn't; 
if someone is free to muck about on your LAN, said someone can get 
control over said workstations and use the tunnel freely).
I can however tell you that it measurably worsens _your_ security.
If someone has access to _their_ LAN, they have an open tunnel
to the inside of your network that you have no control over
whatsoever.

Actually, one could convincingly argue that they worsen their
own security stance by mandating single-box clients.

Assume that you do work for two large companies, A and B.
They both mandate single-box VPN clients.

As previously mentioned, you have no control over what enters your
network through the VPN connection. Now, assume that A and B are
fierce competitors.  Here's a scenario:
- A attacks your workstation; there's nothing stopping them
- From that workstation, the leap is very short to the next one,
  which happens to have a tunnel to company B
- A can attack B, using the workstations on your LAN as 
  a springboard

Now, assume that these were LAN-to-LAN tunnels instead, with 
proper security controls in place. Here's what'd happen:
- A attempts to attack workstations or servers on your LAN.
- Your firewall repels them; they have no business connecting to
  your LAN whatsoever, so you don't allow any of it.


Of course, there's also the whole issue with A or B becoming
compromised and the problem spreading to your network, or someone
at A and B simply deciding to royally screw you over, but that's
a different thought exercise and does not involve any problem 
for _them_, so that argument only works if they care about _you_.


-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
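The two designs argued about above, modelled as an added reachability check (example code, not part of the original post or the list). It assumes a constructed topology: a single-box VPN client lets the remote partner LAN connect back through the tunnel, workstations on the same LAN can talk to each other, and a LAN-to-LAN tunnel terminates on a firewall that forwards only your outbound application flows. The point it makes concrete is that the single-box design lets partner A reach partner B through your LAN, whereas the firewall-terminated design exposes nothing.

```python
from collections import deque

# Constructed model: nodes are hosts or networks, each directed edge is a
# connection direction the design permits. Names (A_lan, B_lan, ws1, ws2, fw)
# are hypothetical and stand in for the companies and hosts in the post.


def reachable(edges, start):
    """Return the set of nodes reachable from `start` over permitted edges (BFS)."""
    adj = {}
    for src, dst in edges:
        adj.setdefault(src, set()).add(dst)
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def single_box_clients():
    # Two workstations, each running a VPN client to one partner. The partner
    # LAN can connect back through its tunnel; the workstations share a LAN.
    return [
        ("A_lan", "ws1"), ("ws1", "A_lan"),
        ("B_lan", "ws2"), ("ws2", "B_lan"),
        ("ws1", "ws2"), ("ws2", "ws1"),
    ]


def lan_to_lan_with_firewall():
    # Both tunnels terminate on your firewall, which only forwards flows your
    # hosts initiate outbound; nothing inbound from either partner is allowed.
    return [
        ("ws1", "fw"), ("ws2", "fw"),
        ("fw", "A_lan"), ("fw", "B_lan"),
        ("ws1", "ws2"), ("ws2", "ws1"),
    ]


def exposed_to_partner_a(edges):
    """Everything partner A can reach from its own LAN, excluding itself."""
    return sorted(reachable(edges, "A_lan") - {"A_lan"})


if __name__ == "__main__":
    print("single-box clients:", exposed_to_partner_a(single_box_clients()))
    print("LAN-to-LAN + firewall:", exposed_to_partner_a(lan_to_lan_with_firewall()))
```

Swapping in your real host inventory and the rules your firewall actually permits turns this into a quick check of which partner can transitively reach which other partner through your network.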

