My view has been that if the remote system is controlled by the business,
with the same protection as the local systems, I don't care (much) where
the VPN terminates. But when the remote system has less protection, I
don't care if the VPN client software makes sure the current connection is
"safe" or not. That computer has been exposed to malware a local system
has not. To be on the safe side, I recommend terminating VPNs in the
DMZ. I can easily set the DMZ rules to allow complete internal access if I
want to. When someone changes the policies for remote systems later, I
don't have to worry about changing the VPN endpoint at all, just the
firewall rules.
hermit921
At 02:55 PM 2/3/2005, Avishai Wool wrote:
>Dear all,
>
>While doing firewall policy analyses for customers,
>I very often come across rules that allow
> any ip traffic
> from anywhere outside the perimeter
> into big portions of the inside networks
>but over a VPN link (i.e., encrypted & authenticated).
>
>let's put aside the question of whether the authentication is
>sufficient, and assume that nobody is cracking the passwords.
>I tend to trust the encryption and believe that no one can snoop
>the traffic in flight.
>
>My claim is that these rules are very risky and a wonderful
>vector for all kinds of malware. All those home
>computers, laptops on the road etc, are much more at risk
>of infection than inside computers are. Plus the VPN has the
>nice side-effect that filters can't see through the encryption
>and control (or even log) where the connection is going
>and what it is doing.
>
>Left to my own devices, I would recommend terminating the VPNs
>in a DMZ, and putting all the usual controls (anti-virus/mail filter/etc)
>between the DMZ and the inside, and I would flag these raw VPN connections
>as risky, maybe even very risky.
>
>However, customers uniformly disagree with this argument, and tell me that
>"traffic coming over a VPN is not perceived as a risk so shut up
>about it."
>
>Thoughts anyone?
>Any credible war stories about malware/abuse traveling over VPNs?
>Or are the customers right and I'm being paranoid?
> (please don't respond that "the customer is always right" :-)
>
>Thanks,
> Avishai
>
>=====
>Avishai Wool, Ph.D.,
>http://www.algosec.com http://www.eng.tau.ac.il/~yash
>yash_at_acm.org Tel: +972-3-640-6316 Fax: +972-3-640-7095
>
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Feb 12 2005
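The policy check Avishai describes (flagging rules that pass any IP traffic from anywhere into big portions of the inside over a VPN) and hermit921's point that a DMZ termination reduces the question to ordinary firewall rules, as an added Python example that is not from the thread. The internal prefixes, the 256-host threshold, the rule fields and the sample policy are constructed assumptions.

```python
"""Flag 'raw VPN' firewall rules of the kind described in the thread."""
from dataclasses import dataclass
import ipaddress

# Assumed internal address space (constructed for this example).
INTERNAL = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
BROAD_DST_HOSTS = 256  # assumed threshold: a /24 or more of inside hosts is "big"

@dataclass
class Rule:
    name: str
    src: str            # source prefix, e.g. "0.0.0.0/0" for "anywhere outside"
    dst: str            # destination prefix on the inside
    proto: str          # "any", "tcp", "udp", ...
    port: str           # "any" or a port number
    via_vpn: bool       # rule only matches traffic arriving through the tunnel
    terminates_in: str  # where the tunnel ends: "dmz" or "inside"

def internal_hosts_reached(dst: str) -> int:
    """Count inside addresses the destination prefix overlaps."""
    d = ipaddress.ip_network(dst, strict=False)
    # Prefixes either nest or are disjoint, so the overlap is the smaller one.
    return sum(min(d.num_addresses, n.num_addresses) for n in INTERNAL if d.overlaps(n))

def assess(rule: Rule) -> list[str]:
    """Return the reasons a VPN rule is risky; an empty list means it looks tight."""
    reasons = []
    if not rule.via_vpn:
        return reasons  # only tunnel-borne traffic is examined here
    if ipaddress.ip_network(rule.src, strict=False).prefixlen == 0:
        reasons.append("source is anywhere outside the perimeter")
    if rule.proto == "any" or rule.port == "any":
        reasons.append("any protocol/port: malware traffic passes with the rest")
    if internal_hosts_reached(rule.dst) >= BROAD_DST_HOSTS:
        reasons.append(f"reaches {internal_hosts_reached(rule.dst)} inside hosts")
    if rule.terminates_in != "dmz":
        reasons.append("tunnel ends inside: AV/mail filters never see the cleartext")
    return reasons

def rating(rule: Rule) -> str:
    n = len(assess(rule))
    return "very risky" if n >= 3 else "risky" if n else "ok"

# Constructed sample policy; 172.16.50.0/24 is an assumed VPN client pool in the DMZ.
POLICY = [
    Rule("raw-vpn", "0.0.0.0/0", "10.0.0.0/8", "any", "any", True, "inside"),
    Rule("dmz-mail", "172.16.50.0/24", "10.1.1.25/32", "tcp", "25", True, "dmz"),
    Rule("dmz-web", "172.16.50.0/24", "10.1.2.0/24", "tcp", "443", True, "dmz"),
]

if __name__ == "__main__":
    for r in POLICY:
        print(f"{r.name:10s} {rating(r):10s} {'; '.join(assess(r)) or '-'}")
```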