Great Circle Associates Firewalls
(October 1997)
 


Subject: Re: Use of VPNs ??
From: "Paul D. Robertson" <proberts @ clark . net>
Date: Fri, 24 Oct 1997 21:47:39 -0400 (EDT)
To: Dick_Wall @ stratus . com
Cc: firewalls @ GreatCircle . COM
In-reply-to: <H000006f0257b55e @ MHS>

On Fri, 24 Oct 1997 Dick_Wall @ stratus . com wrote:

>   An economical alternative seems to be to allow these telecommuters to
> access the corporate network via their local ISPs or cable providers. 
> Assuming we use a secure mechanism to authenticate the user, and encrypt
> the data, what other risks do I face?
> 
>   The thought that worries me .. is that although I might have a secure
> path between the telecommuter's computer and the corporate LAN, I have
> no way to ensure the security between the telecommuter's computer, and
> the rest of the ISP community.  There seems to be the very real
> possibility for a third party, to access the telecommuter's system, and
> from there, pass through the secure connection into the corporation.

With both dial-up and cable or wireless modems in-house, you're really 
leaving the burden of security up to the user.  It would be fairly 
trivial for me to open a clear path into a corporate network with VPN 
access.  VPNs only really work for securing data.  If the home user has 
any program running in-the-clear data streams at the same time, there's a 
fairly serious attack vector into the network lying there.  More so if 
the worker's progeny is sitting on a home network with clear access and a 
penchant for mischief.  Masquerading from the home machine routed to and 
from the misconfigured, or malicious machine upstairs in and out of your 
network over an encrypted channel?  It would concern me for sure.

Also, there are ownership issues which may turn into legal liabilities 
if the company doesn't own the hardware, software, and services to run 
the machine.  Our lawgeeks weren't too concerned with that issue for 
direct dial, but I think when we get there, it'll come down to the AUP 
from hell.

>   Are people "really" allowing corporate access via VPN connections
> across an ISP's network?  If so, do they generally allow all corporate
> access or do they typically restrict it to email access?
> 
>   What is the real world, safely doing?

Fighting the issues bit-by-bit (pun intended).  Personally, I'm against 
non-direct dial access, and I like *that* restricted.  Especially from 
Internet access back out.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts @ clark . net      which may have no basis whatsoever in fact."
                                                                     PSB#9280


