Dan Bale wrote:

Beyond that, about all I'd be interested in is whether you have a good
reason for VPN. I imagine most reasons are something like "the boss says
so".

Actually, I wonder how many of us have good reason for using it?
(...besides the one I gave.)


The boss said so.  But didn't the boss say so because VPN, set up properly,
is more secure?  (More secure than what?)  I'm starting to have to tread
carefully now, cuz I'm getting into someone else's area of responsibility.

Dan:

"More secure"... well, more secure against what?

Are you in a situation where your communications are likely to be tapped by someone who can make a difference to your company? Are you, for example, at an end-point within a hostile network or are your communications forced through a hostile network segment? See, encryption really only matters if the conversation can be monitored by someone who can take advantage of it.

Who's monitoring your traffic? I suspect the chances are pretty close to zero that _anyone_ outside of your target LAN can see anything at all that you do, much less enough packets to construct any resemblance of a conversation.

Perhaps there's a risk at your ISP that you're concerned about? Why not start by calling them and asking them what their policy is? Certainly once they start routing your packets towards the Internet backbone, you're getting into the category of the feds doing the monitoring, but I'd be surprised if they do. And if someone at your ISP is in fact doing it, you're probably at significantly more risk over your non-VPN traffic -- perhaps even at higher risk of losing control over your own PC.

But IMO, that's paranoid.

Yes, VPN will encrypt your traffic. And while doing so, it technically becomes a superb conduit right through your target network firewall. If anything does get installed on your PC, some kind of virus for example, it now has an excellent route to travel. (Since you're using a Cisco client, I assume you have a Cisco VPN appliance at the other end, possibly a different IP address than the non-VPN router. Otherwise, you'd probably just use the Microsoft VPN client. Go search through the mailing lists at http://securityfocus.com/archive on pen-tests, firewalls, etc., for all the opinions on whether routing, firewalling, VPNing, etc., ought to be combined into single appliances.)

The risk is much less that traffic can route through your PC between two networks; I wouldn't worry about that any more than I'd worry about someone at your ISP. Routing isn't the problem. Something installed on your PC is the bigger potential problem; no routing involved there -- it talks direct. You probably have programs already installed on your PC that are examples of how it's done -- iSeries Access functions do it all the time. If your normal Internet connection ever results in a hostile executable getting installed on your PC, well, there you go.

Of course, if you _don't_ use VPN, then your normal target network firewall can see everything. This helps greatly when it needs to know whether to block something or not.

All of this is pretty extreme. Assuming decently working firewalls, active anti-virus, competent security patches at the various points, you know -- normal standard stuff we all _know_ ought to be done, problems are unlikely.

Adding VPN increases security from various forms of sniffing but also opens a hole through which traffic might pass undetected. Why use VPN at all if traffic content itself doesn't actually need to be secure?

And then, there are a couple various problems with VPN itself... like it or not, few protocols are perfect.

I suspect you're getting the gist of it.

Security isn't an absolute item. It's always a tradeoff. For a business, the tradeoffs ought to be measurable essentially in dollars. If a risk is more expensive than a cure, you go for the cure.

Enough rambling; I'm _not_ a VPN expert by any means. I hope I hit enough generalities to get discussion farther along.

Tom Liotta


