Dan Bale wrote:
Beyond that, about all I'd be interested in is whether you have a good
reason for VPN. I imagine most reasons are something like "the boss says
so".
Actually, I wonder how many of us have good reason for using it?
(...besides the one I gave.)
The boss said so. But didn't the boss say so because VPN, set up properly,
is more secure? (More secure than what?) I'm starting to have to tread
carefully now, cuz I'm getting into someone else's area of responsibility.
Dan:
"More secure"... well, more secure against what?
Are you in a situation where your communications are likely to be tapped
by someone who can make a difference to your company? Are you, for
example, at an end-point within a hostile network or are your
communications forced through a hostile network segment? See, encryption
really only matters if the conversation can be monitored by someone who
can take advantage of it.
Who's monitoring your traffic? I suspect the chances are pretty close to
zero that _anyone_ outside of your target LAN can see anything at all
that you do, much less enough packets to construct any resemblance of a
conversation.
Perhaps there's a risk at your ISP that you're concerned about? Why not
start by calling them and asking them what their policy is? Certainly
once they start routing your packets towards the Internet backbone,
you're getting into the category of the feds doing the monitoring, but
I'd be surprised if they do. And if someone at your ISP is in fact doing
it, you're probably at significantly more risk over your non-VPN traffic
-- perhaps even at higher risk of losing control over your own PC.
But IMO, that's paranoid.
Yes, VPN will encrypt your traffic. And while doing so, it technically
becomes a superb conduit right through your target network firewall. If
anything does get installed on your PC, some kind of virus for example,
it now has an excellent route to travel. (Since you're using a Cisco
client, I assume you have a Cisco VPN appliance at the other end,
possibly a different IP address than the non-VPN router. Otherwise,
you'd probably just use the Microsoft VPN client. Go search through the
mailing lists at http://securityfocus.com/archive on pen-tests,
firewalls, etc., for all the opinions on whether routing, firewalling,
VPNing, etc., ought to be combined into single appliances.)
The risk is much less that traffic can route through your PC between two
networks; I wouldn't worry about that any more than I'd worry about
someone at your ISP. Routing isn't the problem. Something installed on
your PC is the bigger potential problem; no routing involved there -- it
talks direct. You probably have programs already installed on your PC
that are examples of how it's done -- iSeries Access functions do it all
the time. If your normal Internet connection ever results in a hostile
executable getting installed on your PC, well, there you go.
Of course, if you _don't_ use VPN, then your normal target network
firewall can see everything. This helps greatly when it needs to know
whether to block something or not.
All of this is pretty extreme. Assuming decently working firewalls,
active anti-virus, competent security patches at the various points, you
know -- normal standard stuff we all _know_ ought to be done, problems
are unlikely.
Adding VPN increases security from various forms of sniffing but also
opens a hole through which traffic might pass undetected. Why use VPN at
all if traffic content itself doesn't actually need to be secure?
And then, there are a couple various problems with VPN itself... like it
or not, few protocols are perfect.
I suspect you're getting the gist of it.
Security isn't an absolute item. It's always a tradeoff. For a business,
the tradeoffs ought to be measurable essentially in dollars. If a risk
is more expensive than a cure, you go for the cure.
Enough rambling; I'm _not_ a VPN expert by any means. I hope I hit
enough generalities to get discussion farther along.
Tom Liotta
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.