Adam:

Understood. That's why I added the parenthetical comment about the Cisco VPN in particular and the reference to the SecurityFocus forums. Rather than cover the entire subject, which I'm not qualified to do, I hope those interested will follow along their own research paths.

Note that the native VPN support under OS/400 adheres more to Microsoft VPN concepts rather than, say, Cisco. In such a case, there is no necessary VPN/firewall appliance involved.

And as the SecurityFocus forums can highlight, the combining of multiple technologies such as VPN and firewalls might or might not be a good idea depending on a number of factors.

Tom Liotta


Adam Lang wrote:
I want to correct you on something Tom, because I feel that, not necessarily
bad information, but misleading information.  VPN should not be a security
issue in regards to being a conduit through your firewall.  Why you may ask?
Because your VPN endpoint should have firewall rules enabled.  Whether it is
a CISCO VPN or a Linux box running CIPE.  The VPN endpoint should be running
firewall rules so that AS SOON AS THE TRAFFIC IS UNENCRYPTED it is analyzed
to determine if it should be blocked or not.

As an example, I run CISCO PIX at work and my external firewall is my VPN.
So, I do have access-lists enabled for that interface.  I also have a custom
built CIPE VPN server on linux sitting in the DMZ.  Now, if I wanted to, I
could use IPTABLES on the linux box to handle the firewalling, but instead I
use the firewall rules of the firewall segmenting my DMZ from the internal
network.  So technically, someone on the CIPE VPN can hit other DMZ
machines, but with the people I have at the other end of that one, I
downplayed the risk factor.  But if I was concerned about it, I would
IPTABLE the CIPE server to stop bad traffic at it's source.

Again, if implemented properly, VPN should not open any security holes
through your firewall.

I feel the trick to security and firewalling is looking at your network for
chokepoints. Data typically funnels down to certain areas. Use them for
analyzing bad traffic.
----- Original Message ----- From: "Tom Liotta" <qsrvbas@xxxxxxxxxxxx>
Newsgroups: midrange.public.pctech
To: <pctech@xxxxxxxxxxxx>
Sent: Friday, August 06, 2004 12:35 AM
Subject: Re: [PCTECH] Re: VPN questions




Dan:

"More secure"... well, more secure against what?

Are you in a situation where your communications are likely to be tapped
by someone who can make a difference to your company? Are you, for
example, at an end-point within a hostile network or are your
communications forced through a hostile network segment? See, encryption
really only matters if the conversation can be monitored by someone who
can take advantage of it.

Who's monitoring your traffic? I suspect the chances are pretty close to
zero that _anyone_ outside of your target LAN can see anything at all
that you do, much less enough packets to construct any resemblence of a
conversation.

Perhaps there's a risk at your ISP that you're concerned about? Why not
start by calling them and asking them what their policy is? Certainly
once they start routing your packets towards the Internet backbone,
you're getting into the category of the feds doing the monitoring, but
I'd be surprised if they do. And if someone at your ISP is in fact doing
it, you're probably at significantly more risk over your non-VPN traffic
-- perhaps even at higher risk of losing control over your own PC.

But IMO, that's paranoid.

Yes, VPN will encrypt your traffic. And while doing so, it technically
becomes a superb conduit right through your target network firewall. If
anything does get installed on your PC, some kind of virus for example,
it now has an excellent route to travel. (Since you're using a Cisco
client, I assume you have a Cisco VPN appliance at the other end,
possibly a different IP address than the non-VPN router. Otherwise,
you'd probably just use the Microsoft VPN client. Go search through the
mailing lists at http://securityfocus.com/archive on pen-tests,
firewalls, etc., for all the opinions on whether routing, firewalling,
VPNing, etc., ought to be combined into single appliances.)

The risk is much less that traffic can route through your PC between two
networks; I wouldn't worry about that any more than I'd worry about
someone at your ISP. Routing isn't the problem. Something installed on
your PC is the bigger potential problem; no routing involved there -- it
talks direct. You probably have programs already installed on your PC
that are examples of how it's done -- iSeries Access functions do it all
the time. If your normal Internet connection ever results in a hostile
executeable getting installed on your PC, well, there you go.

Of course, if you _don't_ use VPN, then your normal target network
firewall can see everything. This helps greatly when it needs to know
whether to block something or not.

All of this is pretty extreme. Assuming decently working firewalls,
active anti-virus, competent security patches at the various points, you
know -- normal standard stuff we all _know_ ought to be done, problems
are unlikely.

Adding VPN increases security from various forms of sniffing but also
opens a hole through which traffic might pass undetected. Why use VPN at
all if traffic content itself doesn't actually need to be secure?

And then, there are a couple various problems with VPN itself... like it
or not, few protocols are perfect.

I suspect you're getting the gist of it.

Security isn't an absolute item. It's always a tradeoff. For a business,
the tradeoffs ought to be measureable essentially in dollars. If a risk
is more expensive than a cure, you go for the cure.

Enough rambling; I'm _not_ a VPN expert by any means. I hope I hit
enough generalities to get discussion farther along.

Tom Liotta




As an Amazon Associate we earn from qualifying purchases.

This thread ...

Follow-Ups:
Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.