North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Level3 routing issues?

  • From: Valdis.Kletnieks
  • Date: Mon Jan 27 15:53:39 2003

On Mon, 27 Jan 2003 15:33:34 EST, [email protected]  said:
> 
> > > This is not correct. VPN simply extends security policy to a different
> > > location. A VPN user must make sure that local security policy prevents
> > > other traffic from entering VPN connection.
> > 
> > Given that the head of one of our three-letter-agencies managed to get
> > this sort of thing wrong,  what makes you think that Joe Middle-Manager
> > who's more concerned about fixing a spreadsheet will get it correct?
> 
> Because it is not that difficult. A security policy of a little office is
> very different from a security policy of a three letter agency. In fact,
> fixing a spreadsheet could be mode difficult than implementing a security
> policy for an office with 5 computers that are connected to the Internet.

Ahh... but in the case of SQLSlapper, you have a packet coming in to the
PC.. That traffic doesn't get restricted by your hypothetical security
policy, since it's not entering the VPN, and the outbound traffic isn't
either, because it's locally generated.

This also means that your security policy needs to be fixed so Outlook is not
permitted to connect to any other mail servers - because otherwise the user can
check their AOL account, pick up a Nimda, and whomp it into the VPN.

In fact, if you're talking to the VPN and allow any non-VPN connections
*at any time* (even when the VPN isn't active), you have a vulnerability - think
about downloading a file that has a virus that doesn't have a signature from
the vendors yet (like the first 75,000 copies of Nimda that his our mail
server).  Wanna bet that when that VPN connects, there's some shares available
for the virus to attack? ;)

It's not as easy as it looks.

Attachment: pgp00018.pgp
Description: PGP signature