North American Network Operators Group


Re: VPN clients and security models

  • From: David Howe
  • Date: Tue Jan 28 12:57:51 2003

at Tuesday, January 28, 2003 4:52 PM, [email protected] <[email protected]>
was seen to say:
> Your VPN connection dropped you back into your site. If it is the site's
> security model that all mail comes in and goes out via some mail
> server that filters out email viruses, and via VPN you are virtually
> in a footprint of that site, then why are you not using the site mail
> server, or why does the VPN client let you not use it? If it does not
> enforce the site's security policy, then it is a BAD VPN client.
Email is different, unfortunately.
Almost unavoidably, if you use Exchange and Outlook (and management will
often refuse to drop their expensive and security-vulnerable addiction to
that tool), you are going to get infections at some point.  AV libraries
are (unfortunately) largely reactive, and often are up to a day behind
an outbreak (if the attackers plan the release well to maximise the time
it takes to get people working on a library update).
Once a VPN client is infected though, it has more opportunities to gain
access to a "raw" internet connection than a LAN host would. The same
goes for an infected CDR or floppy - if it *knows* it is on a VPN
machine, it can find ways to get raw access that would be impossible for
a LAN machine to even attempt.  Consider a VPN machine a LAN machine
with a modem hanging off it already configured for an ISP - nobody in
their right mind would allow that to be *issued* as a standard setup,
but if you have to have that setup, you are going to have to work bloody
hard to keep it secure - made worse if the laptop is in a salesperson's
home where they can convince themselves it is "only fair" or "everyone
does it" when they (or their offspring) bypass security settings to get
into Kazaa... or worse yet, where they download the client onto their
broadband-connected machine to connect with because "that dialup is too
slow".
1. Should it happen?
No.

2. Do we slap them down for it when we find out?
Yes.

3. Should we assume that it won't happen because they know about (1) and
(2)?
This is the real world.