Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


VPN clients and security models

  • From: alex
  • Date: Tue Jan 28 11:59:09 2003

> > This is not correct. VPN simply extends security policy to a different
> > location. A VPN user must make sure that local security policy
> > prevents other traffic from entering the VPN connection.

> This is nice in theory, but in practice is simply not true. Even
> assuming that the most restrictive settings are used (user may not
> install software by admin setting, has no local administration on his
> machine, IP traffic other than via the VPN is exclusive to the VPN
> client) it is *still* possible that the machine could be compromised by
> (say) an email virus that then bypasses security by any one of a dozen
> routes.

Welcome to the world of formal security models. If in theory a VPN is
nothing more than a tool of extending the security policy of a site to a
remote location, then it does not matter what kind of things you try to
achieve with it, it *won't* work for anything other than extending a security
model of a site to a remote location. Can one try to use it for something
else? Sure, one can. It may even work for a little bit, as long as it does
not contradict that security model. 

Your VPN connection dropped you back into your site. If it is the site's
security model that all mail comes in and goes out via some mail server that
filters out email viruses, and via VPN you are virtually in the footprint of
that site, then why are you not using the site mail server, or why does the
VPN client let you not use it? If it does not enforce the site's security
policy, then it is a BAD VPN client.

Alex




