Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: VPN clients and security models

  • From: David Howe
  • Date: Tue Jan 28 12:57:51 2003

at Tuesday, January 28, 2003 4:52 PM, alex@yuriev.com <alex@yuriev.com>
was seen to say:
> Your VPN connection dropped you back into your site. If it is site's
> security model that all mail comes in and goes out via some mail
> server that filters out email viruses, and via VPN you are virtually
> in a footprint of that site, then why are you not using the site mail
> server or why is the VPN client lets you not use it? If it does not
> enforce the site's security policy, then it is a BAD VPN client.
Email is different, unfortunately.
Almost unavoidably, if you use Exchange and Outlook (and managment will
often refuse to drop their expensive and security-vunerable addiction to
that tool), you are going to get infections at some point.  AV libraries
are (unfortunately) largely reactive, and often are up to a day behind
an outbreak (if the attackers plan the release well to maximise the time
it takes to get people working on a library update)
Once a VPN client is infected though, it has more opportunities to gain
access to a "raw" internet connection than a lan host would. The same
goes for an infected CDR or floppy - if it *knows* it is on a vpn
machine, it can find ways to get raw access that would be impossible for
a lan machine to even attempt.  Consider a VPN machine a LAN machine
with a modem hanging off it already configured for an ISP - nobody in
their right mind would allow that to be *issued* as a standard setup,
but if you have to have that setup, you are going to have to work bloody
hard to keep it secure - made worse if the laptop is in a salesperson's
home where they can convince themselves it is "only fair" or "everyone
does it" when they (or their offspring) bypass security settings to get
into kazaa... or worse yet, where they download the client onto their
broadband-connected machine to connect with because "that dialup is too
slow"
1. Should it happen?
no

2. do we slap them down for it when we find out?
yes

3. Should we assume that it won't happen because they know about (1) and
(2)?
this is the real world.





Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.