North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: VPN clients and security models
- From: David Howe
- Date: Tue Jan 28 12:57:51 2003
at Tuesday, January 28, 2003 4:52 PM, email@example.com <firstname.lastname@example.org>
was seen to say:
> Your VPN connection dropped you back into your site. If it is site's
> security model that all mail comes in and goes out via some mail
> server that filters out email viruses, and via VPN you are virtually
> in a footprint of that site, then why are you not using the site mail
> server or why is the VPN client lets you not use it? If it does not
> enforce the site's security policy, then it is a BAD VPN client.
Email is different, unfortunately.
Almost unavoidably, if you use Exchange and Outlook (and managment will
often refuse to drop their expensive and security-vunerable addiction to
that tool), you are going to get infections at some point. AV libraries
are (unfortunately) largely reactive, and often are up to a day behind
an outbreak (if the attackers plan the release well to maximise the time
it takes to get people working on a library update)
Once a VPN client is infected though, it has more opportunities to gain
access to a "raw" internet connection than a lan host would. The same
goes for an infected CDR or floppy - if it *knows* it is on a vpn
machine, it can find ways to get raw access that would be impossible for
a lan machine to even attempt. Consider a VPN machine a LAN machine
with a modem hanging off it already configured for an ISP - nobody in
their right mind would allow that to be *issued* as a standard setup,
but if you have to have that setup, you are going to have to work bloody
hard to keep it secure - made worse if the laptop is in a salesperson's
home where they can convince themselves it is "only fair" or "everyone
does it" when they (or their offspring) bypass security settings to get
into kazaa... or worse yet, where they download the client onto their
broadband-connected machine to connect with because "that dialup is too
1. Should it happen?
2. do we slap them down for it when we find out?
3. Should we assume that it won't happen because they know about (1) and
this is the real world.