North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: Level3 routing issues?
On Mon, 27 Jan 2003 15:33:34 EST, [email protected] said: > > > > This is not correct. VPN simply extends security policy to a different > > > location. A VPN user must make sure that local security policy prevents > > > other traffic from entering VPN connection. > > > > Given that the head of one of our three-letter-agencies managed to get > > this sort of thing wrong, what makes you think that Joe Middle-Manager > > who's more concerned about fixing a spreadsheet will get it correct? > > Because it is not that difficult. A security policy of a little office is > very different from a security policy of a three letter agency. In fact, > fixing a spreadsheet could be mode difficult than implementing a security > policy for an office with 5 computers that are connected to the Internet. Ahh... but in the case of SQLSlapper, you have a packet coming in to the PC.. That traffic doesn't get restricted by your hypothetical security policy, since it's not entering the VPN, and the outbound traffic isn't either, because it's locally generated. This also means that your security policy needs to be fixed so Outlook is not permitted to connect to any other mail servers - because otherwise the user can check their AOL account, pick up a Nimda, and whomp it into the VPN. In fact, if you're talking to the VPN and allow any non-VPN connections *at any time* (even when the VPN isn't active), you have a vulnerability - think about downloading a file that has a virus that doesn't have a signature from the vendors yet (like the first 75,000 copies of Nimda that his our mail server). Wanna bet that when that VPN connects, there's some shares available for the virus to attack? ;) It's not as easy as it looks.