On 7 Jun 2001, at 19:23, Carl E. Mankinen wrote:

> > And this is different from an on-site user, visiting the web
> > through the corporate firewall, exactly HOW? i.e. I do not see how
> > this risk is exacerbated if the client connection comes across a VPN
> > tunnel rather than just a length of Cat5.
>
> Presumably, when their VPN software at home is not blocking all access
> to their box and they are free to do anything they like, they are likely
> to become compromised, and then when they use their VPN to get into your
> corporate network it is a security problem. One reason why all VPN clients
> that I have are extremely locked down in what they can do. In fact, they
> can only access a number of bastions and do not participate on the internal
> network AT ALL.
>
> The VPN in this case is really just helping to crypt company confidential
> information that might be read via OWA etc. (uses SSL, bad example...)
>
> The difference in someone browsing the net from home vs. at work is the
> level of controls that are in place to limit their activities and to
> monitor what is being done. Our browsing capability from the inside
> is severely limited...get lots of complaints about it all the time.
>
> TALK TO THE HAND. hehe.

... and in the scenario I'm offering/used to, home users connected via VPN
are subject to no less than the same controls[*]. The fact that there is a
VPN tunnel present is orthogonal to and unrelated to the threat posed by
allowing trusted machines to browse the web -- whatever degree of threat we
happen to assign to that activity.

[*] ... while they are connected to the VPN.

> > [Consider also the case of the travelling employee who, after a
> > stint on the road, plugs his laptop into the internal net. No amount
> > of filtering at the tunnel endpoint is going to address this
> > analogous real-world case where a machine is sometimes connected to
> > the internal net, and sometimes not.]
>
> Our laptops are not allowed to plug into a wired ethernet port.
> They use a wireless NIC instead and the wireless access points are
> all in one VLAN (pretty difficult otherwise with multiple floors)
> and they are all placed on a leg of a firewall and pretty locked down.
>
> There are other controls in place to prevent someone from just using
> their workstation patch...

Security routinely involves trade-offs between safety, service, and cost.
You've apparently found an organization where service is optional,

> Our browsing capability from the inside is severely limited...get
> lots of complaints about it all the time.

where users are kept under some kind of surveillance (or the equivalent),

> Our laptops are not allowed to plug into a wired ethernet port.
> There are other controls in place to prevent someone from just
> using their workstation patch...

and where cost is not much of an object. Dare I humbly suggest that this
particular set of priorities is one to two standard deviations out from
where more-typical organizations tend to operate most of the time?

To put it in CFO-speak: "If all our remote users can get to is a couple of
bastion hosts, why spend money on a VPN *at all*? Maybe instead I should be
spending it on someone who can (will) find a way to provide more access than
that for our remote users??"

David Gillett

-
[To unsubscribe, send mail to majordomo@lists.gnac.net with
"unsubscribe firewalls" in the body of the message.]