[55339] in North American Network Operators' Group
Re: Level3 routing issues?
daemon@ATHENA.MIT.EDU (alex@yuriev.com)
Mon Jan 27 15:24:18 2003
Date: Mon, 27 Jan 2003 15:18:05 -0500 (EST)
From: alex@yuriev.com
To: Simon Lockhart <simonl@rd.bbc.co.uk>
Cc: nanog@merit.edu
In-Reply-To: <20030127201014.GP29526@rd.bbc.co.uk>
Errors-To: owner-nanog-outgoing@merit.edu
> On Mon Jan 27, 2003 at 03:03:09PM -0500, alex@yuriev.com wrote:
> > > Alex, although technically correct, it's not practical. How many end users
> > > vpn in from home from say a public ip on their dsl modem leaving
> > > themselves open to attack but now also having this connection back to the
> > > "Secure" inside network. Has anyone heard of any confirmed cases of this
> > > yet?
> > So then they are using a wrong tool. Using a wrong security tool tends to
> > bite one in the <censored>.
>
> So what's the right tool? Yes, dial or dsl directly into corporate network
> is my preferred option, but doesn't fit the corporate plan for the future.
Use a client that will push down corporate policy to the client.
> > Yes, I have seen attacks mounted via VPNs. Work like charm.
>
> As I suspected, but I keep being told that these problems were in old style
> VPN clients, and stuff is much better these days. I remain unconvinced.
VPN client creates a fake IP interface. If that interface does not get the
policy of a corporate network, you have an open entrance. Some of the
clients (such as the ones CheckPoint has) do that. Others don't.
Alex