[55342] in North American Network Operators' Group

Re: Level3 routing issues?

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Mon Jan 27 15:51:55 2003

To: alex@yuriev.com
Cc: nanog@merit.edu
In-Reply-To: Your message of "Mon, 27 Jan 2003 15:33:34 EST."
             <Pine.LNX.4.10.10301271531090.30768-100000@s1.yuriev.com> 
From: Valdis.Kletnieks@vt.edu
Date: Mon, 27 Jan 2003 15:49:58 -0500
Errors-To: owner-nanog-outgoing@merit.edu


On Mon, 27 Jan 2003 15:33:34 EST, alex@yuriev.com  said:
> 
> > > This is not correct. VPN simply extends security policy to a different
> > > location. A VPN user must make sure that local security policy prevents
> > > other traffic from entering VPN connection.
> > 
> > Given that the head of one of our three-letter-agencies managed to get
> > this sort of thing wrong,  what makes you think that Joe Middle-Manager
> > who's more concerned about fixing a spreadsheet will get it correct?
> 
> Because it is not that difficult. A security policy of a little office is
> very different from a security policy of a three letter agency. In fact,
> fixing a spreadsheet could be more difficult than implementing a security
> policy for an office with 5 computers that are connected to the Internet.

Ahh... but in the case of SQLSlapper, you have a packet coming in to the
PC. That traffic doesn't get restricted by your hypothetical security
policy, since it's not entering the VPN, and the outbound traffic isn't
either, because it's locally generated.

This also means that your security policy needs to be fixed so Outlook is not
permitted to connect to any other mail servers - because otherwise the user can
check their AOL account, pick up a Nimda, and whomp it into the VPN.

In fact, if you're talking to the VPN and allow any non-VPN connections
*at any time* (even when the VPN isn't active), you have a vulnerability - think
about downloading a file that has a virus that doesn't have a signature from
the vendors yet (like the first 75,000 copies of Nimda that hit our mail
server).  Wanna bet that when that VPN connects, there's some shares available
for the virus to attack? ;)

It's not as easy as it looks.
