[55392] in North American Network Operators' Group
Re: VPN clients and security models
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Tue Jan 28 12:42:20 2003
To: alex@yuriev.com
Cc: "Email List: nanog" <nanog@nanog.org>
In-Reply-To: Your message of "Tue, 28 Jan 2003 11:52:39 EST."
<Pine.LNX.4.10.10301281146250.616-100000@s1.yuriev.com>
From: Valdis.Kletnieks@vt.edu
Date: Tue, 28 Jan 2003 12:41:56 -0500
Errors-To: owner-nanog-outgoing@merit.edu
--==_Exmh_1570865988P
Content-Type: text/plain; charset=us-ascii
On Tue, 28 Jan 2003 11:52:39 EST, alex@yuriev.com said:
> Welcome to the world of formal security models. If in theory a VPN is
> nothing more than a tool of extending the security policy of a site to a
> remote location, then it does not matter what kind of things you try to
> achieve with it, it *wont* work for anything other than extending a security
> model of a site to a remote location. Can one try to use it for something
> else? Sure, one can. It may even work for a little bit, as long as it does
> not contradict that security model.
Right. In the *formal* sense, this is correct.
But that's not how things work out in the Real World. As I pointed out
before, you have *USERS* involved, and they'll do stupid things like try
to connect their laptop to the internet. And as I also pointed out,
if the head of a TLA screws up and Gets This Wrong, why should we expect
untrained, non-security-aware users to Get It Right?
The problem is exacerbated by the fact that these mobile laptops are usually
*NOT* configured like a kiosk, where the user is unable to make any changes.
> that site, then why are you not using the site mail server or why is the VPN
> client lets you not use it? If it does not enforce the site's security
> policy, then it is a BAD VPN client.
And when the VPN client isn't even running, what stops the user from changing
the mail software config to fetch his mail from some other server like AOL or
MSN or whatever?
Remember - users do NOT care about security. Users care about finishing
whatever task THEY are busy with, which is almost never security.
--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
--==_Exmh_1570865988P
Content-Type: application/pgp-signature
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Exmh version 2.5 07/13/2001
iD8DBQE+NsDkcC3lWbTT17ARAqz2AKDIJluv9RO/eObUrYxl/+ds+oao5gCeKzaQ
AyRcpyAdSaqc6f9w5+82Lfo=
=Zbeo
-----END PGP SIGNATURE-----
--==_Exmh_1570865988P--
