Re: [SAGE] VPN solutions
On Sun, 7 Nov 2004, Richard Johnson wrote:
> Consider that user machines are, in reality, most often unmaintained (no
> sysadmin in charge, meaning not locked down, no patches, etc.). On MS
> Windows, the users will open "interesting" attachments no matter how savvy
> they are in other parts of their life. On Linux, the users will run
> insecure services without even knowing that they're vulnerable to a direct
> network attack. Adding injury to insult, they'll be on cable modems
> without any firewalling. It is thus nearly guaranteed that many of them
> will end up compromised.
I agree that unpatched Windows machines are a huge problem. I also agree
that nobody's machine should be plugged into the Internet without a firewall
(separate hardware or host-based) turned on. But I think if you can fix these
problems, you've mitigated the risk associated with split tunneling to an
acceptable level, and I think the benefits are worth accepting that risk.
Your mileage will vary, depending on the requirements of your environment.
> I hope it's clearer now why I consider allowing regular user machines
> to have access to LAN and VPN at the same time to be a colossally bad idea.
Yes, you have. But I'm curious how you handle the problem of people who want
to use Internet resources while connected. Just tell 'em "no way, disconnect
first"? I'd have a hard time making that policy stick, especially if (as you
said) some people get exclusions. Although I imagine if we had started out
that way, it would be easier than switching users who'd already gotten used
to split-tunnel convenience.
--
- Eric Sorenson - Explosive Networking - http://eric.explosive.net -