Re: [SAGE] VPN solutions
At 11:46 AM -0800 2004-11-08, Eric Sorenson wrote:
> But I think if you can fix these
> problems, you've mitigated the risk associated with split tunneling to an
> acceptable level, and I think the benefits are worth accepting that risk.
I'm not convinced of that. The most recent attacks have included
code to turn off firewalls and other security software, and so long
as these are things that the users are capable of enabling or
disabling themselves, I think you always have to consider them to be
highly suspect.
That is, even assuming that they have a proper firewall in the
first place, and unfortunately most firewalls assume that the attacks
will be coming from the outside on channels which are not explicitly
allowed, and don't check the channels which are allowed, nor do they
prohibit outbound connections from machines that might already be
infected.
> Yes, you have. But I'm curious how you handle the problem of people who want
> to use Internet resources while connected. Just tell 'em "no way, disconnect
> first"? I'd have a hard time making that policy stick, especially if (as you
> said) some people get exclusions. Although I imagine if we had started out
> that way, it would be easier than switching users who'd already gotten used
> to split-tunnel convenience.
In that case, I'd allow them to access the Internet via the VPN,
but they'd have to abide by the security restrictions of the VPN
which might prevent them from getting to certain types of websites,
etc.... If they want to have access to those sites, then they'd need
to disconnect from the VPN first.
Think of it like cooking Kosher, and having separate utensils,
cookware, maybe even entire kitchens.
--
Brad Knowles, <brad@stop.mail-abuse.org>
"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755
SAGE member since 1995. See <http://www.sage.org/> for more info.
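An added illustration of the split-tunnel risk this thread discusses (example code written for this page, not from the thread or its authors): a longest-prefix route lookup over two constructed client routing tables, one split-tunnel and one full-tunnel, showing which destinations leave the host outside the tunnel and so never pass the VPN-side firewall. Interface names, subnets and the gateway address are all constructed.

```python
"""Route lookup over constructed split-tunnel and full-tunnel client tables."""
import ipaddress

# Constructed split-tunnel table: only the corporate /16 goes through the
# VPN interface tun0; the default route stays on the local LAN interface.
SPLIT_TUNNEL = [
    ("10.20.0.0/16", "tun0"),      # corporate networks via the VPN
    ("192.168.1.0/24", "eth0"),    # home LAN, direct
    ("0.0.0.0/0", "eth0"),         # everything else leaves directly
]

# Constructed full-tunnel table: the VPN pushes two /1 routes that win over
# the original default route, so all non-local traffic enters the tunnel;
# the VPN gateway itself keeps a direct /32 so the tunnel can be reached.
FULL_TUNNEL = [
    ("10.20.0.0/16", "tun0"),
    ("192.168.1.0/24", "eth0"),
    ("203.0.113.5/32", "eth0"),    # constructed VPN gateway, must stay direct
    ("0.0.0.0/1", "tun0"),
    ("128.0.0.0/1", "tun0"),
    ("0.0.0.0/0", "eth0"),
]


def lookup(table, dst):
    """Return the egress interface for dst by longest-prefix match."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def bypasses_vpn(table, dst, vpn_iface="tun0"):
    """True when traffic to dst leaves the host outside the tunnel, so the
    VPN-side firewall and content restrictions never see it."""
    return lookup(table, dst) != vpn_iface


if __name__ == "__main__":
    for name, table in (("split", SPLIT_TUNNEL), ("full", FULL_TUNNEL)):
        for dst in ("10.20.5.9", "198.51.100.7", "192.168.1.30"):
            print(f"{name:5} {dst:15} -> {lookup(table, dst)}")
```

With the split table an arbitrary Internet host such as 198.51.100.7 exits via eth0, with the full table it exits via tun0, while the home LAN and the gateway /32 stay direct in both.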