VPN "Security" (was [Dshield] Clientless VPN and IPSEC)

Richard Ginski rginski at co.pinellas.fl.us
Tue Jan 14 13:58:49 GMT 2003

I appreciate the response and definitely appreciate the issue of firewalling according to security policy. However, we are comfortable with what's been implemented regarding IPSEC and firewalling/antivirus the IPSEC clients.

My original question was regarding "clientless VPN's" over SSL and comparing that to IPSEC. I feel clientless VPN is missing network access control (controlling access with encrypted internally assigned IP addresses at the client). I was asking if anyone else has wrestled with this issue and was able to implement technology to reach a level of comfort with clientless VPN.


>>> dshield_ls at technicalclarity.com 01/13/03 01:27PM >>>

IMHO, VPNs only offer protection against clear text communications snooping;
any appearance of offering secure access control (etc.) is an illusion.


The issues you raised are points well-taken.  However, I do not feel that
they inherently fail to offer secure (within reason) access control.  Here's
my $0.02 (if we keep this up we may hit a full $1) :)

There are two flavors of VPN-- site-to-site and client-to-site.  Your
rundown covers client-to-site pretty well, and by its very nature, it is
inherently a security risk.  A good example of an attempt to deal with many
of the issues you raised is Check Point's SecureClient (a superset of
SecuRemote).  SecureClient allows you to enforce firewalling on the "box out
there" as well as configuration control right down to registry keys.  So,
quite literally, if the box connecting up isn't configured "securely" (with
securely being defined by you) it doesn't get to talk.  Boom.  Problem
(somewhat) solved, if you can get management to go along with it at least.

In a site-to-site scenario, you can lock the VPN down to specific IP
addresses and eliminate the randomness inherent in client-to-site VPNs.  Of
course, you still have the same basic security questions about what that box
over there in Site B is doing-- but you do, nevertheless, have a modicum of
access control.

Beyond that, I completely agree that many mistreat VPNs as the "holy grail"
of security in that they think if you have one, there are no more security
issues.  This is obviously false.  However, it is not a problem unique to
VPNs as a security tool.  The simple fact is that if you grant access to
something or someone, that access can be leveraged by a third party to get

It's Espionage 101-- to get access to something you're not supposed to have
access to, abuse the otherwise legitimate access of someone else (whether it
comes through a VPN, a pilfered username and password, or a stolen digital
certificate).  Needless to say this is a bigger problem than VPN
implementation technique-- because the only solution to the issue is not to
grant access at all, which would render most corporate resources rather
useless.  Catch-22.

Russell Washington, CCSE, CCSA, NCSA
Too many doggoned letters after my name.../

Dshield mailing list
Dshield at dshield.org 
To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list

More information about the list mailing list