- To: MLUG Members <EMAIL:PROTECTED>
- Subject: Re: [MLUG] remote network connection
- From: Chris Wolfe <EMAIL:PROTECTED>
- Date: Sun, 01 Feb 2004 20:22:55 -0600
- In-reply-to: <EMAIL:PROTECTED>
- References: <EMAIL:PROTECTED>
- Reply-to: MLUG Members <EMAIL:PROTECTED>
- Sender: EMAIL:PROTECTED
- User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US;rv:1.6b) Gecko/20031205 Thunderbird/0.4

Technical discussion aside (and there have been some very good things
said to keep in mind about VPNs and security in general), this is the
second time IIRC that someone has said it's basically a Very Bad Idea to
try having a secure connection on the internet. That's someone's
personal opinion that they are entitled to, but I'd rather see hard
evidence and let the facts speak for themselves.

I disagree with the concept that you can't use a VPN securely, and
blanket statements to the contrary only help spread the FUD. VPNs can
be done, *are* being done, by hundreds or thousands of all types of
businesses, but we tend to hear about the places that get cracked (and I
have yet to see the correlation to their use of a VPN or not). They
obviously missed something critical and are paying the price. Hopefully
with the advice given here on the list and with other study, none of us
will find ourselves in the same boat.

--Chris

Brent Deterding wrote:
>On the other hand - plenty of banks don't invest in very expensive private
>lines and use VPNs whose encryption can be trusted. We've gotten to the
>point that the encryption can be trusted to a reasonable degree (yes -
>thousands of computers working for hundreds of years could break it). I'm
>not sure but doesn't FreeS/WAN support aes256?
>
>Running traffic across a VPN meets due diligence - it assures
>confidentiality, integrity, and authentication. Banks need to worry more
>about someone walking in and robbing the place than someone putting
>thousands of computers against their VPN keys . . .
>
>NOW - this is a very important clarification to this port - that covers the
>transmission of the data only - it says NOTHING of what happens at the
>endpoints of the data and on the networks behind those endpoints once
>decrypted. Trust your firewall won't get tossed? How are logs reviewed? How
>often? What are those people's qualifications? Who designed and put up the
>firewall? GLBA (Gramm-Leach-Bliley Act) wants due diligence on all of these
>points as well. I'm not getting into that here - I'm speaking only of the
>VPN as a communication means for data.
>
>Overall I would agree with Shannon - but someone could conceivably grab the
>data off your private line easier than crack the encryption on your VPN. One
>would require thousands of computers while one would require a network
>engineer with access and a sniffer.
>
>-- Brent
>
>-----Original Message-----
>From: EMAIL:PROTECTED
>[mailto:EMAIL:PROTECTED]On Behalf Of Spurling, Shannon
>Sent: Friday, January 30, 2004 9:59 AM
>To: MLUG Members
>Subject: RE: [MLUG] remote network connection
>
>
>
>NEVER! And I mean never, place your critical business structure on the
>internet. It's fine for casual communications that you don't care if they
>get sniffed or not, but don't make your internal bridge between sites
>dependent on a tunnel across the internet. The practical problems are
>latency and reliability. The security concerns are from when you never know
>what route the tunnel is going to have to take to get from point A to point
>B, unless you have the option to use a tightly coupled single ISP that you
>trust.
>
>A good rule of thumb is, would you discuss the information in question in
>public? Would you discuss it quietly? Would you insist the other person
>follow you to a secure place to discuss it? Each one of these responses
>suggests a different level of secrecy and security. The first would be
>regular e-mail. The second would be the equivalent of using encryption. The
>third would be making them use your internal infrastructure. I'd say VPNs
>and SSL should be fine for external customers connecting to perform business
>within your company, but I would not depend on it for large amounts of
>communication between offices, or transfer of records.
>
>Every time I hear about a bank or company getting hacked from the internet I
>keep thinking "Why did these people hook this stuff up to the internet in
>the first place!?" If you want to keep your data safe, don't put it on the
>public network. It's common sense, just like if you don't want it stolen,
>don't leave it out on the street.
>