By David Stern
The Federal Reserve building in NYC is a fortress, literally. There are layers of physical security mechanisms inside and out to keep people away from where they aren’t supposed to be. If you ever go to a meeting there, you will find that you cannot wander too far before hitting a nicely ornamented gate and a security guard. It’s no surprise that the pizza guy can’t just waltz in the back door. However, in most companies, the proverbial “pizza guy” is given a badge and institutionalized through the use of VPN.
A security professional will tell you that VPN is a remote access technology that has as much to do with security as your 28.8K modem. VPN allows remote systems to connect into the network from anywhere on the Internet. In most cases, the only access prerequisites are a username and password. The same rules apply to VPN as to any other remote connection: VPN access devices must be considered semi-trusted and placed in a DMZ, and their traffic and their logs must be monitored for dangerous activity.
Modern VPN devices have security features such as proxying, access lists, and IDS built in. However, to meet segregation-of-duties requirements, the typical LAN folks cannot control them. As with any other technology, VPNs can be made secure, but they certainly are not security devices.
This FFF is part of a new (hopefully) weekly series where the different contributors and guests will be sharing quick Friday Fast Facts – specifically so YOU CAN TAKE THEM AND USE THEM AT WORK. Include these in newsletters, quick email updates or even status reports. Please cite the author (David Stern) and the Security Catalyst Community (www.santarmj.staging.wpengine.com) when you spread the word.