December 15

Security Friday Fast Fact: Busting the VPN-Security Myth

By David Stern

The Federal Reserve building in NYC is a fortress, literally. There are layers of physical security mechanisms inside and out to keep people away from where they aren’t supposed to be. If you ever go to a meeting there, you will find that you cannot wander far before hitting a nicely ornamented gate and a security guard. It’s no surprise that the pizza guy can’t just waltz in the back door. In most companies, however, the proverbial “pizza guy” is given a badge and institutionalized through the use of VPN. A security professional will tell you that VPN is a remote access technology that has as much to do with security as your 28.8K modem. VPN allows remote systems to connect into the network from anywhere on the Internet, and in most cases the only access prerequisites are a username and password. The same rules apply to VPN as to any other remote connection: VPN access devices must be considered semi-trusted and placed in a DMZ, and their traffic and their logs must be monitored for dangerous activity. Modern VPN devices have security features such as proxying, access lists, and IDS built in, but to meet segregation of duties requirements, the people who run the LAN cannot be the ones who control them. As with any other technology, VPNs can be made secure, but they certainly are not security devices.
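Monitoring VPN logs for dangerous activity, as called for above, can start with a few simple rules. The following is an added example, not code from the post: it parses constructed log lines in a hypothetical syslog-style format and flags a password spray against the VPN (one source IP failing against many accounts, the obvious risk when a username and password are the only prerequisite), a success from a source already spraying, and one account logging in from several IPs within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical syslog-style format (not any real product's).
SAMPLE_LOG = """\
2007-12-14T08:01:10 vpn01 auth: user=alice src=203.0.113.5 result=FAIL
2007-12-14T08:01:12 vpn01 auth: user=bob src=203.0.113.5 result=FAIL
2007-12-14T08:01:14 vpn01 auth: user=carol src=203.0.113.5 result=FAIL
2007-12-14T08:01:16 vpn01 auth: user=dave src=203.0.113.5 result=FAIL
2007-12-14T08:01:18 vpn01 auth: user=erin src=203.0.113.5 result=FAIL
2007-12-14T08:01:20 vpn01 auth: user=frank src=203.0.113.5 result=SUCCESS
2007-12-14T08:05:00 vpn01 auth: user=alice src=198.51.100.7 result=SUCCESS
2007-12-14T08:30:00 vpn01 auth: user=alice src=192.0.2.9 result=SUCCESS
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ auth: user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")

def parse(log_text):
    """Event dicts from raw lines; lines that do not match the format are skipped."""
    return [{"ts": datetime.fromisoformat(m["ts"]), "user": m["user"], "src": m["src"],
             "result": m["result"]} for m in map(LINE_RE.match, log_text.splitlines()) if m]

def _distinct_in_window(items, key, window):
    """Largest set of distinct `key` values seen in any `window`-long span starting at one event."""
    items = sorted(items, key=lambda e: e["ts"])
    return max(({e[key] for e in items[i:] if e["ts"] - first["ts"] <= window}
                for i, first in enumerate(items)), key=len, default=set())

def detect_password_spray(events, window=timedelta(minutes=5), min_users=5):
    """Source IPs that fail against at least `min_users` distinct accounts within `window`."""
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails[e["src"]].append(e)
    return sorted(src for src, ev in fails.items()
                  if len(_distinct_in_window(ev, "user", window)) >= min_users)

def detect_success_from_flagged(events, flagged_srcs):
    """Accounts that logged in successfully from a source already flagged for spraying."""
    return [e["user"] for e in events if e["result"] == "SUCCESS" and e["src"] in flagged_srcs]

def detect_account_multi_source(events, window=timedelta(minutes=30), min_sources=2):
    """Accounts succeeding from `min_sources` or more IPs within `window`: shared or stolen credentials."""
    wins = defaultdict(list)
    for e in events:
        if e["result"] == "SUCCESS":
            wins[e["user"]].append(e)
    return sorted(user for user, ev in wins.items()
                  if len(_distinct_in_window(ev, "src", window)) >= min_sources)
```

The thresholds are assumptions to be tuned per environment; a success from a flagged source is the finding to escalate first.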

This FFF is part of a new (hopefully) weekly series where the different contributors and guests will be sharing quick Friday Fast Facts – specifically so YOU CAN TAKE THEM AND USE THEM AT WORK. Include these in newsletters, quick email updates or even status reports. Please cite the author (David Stern) and the Security Catalyst Community (www.santarmj.staging.wpengine.com) when you spread the word.


  1. Great idea, the FFF! An excellent way to get across a quick point; focus attention on an issue; remind us of fundamental rules; or just get us to think about things in a different way.

    I’ve not really thought about VPNs in this manner… I’ve always considered them an extension of the LAN/WAN area (not security), but certainly the access & authentication method, for me, is where I get interested.

    I don’t get what you say about segregation though… on one hand you are saying that a VPN in itself is not a security device (agree), but to meet segregation requirements (agree) LAN folks should not control them… OK, so who then? The Security Team? Maybe just a clarification. I would argue that the LAN folks still control the operation of the VPN (just like they do other ingress/egress points) but do not control the access method or access lists – that is the responsibility of the security team.

    cw
