On 9 Mar 00, at 15:00, [EMAIL PROTECTED] wrote:
> Greetings:
>
> [EMAIL PROTECTED] said:
>
> > > VPNs put the encryption boundary on an untrusted host (that may not be
> > > owned or configured by the company) that is forced to connect to an
> > > untrustable network in the clear to initiate its session. That
> > > completely negates the phrase "complete lockdown" in my book.
>
> > Hmm, I guess you're configuring VPN differently than I am. Our VPN
> > Server is part of our firewall (PIX), but the certificate servers that
> > grant access to the network are on the inside of the firewall. The
> > encryption boundary is at the DMZ, and access beyond that is granted
> > only if the right certificates are present, verified through a 3rd
> > party CA.
>
> No, you and Paul are looking at different ends of the VPN tunnel.
>
> The untrusted host that he refers to is the end in the home office, which may
> not be a company owned box, and which is almost certainly less well secured
> than the end point at the enterprise.
>
> By extending trust out to the home office, you have effectively reduced the
> strength of that trust web to the security level of the home office.
Texas A&M now allows VPN connections from off campus by
students, staff, and faculty. This prompted the following statement
on tamu.networks about the issue:
: The biggest issue that we see is that users are going to have to
: be a lot more careful about the security of the remote machine
: that they are using to access campus. If they inadvertently give
: access to someone else through the VPN tunnel and problems
: result, the user who authenticated the tunnel will be the one who
: is ultimately responsible.
--------------------
Eric Johnson
[EMAIL PROTECTED]
[EMAIL PROTECTED]