In a message dated: 02 Aug 2002 08:38:52 EDT
"Kenneth E. Lussier" said:
>I think that we could probably come up with thousands of different ways
>to compromise the security of an internal network. What about actually
>securing it? One of the easiest things that I have seen done was
>implement an IPSec-based LAN. The setup was simple.
>
>From the outside in:
>
>router -> firewall -> FreeS/WAN gateway -> encrypted traffic to LAN.
>
>Each machine on the LAN had its own keypair that was registered with
>the gateway, so when a desktop was fired up, it would authenticate
>itself to the gateway, and it was then free to communicate with anyone.
>Anyone that was able to sniff the traffic just got encrypted streams. If
>you could get a system onto the network, it would be useless unless the
>gateway was compromised to accept a bogus key.
In theory, this is a great idea. However, keep in mind that:
Security = 1/productivity
In many corporate situations, especially engineering environments,
the implementation of a VPN would get in the way of development.
For instance, my current environment is co-located between the US and
Belgium. The folks in Belgium require direct access to our lab here,
and vice-versa. Additionally, both groups require direct access to
central corporate servers. A lot of what's going on requires high
performance connectivity with as little latency introduced as
possible. Placing a VPN client on some of these systems would
automatically get in the way of a lot of the testing that is done.
As a result, there aren't even virus scanners on a lot of the systems
in the labs. And, since the labs need direct access to corporate
servers, the labs often become breeding grounds for virii.
A proposal was made to VPN off all the labs, which would prevent a virus
from escaping since the virus couldn't authenticate with the VPN;
however, it was determined that there are no VPN servers at this time
which will not slow down a GigE connection, which is required for a
lot of the stuff going on here.
(of course, since we only have a 2MB connection to Belgium, I don't
see why the GigE thingy is a requirement for *our* situation :)
Also, as Ben pointed out, just because all the traffic between hosts
is now encrypted, that doesn't prevent someone from using a box to
internally probe your network looking for ways out.
Once you're in, you're in, and if you can use that internal system to
create a conduit you can get into from the outside, all bets are off!
--
Seeya,
Paul
--
It may look like I'm just sitting here doing nothing,
but I'm really actively waiting for all my problems to go away.
If you're not having fun, you're not doing it right!
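Added illustration (not from either poster, and not a configuration either of them published): a FreeS/WAN-style ipsec.conf for the gateway in the layout Kenneth describes, where each desktop has its own RSA keypair registered on the gateway and only a matching registered key is allowed to negotiate. Interface names, host names, addresses and the key strings are constructed placeholders; a real deployment would carry the public keys printed by `ipsec showhostkey` on each host.

```ini
# /etc/ipsec.conf on the FreeS/WAN gateway (constructed example)
#
# Topology assumed here, matching the thread:
#   router -> firewall -> this gateway (eth1 faces the LAN) -> desktops
# Desktops reach the corporate servers on 192.168.10.0/24 only through
# an IPSec tunnel that the gateway will set up solely for registered keys.

config setup
    # eth1 is the LAN-facing interface; ipsec0 is bound to it
    interfaces="ipsec0=eth1"
    klipsdebug=none
    plutodebug=none
    # load and start every connection marked auto=add / auto=start
    plutoload=%search
    plutostart=%search

conn %default
    # RSA signatures, not a shared secret: a foreign box on the wire
    # cannot authenticate unless its public key has been registered below
    authby=rsasig
    keyingtries=0
    # gateway side, shared by every desktop entry
    left=192.168.10.1
    leftid=@gw.lan.example
    leftsubnet=192.168.10.0/24
    leftrsasigkey=0sAQPLACEHOLDER_GATEWAY_PUBLIC_KEY

# One connection per registered desktop. right=%any lets the desktop
# come from whatever LAN address it booted with; the key it must sign
# with is pinned to its identity, so a stranger claiming that identity
# fails the signature check and no SA is built.
conn desktop-alice
    right=%any
    rightid=@alice.lan.example
    rightrsasigkey=0sAQPLACEHOLDER_ALICE_PUBLIC_KEY
    # gateway only responds; the desktop initiates when it comes up
    auto=add

conn desktop-bob
    right=%any
    rightid=@bob.lan.example
    rightrsasigkey=0sAQPLACEHOLDER_BOB_PUBLIC_KEY
    auto=add
```

Each desktop carries the mirror-image entry with `auto=start` so it authenticates to the gateway at boot, which is the "fires up and authenticates itself" behaviour in the quoted message. The important limit is the one Paul raises: this only decides who gets an SA to the gateway. A machine that already holds a registered key, or a compromised desktop that does, is inside the encrypted domain and can still scan its neighbours or open an outbound path, so host-level controls and egress monitoring still matter even when every packet on the wire is ESP.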