[email protected] (Finch, Steve) writes:
> Most VPNs do not encrypt the connection from endpoint to endpoint, which
> is what PCI requires. The VPN would need to start on the mainframe
> and go all the way to the PC. Most VPNs run on an appliance (server), a
> hop away from the mainframe. The "last hop" blows the PCI
The original VPN introduced in the gateway committee meeting at the Fall '94 IETF (internet standards) meeting was gateway-to-gateway (or at least router-to-router) encryption; basically support for something like a branch office tunneling an (encrypted) "intranet" connection through the internet (eliminating the requirement for a dedicated line).

Later VPN technology was introduced for individual PCs ... to tunnel (encrypted) remote (home, travelling, road warrior, etc) corporate work through the internet. This eliminated corporations requiring their own private dial-up modem pools (caveat, some corporations opened up remote internet access ... w/o actually requiring encrypted traffic through the internet).

One of the early versions of this was in the mid-90s regarding online (dialup) home banking moving to the internet ... a big justification was eliminating large racks of dialup modems at the financial institutions supporting proprietary dial-up operations (also eliminating lots of trouble calls from clients regarding the mechanics of PC operating system and drivers supporting serial port modems). Some of these "PC" implementations were not quite end-to-end ... encryption originating at the PC through the internet to some network box at the institutional end, which handles decryption ... before forwarding to the destination mainframe/server.

A well known attack vector, even by the late 90s, for remote PC VPNs (even when encrypted end-to-end) ... were PC zombies ... since they had to have a valid internet connection in order to create the VPN (encrypted) "tunnel" ... a zombie infection on the PC could act as a gateway ... forwarding attack traffic coming in via the internet connection and back out through the VPN tunnel, into the corporate intranet. Some number of VPN software products (for remote PCs) tend to also be packaged with software that attempts to counter such exploits (especially those PC VPN products targeted at the corporate business market).
--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

