On Tue, Dec 23, 2008 at 12:17 PM, Bill Monicher <[email protected]> wrote:
> From what I've seen VPNs provide MORE secure than any other option,
Say it with me now: "Security is a process, not a product." (Bruce Schneier)

VPNs don't provide security. Neither does SSH, or SSL, or any other acronym. They can be used as part of a security strategy, but you can't just sprinkle some encryption on something and say you're secure. Any of them can result in a security exposure if used poorly.

Typically and generically, the term "VPN" means a network link between two controlled networks, transported over the public Internet, with some kind of encryption and authentication to defend against hijacking and snooping.

An unrestricted VPN between two systems with different security postures is a security exposure, as it's a hole punched through your security perimeter. Depending on what one is trying to do, putting a firewall on the VPN link may be an effective countermeasure.

SFTP or some kind of HTTP-over-SSL thing might provide the ability to more tightly restrict what the client end can access, or make it easier to enact such restrictions. Thus, a tightly restricted web interface might be more secure than a wide open VPN. Or the other way around.

VPN, SFTP, HTTP-over-SSL can all be vulnerable to various attacks, especially if one uses passwords for authentication and ignores host authentication. Password guessing, man-in-the-middle, DNS hijacking, etc.

"There is no such thing as security -- only managed risk." (Unknown)

-- Ben
