VPN WAN

Ryan Russell ryan at SECURITYFOCUS.COM
Wed Apr 12 16:15:52 EDT 2000


On Wed, 12 Apr 2000, Neil Ratzlaff wrote:

> This NT WAN is not a replacement for anything, it will be totally new.

I should have used the word "alternative"... it's an alternative to buying
a frame WAN.

> As
> near as I can tell, the different offices plan to use the Cisco VPN only
> for communication between the various NT servers, but not for anything
> else.  I interpreted this to mean any other internet access is unrestricted
> and would go direct, not through the WAN.  I assume Cisco can apply VPN
> based on specified destination IP addresses and ignore anything else.
>

Then you're screwed.  The remote sites (presumably) don't have a firewall
and/or don't know how to administer one.  When they get broken into, the
attacker has a clear path to all the other sites on your VPN WAN.

> This whole idea wouldn't bother me as much if I could keep it all outside
> my firewall, but I doubt I can manage that.  The VPN on my end would
> terminate just outside the firewall, so at least it isn't a tunnel through
> that.  I could put any NT systems here on a DMZ and block the M$ service
> ports, but I think that means no one here could pretend all those disks and
> printers out there are local on their machines, which appears to be the
> point of all this.

That makes no sense... If you're going to block the VPN with the firewall,
why put it in in the first place?  I presume you mean you're going to
firewall everything except NBT?  First off... if you fail to block even
that (and I don't mean *you're* at fault... I mean stupid management
making you do stupid things) then there will be a neverending cycle
of: "now allow HTTP, now allow telnet", etc.  Second, NBT is a *huge*
hole.  I could do anything I wanted to a network by exploiting an NBT
trust.  Not to mention that NBT is damn hard to firewall.

>
> If someone can point me to a URL that explains why this is bad, I would
> appreciate it.  I also welcome examples of the risks.  For instance, what
> problems can occur when a user in one place mounts a remote disk on a
> compromised machine as local?

It's such a fundamentally flawed (insecure) architecture that I don't
know that you'll find any specific papers... it's like asking for info on why
not having a firewall is bad.

>
> I doubt that any of the sites involved (except mine) have any type of
> network security now, so they really don't care about it yet.
>

All the more reason to keep them off your net.

Sorry to take such a strong tone... this is one of those things that if
it's allowed, you might as well give up any security efforts.

					Ryan

VPN is sponsored by SecurityFocus.COM
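The thread argues two things: a tunnel selected only by destination address, with nothing filtered inside it, gives any compromised host at a remote site a clear path to every other site, and even a "firewall everything except NBT" policy leaves the NBT trust itself open. The model below is an added example, not code from the original post or from any of the vendors mentioned. The addresses, host roles and both policies are constructed for illustration, and rule matching follows Cisco IOS extended-ACL conventions (first match wins, implicit deny at the end) without being an IOS parser.

```python
"""Which flows from a remote VPN site reach the local LAN under two filter
policies?  Added example for the thread above; all hosts and rules are
constructed, not taken from the original post."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# NetBIOS over TCP/IP (NBT): name service, datagram service, session service.
NBT_PORTS = frozenset({("udp", 137), ("udp", 138), ("tcp", 139)})


@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp" or "udp"
    src: str     # source host address
    dst: str     # destination host address
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str  # "permit" or "deny"
    proto: str   # "ip" matches any protocol, else "tcp"/"udp"
    src: str     # CIDR (a bare host address is treated as a /32)
    dst: str     # CIDR
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, f: Flow) -> bool:
        return (self.proto in ("ip", f.proto)
                and ip_address(f.src) in ip_network(self.src)
                and ip_address(f.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == f.dport))


def evaluate(acl, flow):
    """First matching rule decides; an IOS-style ACL ends in an implicit deny."""
    for rule in acl:
        if rule.matches(flow):
            return rule.action
    return "deny"


def permitted(acl, flows):
    return frozenset(f for f in flows if evaluate(acl, f) == "permit")


# Constructed topology (assumption): local LAN 10.1.0.0/24 with an NT server
# at .10 and an intranet web server at .20; remote site 10.2.0.0/24 with its
# NT server at .5 and an ordinary, unfirewalled workstation at .50.
LOCAL_LAN, REMOTE_LAN = "10.1.0.0/24", "10.2.0.0/24"
LOCAL_NT, LOCAL_WEB = "10.1.0.10", "10.1.0.20"
REMOTE_NT, REMOTE_PC = "10.2.0.5", "10.2.0.50"

# Policy A: the tunnel is chosen by destination address and nothing inside it
# is filtered.  Every remote host reaches every local host on every port.
TUNNEL_ONLY = [Rule("permit", "ip", REMOTE_LAN, LOCAL_LAN)]

# Policy B: permit only NBT, and only from the remote NT server to the local
# NT server.  The NBT trust between the two servers is still wide open.
NBT_ONLY = [Rule("permit", proto, REMOTE_NT, LOCAL_NT, port)
            for proto, port in sorted(NBT_PORTS)]

# Constructed flows an attacker on a compromised remote host might attempt.
ATTACK_FLOWS = frozenset({
    Flow("tcp", REMOTE_PC, LOCAL_NT, 23),    # telnet to the local NT box
    Flow("tcp", REMOTE_PC, LOCAL_WEB, 80),   # browse the intranet server
    Flow("tcp", REMOTE_PC, LOCAL_NT, 139),   # SMB from an arbitrary workstation
    Flow("tcp", REMOTE_NT, LOCAL_NT, 139),   # SMB from the "trusted" NT server
})


def exposure_report():
    """Return {policy name: set of attack flows that get through}."""
    return {"tunnel_only": permitted(TUNNEL_ONLY, ATTACK_FLOWS),
            "nbt_only": permitted(NBT_ONLY, ATTACK_FLOWS)}


if __name__ == "__main__":
    for name, flows in exposure_report().items():
        print(f"{name}: {len(flows)} of {len(ATTACK_FLOWS)} attack flows permitted")
        for f in sorted(flows, key=lambda f: (f.src, f.dst, f.dport)):
            print(f"  {f.proto} {f.src} -> {f.dst}:{f.dport}")
```

Under the destination-only policy all four constructed flows pass, which is the "clear path to all the other sites" in the reply. Under the NBT-only policy the workstation's flows are dropped, but the session-service flow from the remote NT server still passes: a filter can narrow the exposure to one trust relationship, yet whoever owns that remote server owns the trust.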
