VPNs from a security perspective.

David Gillett dgillett at NIKU.COM
Thu Jan 6 19:43:02 EST 2000


> 1. How secure am I (remote client) and my fellow workers from the other
> company's site? Am I putting a great deal of trust in them? Can anyone at
> the other company tunnel back (or spoof the tunnel) into my segment?

  It depends.  The more common question is "How much does my client expose
the other site?", and the prevailing answer has been for the VPN client to
force all application traffic to flow through the tunnel.  And in your case,
that would effectively isolate anything at upper protocol levels on your
machine from the rest of the LAN that you're on.  [The lowest levels must,
of course, still function in order to carry the tunnel.]

> 2. What are the best ways to protect the client in this case? (i.e.
> install personal firewall, segment machine from others, require network
> disconnect prior to VPN connection).

  On those clients which allow non-tunnel traffic while the tunnel is in
place, you should be able to turn this off -- and in fact the folks at the
other end of the tunnel are likely to request that you do so!

> 3. If I install a VPN box on my site and set up a site-to-site VPN tunnel
> with the other company, will this architecture allow for improved security?

  No; from the perspective of these concerns, it will expose your entire
network to theirs and vice versa.  Site-to-site is an alternative to WAN
technologies; it is a much better fit for linking separate sites of a single
organization than for linking across organization perimeters.

David Gillett
Enterprise Server Manager, Niku Corp.
(650) 701-2702

VPN is sponsored by SecurityFocus.COM
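The full-tunnel policy David describes above (all application traffic forced through the tunnel, with only what is needed to carry the tunnel itself allowed outside it) can be checked on a client by asking what the routing table would do with a few destinations. The following is an added example, not part of the original post and not the code of any particular VPN product. It parses Linux `ip route show` output; the two route tables, the interface names (eth0, tun0), the addresses and the probe hosts are all constructed for illustration.

```python
import ipaddress
import re

# Accepts the common shape of Linux `ip route show` lines, e.g.
#   default via 192.168.1.1 dev eth0 metric 100
#   203.0.113.5 via 192.168.1.1 dev eth0
#   192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.23
ROUTE_RE = re.compile(
    r"^(?P<dst>\S+)(?: via (?P<via>\S+))? dev (?P<dev>\S+)(?:.*? metric (?P<metric>\d+))?"
)


def parse_routes(text):
    """Parse `ip route show` lines into dicts; lines of another shape are skipped."""
    routes = []
    for raw in text.strip().splitlines():
        m = ROUTE_RE.match(raw.strip())
        if not m:
            continue
        dst = m.group("dst")
        routes.append({
            "dst": ipaddress.ip_network("0.0.0.0/0" if dst == "default" else dst, strict=False),
            "via": m.group("via"),          # None for a directly connected subnet
            "dev": m.group("dev"),
            "metric": int(m.group("metric") or 0),
        })
    return routes


def lookup(routes, dest):
    """Longest-prefix match, lowest metric breaking ties, as the kernel selects a route."""
    addr = ipaddress.ip_address(dest)
    best = None
    for r in routes:
        if addr in r["dst"]:
            key = (r["dst"].prefixlen, -r["metric"])
            if best is None or key > best[0]:
                best = (key, r)
    return best[1] if best else None


def audit_split_tunnel(route_text, tunnel_dev, vpn_gateway, probes):
    """
    Return a list of (severity, message) for the probe destinations.
    LEAK  - application traffic would leave via a non-tunnel route (split tunnelling)
    BROKE - the VPN gateway itself is routed into the tunnel, so the tunnel cannot
            carry itself
    INFO  - destination sits on the directly connected subnet the tunnel rides on;
            routing alone cannot isolate this, a host firewall has to
    The VPN gateway egressing via the physical NIC is expected and not reported.
    """
    routes = parse_routes(route_text)
    findings = []
    for label, ip in probes.items():
        r = lookup(routes, ip)
        if r is None:
            findings.append(("INFO", f"{label} {ip}: no route"))
        elif ip == vpn_gateway:
            if r["dev"] == tunnel_dev:
                findings.append(("BROKE", f"{label} {ip}: VPN gateway routed into {tunnel_dev}"))
        elif r["dev"] != tunnel_dev:
            sev = "INFO" if r["via"] is None else "LEAK"
            findings.append((sev, f"{label} {ip}: leaves via {r['dev']} ({r['dst']}), not {tunnel_dev}"))
    return findings


# Constructed sample tables (addresses from the RFC 5737 documentation ranges).
# Split tunnel: only the corporate 10/8 goes through tun0, everything else via eth0.
SPLIT_TUNNEL = """
default via 192.168.1.1 dev eth0 metric 100
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.23
"""

# Full tunnel: the two /1 routes override the original default, and a host route
# keeps the VPN gateway (203.0.113.5) reachable via the physical NIC.
FULL_TUNNEL = """
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0 metric 100
203.0.113.5 via 192.168.1.1 dev eth0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.23
"""

PROBES = {
    "internet host": "198.51.100.10",
    "LAN host": "192.168.1.50",
    "VPN gateway": "203.0.113.5",
}

if __name__ == "__main__":
    for name, table in (("split tunnel", SPLIT_TUNNEL), ("full tunnel", FULL_TUNNEL)):
        print(name)
        for sev, msg in audit_split_tunnel(table, "tun0", "203.0.113.5", PROBES):
            print(f"  {sev}: {msg}")
```

Run against the split-tunnel table it reports the Internet host as a LEAK; against the full-tunnel table only the LAN host remains, as INFO, which is the point made in the message: the connected subnet has to keep working so the tunnel has a next hop, so keeping application traffic off the local LAN is a job for the client firewall, not the routing table.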
