If you tell enough stories, perhaps the moral will show up.


The ten-year-old administrator -- your partner in securing your network

Everyone wants SSL VPNs. Apparently they eliminate the risk from malware on the remote workstation -- "It's just a browser window! What can go wrong?"

The question deserves an answer. Here are several:

  1. A hardware or software keylogger can capture the passwords used to access systems within the VPN
  2. A software keylogger can steal one-time passwords and replay them in real time to gain access from an unauthorised site
  3. Configured incorrectly, the gateway can expose local drives to the Citrix session, or vice versa
  4. You can end up with confidential data cached on the insecure remote machine
  5. You have to support a remote machine you know nothing about. Don't bother trying to contact the site admin -- he's at school. He's ten. He really likes animated cursors and he's willing to press "OK" as many times as it takes to get them.

The SSL VPN is still the lesser risk, if the alternative means giving alien machines IP addresses on your network. And this isn't technology you can ignore: it's too useful to pick up your email from a home PC. So you have to set tiers:

  1. Specially built apps can be delivered to absolutely any browser that can rock up to an external address on port 443. Webmail is the classic. OWA is not as terrible as it used to be. Authentication is by a typed one-time password from a token. It's nothing to do with a VPN, but it is SSL, and it might make the users happy all by itself.
  2. Home machines that can install a client that can do basic validation are allowed to see the VPN. The Cisco client can check a Windows machine for surprises in the GINA, XP firewall on, SUS on, and it can create an encrypted desktop cache. Authentication is via the token.
  3. Your own build machines which have current AV and patching are allowed to map drives and use local copies of data. Authentication is via a certificate on the same USB smartcard that unlocks the disk encryption....
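
As an added illustration (not from the original post), the three tiers above expressed as a fail-closed posture policy: every attribute the client fails to report counts as failing, so an unknown machine never gets more than webmail. The attribute names, the requirement that tier 3 also pass the tier 2 client checks, and the capability labels are assumptions made here.

```python
from dataclasses import dataclass
from typing import FrozenSet

# Constructed model of the tiers described above (hypothetical attribute names).
# Every field defaults to "not verified" so a client that reports nothing
# fails closed into the browser-only tier.
@dataclass(frozen=True)
class Posture:
    auth: str = "none"            # "none", "otp_token" or "smartcard_cert"
    client_installed: bool = False
    gina_clean: bool = False      # no unexpected replacement of the logon GINA
    firewall_on: bool = False     # XP firewall enabled
    sus_enabled: bool = False     # automatic updates pointed at the SUS server
    corporate_build: bool = False
    av_current: bool = False
    patches_current: bool = False

# What each tier may do (labels are assumptions, not the post's own names).
TIER_CAPS = {
    0: frozenset(),
    1: frozenset({"webmail"}),
    2: frozenset({"webmail", "vpn", "encrypted_desktop_cache"}),
    3: frozenset({"webmail", "vpn", "map_drives", "local_data_copies"}),
}

def tier_for(p: Posture) -> int:
    """Return the highest tier whose requirements the endpoint fully meets."""
    if p.auth == "none":
        return 0
    tier = 1  # any browser with a valid one-time password gets webmail
    # Tier 2: client installed and every basic validation check passed.
    if p.client_installed and p.gina_clean and p.firewall_on and p.sus_enabled:
        tier = 2
    # Tier 3: assumed to require tier 2 checks plus certificate auth,
    # a corporate build, current AV and current patching.
    if (tier == 2 and p.auth == "smartcard_cert" and p.corporate_build
            and p.av_current and p.patches_current):
        tier = 3
    return tier

def capabilities(p: Posture) -> FrozenSet[str]:
    """Capabilities granted to an endpoint with the given posture."""
    return TIER_CAPS[tier_for(p)]
```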

And the old IPSEC VPN? That's moved over to a need-to-use basis only. We spent all that money, and now only the admins use it!
