Nick Murphy wrote:
> I have a client who is demanding VPN access over a public wireless network
> while they are traveling (T-Mobile hot spots, etc.). This will require the
> installation of a software VPN client on the laptop. After warning them of
> the potential risks they still demand that they have this available, but
> they are allowing me to put together an "as secure as can be" solution.

"Risks"?! This is best practice. There is nothing inherently insecure about wireless networks, as long as you assume that the bad guy is always listening. VPN protocols (the good ones at least: IPSec, and less transparently, SSH and SSL) can withstand that. "Risk" is assuming that WEP is any stronger than a moistened Kleenex :-)

The main actual risk factor here is in allowing a Windows user to have any kind of remote access through your firewall, even if it is done with a direct dialup connection using a highly secure call-back modem. The common failure mode is that the dufus ^W Windows user will go surfing the Web, download some trojan or virus of some kind, and then infect the internal LAN when they connect.

This risk happens even with no remote access to the LAN at all. Dufus goes out surfing the web while on the road, gets infected, and then carries the trojan back inside the LAN and infects your network from the inside. This actually happened to IBM, who had Code Red ranging across their internal network for *months* after it had been more or less stamped out in the wild.

So your real risk factor is letting dufus Windows users out of the room. The VPN (or most any other form of reasonable remote access) is a small risk factor compared to that.

Crispin

--
Crispin Cowan, Ph.D.
http://immunix.com/~crispin/
Chief Scientist, Immunix http://immunix.com
http://www.immunix.com/shop/
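The failure mode Crispin describes (a roaming laptop picks up a worm and then brings it inside, whether over the VPN or by walking back in the door) is something a defender can watch for on the inside. The following is an added example, not code from the thread or from Immunix: it scans Apache combined-format access log lines from an internal web server for Code Red-style probes (the well-known `GET /default.ida?` request followed by a long run of `N` or `X`), attributes each hit to either the VPN client pool or the LAN, and lists the VPN clients that should be cut off until cleaned. The log lines, the VPN pool `10.99.0.0/24`, and all function names are constructed for this example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed address pool handed out to VPN clients (placeholder for this example,
# not a value from the original post).
VPN_POOL = ip_network("10.99.0.0/24")

# Constructed sample log (Apache combined format). Two lines from a VPN client and
# one from a LAN host carry Code Red-style probes; one line is deliberately malformed.
SAMPLE_LOG = """\
10.99.0.23 - - [02/Jun/2003:21:58:01 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 0 "-" "-"
10.99.0.23 - - [02/Jun/2003:21:58:02 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 0 "-" "-"
10.0.5.10 - - [02/Jun/2003:21:58:04 -0700] "GET /index.html HTTP/1.1" 200 2034 "-" "Mozilla/4.0"
10.99.0.44 - - [02/Jun/2003:21:58:05 -0700] "GET /intranet/phonebook HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
10.0.7.200 - - [02/Jun/2003:21:58:06 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 0 "-" "-"
this line is not a valid log entry
"""

# Minimal combined-log-format parser: source IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+'
)

# Code Red probed IIS with GET /default.ida followed by a long run of N (later variants used X).
WORM_PROBE_RE = re.compile(r'^GET /default\.ida\?[NX]{20,}')


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    try:
        entry["ip"] = ip_address(entry["ip"])
    except ValueError:
        return None
    return entry


def is_worm_probe(request):
    """True if the request line matches the Code Red probe signature."""
    return WORM_PROBE_RE.match(request) is not None


def zone_of(ip, vpn_pool=VPN_POOL):
    """Label a source address as a VPN client or an ordinary LAN host."""
    return "vpn" if ip in vpn_pool else "lan"


def find_infected_clients(log_text, vpn_pool=VPN_POOL):
    """Return {ip: {"zone": ..., "probes": n}} for every source that sent at least
    one worm-style probe; VPN clients are listed first since they are the ones
    that can be disconnected at the concentrator."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_worm_probe(entry["request"]):
            counts[entry["ip"]] += 1
    ordered = sorted(counts.items(), key=lambda kv: (zone_of(kv[0], vpn_pool) != "vpn", kv[0]))
    return {str(ip): {"zone": zone_of(ip, vpn_pool), "probes": n} for ip, n in ordered}


def quarantine_candidates(report):
    """VPN clients that should be dropped and kept off until the laptop is cleaned."""
    return [ip for ip, info in report.items() if info["zone"] == "vpn"]


if __name__ == "__main__":
    rep = find_infected_clients(SAMPLE_LOG)
    for ip, info in rep.items():
        print(f"{ip:15} zone={info['zone']} worm_probes={info['probes']}")
    print("quarantine:", quarantine_candidates(rep))
```

The LAN hit from `10.0.7.200` is reported too, because the post's point is that the infection walks in either way; the VPN list is simply the part you can act on immediately by revoking the client's session. In a real deployment the signature set would come from an IDS rule feed rather than a single hard-coded pattern.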
This archive was generated by hypermail 2b30 : Mon Jun 02 2003 - 22:11:38 PDT