In response to my earlier post about wireless security, Stuart made the comment about using VPN to enhance security.
I’ve heard this many times, and it makes sense. I’ve also heard that it actually creates an even greater risk! The thought is, if you have a VPN connection, then you have a "trusted" pipe into your network. But, if your local Internet connection isn't safe, then have you just created a pipe from danger into the guts of your network. The question (to which I do NOT know the answer): if your notebook is on an unsafe network, how does a VPN connection make it safe?
I've heard the analogy: VPN is like a clean pipe with one end in the middle of a cesspool! Please tell me how that's wrong.

The VPN tunnel is encrypted so it is pretty secure, and there are many ways to ensure that only the clients you want to connect to your network can. Aside from just using AD user-authentication, you can require your clients to have a client-side certificate that can be deployed via AD. So without a password and a certificate there's no VPN'ing in. As for ensuring safe use while on external networks, you may look into enterprise-level wireless clients that have the functionality to force your clients to make a VPN connection once a wireless connection has been established. Just some ideas...
Posted by: Stephen | May 31, 2008 at 10:18 PM
Hey Tony, you inspired a comment but it got way too long so I moved it to a blog post: http://infotech.lakeviewchurch.org/2008/05/31/free-wireless-wifi-vpn-security/ :-)
Posted by: David Szpunar | May 31, 2008 at 11:25 PM
The VPN tunnel is only going to allow access from the specific machine that initiates the tunnel, so I really don't see a security risk. Really the only way to get traffic from another machine into the tunnel would be to NAT it, and most VPN clients wouldn't allow that traffic to be passed.
Posted by: Derek Schwab | June 01, 2008 at 11:08 AM
Depends on the VPN. Some let the system (the laptop at Starbucks, in this case) use both the wide-open network connection and the VPN at the same time. Bad from a security point of view.
Others force all traffic to go through the VPN, which means anything they're trying to connect to "out there" is going through your normal firewalls etc. just like your in-home on-network folks. The only difference is that this laptop lived at one time out on the dirtyNet, but that's the same as if they brought the laptop in and hooked it to your network at their desk.
Posted by: Steven Vore | June 01, 2008 at 02:33 PM
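The split-tunnel versus full-tunnel distinction Steven describes comes down to the client's routing table. The following is an added illustration, not code from any commenter or from any VPN product: it does a longest-prefix-match lookup over a constructed routing table for a laptop on a hypothetical hotspot LAN (192.168.1.0/24 on wlan0) with a VPN interface tun0 and a hypothetical corporate range 10.0.0.0/8. The full-tunnel table uses the common trick of two /1 routes that outrank the /0 default. All addresses and interface names are constructed for the example.

```python
import ipaddress

# Constructed routing tables: (prefix, egress interface). Interface and
# address values are hypothetical and exist only for this example.
SPLIT_TUNNEL = [
    ("0.0.0.0/0", "wlan0"),       # default route via the hotspot AP
    ("192.168.1.0/24", "wlan0"),  # the hotspot's own LAN
    ("10.0.0.0/8", "tun0"),       # only the corporate range goes down the VPN
]

FULL_TUNNEL = [
    ("0.0.0.0/0", "wlan0"),       # original default route stays present
    ("192.168.1.0/24", "wlan0"),  # the hotspot LAN remains directly reachable
    ("10.0.0.0/8", "tun0"),
    ("0.0.0.0/1", "tun0"),        # two /1 routes are more specific than the /0,
    ("128.0.0.0/1", "tun0"),      # so all non-local traffic now prefers the VPN
]


def egress_interface(routes, dst):
    """Return the interface a packet to dst leaves on (longest-prefix match)."""
    ip = ipaddress.ip_address(dst)
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def bypasses_vpn(routes, dst, vpn_iface="tun0"):
    """True when traffic to dst never enters the VPN, i.e. it uses the raw local link."""
    return egress_interface(routes, dst) != vpn_iface


def summarize(routes, destinations):
    """Map each destination to its egress interface so the two tables can be compared."""
    return {dst: egress_interface(routes, dst) for dst in destinations}


if __name__ == "__main__":
    sample = ["10.1.2.3", "203.0.113.5", "192.168.1.20"]
    print("split  :", summarize(SPLIT_TUNNEL, sample))
    print("full   :", summarize(FULL_TUNNEL, sample))
```

Running it shows the point of the thread: with the split table, a public address such as 203.0.113.5 leaves on wlan0 alongside the VPN, while with the full-tunnel table it goes down tun0 and through the office firewalls. Note that 192.168.1.20 (another host on the hotspot LAN) still leaves on wlan0 in both cases because the /24 route is more specific than either /1, which is exactly why the laptop stays exposed to its neighbours on the local network regardless of tunnel mode.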
I think the problem is that even when you force all traffic down the VPN, you're STILL connected to an insecure network. If someone is capturing packets, they'll be encrypted - that's good. However, if there is a vulnerability on the laptop (think "firewall turned off"), an attacker could still take over that machine and potentially have access down your tunnel - that's NOT good.
Posted by: Justin Moore | June 01, 2008 at 03:40 PM
The whole issue of having been in a 'dirty' environment is my concern, but Steven makes a good point -- if the machine is compromised, and then brought into the office and connected to the LAN, doesn't the same bad situation exist? (almost). Justin's comment clarifies my concern -- if you're connected to an AP that's out to get you, then it can get your notebook locally -- the VPN is happening after-the-fact, so to speak.
Thanks, all, for your comments!
Posted by: Tony Dye | June 01, 2008 at 05:44 PM