Firewall Wizards mailing list archives

Re: Opinions on VPN?


From: "Paul M. Cardon" <pmarc () cmg fcnbd com>
Date: Mon, 19 Apr 1999 10:45:34 -0500

""Ryan Russell" <Ryan.Russell () sybase com>" thus spake unto me:
: > Just wanted to find out what other people's opinion on 'VPN' as a
: >general idea? IMHO, the person who came up with the VPN idea should be
: >shot, because in most cases all VPNs do is create entry points into your
: >network (in most cases right past the firewall and sometimes in the
: >heart of your network).
:
: Depends... if you've outlawed remote-access entirely, then VPNs
: shouldn't be allowed either (remote-access VPNs, at least.)
: If you allow people to use modems to get into your network,
: then a VPN may be an improvement in security.

The basic rule I like to follow for VPNs is that a VPN alone is only used to  
provide a secured connection between two "networks" that are managed by the  
same entity and that implement the same security policy.  This includes  
knowledge of all other ingress/egress points on the remote network and how  
they are protected as well as physical security implementation.  In other  
words, a VPN is only used by itself if a logical remote extension of an  
existing environment is being created using an untrusted network as  
transport.  If the remote endpoint is another organization, home user, etc.  
then filtering/proxies are deployed to make sure that only appropriate  
traffic is permitted to enter our network from the VPN.

Remember, this is all a function of the policy requirements of your  
organization which may be different from mine.

-paul


