[kwlug-disc] firewall question

[unsolicited]

Raul Suarez wrote, On 02/17/2009 6:45 PM:
> --- On Tue, 2/17/09, unsolicited <unsolicited at swiz.ca> wrote:
> 
>> From: unsolicited <unsolicited at swiz.ca>
>> e.g. Suppose you set up VPN for a laptop user. And the
>> laptop gets stolen. The issues around the technology become
>> much bigger than the technology itself.
> 
> The thief would need to know the password for the remote box

Assuming there is one.

Could be, and probably is, just a certificate.

And if they yank the hard drive out and over-ride permissions ...

This is what I meant by my earlier comment about the (VPN) technology 
being the least of your concerns.

To work around some vulnerabilities, now you encrypt your laptop hard 
drive, or teach or enforce password aging and complexity, and staff up 
to take the additional support calls that will result when they forget 
either password.

So many times technology gets thrown in as the magic bullet, 
neglecting the more significant problem that you're probably more 
likely to be damaged from within than without.

It's hard enough to secure an enterprise without remote users. Best 
practices and all that, always more that can be done, and never enough 
hours in the day. For an attack that will probably never come, but 
since it's a 'bet the business' risk, there's no such thing as too 
much security. Checked your logs today - would you know if you've been 
hacked? Tested your backup?

Remote users just multiply the complexity by a more than exponential 
amount. If the first line of defence is physical security, that just 
got thrown out the window.

I'm not suggesting the value isn't worth it, just that it's hard to 
convince people to not minimize or forget the increased time and 
effort required on the human end.

Job security, I suppose.