[kwlug-disc] firewall question
unsolicited at swiz.ca
Wed Feb 18 00:03:51 EST 2009
Raul Suarez wrote, On 02/17/2009 6:45 PM:
> --- On Tue, 2/17/09, unsolicited <unsolicited at swiz.ca> wrote:
>> From: unsolicited <unsolicited at swiz.ca>
>> e.g. Suppose you set up VPN for a laptop user. And the
>> laptop gets stolen. The issues around the technology become
>> much bigger than the technology itself.
> The thief would need to know the password for the remote box
Assuming there is one.
Could be, and probably is, just a certificate.
And if they yank the hard drive out and override permissions ...
This is what I meant by my earlier comment about the (VPN) technology
being the least of your concerns.
To work around some vulnerabilities, now you encrypt your laptop hard
drive, or teach or enforce password aging and complexity, and staff up
to take the additional support calls that will result when they forget
So many times technology gets thrown in as the magic bullet,
neglecting the more significant problem that you're probably more
likely to be damaged from within than without.
It's hard enough to secure an enterprise without remote users. Best
practices and all that, always more that can be done, and never enough
hours in the day. For an attack that will probably never come, but
since it's a 'bet the business' risk, there's no such thing as too
much security. Checked your logs today - would you know if you've been
hacked? Tested your backup?
Remote users just multiply the complexity by a more than exponential
amount. If the first line of defence is physical security, that just
got thrown out the window.
I'm not suggesting the value isn't worth it, just that it's hard to
convince people to not minimize or forget the increased time and
effort required on the human end.
Job security, I suppose.