While doing firewall policy analyses for customers, I very often come across rules that allow any IP traffic from anywhere outside the perimeter into big portions of the inside networks, but over a VPN link (i.e., encrypted & authenticated).
Let’s put aside the question of whether the authentication is sufficient, and assume that nobody is cracking the passwords. I tend to trust the encryption and believe that no one can snoop the traffic in flight.
My claim is that these rules are very risky and a wonderful vector for all kinds of malware. All those home computers, laptops on the road, etc., are much more at risk of infection than inside computers are. Plus the VPN has the nice side-effect that filters can’t see through the encryption and control (or even log) where the connection is going and what it is doing.
Left to my own devices, I would recommend terminating the VPNs in a DMZ, and putting all the usual controls (anti-virus, mail filter, etc.) between the DMZ and the inside, and I would flag these raw VPN connections as risky, maybe even very risky.
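As an added illustration (not code from the original post), here is a small rule checker in Python that applies the flagging logic described above to a constructed sample policy: the raw "any IP, any service, VPN straight into the inside" rule, beside the DMZ-terminated layout where the VPN only reaches proxies in the DMZ and separate, narrow rules carry traffic from the DMZ to the inside. The zone names, address ranges and the 50% "broad destination" threshold are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed inside address space for the example (an assumption, not from the post).
INSIDE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
]


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str   # "vpn", "dmz" or "inside" (assumed zone names)
    dst_zone: str
    dst: str        # destination in CIDR notation, or "any"
    proto: str      # "any", "tcp", "udp", "icmp"
    port: str       # "any" or a port number as a string
    action: str     # "allow" or "deny"


def exposed_fraction(dst, inside_nets=INSIDE_NETS):
    """Fraction of the inside address space that a destination field covers.

    CIDR blocks either nest or are disjoint, so whenever two blocks overlap
    the overlap is exactly the smaller of the two.
    """
    total = sum(n.num_addresses for n in inside_nets)
    if dst == "any":
        return 1.0
    dst_net = ipaddress.ip_network(dst, strict=False)
    covered = 0
    for net in inside_nets:
        if net.overlaps(dst_net):
            covered += min(net.num_addresses, dst_net.num_addresses)
    return covered / total


def assess(rule, inside_nets=INSIDE_NETS, broad=0.5):
    """Rate an allow rule that goes from the VPN zone straight into the inside zone.

    Returns (level, reasons) with level one of "ok", "risky", "very risky".
    Only vpn -> inside rules are rated, because the concern is the tunnel that
    bypasses the perimeter controls; everything else is reported as "ok" here.
    """
    if rule.action != "allow" or rule.src_zone != "vpn" or rule.dst_zone != "inside":
        return "ok", []
    reasons = []
    frac = exposed_fraction(rule.dst, inside_nets)
    if frac >= broad:
        reasons.append(f"destination covers {frac:.0%} of the inside address space")
    if rule.proto == "any" or rule.port == "any":
        reasons.append("service is unrestricted (any protocol / any port)")
    if len(reasons) == 2:
        return "very risky", reasons
    if reasons:
        return "risky", reasons
    return "ok", reasons


# Constructed sample policy: the raw VPN rule the post complains about, next to
# the DMZ-terminated layout it recommends. Addresses and ports are made up.
RULES = [
    Rule("raw-vpn-into-inside",   "vpn", "inside", "10.0.0.0/8",    "any", "any",  "allow"),
    Rule("vpn-to-dmz-proxy",      "vpn", "dmz",    "192.0.2.10/32", "tcp", "3128", "allow"),
    Rule("vpn-to-dmz-mail",       "vpn", "dmz",    "192.0.2.25/32", "tcp", "587",  "allow"),
    Rule("dmz-proxy-to-inside",   "dmz", "inside", "10.1.1.0/24",   "tcp", "443",  "allow"),
    Rule("vpn-rdp-jump-host",     "vpn", "inside", "10.1.1.50/32",  "tcp", "3389", "allow"),
    Rule("vpn-any-to-fileserver", "vpn", "inside", "10.1.1.60/32",  "any", "any",  "allow"),
]


def report(rules=RULES):
    """Map each rule name to its risk level."""
    return {r.name: assess(r)[0] for r in rules}


if __name__ == "__main__":
    for r in RULES:
        level, reasons = assess(r)
        print(f"{level:10s} {r.name}" + (": " + "; ".join(reasons) if reasons else ""))
```

Run as-is it prints one line per rule; the raw rule comes out "very risky" (broad destination and unrestricted service), an any-service rule to a single host comes out "risky", and the DMZ-terminated rules pass because the VPN never reaches the inside zone directly.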
However, customers uniformly disagree with this argument, and tell me that “traffic coming over a VPN is not perceived as a risk so shut up about it.”
Thoughts anyone? Any credible war stories about malware/abuse traveling over VPNs? Or are the customers right and I’m being paranoid?