I've been having a discussion with several people at work regarding VPNs and firewalls. They contend that because one is using a VPN on a broadband connection, a firewall is not needed. I, being the paranoid kind, say that as long as you are connected to a broadband connection, there's always a chance someone could get in if there is not a firewall there.

What say ye, security gurus?


From my limited knowledge, a VPN connection protects your information between your applications and the VPN server itself. It does not provide complete end-to-end security. Not having a firewall between your broadband connection and your computer leaves that computer open to other types of access that may then be able to access the VPN connection.


We use VPN at work and I have it here. What happens in our case, and I'm by no means an expert so I don't know if it is in every setup, is that I am hooked to the internet just like any DSL subscriber in my town. At work our entire network is set up on the private IP addresses beginning with 10.10 so they don't map to the outside world. When I want to hook up to a computer at work I start up VPN and it creates a "tunnel" back to our network and does the IP translations and everything through, for lack of a better term, a gateway.

I can still get garbage from the internet via DSL. I can still transfer virus-infested files to my work computer. And when I activate VPN, the scumware on my machine will say "Hey, there's a new computer on the network - 10.10.20.32 - let's go visit it."

So in all I'd say your coworkers are not correct just based on observation of how ours works.

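The setup described in the post above, as an added example that is not part of the original thread: a constructed snapshot of a home PC with a DSL interface and a VPN tunnel to a 10.10.x.x office network, checked for which listening services still answer on the broadband side. The interface names, every address except 10.10.20.32, and the listener list are assumptions made for illustration.

```python
import ipaddress

# Constructed sample state for a home PC with DSL plus a VPN client running.
INTERFACES = {"lo": "127.0.0.1", "dsl0": "203.0.113.45", "vpn0": "10.10.20.77"}
ROUTES = [  # (destination network, outgoing interface)
    ("0.0.0.0/0", "dsl0"),      # default route still points at the ISP
    ("10.10.0.0/16", "vpn0"),   # only office traffic enters the tunnel
    ("127.0.0.0/8", "lo"),
]
LISTENERS = [  # (bind address, TCP port, service)
    ("0.0.0.0", 445, "file sharing"),
    ("0.0.0.0", 3389, "remote desktop"),
    ("127.0.0.1", 5432, "local database"),
    ("10.10.20.77", 8080, "intranet agent"),
]

def route_for(dest, routes=ROUTES):
    """Longest-prefix match: which interface carries traffic to dest."""
    addr = ipaddress.ip_address(dest)
    matches = [(ipaddress.ip_network(net), iface) for net, iface in routes
               if addr in ipaddress.ip_network(net)]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def is_split_tunnel(routes=ROUTES, tunnel="vpn0"):
    """True when ordinary internet traffic bypasses the tunnel."""
    # 198.51.100.7 is a documentation address standing in for any public host.
    return route_for("198.51.100.7", routes) != tunnel

def reachable_ports(iface, interfaces=INTERFACES, listeners=LISTENERS):
    """Ports answering on iface: wildcard binds plus binds to its own address."""
    ip = interfaces[iface]
    return sorted(port for bind, port, _ in listeners if bind in ("0.0.0.0", ip))

def needs_firewall(public_iface="dsl0"):
    """Services exposed on the internet-facing side, VPN running or not."""
    ip = INTERFACES[public_iface]
    return [(port, svc) for bind, port, svc in LISTENERS if bind in ("0.0.0.0", ip)]

if __name__ == "__main__":
    print("office host 10.10.20.32 via:", route_for("10.10.20.32"))
    print("split tunnel:", is_split_tunnel())
    print("still exposed on dsl0:", needs_firewall())
```

Starting the VPN adds the `vpn0` route and address but changes nothing about what listens on `dsl0`; only a host or perimeter firewall removes those two ports from the broadband side.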

Sorry, but I'll have to disagree :)

Just because you are on two different networks doesn't mean one can "see" the other. I believe they are separate and the VPN is secure from prying eyes.

See if this helps a little.

h_tp://computer.howstuffworks.com/vpn.htm


I was basing my information partly on http://www.cites.uiuc.edu/vpn/security.html. If you have no firewall, what prevents someone gaining access to your computer and then accessing VPN?

And from your link, Bob:

You should already have a good firewall in place before you implement a VPN, but a firewall can also be used to terminate the VPN sessions.

EVERYONE should have a firewall...:)

But let's say someone did not. They somehow get by all the warnings, they shut off the one supplied by XP and ignore all the information supplied by the techs at their job and get a VPN running. They also have cable or DSL hooked up. I believe this will be two separate networks and one will not be able to talk with the other without some sort of bridge or software link.

It's like NAT, where you have an IP assigned by the ISP for your NIC and your router (or software) reassigns a new IP for your network. They say NAT is a good first layer of security since it's not easy to determine the IPs on the other side. Yes I did NOT say it wasn't possible, just difficult :)

Now I have not set up a VPN at home. I leave my work at the office, I did my share of 24 hour on-calls for 30 years and I am enjoying MY TIME now. So I don't have first-hand experience with it, just a general idea on what I've read about it. So I could of course be way off base...but it may be a little of both.

It may be secure to a degree...just not perfect and there could be a long complicated process that will allow someone to break thru and get into a VPN.

Just adding my two cents to the other side since everyone was saying it was not secure.


Bob,

For your average script kiddie I can't agree more. One should be quite safe on the VPN side. I like to take the approach that nothing is secure enough and one should have all the security they can. At least to the point that it is harder to get past the security than it is to use it.


Bob, you are absolutely right in that Joe Scum sitting out in Internet world won't be able to see my desktop computer while I'm on.

He could, however, infect me with a backdoor (bridging software) through which he can issue commands or a worm that will pounce on my work system the next time I hook up.


Ok, the way I see it happening is like this. 2 programs are needed, a key logger and a backdoor/remote access program. With the key logger they can get access to the VPN username and password. With a BO type program they can start up the VPN client software and gain access to the network.

This is a remote possibility. Now, will a firewall stop this from happening? Maybe, maybe not. These programs can be installed via either email or a rogue web site and bypass the firewall completely. Once installed they could either turn the firewall off or open the ports for outgoing activity.

So is a VPN secure...no. Is it secure enough for the average joe? Yes, I believe so because the average joe is not going to have access to anything worth the trouble and hard work involved to break into a VPN. They probably just use it to read their emails or transfer a spreadsheet or a proposal in MS Word back to the office. Their access to critical data on a VPN network will be limited.

Someone would rather try to attack the CEOs and VPs of a company to see what information they could gain there. And these are the individuals who will have their security departments set up their laptops to stop those prying eyes. And gaining access to them will be a whole lot harder than your average joe.

So is a VPN secure...no. Is it secure enough for the average joe? Yes, I believe so because the average joe is not going to have access to anything worth the trouble and hard work involved to break into a VPN.

This I can agree on.

Steve, if you are on a .gov network then there should be no question that a firewall is needed. Heck, even me on a .rob network has one.


Yeah, I know! But try to convince others of that! What really got me wondering was when the VPN "help desk" told me that I need to remove any firewall program I have running when I use it. I "politely" told them that there was no way under the sun I was gonna do that.

when the VPN "help desk" told me that I need to remove any firewall program I have running when I use it.

That's not good. Sounds like a lazy tech's "quickfix" to connection problems. Instead of walking the users thru the steps necessary to open ports and allowing program access, they take the easy route and just turn the cause of the problem off.

I wonder if the Security department knows this?


I would LOVE to tell them this, but I'm just the low man on the totem pole and as such, I'm not "supposed" to know this much! :huh: I have already passed this up my chain, but who knows where it went after that.
