Auerbach Publications
© 2001 CRC Press LLC
08/01
openly between systems, applications, and users; a VPN simply augments that process and protects the traffic while it crosses the Internet. The process is seamless and transparent, and it accommodates whatever traffic and applications the users need. The result is that internal data is being shared with and used by remote systems that, from the internal network's point of view, behave as if they were internal hosts, even though nothing about their actual state is known.
ACCESS POINTS
Having internal services wholly available to systems residing on internal networks is expected. The internal network is typically a controlled, protected, and monitored environment with security policies and procedures in place. As services and data are accessed internally, the exposure of, and the threat to, that communication is reasonably well known and accepted at some level. Most organizations are aware of security threats on internal networks, but have assumed a level of risk directly proportionate to the value of the assets or the impact of a loss if they were attacked. Much of this comes down to simple population control: organizations accept greater risk to internal resources because there are far fewer people inside than on the Internet, because interaction between those people is required (hence the network exists at all), and because each internal system can be monitored if desired. Basically, while some statistics tell us that internal networks are a growing source of attacks on corporate data, organizations feel confident that they can control what lies within their walls. Even organizations that do not have security policies and may consider themselves vulnerable assume that there is room to grow and to implement security measures as they see fit. Nevertheless, the Internet represents a much greater threat in the eyes of many organizations, and for some of them this is a reality; each is different. The fundamental point is that the Internet is an unknown and will always be a threat, whereas on an internal network specific measures can be taken or the risk can be accepted more readily. In any case, internal networks exist to share information and to collaborate in support of the business, and it is exactly that open interaction that people want from home over the Internet.
VPN technology is a direct contradiction of this assumed posture and of the reach of the organization's control. The internal network, where applications, services, and data reside, is considered safe by virtue of firewalls, procedures, and processes overseen by administrators focused on maintaining security in some form or another. However, the nature of a VPN undermines the basic premise of corporate security and the security attitude that follows from it: a remote VPN client is granted the access of an internal host while sitting outside the perimeter, on a network and a machine the organization does not control. Attackers who may have been thwarted by hardened corporate firewalls may find remote VPN clients much easier targets that yield the same results, because a compromised client inherits the tunnel and the access that comes with it.
On the whole, administrators are constantly applying security patches,
updating processes, and performing general security maintenance on crit-
ical systems to protect them from vulnerabilities. Meanwhile, these vul-