Auerbach Publications
© 2001 CRC Press LLC
08/01
nerabilities remain on end-user systems, whose users are much less likely to maintain their systems with the same rigor. Even where an advanced user introduces a comprehensive protection plan, many remote systems do not run enterprise-class operating systems and are inherently insecure. Microsoft's Windows 95 and 98 platforms are currently installed on the majority of personal or end-user class systems and are well known for their limited security capabilities and limited overall robustness; such fundamental flaws weaken any security applied on top of them.

Taken together, the attributes of a common VPN implementation cancel out the security infrastructure applied at the corporate site. Nearly every aspect of Internet-facing protection is invalidated the minute a user connects to the corporate network over a VPN. A single point of protection is effective only if the protected network does not interact with the volatile environment that point of protection is meant to keep out.
ENVELOPE OF SECURITY
To fully grasp this immense exposure, envision a corporate network segmented from the Internet by an arsenal of firewalls and intrusion detection systems, and suppose even that armed guards protect the building housing a private community of systems. Assume that the data on the network is shared and accessed in the open while on the internal network. Each participating system is protected and controlled equally by the establishment.
Now take one of those systems to an uncontrolled remote location and build a point-to-point connection to the corporate network with modems. The remote computer is still isolated: it is connected to no untrusted system other than the phone system. The communication itself is relatively anonymous, and intercepting it would be complicated even if the line were discovered. Further, as in a VPN, encryption can be applied to the protocol over the phone line for added protection.
Next, take the same system at the remote location, connect it to the Internet, and establish a VPN to the corporate network. The system is now exposed to influences well beyond the control that existed when the computer was at the corporate office; still, the same access is being permitted.
In the foregoing three examples, security degrades as the computer is moved from a controlled environment to a remote location and dial-up access is provided. The risks range from theft of the system to the remote chance of the transmission being captured on the telephone network, but the overall security of the system and its information remains relatively intact. When the remote computer is placed on the Internet, however, the exposure to threats and the risk of operation increase sharply.
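The three scenarios above, as an added reachability model that is not part of the original chapter: each scenario is a small directed graph of network zones, and a breadth-first search asks whether traffic originating in an untrusted zone (the Internet or the phone network) has any path to the corporate LAN. The corporate perimeter is modelled as the absence of a direct Internet-to-corporate edge, which holds in every scenario; what changes is whether the remote host itself becomes a hop. The zone names, the edges, and the fourth, hardened scenario (a remote host that drops everything outside the tunnel and sends all its own traffic through it) are this example's own assumptions, going one step beyond the chapter, which describes only the first three.

```python
"""Reachability model of the remote-access scenarios (added example, not
from the original chapter). Zone names and edges are constructed here."""
from collections import deque

# graph[zone] = set of zones that traffic originating in `zone` can reach
# directly. No scenario has an "internet" -> "corp_lan" edge: the corporate
# firewalls and IDS are assumed to stop Internet traffic at the perimeter.
SCENARIOS = {
    # Laptop on the corporate LAN, inside the envelope of protection.
    "office": {
        "internet": set(),
        "corp_lan": {"laptop"},
        "laptop": {"corp_lan"},
    },
    # Laptop at a remote site on a point-to-point modem link to corp.
    # Only the phone network touches it.
    "dialup": {
        "internet": set(),
        "phone_network": {"laptop"},
        "laptop": {"corp_lan", "phone_network"},
        "corp_lan": {"laptop"},
    },
    # Laptop on the Internet with a VPN tunnel to corp and no host firewall:
    # anything on the Internet can reach the laptop's public address, and the
    # laptop is trusted on the corporate side of the tunnel.
    "internet_vpn": {
        "internet": {"laptop"},
        "laptop": {"corp_lan", "internet"},
        "corp_lan": {"laptop"},
    },
    # Assumed hardened variant (this example's own extension): the laptop
    # drops all inbound traffic that is not part of the tunnel and forces
    # all of its outbound traffic into the tunnel, so it is no longer a hop.
    "internet_vpn_hardened": {
        "internet": set(),
        "laptop": {"corp_lan"},
        "corp_lan": {"laptop"},
    },
}

# Zones whose traffic the corporate perimeter is meant to keep out.
UNTRUSTED_ZONES = ("internet", "phone_network")


def find_path(graph, src, dst):
    """Breadth-first search; returns the hop list src..dst, or None."""
    parent = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in graph.get(node, ()):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


def untrusted_paths(scenario):
    """For each untrusted zone, the path (if any) into the corporate LAN."""
    graph = SCENARIOS[scenario]
    return {zone: find_path(graph, zone, "corp_lan") for zone in UNTRUSTED_ZONES}


def internet_path_to_corp(scenario):
    """Shortcut: can an Internet-sourced packet reach the corporate LAN?"""
    return untrusted_paths(scenario)["internet"]


if __name__ == "__main__":
    for name in SCENARIOS:
        for zone, path in untrusted_paths(name).items():
            shown = " -> ".join(path) if path else "no path"
            print(f"{name:24s} from {zone:14s} {shown}")
```

Only the unhardened Internet scenario yields an Internet-to-corporate path, and it runs straight through the remote host, which is the point of the passage: the perimeter is intact, yet the envelope is not, because the protected network now interacts with the environment the perimeter was built to exclude.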
In the beginning of the example, the systems reside in an envelope of protection, isolated from unauthorized influences by layers of protec-