Auerbach Publications © 2001 CRC Press LLC 08/01

created by the security measures. Therefore, to get to the information, an attacker would have to penetrate, circumvent, or otherwise manipulate operational conditions to obtain the data or the means to access it more directly (see Exhibit 6).

With the advent of VPNs, the remote system is permitted a protected connection with the corporate data, inside the enclave of known risks and threats. It is assumed that the VPN protects the communication and stretches the security outward from the corporate site to the remote location. Unfortunately, this assumption has overlooked an essential component of VPNs — the Internet. Now, as shown in Exhibit 7, an attacker can access corporate data on a system that is completely exposed and under the control of a common user, not under the protection of the technology or experience found at the corporate site.

EXHIBIT 6 — Attacker Must Attempt Access to Corporate Data Directly, the Most Difficult Path

[Figure labels: Internet; Network; Modem; Phone System; Internet Access Device; Modem; Firewall; Remote User; Established Security Envelope; Attacker; Internet-Based Attacks on Corporate Information; Extended Security Envelope (Reduced Slightly); Added Risk Associated with Connection at Corporate Site; Access to Internal Network and Data; Isolated Point-to-Point Connection]