NetSec Letter #14, 23 November 2001
Do We Really Need VPNs?

Fred Avolio
Avolio Consulting, Inc.
http://www.avolio.com/

The year 2001 will be remembered as the year of the VPN (Virtual Private Network). Okay... what do I know? I predicted this in 1998 and 1999 ( http://www.avolio.com/articles/VPNques.html). I wasn't alone, but that doesn't make me less wrong in my prediction. More recently, I've been co-teaching (with Dave Piscitello and Joel Snyder) two VPN classes in the U.S. at Networld+Interop, and it certainly seems like remote access VPNs have taken off. But there seems to be some disagreement as to how useful they are.

In the May 2001 >Information Security Magazine, Peter Tippet's column ( http://www.infosecuritymag.com/articles/may01/columns_executive_view.shtml) is entitled "The Crypto Myth: If you assume SSL is essential to Internet security, guess again."

In TISC Insight Volume 2, Issue 18 ( http://tisc.corecom.com/newsletters/218.html), security consultant Mandy Andress, in a column called "Personal Firewalls" wrote, "The most cost-effective solution available today is a remote access Virtual Private Network (VPN), which is why they are gaining popularity in record numbers. A VPN solves the problem of how to protect sensitive information as it travels across a public network..."

Why the disconnect? Are encrypted connections important, or aren't they? That's what we're looking at this month.

Where Are We Vulnerable?

In order to determine if we need VPNs (and by extension, any encrypted connections), we have to decide if we're vulnerable to any attack without them. Yes, unencrypted network connections are vulnerable to attack, but what are the risks? How easy or likely is it that someone can sniff our network traffic? If we break this analysis down further, we have to answer that question for the different environments over which the packets flow: the Internet backbone, the segment from the ISP to a remote office, the segment from an ISP to the home or remote user, and the corporate LAN. In the risk analysis, Tippet suggests we determine the risk by combining the threat value--how likely is it and how often have we seen such attacks, our vulnerability--how likely is a successful attack, and event cost--how much will a successful attack cost us? Let's do the risk analysis.

Threat. Is it possible? Sure. Do known attacks exist? There are plenty of them. How often does such an attack occur? It depends. (This is a very significant answer in security, ranking right up there with "I don't know." Seriously.)

Vulnerability. How likely is it? It depends. What is the probability of a successful attack? It depends. (Uh-oh.)

Event cost. How much will a successful attack cost us? You guessed it... it depends.

It depends on what? It depends on many things. It depends on who we are for one thing. Are we the CIA, Avolio Consulting, Inc., or Joe Random User? It depends on what we are trying to protect. Are we protecting state secrets, identities of covert operators on overseas assignment, or a personal credit card number? It depends on whom we're up against. Is our potential adversary a foreign government, a corporate competitor, or is it the high school kid down the block? It also depends on what it is worth to them. Are we protecting plans to a $3B missile program, product plans worth $1M in sales, or a $100 MP3 player purchase?

If we're protecting Joe Random User's charge card number, the threat is fairly low. Such attacks just haven't really happened (remember, I'm not talking about grabbing credit card numbers from a poorly secured server). The vulnerability may be low, or it may be high. Sniffing packets off the Internet backbone is hard. Sniffing them off the cable in your neighborhood is easy for that neighborhood teenager. Grabbing them from your network at work is trivial. But for Joe Random User, the cost is low. The charge card company won't hold him liable for the fraud, or at least for no more than $50 (and not even that for some cards for Internet purchases), though Joe might find it a hassle to replace the card with another.

If you are protecting battle plans for Operation Enduring Freedom (okay, you don't use the Internet, but for example), the vulnerability still might be near zero over the Internet backbone, but it is greater on the other parts of the network I mentioned. And the cost of losing the data might be catastrophically high.

Do We Bother?

Does Joe Random User bother to use encryption? Not if it costs him more than $50 he doesn't. But it costs him nothing. His browser comes with crypto built right in. So of course he uses it. And he might even be so paranoid as to never do anything confidential unless he sees that little locked lock icon. But this is really the wrong question. To support Joe's paranoia, the Internet "store front" has to spend money on certificates. Server software, and the like. So, Joe is paying for it, albeit in a way that is not obvious, and does not hurt. If he is really paranoid, he needs to remember that there is no little icon to tell him if his charge card number can be stolen from the web server.

Do we bother to use VPNs if we are protecting battle plans? Sure. Do we bother for corporate data? It depends. The easist place to sniff packets is off the corporate network. Do you need to encrypt that traffic inside your network? It depends on the nature of the traffic. It is next easiest to pull from a common cable connection used by your teleworkers and the kid down the block or from the LAN on a high-speed connection in a hotel. Remote client VPNs are a good bet there. Ask the same questions, and do the math. And put the protection where it will do the most good. ##

Promotions, Self and Otherwise

Last month's column ( http://www.avolio.com/columns/13.html) addressed network security lessons to learn in light of September 11 (and how many other dates are there that one can just use without any further description). Since publishing that column I have flown coast-to-coast on United Airlines. I had my eyeglass screwdriver confiscated. "Too sharp." (The very polite -- I am not being sarcastic -- young man with the automatic rifle told me I could go back out to the ticket counter and have United mail it to me, but I didn't bother.) My brass-barreled ballpoint pen one could probably jam through someone's skull? No problem. There are still no metal knives in first class. In fact, the restaurant I lunched at in Denver International had only plastic knives also; the other utensils were metal. I talked about this with a United pilot who was in the seat next to me on my flight, and he agreed that the forks are more formidable weapons. (I hope no one heard us.)

I just put a column I wrote for WatchGuard on my web site. It is called, "Secrets of Security Policy Development Revealed!" At the risk of hurting my consulting business, I reveal secrets heretofore known only to the "Arch Mages" of Internet Security. Find it at http://www.avolio.com/columns/SecPolSecrets.html.

A column I wrote for them on biometrics somehow slipped by my notice. It is from a year or more ago, called, "Biometrics: Coming of Age." It is still relevant and timely. I'm not sure what that says about biometrics (yes, I am). It is at http://www.avolio.com/columns/biometrics.html.

Finally, an old item pertinent to the above discussion is from a Q&A I did for CSI's Alert newsletter. "Some Important VPN Questions Answered," http://www.avolio.com/articles/VPNques.html.