Fred Avolio
Avolio Consulting, Inc.
http://www.avolio.com/
The year 2001 will be remembered as the year of the VPN (Virtual Private Network). Okay… what do I know? I predicted this in 1998 and 1999 (http://www.avolio.com/articles/VPNques.html). I wasn’t alone, but that doesn’t make me less wrong in my prediction. More recently, I’ve been co-teaching (with Dave Piscitello and Joel Snyder) two VPN classes in the U.S. at Networld+Interop, and it certainly seems like remote access VPNs have taken off. But there seems to be some disagreement as to how useful they are.
In the May 2001 TISC Insight, Volume 2, Issue 18 (http://tisc.corecom.com/newsletters/218.html), security consultant Mandy Andress, in a column called “Personal Firewalls,” wrote, “The most cost-effective solution available today is a remote access Virtual Private Network (VPN), which is why they are gaining popularity in record numbers. A VPN solves the problem of how to protect sensitive information as it travels across a public network…”
Why the disconnect? Are encrypted connections important, or aren’t they? That’s what we’re looking at this month.
Where Are We Vulnerable?
In order to determine if we need VPNs (and by extension, any encrypted connections), we have to decide if we’re vulnerable to any attack without them. Yes, unencrypted network connections are vulnerable to attack, but what are the risks? How easy or likely is it that someone can sniff our network traffic? If we break this analysis down further, we have to answer that question for the different environments over which the packets flow: the Internet backbone, the segment from the ISP to a remote office, the segment from an ISP to the home or remote user, and the corporate LAN. In the risk analysis, Tippet suggests we determine the risk by combining the threat value (how likely is it, and how often have we seen such attacks?), our vulnerability (how likely is a successful attack?), and the event cost (how much will a successful attack cost us?). Let’s do the risk analysis.
Threat. Is it possible? Sure. Do known attacks exist? There are plenty of them. How often does such an attack occur? It depends. (This is a very significant answer in security, ranking right up there with “I don’t know.” Seriously.)
Vulnerability. How likely is it? It depends. What is the probability of a successful attack? It depends. (Uh-oh.)
Event cost. How much will a successful attack cost us? You guessed it… it depends.
It depends on what? It depends on many things. It depends on who we are, for one thing. Are we the CIA, Avolio Consulting, Inc., or Joe Random User? It depends on what we are trying to protect. Are we protecting state secrets, identities of covert operators on overseas assignment, or a personal credit card number? It depends on whom we’re up against. Is our potential adversary a foreign government, a corporate competitor, or is it the high school kid down the block? It also depends on what it is worth to them. Are we protecting plans to a $3B missile program, product plans worth $1M in sales, or a $100 MP3 player purchase?
If we’re protecting Joe Random User’s charge card number, the threat is fairly low. Such attacks just haven’t really happened (remember, I’m not talking about grabbing credit card numbers from a poorly secured server). The vulnerability may be low, or it may be high. Sniffing packets off the Internet backbone is hard. Sniffing them off the cable in your neighborhood is easy for that neighborhood teenager. Grabbing them from your network at work is trivial. But for Joe Random User, the cost is low. The charge card company won’t hold him liable for the fraud, or at least for no more than $50 (and not even that for some cards for Internet purchases), though Joe might find it a hassle to replace the card with another.
If you are protecting battle plans for Operation Enduring Freedom (okay, you don’t use the Internet, but for example), the vulnerability still might be near zero over the Internet backbone, but it is greater on the other parts of the network I mentioned. And the cost of losing the data might be catastrophically high.
Do We Bother?
Does Joe Random User bother to use encryption? Not if it costs him more than $50 he doesn’t. But it costs him nothing. His browser comes with crypto built right in. So of course he uses it. And he might even be so paranoid as to never do anything confidential unless he sees that little locked lock icon. But this is really the wrong question. To support Joe’s paranoia, the Internet “store front” has to spend money on certificates, server software, and the like. So, Joe is paying for it, albeit in a way that is not obvious and does not hurt. If he is really paranoid, he needs to remember that there is no little icon to tell him if his charge card number can be stolen from the web server.
Do we bother to use VPNs if we are protecting battle plans? Sure. Do we bother for corporate data? It depends. The easiest place to sniff packets is off the corporate network. Do you need to encrypt that traffic inside your network? It depends on the nature of the traffic. It is next easiest to pull from a common cable connection used by your teleworkers and the kid down the block, or from the LAN on a high-speed connection in a hotel. Remote client VPNs are a good bet there. Ask the same questions, and do the math. And put the protection where it will do the most good.
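The “do the math” step above, as an added example that is not part of the column: the threat × vulnerability × event cost arithmetic the column attributes to Tippet, applied per network segment, and then compared against what it would cost to encrypt that segment. Every number (sniffing likelihood per segment, attempts per year, control costs) is a constructed placeholder, not a figure from the column; only the segments, the $50 liability cap and the $1M product plans come from the text.

```python
"""Added example (not the column's own): per-segment risk arithmetic
for deciding where encryption is worth paying for.
All numeric values are constructed for illustration."""
from dataclasses import dataclass

# The four segments the column walks through, with a constructed
# "how easy is it to sniff here" rating in [0, 1] (0 = near impossible).
SEGMENT_VULNERABILITY = {
    "internet_backbone": 0.01,     # hard
    "isp_to_remote_office": 0.10,
    "isp_to_home_user": 0.60,      # shared neighbourhood cable
    "corporate_lan": 0.90,         # trivial, per the column
}

# Constructed yearly cost of deploying encryption on each segment.
CONTROL_COST = {
    "internet_backbone": 500.0,
    "isp_to_remote_office": 2000.0,
    "isp_to_home_user": 300.0,     # remote-client VPN per teleworker
    "corporate_lan": 20000.0,      # encrypting internal traffic is costly
}

@dataclass
class Scenario:
    name: str
    threat: float       # expected sniffing attempts per year (constructed)
    event_cost: float   # dollars lost per successful attack

def segment_risk(s: Scenario) -> dict[str, float]:
    """Annualised risk per segment = threat x vulnerability x event cost."""
    return {seg: s.threat * v * s.event_cost
            for seg, v in SEGMENT_VULNERABILITY.items()}

def worth_encrypting(s: Scenario, control_cost: dict[str, float]) -> list[str]:
    """Segments whose expected loss exceeds the yearly cost of encrypting
    them, ordered with the largest net benefit first."""
    risk = segment_risk(s)
    candidates = [(risk[seg] - control_cost[seg], seg)
                  for seg in risk if risk[seg] > control_cost[seg]]
    return [seg for _, seg in sorted(candidates, reverse=True)]

# Joe's exposure is capped at $50 liability; the corporate case uses the
# column's $1M product plans. Attempt rates are constructed.
JOE = Scenario("Joe Random User", threat=2.0, event_cost=50.0)
CORPORATE = Scenario("Product plans", threat=5.0, event_cost=1_000_000.0)

if __name__ == "__main__":
    for s in (JOE, CORPORATE):
        print(s.name, "->", worth_encrypting(s, CONTROL_COST) or "nothing")
```

With these placeholder numbers Joe encrypts nothing (his loss never exceeds the control cost), while the corporate case encrypts every segment, the LAN and the teleworker cable first, which is the column’s “put the protection where it will do the most good.”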
Promotions, Self and Otherwise
Last month’s column (http://www.avolio.com/columns/13.html) addressed network security lessons to learn in light of September 11 (and how many other dates are there that one can just use without any further description). Since publishing that column I have flown coast-to-coast on United Airlines. I had my eyeglass screwdriver confiscated. “Too sharp.” (The very polite — I am not being sarcastic — young man with the automatic rifle told me I could go back out to the ticket counter and have United mail it to me, but I didn’t bother.) My brass-barreled ballpoint pen one could probably jam through someone’s skull? No problem. There are still no metal knives in first class. In fact, the restaurant I lunched at in Denver International had only plastic knives also; the other utensils were metal. I talked about this with a United pilot who was in the seat next to me on my flight, and he agreed that the forks are more formidable weapons. (I hope no one heard us.)
I just put a column I wrote for WatchGuard on my web site. It is called “Secrets of Security Policy Development Revealed!” At the risk of hurting my consulting business, I reveal secrets heretofore known only to the “Arch Mages” of Internet Security. Find it at http://www.avolio.com/columns/SecPolSecrets.html.
A column I wrote for them on biometrics somehow slipped by my notice. It is from a year or more ago, called “Biometrics: Coming of Age.” It is still relevant and timely. I’m not sure what that says about biometrics (yes, I am). It is at http://www.avolio.com/columns/biometrics.html.
Finally, an old item pertinent to the above discussion is from a Q&A I did for CSI’s Alert newsletter: “Some Important VPN Questions Answered,” http://www.avolio.com/articles/VPNques.html.