Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-Microsoft
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Shared drives through a firewall

from [James (njan) Eaton-Lee] Network Security [Permanent Link]
Subject: Re: Shared drives through a firewall
Date: Thu, 22 Mar 2007 20:30:20 +0000
Bryan Ponnwitz wrote: 
If you're worried about connection security, just use a VPN.  Or better
yet, if the servers are both Win2K or better, use IPSec.  IPSec is
Microsoft's recommended solution for extending domain communications to
another LAN across the Internet.  I've read the KB article on it, but
don't have time to look for it right now.

IPSec/VPN mitigates some of the security issues pertaining to this scenario, but it doesn't solve all of the issues, and it raises some of its own.

The OP mentioned performance issues - VPNs certainly don't resolve this issue, and would almost certainly make it worse, especially on a bad/latent connection. Depending upon who the users of this infrastructure are and how it's implemented, there are the obvious VPN NAT/reliability concerns too.

A badly implemented VPN, or one implemented with equipment not capable of packet filtering on VPN traffic (as is common in environments in which people consider such nasty things as opening SMB traffic up to the internet) would allow clients - albeit authenticated clients - access to the entire internal network. Again, depending upon the identity of the users of this infrastructure are, this might be highly undesirable.

A VPN or IPSec solution is also going to be harder to support, and potentially make you very unpopular with whoever supports third party clients when users don't have the rights necessary to configure a VPN, install certificates, or setup IPSec (SMB/HTTP/FTP all work as a limited user).

They're also very likely to be affected by outbound firewalling on third party LANs, too...

In short: I'm not saying that VPNs can't help, you just need to use them carefully; they're not a panacea, and they're far from ideal for a range of scenarios!

 - James

--
  James (njan) Eaton-Lee | UIN: 10807960 | http://www.jeremiad.org

  "The universe is run by the complex interweaving of three
  elements: Energy, matter, and enlightened self-interest." - G'Kar

 https://www.bsrf.org.uk | ca: https://www.cacert.org/index.php?id=3
--

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Administrivia: Farewell, mfossi
Next by Date:  Re: Shared drives through a firewall, James (njan) Eaton-Lee
Previous by Thread:  RE: Shared drives through a firewall, Bryan Ponnwitz
Next by Thread:  RE: Shared drives through a firewall, Bryan Ponnwitz
Indexes:  [Date] [Thread] [Top] [All Lists]