Ok, I was confused with the original SecurityCatalyst post that VPNs were not security devices, but I saw this again from cdman over at Hype-Free along with the statement that NAT is also not a security measure.
Perhaps I am missing something, but is that correct? I may not consider NAT's first purpose to be a security purpose, but it certainly does help. Would I rather have (or feel more secure) using a NAT device or by direct one-to-one mapping to a publicly routable IP? Would I rather have people make remote connections over the Internet alone or with a VPN? These answers seem fairly obvious to me, and so do the reasons for those answers.
I understand that a VPN does not give absolute security. I also understand NAT only goes so far and its real purpose was to avoid the problem with the “limited” address space of IPv4.
The frustration is that these really do offer some security, whether by design or by coincidence. We try very hard to tell people and organizations to do secure things, but to say a VPN is not a security device? Talk about confusing everyone, including the techs.
3 thoughts on “what are security measures?”
I am going to separate the two issues at hand. Firstly, I agree with you on face value that NAT is better than no-NAT. However, you will now find in Linksys and perhaps other vendor’s router/AP equipment a “firewall rule” section. Obviously, they feel that such functionality is necessary to enhance the basic security of NAT.
As for the VPN issue, let me try to clarify. The point of firewalls and perimeter architecture is to define a zone where the inside of the network is trusted and the outside is not. To evolve out of the primordial soup and get away from POTS dialup, there needed to be a method to use the Internet for remote access. The VPN provides this remote access. When encryption is used (remember, with IPSec it's not required) the information is protected, as is the connection handshake.
The issue arises when the security measures stop with creating the VPN tunnel. I wouldn’t let a remote user connect directly to my network from Starbucks, so why would I allow that same connection through a VPN? The VPN is only a tunnel. We still need to observe and control what comes through it. Similarly, our security measures don’t stop when we open port 80 in the firewall to allow access to a website. We install IDS, we design tiered architectures, and we harden the web server.
I guess the crux of the matter is consistency. The VPN is the back door of the shop. It needs a camera, locks, and an alarm just as much as the front door does.
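The "back door needs a camera and locks too" point, as an added example that is not from the original post or this comment: an nftables forward-chain ruleset that treats the VPN interface like any other untrusted ingress instead of accepting everything that arrives through the tunnel. Interface names (wg0 for the tunnel, eth0 for the LAN), the internal server address and the allowed ports are assumptions for illustration.

```nft
# Added example (assumed names/addresses): the VPN tunnel gets the same
# scrutiny as the WAN. Compare the weak posture, which trusts the tunnel:
#
#   chain forward { type filter hook forward priority 0; policy accept; }
#
# with a posture that observes and controls what comes through it:
table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to sessions that were already permitted.
        ct state established,related accept

        # LAN hosts (the trusted "inside" zone) may initiate outbound sessions.
        iifname "eth0" accept

        # Remote VPN users reach only the services they need on one host
        # (assumed: HTTPS and SSH on 10.0.0.10); every new session is logged,
        # which is the "camera" on the back door.
        iifname "wg0" ip daddr 10.0.0.10 tcp dport { 443, 22 } \
            ct state new log prefix "vpn-new: " accept

        # Anything else arriving over the tunnel is logged and dropped, so the
        # tunnel cannot hide from you what others are passing through it.
        iifname "wg0" log prefix "vpn-drop: " drop
    }
}
```

Load with `nft -f` on the gateway that terminates the tunnel; the `vpn-new:` and `vpn-drop:` prefixes give the IDS or log pipeline the same visibility over tunnel traffic that it has over the front door.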
I agree with David. Neither is designed as a security measure so much as a way to obscure. They do provide some security and are better than nothing.
With the VPN it is a tunnel that both good and bad traffic can cross. So even though it can hide from others what you are passing, it can also hide from you what others are passing.
I think in principle we do agree, and I took a slight extreme in my post. 🙂 This is one of those “discussions” that can occur in IT that needs a good deal of, “whoa, let’s define our terms first” so that we’re not getting all passionate and ensconced while arguing the same things, hehe.
I will say, though, that it is amazingly confusing to less technical people when we say VPNs add to security but they’re not security devices. That’s the kind of “headspin” that can cause people to throw their hands in the air and give up.