I read a very interesting blog post this morning that brought into context a conversation we were having regarding a site to site VPN connection. Before getting into the ISA Firewall and the VPN connection issue, let me boil down what was said in the blog post. The author, Jeff Dray, was recounting an early job interview when he first got into the computer business. One of the questions was "if I were to tell you to enter a certain key sequence that would delete all data in the organization, would you do it?". Jeff told his potential future boss that he would ask him to repeat the request, clarify the effects of the request, and then if he couldn't get a reasonable answer, Jeff would go over his interviewer's head. Apparently this was the right answer, since he got the job.
This was an interesting conversation because it brings to mind that there are people within an organization who may be interested in sabotaging the network in order to bring down a business. In fact, insider threats have taken over from outsider attacks as the major cause of data loss and corruption over the past five years. For this reason I think it's more important than ever for you to think about the security implications of the requests you get from your superiors, because dumb requests might be more than they seem -- they might be conscious attempts to ruin the business by compromising the network. Sort of a electronic form of arson.
Now back to our story about the site to site VPN and the ISA Firewall. Someone mentioned that his boss wanted him to set up a site to site VPN between his home network's NAT device and the ISA Firewall at the main office. This person came to the mailing list asking for technical details on how to implement this solution. What do you think of this request? Is this a pure technical problem or could there be more insidious issues that lie outside the technical problems?
My first thought was to think of the security issues of this configuration before getting into the technical issues of setting up the site to site VPN. Think about it. The boss wants to connect his unmanaged, unprotected network to the main office through a full site to site VPN. What kind of machines are on the boss' network? The kids' laptops? The media center PC? A kitchen computer? How many worms, viruses and Trojans live on his network? What will happen when the company network is completely opened up to this untrusted network?
My first thought was that the boss just didn't understand the security implications and that the person requesting the technical support should explain these issues to him. A better solution is to create a remote access client VPN connection and then use firewall access controls to control what can be done over the remote access client VPN.
What didn't occur to me at the time is the possibility that the boss knew exactly what he was doing, and was setting up our admin to take a fall for putting together a solution that would sabotage the network. In this case, I would recommend that the admin do what Jeff Dray did -- explain to the boss the security issues, repeat the security issues, determine that the boss understands the security issues and wants to go ahead with the dangerous plan, and then if he does want to go ahead with the dangerous plan, go over his head to confirm that this is company policy in spite of the exceptional risks it imposes to the company's existence.
Check out Jeff's blog post at http://blogs.techrepublic.com.com/helpdesk/?p=191&tag=nl.e036 for more insight into this issue.
Thomas W Shinder, M.D.
GET THE NEW BOOK! Go to http://tinyurl.com/2gpoo8
Email: [email protected]
MVP - Microsoft Firewalls (ISA)