[lopsa-discuss] hardware VPN devices for laptops?

Trey Harris trey at eecs.harvard.edu
Tue Dec 20 22:34:12 PST 2005


In a message dated Tue, 20 Dec 2005, unix fan writes:
> Who was the masked man that suggested that?
> I thought the "pure hardware" advantage was encryption
> speed.

That's one.  Another is that you may not trust Microsoft or whatever other 
vendor produces your software VPN solution, and may not have the expertise 
or resources to vet and maintain an open-source or in-house software 
solution.

Another is that, with a software VPN, you're handing people a 
general-purpose computer; you can't guarantee that they won't violate 
policy by, say, routing their home LAN through your corporate firewall via 
the VPN (they could very well do this unintentionally!).

With a hardware VPN, it's a network device that you can control.  Since it 
has two interfaces (one to your computer, one to the internet), you can 
(and should) make it a firewall, setting up a (relatively lax) DMZ for 
every machine that connects to your VPN head.  "Don't plug anything into 
this thing except your company-issued laptop, and never plug your laptop 
into anything but this" is then an effective rule that even the most 
non-technical employee can understand.  Accompany that by "violate either 
rule and we will know and you WILL be terminated" in big red letters and 
they'll get the idea.

The firewalling works both ways, too.  With a software VPN, you never know 
whether malware is exposing your corporate network to intruders.  With a 
hardware VPN, malware may still cause problems internally on your network, 
but you can still maintain a zero-tolerance policy of exposing 
general-purpose computers directly to the internet--which you can't with a 
software VPN.

What do you do, with a software VPN, if you have to buy Wi-Fi hotspot 
access before connecting?  You trust the software firewall to protect you 
while you connect your computer directly to the wild network--if you're 
infected with malware or have an insecure OS image, game over.  With a 
hardware VPN, it can firewall your computer from the wild network, while 
it serves as a bastion for HTTP and HTTPS while you complete the purchase.

> Can you elaborate on the "reconfiguration" problem?
> I'm on my 2nd generation SecurID card (the first died
> after 5 years - battery life) and I never required
> reconfiguration that I know of (i.e., if that means
> mucking about with the destination configuration). I
> did add a destination once - no big deal.

The configuration issue is not one that I raised.  Undoubtedly a software 
VPN, properly managed, can have just as little configuration as a hardware 
VPN.  But unlike the software VPN, the window for the user to screw up the 
hardware VPN can be almost completely eliminated.  If, like Adam and 
myself, you have devices that are custom-built, you can even have the 
"restore factory parameters" button result in something that's usable, not 
a doorstop.

Some configuration will always be required, if only to set a static IP 
when DHCP is unavailable, discover and select an appropriate Wi-Fi access 
point and enter a key if required, and so on.

> I've seen the VPN hardware that Trey and some others carry about. 
> portable? yes; small? It doesn't pass the "fits in your shirt pocket" 
> test. And I have to wonder if the "reconfiguration" issue that you're 
> worried about doesn't occur there as well.

Well, mine's Velcroed to the lid of my laptop, so I've never had any 
reason to put it in any pocket.

I don't see any reason why a PCMCIA card couldn't work just as well, 
except that a) my laptop doesn't have a PCMCIA slot, and b) a truly 
paranoid laptop-security policy will disable the PCMCIA drivers... (And 
I'm not sure that you could have a bit jutting out that was both an 802.11 
antenna and a wild ethernet port, but I might be wrong.)

Trey
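The two-port box described in this message, as an added example that is not part of the original thread: a script that prints an nftables ruleset for a hardware VPN device with a laptop-side port and a wild-side port, with one mode that lets only HTTP/HTTPS out so a hotspot purchase can complete and one mode that forces every laptop packet through the tunnel. Interface names, the VPN head address and its UDP port are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: nftables ruleset for the two-port
# hardware VPN box described above. Interface names, VPN head address and
# port are assumptions. The script only prints the ruleset; on the device
# it would be applied with 'nft -f -'.
LAN_IF="eth0"            # assumed: port the company laptop plugs into
WAN_IF="eth1"            # assumed: port facing the hotspot / wild network
TUN_IF="tun0"            # assumed: tunnel interface once the VPN is up
VPN_HEAD="203.0.113.10"  # constructed placeholder address of the VPN head
VPN_PORT="1194"          # assumed UDP port the tunnel is built on
# emit_rules captive: laptop reaches HTTP/HTTPS on the wild net only (bastion)
# emit_rules tunnel : laptop traffic leaves only via the tunnel, never $WAN_IF
emit_rules() {
  mode="$1"
  cat <<EOF
flush ruleset
table inet vpnbox {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    iif $WAN_IF udp sport 67 udp dport 68 accept   # DHCP lease for the box
    iif $LAN_IF tcp dport 22 accept                # management, laptop side only
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
EOF
  if [ "$mode" = "captive" ]; then
    echo "    iif $LAN_IF oif $WAN_IF tcp dport { 80, 443 } accept"
  else
    echo "    iif $LAN_IF oif $TUN_IF accept"
    echo "    iif $LAN_IF oif $WAN_IF counter drop"   # bypass attempts are logged by counter
  fi
  cat <<EOF
  }
  chain output {
    type filter hook output priority 0; policy drop;
    oif lo accept
    ct state established,related accept
    oif $WAN_IF udp dport { 53, 67 } accept        # DNS and DHCP for the box itself
    oif $WAN_IF ip daddr $VPN_HEAD udp dport $VPN_PORT accept
  }
  chain postrouting {
    type nat hook postrouting priority 100;
    oif $WAN_IF masquerade
  }
}
EOF
}
```

Run as `emit_rules captive` before the hotspot purchase and `emit_rules tunnel` once the VPN is up; with policy drop on every chain, anything not listed (including the laptop talking directly to the wild network) never leaves the box.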

