[lopsa-discuss] hardware VPN devices for laptops?

Trey Harris trey at eecs.harvard.edu
Tue Dec 20 23:24:20 PST 2005


In a message dated Tue, 20 Dec 2005, Marius Strom writes:
> On Tue, 20 Dec 2005, Trey Harris wrote:
>> That's one.  Another is that you may not trust Microsoft or whatever other
>> vendor produces your software VPN solution, and may not have the expertise
>> or resources to vet and maintain an open-source or in-house software
>> solution.
>
> And you would trust the hardware vendor more why?  And you would have
> the expertise to open up/disassemble/vet the hardware router?

In the case of "moats", like Adam and I carry, the hardware vendor's just 
supplying you with hardware--the image it runs is created and maintained 
by you.  I think more security folks have the expertise to vet and 
maintain a total firewall image they control than have the expertise to 
vet and maintain code snippets that get inserted into the networking stack 
of Windows, Mac OS X, etc. etc.

And I meant "trust" in the sense of trust not to make mistakes, not trust 
not to attack you.  If the hardware vendor screws up, you just end up with 
a flaky or unusable box.  If the software vendor screws up, you may be 
exposing your corporate network to the world.

>> Another is that, with a software VPN, you're handing people a
>> general-purpose computer; you can't guarantee that they won't violate
>> policy by, say, routing their home LAN through your corporate firewall via
>> the VPN (they could very well do this unintentionally!).
>>
>> With a hardware VPN, it's a network device that you can control.  Since it
>> has two interfaces (one to your computer, one to the internet), you can
>> (and should) make it a firewall, setting up a (relatively lax) DMZ for
>> every machine that connects to your VPN head.  "Don't plug anything into
>> this thing except your company-issued laptop, and never plug your laptop
>> into anything but this" is then an effective rule that even the most
>> non-technical employee can understand.  Accompany that by "violate either
>> rule and we will know and you WILL be terminated" in big red letters and
>> they'll get the idea.
>
> IMHO, if the user is skilled enough to route their home LAN through the
> software VPN, they'll do similar with the hardware box and a little
> router on the backend. :)

Undoubtedly--but they definitely *won't* do it unintentionally, which they 
can easily end up doing with a software VPN if they click a few checkboxes 
in their control panel that sound good to them.

When it comes to handing a VPN of whatever flavor to every employee in a 
company, I'm much more concerned about stupidity (which you can protect 
yourself from) than maliciousness (which ultimately you can't, not 
perfectly--and in any case, a malicious employee has far more lucrative 
opportunities to create havoc than bridging his home LAN to yours).

Assuming you have good border monitoring and intrusion detection, you'll 
probably know when somebody violates policy with either a software or 
hardware VPN.  But with the software VPN, they can claim ignorance ("oh, 
I'm not supposed to click on that?  Sorry!").  With the hardware VPN, it's 
simple: "you plugged something you weren't supposed to into this port, 
didn't you?"

Yes, you can absolutely fix this with a software VPN by carefully 
maintaining your laptop OS images and giving users no administrative 
privileges.  (Putting aside the fact that they can get past such controls 
since you're handing them the computer--like I said, I'm discounting 
malicious employees.  And, in my experience, if you successfully lock down 
your laptop image, a lot of non-malicious employees *will* circumvent 
those controls by physical-access methods.  It's just not fun to use a 
machine you can't configure to your own tastes....)  But for nomadic 
employees, no admin privs is often an unworkable policy.

And I've never met a security admin who much relishes the idea of owning 
the company's OS images.  A hardware VPN lets them own the image in their 
domain, and the Windows or Mac or Linux admins can own the images in their 
domain, and security isn't compromised as a result.

>> What do you do, with a software VPN, if you have to buy Wi-Fi hotspot
>> access before connecting?  You trust the software firewall to protect you
>> while you connect your computer directly to the wild network--if you're
>> infected with malware or have an insecure OS image, game over.  With a
>> hardware VPN, it can firewall your computer from the wild network, while
>> it serves as a bastion for HTTP and HTTPS while you complete the purchase.
>
> Does the HW router in question have a wifi interface? (It seems from
> what I've read on the thread that it's got two ethernet interfaces - one
> to the computer, and one to the network)

Three interfaces, only two of which are active at any time.  One to the 
computer, and one to the wild, which may be either wireless or wired. 
The laptop/wild route is heavily firewalled until it can establish a VPN 
tunnel, then the laptop/vpn route has somewhat looser firewall policy.

Trey
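As an added illustration (not from the original post or from any product mentioned in the thread): the two firewall states Trey describes, expressed as an nftables ruleset generated by a small shell script that a self-maintained "moat" image could load from its VPN client's up/down hooks. Everything concrete is an assumption for the example: the interface names lan0 (laptop port), wan0/wlan0 (the wild side, one active at a time) and tun0 (the tunnel), the single laptop address 10.99.0.2 handed out on the laptop port, and the choice to close the direct path to the wild once the tunnel is up.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumed layout:
#   lan0          the port the company laptop plugs into
#   wan0 / wlan0  the wild side, wired or wireless; only one is active
#   tun0          the tunnel the box's own VPN client brings up
#   10.99.0.2     the only address the box's DHCP server hands out on lan0
LAPTOP=10.99.0.2

# Print the ruleset for one state.  $1 = pre | post, $2 = active wild interface.
ruleset() {
    state=$1
    wild=$2
    cat <<EOF
flush ruleset
table inet moat {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        # the laptop may use the box's DHCP and DNS and nothing else on the box
        iif "lan0" udp dport 67 accept
        iif "lan0" ip saddr $LAPTOP udp dport 53 accept
        # DHCP offers from the hotspot are not seen by conntrack as replies
        iif "$wild" udp sport 67 udp dport 68 accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # only the one laptop address is ever forwarded: a second machine, or a
        # home LAN behind a little router on the laptop port, has no path at all
        iif "lan0" ip saddr != $LAPTOP drop
EOF
    if [ "$state" = pre ]; then
        cat <<EOF
        # tunnel down: DNS and web only, enough to buy hotspot access
        iif "lan0" oif "$wild" udp dport 53 accept
        iif "lan0" oif "$wild" tcp dport { 80, 443 } accept
EOF
    else
        cat <<EOF
        # tunnel up: the laptop goes through the tunnel and the direct path to
        # the wild is closed (no split tunnel); replies come back via ct state
        iif "lan0" oif "tun0" accept
EOF
    fi
    cat <<EOF
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # the laptop appears as the box to the wild, and (assumed) to the
        # corporate side through the tunnel, so nothing needs a route to 10.99.0.0/30
        oif "$wild" masquerade
        oif "tun0" masquerade
    }
}
EOF
}

# Load a state.  Meant to be called from the VPN client's up/down hooks and
# from a link-change hook when the active wild interface changes.
apply() {
    ruleset "$1" "$2" | nft -f -
}

# Print both states when invoked as: sh moat.sh show
if [ "${1:-}" = show ]; then
    ruleset pre wlan0
    echo
    ruleset post wlan0
fi
```

The policy drop on the forward chain plus the single-address rule on lan0 is what turns "plug only your laptop into this port" from a written rule into an enforced one: a home LAN bridged in behind the laptop port produces nothing but dropped packets, and the drop counters are the evidence. Before the tunnel exists the laptop can only reach the wild on DNS and web, which is all a captive portal purchase needs; once the VPN client brings tun0 up and reloads the post state, that path disappears and the laptop is only ever talking to the corporate side.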

