IPsec tunneling: Exploring the security risks

Unfortunately, I can't give you the pat "No" answer that you probably want to hear. There is a security risk inherent in creating any type of VPN tunnel. The real question you need to ask is, "What's the best way to achieve the business objectives in a manner consistent with your organization's security policy?" The answer very well could be an IPsec tunnel, but there are concerns with that approach.

First, what is the other "secure network" that you plan to connect your clients to? Is it operated by the state? Setting up a VPN connection from systems on your network to a network outside of your control could expose the organization to significant security risks, especially if you do not use split tunneling, which enables users to access both remote VPN resources as well as those on a local or public network. By forcing all traffic from those systems through the remote network, the administrators of that remote network have the ability to eavesdrop on all communications from the VPN clients, not just those bound for the destination network.

Second, consider the reasoning behind your IT group's reluctance to open firewall ports. Are there security concerns with the application you're using? It's important that you take the time to understand its position and ensure that whatever approach you decide upon meets the security/business balance described earlier.

From the tone of your question, I'm guessing you might have an adversarial relationship with the security folks within your organization. That's unhealthy for both parties. If possible, try to build bridges into the IT group and use those relationships to help develop a compromise that meets everyone's needs. Remember, business and security professionals are all on the same team, trying to achieve the same mission. They do, however, have different perspectives on what's best for the organization. Put yourself in your counterparts' shoes and try to understand that they're attempting to manage the risk to the business.

Finally, does the state offer an alternative approach for uploading your assessments? Nowadays, it's common for most of these applications to use a standard HTTPS interface that runs over port 443. Almost every firewall configuration out there allows internal users to access Internet sites on this port. Finding such an alternative could eliminate your security woes and simplify your environment.

Rate this Tip To rate tips, you must be a member of SearchMidmarketSecurity.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Integrating security into networks Four things to remember about server virtualization security concerns Five network security issues to avoid How to rework your network infrastructure for security Streamlining your network security infrastructure Network-based integrity monitoring keeps website hacks in check How to make data loss prevention tools affordable and manageable for midmarket PCI DSS requirement: Building and maintaining a secure network Network security begins with device discovery and assessment NAC Basics: Laying the groundwork Understand the differences in network access control solutions RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.