[VOIPSEC] VPNs and VoIP (was: Re: VoIP Attack : How feasible)
Michael Slavitch
slavitch at gmail.com
Mon Aug 7 10:23:25 CDT 2006
Indeed, if you had access to enough data to do a comprehensive
analysis of an entire network, not just choice network access points,
you'd see that road-warrior or home worker traffic is often the
majority form of VPN traffic unless there is an utter lock down in the
enterprise with strict co-ordination between networking and IT
departments.
My experience showed that the latter is not as common as is thought by experts.
I did such an analysis at a previous employer when I had access to 4TB
of SNMP traffic polling data from hundreds of network sites, running
over several years. The result was consistent in most networks, even
large financial firms.
The analysis revealed two kinds of network, I'll summarize them as
'strict' and 'fractal'.
In 'strict' networks, everything was tightly managed from a single
authority. In those networks you are entirely correct, but those
networks were the minority in our samples, < 10%, mostly government
and military or institutional, such as health and educational.
But in around 80% of networks the behavior was something I'd call
'fractal', where there was the assumption of central management or
control but the reality was that the network was made up of a bunch of
small subgroups or fiefdoms each with a certain level of control over
policy and access, usually unknown and unseen from the top. These
networks were ad-hoc in fact if not in theory.
In these 'fractal' networks 80% of the VPN traffic over time was
road-warriors, 20% over time was made up of 'engineered' IPSEC VPNs,
and the network engineers not only didn't believe it to be true they
didn't believe it to be possible. They had no control over the Windows
boxes due to the silo nature of most companies. Much of the traffic
went right back out over the Internet, forming tunnels between Windows
boxes using Windows servers as routers. The reason this became the
case was that it was easier for IT people to set up their own VPNs
and their own rules rather than co-operate with the networking
department. Many networking departments didn't even realize that they
had branch office networks, let alone connections to them. These
branch offices went and bought their stuff at Best Buy. In fact the
4TB dataset showed that most network managers undercounted the number
of nodes in their enterprise by about 30-40%; they didn't believe that
there were hundreds or even thousands of unmanaged hubs, personal
printers, personal network access points, notebooks, or the like out
there.
The Windows guys however had a more accurate count of PCs and network
printers because each grabbed a Windows licence. They tended to lie
too, to keep their licence costs down, hence they agreed with the
networking guys to keep their budgeting in line.
Commercial firms, especially ones that have large sales teams, tend to
cluster around the ad-hoc model. I had one network engineer who
didn't even realize that the entire sales force was using
salesforce.com vs. the creaky custom system in the back office because
it wasn't even in his realm of possibilities.
M
On 7/30/06, Dustin D. Trammell <dtrammell at tippingpoint.com> wrote:
>
> I will however grant you that PPTP has taken over a lot of the
> road-warrior class of access VPN, because it's easy, supported natively
> by Windows XP, and it just works. But I think Checkpoint, Nortel,
> Juniper, and Cisco would also strongly disagree with you that IPSec VPNs
> are just not used in a corporate environment.
>
> --
> Dustin D. Trammell
> VoIP Security Research
> TippingPoint, a division of 3Com
>
>
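The post above reports a split between road-warrior PPTP tunnels and 'engineered' IPsec VPNs measured from polling data, and the quoted reply names the same two protocol families. As an added example (not from the original thread, and not the method its author used, which was SNMP counter polling), the block below shows how one would check such a split from flow records: PPTP is identified by its TCP/1723 control channel and the GRE data tunnel between the same two hosts; IPsec by IKE (UDP/500), NAT-T (UDP/4500) and native ESP/AH. The `Flow` record layout and the sample flows are constructed for illustration; the port and protocol numbers are the standard IANA assignments. GRE with no matching PPTP control channel is reported separately rather than counted as PPTP, since plain GRE is used by other tunnel types too.

```python
"""Classify flow records into PPTP and IPsec VPN traffic and report byte shares.

Added example, not part of the original mailing-list post. Flow layout and
sample records are constructed; protocol/port numbers are IANA assignments.
"""
from collections import defaultdict
from dataclasses import dataclass

# IP protocol numbers (IANA)
PROTO_TCP, PROTO_UDP, PROTO_GRE, PROTO_ESP, PROTO_AH = 6, 17, 47, 50, 51
PPTP_CONTROL_PORT = 1723          # TCP
IKE_PORTS = {500, 4500}           # UDP: IKE and NAT-T encapsulated ESP


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    sport: int      # 0 when the protocol carries no ports (GRE, ESP, AH)
    dport: int
    nbytes: int


def pptp_control_pairs(flows):
    """Host pairs that exchanged PPTP control traffic (TCP/1723).

    Only GRE between such a pair is attributed to PPTP; plain GRE elsewhere
    may be some other tunnel and is kept apart.
    """
    pairs = set()
    for f in flows:
        if f.proto == PROTO_TCP and PPTP_CONTROL_PORT in (f.sport, f.dport):
            pairs.add(frozenset((f.src, f.dst)))
    return pairs


def classify(flow, control_pairs):
    """Return 'pptp', 'ipsec', 'gre_unpaired' or 'other' for one flow."""
    pair = frozenset((flow.src, flow.dst))
    if flow.proto == PROTO_TCP and PPTP_CONTROL_PORT in (flow.sport, flow.dport):
        return "pptp"                       # PPTP control channel
    if flow.proto == PROTO_GRE:
        return "pptp" if pair in control_pairs else "gre_unpaired"
    if flow.proto in (PROTO_ESP, PROTO_AH):
        return "ipsec"                      # native ESP / AH
    if flow.proto == PROTO_UDP and IKE_PORTS & {flow.sport, flow.dport}:
        return "ipsec"                      # IKE negotiation or NAT-T data
    return "other"


def vpn_share(flows):
    """Bytes per class plus each VPN class's fraction of all VPN bytes."""
    control_pairs = pptp_control_pairs(flows)
    totals = defaultdict(int)
    for f in flows:
        totals[classify(f, control_pairs)] += f.nbytes
    vpn_total = totals["pptp"] + totals["ipsec"]
    return {
        "bytes": dict(totals),
        "pptp_fraction": totals["pptp"] / vpn_total if vpn_total else 0.0,
        "ipsec_fraction": totals["ipsec"] / vpn_total if vpn_total else 0.0,
    }


# Constructed sample: one road-warrior PPTP session, one site-to-site IPsec
# tunnel, one stray GRE tunnel with no PPTP control channel, and plain web.
SAMPLE_FLOWS = [
    Flow("10.1.2.3", "203.0.113.10", PROTO_TCP, 49152, 1723, 20_000),
    Flow("10.1.2.3", "203.0.113.10", PROTO_GRE, 0, 0, 600_000),
    Flow("198.51.100.5", "203.0.113.20", PROTO_UDP, 500, 500, 5_000),
    Flow("198.51.100.5", "203.0.113.20", PROTO_ESP, 0, 0, 150_000),
    Flow("10.9.9.9", "10.8.8.8", PROTO_GRE, 0, 0, 50_000),
    Flow("10.1.2.3", "93.184.216.34", PROTO_TCP, 50000, 80, 30_000),
]

if __name__ == "__main__":
    report = vpn_share(SAMPLE_FLOWS)
    for cls, n in sorted(report["bytes"].items()):
        print(f"{cls:13s} {n:>10,d} bytes")
    print(f"PPTP share of VPN bytes:  {report['pptp_fraction']:.0%}")
    print(f"IPsec share of VPN bytes: {report['ipsec_fraction']:.0%}")
```

Run against real flow exports the same way: aggregate over time rather than a single snapshot, since road-warrior sessions are bursty and short while engineered tunnels carry steady volume, so a point-in-time sample undercounts the former.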