
RE: new to VPN



>>> There's a very large difference between a general purpose OS like
>>>  Windows or Unix, and an embedded system OS.  Large, as in several
>>>  orders of magnitude.
>>
>>Unless I'm missing something fundamental, comparing the raw sizes of
>>various operating systems is misleading.  Assuming that the VPN software is
>>installed at the bottom of the network stack, just above the NIC driver,
>>then it doesn't matter how big the rest of the OS is.  The only thing that
>>matters is the tiny little bit of the OS that takes the packet off the NIC
>>and hands it to the VPN driver.
>>
>>Of course, this small part of the OS must not have any holes, the VPN
>>software must not have any holes, and the security policies must be set
>>correctly to weed out malicious or unwanted packets!
>
> I'm afraid you are missing something. Irrespective of where the VPN 
> software is installed in a general purpose platform/OS environment, 
> that software can be subverted by a successful attack against any 
> part of the rest of the OS.

How can one attack the rest of the OS if the VPN component is located at
the only entry point and doesn't allow malicious packets to pass?

> Your comment suggests that if the VPN access controls are working, then
> no evil packets can evade detection and thus be used to attack the higher
> layer software. We have lots of experience that indicates otherwise.

I think it's a matter of definitions.  In any situation where malicious
packets get through the VPN filter, I would say that the access controls
are not working correctly :)

--
Sincerely,
John Lindal
Chief Software Architect, Trlokom, Inc.
http://www.trlokom.com/
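The layering being argued about above, modelled as an added example that is not part of this thread and not code from Trlokom or any VPN product. It puts a small access-control filter at the "entry point" (just above the NIC) and runs a handful of constructed packets through it; the peer table, the pre-shared key, the port policy and every packet are assumptions made up for the demo, and HMAC-SHA256 over a static key stands in for whatever authentication a real VPN would use.

```python
"""Toy model of a VPN access-control filter sitting just above the NIC driver.

Added example, not code from the original thread.  Everything here is
constructed: the peer table, the key, the port policy and the packets.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed peer table: peer name -> pre-shared key (assumption; a real VPN
# would derive per-session keys from a key exchange rather than use a static key).
PEER_KEYS = {"peerA": b"peerA-preshared-key-for-demo-only"}

# Constructed policy: inner destination ports the VPN lets through.
ALLOWED_PORTS = {22, 443}


@dataclass(frozen=True)
class Packet:
    peer: str        # claimed sender identity
    dst_port: int    # destination port of the inner (decapsulated) packet
    payload: bytes   # inner payload handed up to the rest of the stack
    tag: bytes       # HMAC-SHA256 over (peer, dst_port, payload)


def _auth_input(peer: str, dst_port: int, payload: bytes) -> bytes:
    """Bytes covered by the authentication tag (constructed framing)."""
    return peer.encode() + dst_port.to_bytes(2, "big") + payload


def seal(peer: str, key: bytes, dst_port: int, payload: bytes) -> Packet:
    """What a peer holding the key does to produce a packet the filter accepts."""
    tag = hmac.new(key, _auth_input(peer, dst_port, payload), hashlib.sha256).digest()
    return Packet(peer, dst_port, payload, tag)


def vpn_filter(pkt: Packet) -> str:
    """The 'tiny little bit of the OS' from the thread: pass/drop at the entry point.

    Returns a verdict string so the reason for each decision is visible.
    """
    key = PEER_KEYS.get(pkt.peer)
    if key is None:
        return "drop:unknown-peer"
    expected = hmac.new(key, _auth_input(pkt.peer, pkt.dst_port, pkt.payload),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, pkt.tag):
        return "drop:bad-tag"
    if pkt.dst_port not in ALLOWED_PORTS:
        return "drop:port-not-allowed"
    # Every access-control check passed.  Note what was *not* inspected:
    # the payload bytes.  The filter has no notion of what the higher-layer
    # service will do with them.
    return "pass"


def run_demo() -> list:
    """Run five constructed packets through the filter and return the verdicts."""
    key = PEER_KEYS["peerA"]
    packets = [
        # 1. stranger on the wire: no key, tag is garbage
        Packet("mallory", 443, b"GET / HTTP/1.0\r\n", b"\x00" * 32),
        # 2. right peer name, but payload altered after sealing (tag no longer matches)
        Packet("peerA", 443, b"GET /tampered", seal("peerA", key, 443, b"GET /").tag),
        # 3. authenticated peer, port outside policy
        seal("peerA", key, 8080, b"hello"),
        # 4. authenticated peer, allowed port, ordinary request
        seal("peerA", key, 443, b"GET /index.html HTTP/1.0\r\n"),
        # 5. authenticated peer, allowed port, overlong request aimed at whatever
        #    parses it upstream (constructed stand-in for an "evil packet")
        seal("peerA", key, 443, b"GET /" + b"A" * 4096 + b" HTTP/1.0\r\n"),
    ]
    return [vpn_filter(p) for p in packets]


if __name__ == "__main__":
    for i, verdict in enumerate(run_demo(), 1):
        print(i, verdict)
```

Packets 1 to 3 are dropped for the reasons the filter can actually observe (identity, integrity, policy). Packets 4 and 5 both get "pass": from the filter's point of view they are the same kind of packet, an authenticated peer talking to an allowed port. Whether packet 5 is "malicious" is decided by the code that parses it further up the stack, which is what the two positions in the thread disagree about when they say "access controls working".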