Can opvn make a network vulnerability?

Started by thecowmilk, October 26, 2022, 02:27:59 AM


thecowmilk

Hello guys, I have been told that ovpn makes for bad network security, as both networks are exposed on both ends, which means that if I can access the remote's network, then the remote could access my internet too? Which kind of doesn't make sense, but I'm here to be proved wrong or right about this.

In the sense that the remote location can also detect other devices in my original network.

Thanks.

deanwebb

Is this OpenVPN or some other product?

Either way, rolling your own VPN means that if you make a mistake, then, yes, you've got your whole network open to the Internet. Different mistakes can leave your VPN totally decryptable, which is the same result as the first mistake, with the bonus that all your traffic is readable to the party that broke your decryption.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.
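To make the original question concrete: whether the remote end can see devices on your LAN is decided by the routes each side is given, not by the fact that a tunnel exists. The following is an added example of an OpenVPN 2.5+ server.conf for a routed tun VPN; it is not configuration from the original thread or from either poster. The tunnel network 10.8.0.0/24, the server-side LAN 192.168.10.0/24, and the file paths are assumptions.

```conf
# Added example (not from the original thread). Assumes OpenVPN 2.5 or later.
# 10.8.0.0/24 (tunnel), 192.168.10.0/24 (server LAN) and file paths are assumptions.
port 1194
proto udp
dev tun

ca   /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key  /etc/openvpn/server/server.key
dh   none                              # ECDHE only, no static DH parameters
tls-crypt /etc/openvpn/server/tc.key   # packets without the shared key are dropped before any TLS handshake
remote-cert-tls client                 # peer certificate must carry a client EKU
verify-client-cert require

data-ciphers AES-256-GCM:AES-128-GCM
auth SHA256
tls-version-min 1.2

server 10.8.0.0 255.255.255.0          # tunnel addresses handed out to clients

# Routing decides what each side can reach. Nothing in this file gives the
# server a route into a client's LAN: there is no "route" to it and no
# client-config-dir entry with an "iroute". Remove the push line below and
# remote clients get no route to the server-side LAN either.
push "route 192.168.10.0 255.255.255.0"

# Clients cannot reach each other through the server unless this is enabled.
;client-to-client

# Drop privileges once the tunnel is up.
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 60
verb 3
```

A client only learns the route you push, and the server only forwards to a client's LAN if you explicitly add a route plus an iroute for that client. The host firewall's forward chain is the second layer: even with a route present, a default-drop forward policy means nothing crosses between tun0 and the LAN interface unless a rule allows it.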

Dieselboy

1. Every application that you use poses a risk in some way or another.

2. Opening up a firewall port to an application again poses a risk in some way, because your security is usually only as good as the application's security.

3. To establish a VPN, the VPN server needs to be waiting for that incoming request. If the VPN server has a known or unknown vulnerability, then it could be utilised.

4. No network is 100% secure but engineers add multiple layers to mitigate risks.

An exception to point 2 could be that there are other layers adding additional protections, such as Layer 7 firewalling or NetFlow analytics like Secure Network Analytics, which can monitor the flows on the wire, perform software smarts on this data and take some action if an anomaly is detected.

It's also key to think about risks from different perspectives, such as:
- the VPN server side, allowing unsolicited traffic inbound to begin the VPN connection process
- the client side, where a VPN client is starting the VPN themselves, their OS patch level, their applications patch level and any antivirus product running on there to mitigate OS system vulnerabilities
- the traffic being encrypted/decrypted and transiting an untrusted network (usually the internet) and the security of that encryption and features used (or not used)

For context, I had a (friendly) argument with a developer whose argument was that it was fine to leave SSH open to the whole world for his remote access into systems that he was managing. My argument was that this was not ideal because a) anyone on the internet could open up a connection to the application (SSH in this case) and get a login prompt, and b) security is only as good as the credentials required for the SSH application to permit access AND only as good as the SSH application's programming to enforce that security, i.e. any unknown vulnerabilities within the software. Such vulnerabilities could allow an attacker to bypass the login and access the system through a vulnerable SSH, for example. My suggested mitigation for this was to lock down SSH access to his source IP address, so that only he could get an SSH login prompt. But even better, if this could be hidden behind a proxy of some kind which first forces authentication and authorisation through username, password and 2-factor authentication, and possibly posture based on requirements of his system, such as antivirus running, OS patched and so on.
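Point 3 above (the VPN server must listen for unsolicited packets) and the SSH lockdown at the end of the post both come down to the same control: a default-drop host firewall that exposes each listener only to the sources that need it. The ruleset below is an added example written for this thread, not configuration posted by Dieselboy or anyone else in it. It is an nftables script for a Linux host running both sshd and an OpenVPN server; the admin's source address 203.0.113.10, the LAN 192.168.10.0/24, the tunnel network 10.8.0.0/24 and the interface names eth0 and tun0 are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example (not from the original thread). Addresses and interface
# names below are assumptions; adjust them before loading with: nft -f this-file
flush ruleset

define ADMIN_IP = 203.0.113.10
define LAN      = 192.168.10.0/24
define VPN_NET  = 10.8.0.0/24

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # The VPN listener is the one service that must accept unsolicited
        # traffic from anywhere; expose exactly that port and protocol.
        udp dport 1194 accept

        # SSH: only the admin's own address ever sees a login prompt ...
        ip saddr $ADMIN_IP tcp dport 22 accept
        # ... or peers that have already authenticated to the VPN.
        iifname "tun0" ip saddr $VPN_NET tcp dport 22 accept

        # Anything else is logged (rate-limited) and then dropped by policy.
        limit rate 5/minute log prefix "nft-input-drop: "
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        # Remote VPN peers reach the LAN only because this rule exists.
        # Delete it and the tunnel terminates on this host and goes no further.
        iifname "tun0" oifname "eth0" ip saddr $VPN_NET ip daddr $LAN accept
    }
}
```

Load it with `nft -f` and check the result with `nft list ruleset`. The same shape carries over to the proxy approach the post suggests: keep the input chain closed to port 22 from the internet entirely, and let only the proxy's address (or the tunnel) through, so the unauthenticated internet never reaches sshd's login prompt at all.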