I regularly encounter arguments where people justify relaxed security in a design on the grounds that the connection between systems will be protected by a VPN (Virtual Private Network), so everything is fine.
Trying to dissuade someone like a project manager or business end user from trusting just a VPN is challenging; after all, private networks are safe, aren't they? So I have tried to identify a few resources that can simply and clearly explain why this approach alone is not sufficient. Just pointing to the principle of 'security in depth' is a difficult sell. So hopefully the following will help:
- http://www.sans.org/security-resources/malwarefaq/pptp-vpn.php – not the easiest for non-techies to consume, but it is an authoritative presentation (not to mention that it comes from the SANS Institute); the last three paragraphs of 'The Basics of Virtual Private Networks' are unequivocal and clear.
- http://www.cisco.com/web/about/security/intelligence/05_08_SSL-VPN-Security.html#4 – provides a brief explanation of how man-in-the-middle attacks work on VPNs; the message is very clear: get hit by this and an attacker has access to your network.
- http://www.infosecurity-magazine.com/news/ssl-vpns-pose-network-security-risks/ – a good article which highlights that you don't even need to be directly attacked to be compromised.