Bruce Schneier is a smart guy, but he also has a strong anti-Microsoft bias. That’s why it’s no surprise to see this article, in which he lambasts Microsoft for “building in security bypasses”. What’s he talking about? A quote from Microsoft’s Martin Taylor:
For example, this new feature tool we have would allow me to tunnel directly using HTTP into my corporate Exchange server without having to go through the whole VPN (virtual private network) process, bypassing the need to use a smart card. It’s such a huge time-saver, for me at least, compared to how long it takes me now.
Of course, that’s our friend RPC-over-HTTPS. I think Schneier missed the point because he misunderstands the intent of the feature, which is to allow mail-only access from remote systems. It’s true that VPNs allow for secure remote access to many different types of resource, often using multi-factor authentication. It’s also true that many VPN systems (particularly the clients) are unstable and difficult to use, particularly from locations like hotels and airports where the network provider may not be clueful. The RPC tunneling feature allows secure access to email only without a VPN. This is actually a security benefit.
Why? Think of what happens when you connect a remote computer via VPN: you’re allowing it unrestricted access to your entire corporate network. That means that when Joe Executive’s home machine connects via VPN it has free roam of the network. That places a mighty high premium on ensuring that the remote machine is uncompromised, hence the interest in network access protection (but that’s a solution for another day). As an admin, if I have users who only need email, I’m perfectly happy for them to use RPC-over-HTTPS instead of VPN because then I know that their machines are very unlikely to be able to cause damage to other machines on my intranet, no matter how crap-infested they may be. Couple RPC tunneling with an application-layer RPC scanner (like the one in ISA Server 2004) and you’re better off than you would be with a pure VPN solution.
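To make the exposure argument concrete, here is an added example (not from the original post) that models a remote client under three hypothetical access policies and computes which internal host/port pairs it could reach: an unsegmented full-tunnel VPN, a VPN restricted to one web server, and RPC-over-HTTPS limited to the Exchange front end on 443. The addresses and port list are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One allow rule: destination CIDR and TCP port (None = any port)."""
    dst: str
    port: Optional[int] = None


def reachable(rules, hosts, ports):
    """Return the set of (host, port) pairs a remote client may reach.

    A pair is reachable if any rule's CIDR contains the host and the rule's
    port is either unspecified or equal to the port under test.
    """
    out = set()
    for host in hosts:
        addr = ip_address(host)
        for port in ports:
            if any(addr in ip_network(r.dst) and r.port in (None, port)
                   for r in rules):
                out.add((host, port))
    return out


# Constructed sample intranet (hypothetical addresses):
# Exchange front end, domain controller, file server, intranet web server.
INTRANET_HOSTS = ["10.0.0.10", "10.0.0.20", "10.0.0.30", "10.0.0.40"]
# Ports worth worrying about from a possibly compromised client.
INTERESTING_PORTS = [80, 135, 443, 445, 3389]

# Policy A: typical VPN with no segmentation, the whole subnet is open.
VPN_UNRESTRICTED = [Rule("10.0.0.0/24")]
# Policy B: segmented VPN, only the intranet web server over HTTP/HTTPS.
VPN_WEB_ONLY = [Rule("10.0.0.40/32", 80), Rule("10.0.0.40/32", 443)]
# Policy C: RPC-over-HTTPS, only the Exchange front end on 443.
RPC_OVER_HTTPS = [Rule("10.0.0.10/32", 443)]


def exposure(rules):
    """Host/port pairs exposed to the remote client under `rules`."""
    return reachable(rules, INTRANET_HOSTS, INTERESTING_PORTS)


if __name__ == "__main__":
    for name, policy in [("VPN unrestricted", VPN_UNRESTRICTED),
                         ("VPN web-only", VPN_WEB_ONLY),
                         ("RPC-over-HTTPS", RPC_OVER_HTTPS)]:
        print(f"{name}: {len(exposure(policy))} reachable host/port pairs")
```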
Some of the comments on Schneier’s post make good points about the tradeoff between usability and security, including one guy who asks why VPNs are so hard to use. That’s for another post, unfortunately.

I think you misunderstand VPNs, at least non-Microsoft ones. We have several VPNs set up which only allow users to connect to our internal web servers. They do not allow “unrestricted access to your entire corporate network” – anyone who has such a VPN in place is certainly not a security expert. Most of all, they do not allow access to our Windows authentication services or Windows-provided services – a major attack surface.
Running tunneling services over HTTP IMHO increases your attack surface compared to the VPN approach PROVIDED that your network security people know what they’re doing with the VPN.
Nice blog though.
We’re both right 🙂 What I should have said is that most VPNs allow unrestricted access. I think that’s true regardless of the VPN technology vendor; most sites that deploy VPNs don’t use segmentation or isolation like they should. That’s changing, but slowly; Microsoft and Cisco in particular are trying to push NAP as a solution to make isolation easier and more palatable.