I don’t have a problem with Virtual Private Networks (or VPNs) as a technology. They serve a purpose and I do work with them a lot where I am currently employed. But, I have come to the conclusion that using them for common or casual remote access is a total hack.
For the remote computer, the VPN essentially takes that remote system and virtually places it on the office network. That’s the hack. Instead of exposing each service over its own secure channel (an SSL web interface, for example), you “fake” having the computer on the office network. Obviously this is sometimes required, but should remote users be using a VPN just to send and receive mail? I’m not even sure you need a VPN for file access if you have a good, secure portal that allows uploads and downloads. End users who depend on a VPN for access to their day-to-day tools are depending on a single point of failure. If the VPN doesn’t work, the user is out of commission.
I feel that a VPN should be used to connect office LANs together and as an emergency for remote users who can’t get what they want through normal secure methods.
It’s pretty silly to (for example) have to VPN in to use an SSL web interface which you log into with the same credentials you use to connect to the VPN (this is a real example from my own company).
I think a lot of sysadmins view the VPN as a simple way to rein in externally facing services and as a way to justify being lazy with security. Since none of their services are actually outward facing, they can give them the once-over and say “well, this doesn’t matter since it’s internal only!” and rely on the VPN as the sole gatekeeper.
I’d imagine that this sort of attitude leads to a lot of Bad Things happening inside the corporate network, and if the VPN were compromised (or if somebody just plugged in and got physical access) the services would be much more vulnerable than they would be if they were externally facing from the get-go.
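To make the “VPN as sole gatekeeper” problem concrete, here is an added example (my own illustration, not code from the original post or from any product it mentions) contrasting the two authorization models above. The `perimeter_policy` trusts any request that arrives from the office address range, which is exactly what a service gets when the VPN is its only protection; the `per_request_policy` requires TLS and a valid credential on every request, no matter which network it comes from. The office range, the secret, the token scheme and the sample requests are all constructed for the example.

```python
"""Perimeter trust versus per-request authentication (added example)."""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed: the address range the VPN virtually places remote machines into.
OFFICE_NETWORK = ipaddress.ip_network("10.0.0.0/8")

# Constructed placeholder: secret shared between the service and its login portal.
TOKEN_SECRET = b"placeholder-service-secret"


@dataclass
class Request:
    """One incoming request as the service sees it (constructed fields)."""
    source_ip: str
    tls: bool                 # did the request arrive over an SSL/TLS connection?
    user: Optional[str]       # claimed username, if any
    token: Optional[str]      # credential presented, if any


def issue_token(user: str) -> str:
    """Stand-in for the portal login: an HMAC over the username with the shared secret."""
    return hmac.new(TOKEN_SECRET, user.encode(), hashlib.sha256).hexdigest()


def perimeter_policy(req: Request) -> bool:
    """'Internal only' policy: anything reaching us from the office network is trusted.

    This is what a service effectively does when the VPN is its only gatekeeper.
    """
    return ipaddress.ip_address(req.source_ip) in OFFICE_NETWORK


def per_request_policy(req: Request) -> bool:
    """Per-request policy: require TLS plus a valid credential, regardless of source network."""
    if not req.tls or req.user is None or req.token is None:
        return False
    # Constant-time comparison so the check itself does not leak the expected token.
    return hmac.compare_digest(issue_token(req.user), req.token)


# Constructed sample traffic covering the cases discussed in the post.
SAMPLE_REQUESTS: List[Request] = [
    Request("10.1.2.3", True, "alice", issue_token("alice")),     # legitimate user over the VPN
    Request("10.1.2.99", False, None, None),                      # host that simply plugged into the office LAN
    Request("203.0.113.7", True, "alice", issue_token("alice")),  # same user, direct from the internet
    Request("203.0.113.8", True, "alice", "forged"),              # forged credential from the internet
]


def evaluate(requests: List[Request]) -> List[Tuple[str, bool, bool]]:
    """Return (source_ip, allowed_by_perimeter, allowed_per_request) for each request."""
    return [(r.source_ip, perimeter_policy(r), per_request_policy(r)) for r in requests]


if __name__ == "__main__":
    print(f"{'source':<14}{'perimeter':<12}{'per-request'}")
    for ip, perim, strict in evaluate(SAMPLE_REQUESTS):
        print(f"{ip:<14}{str(perim):<12}{strict}")
```

The second sample request is the case the post warns about: a machine that is on the office network but has no credentials at all is waved through by the perimeter policy and refused by the per-request one. The third shows the flip side: a properly authenticated user over TLS does not need the VPN to be on the office network in the first place.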