Re: Security and VPN

From: Robert Hagen (rdh@stealthllama.org)
Date: Tue Jun 19 2007 - 10:16:36 EDT

Sohail,

As you've pointed out, the risks are much greater than authentication
and access control. Each endpoint is a potential exposure. User
workstations (particularly personally owned computers) are often
unpatched, unprotected, and exposed to a constant barrage of
intrusion attempts over broadband connections. In order to secure
the VPN connection, you have to secure that endpoint.

Network admission control is a nice fit here. There are many
different desktop agents that can be used to verify the integrity of
their host computer before it is allowed through the VPN. They can be
customized to check for patches, a working anti-virus agent, and any
other conditions you deem necessary. Many of these NAC solutions will
even provide a mechanism to automatically remediate hosts that fail
their integrity checks or put them in a network quarantine where
help-desk or IT support personnel can work with the user to correct
their configuration.

Another consideration would be to disable "split-tunneling" on your
VPN solution. If split-tunneling is enabled, the host can
simultaneously route traffic to their local network (and the
Internet) as well as through the VPN tunnel. This effectively
extends your network perimeter to that host. Are you willing to make
that host a perimeter firewall? Probably not. If a user needs to
connect to the VPN, that should be the only network access they have
for the duration of that VPN session.

This combination of endpoint security and network segregation has
worked well for me. I'm sure there are other considerations out
there that may help as well. Hopefully this helps to address your
concerns.

Regards,
-Bob-

On Jun 18, 2007, at 9:08 AM, Sohail Sarwar wrote:

> Hi there,
>
> I just wanted to put this out there. How secure is VPN?
> Meaning, if my users take home the client and install it on their
> desktop at home, and connect to the corporate network and production
> network, what are we really looking at? Are they secure or not?
>
> Two factor authentication would only help the authentication
> purpose and to protect the user name and password ?
>
> How about restricting them to access, and how about worrying
> about their home computer that can be affected?
>
> Has anyone been through this? Anyone give home users a list of
> requirements that they must have before VPN can be offered to them?
>
> Should there be some type of desktop policy installed on their
> home computer, just to protect the company network ? Any help and
> guidance would be great
>
> Regards,
> Sohail

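The two controls Bob describes, an endpoint integrity check before admission and a full-tunnel routing requirement, can be expressed as one posture evaluation. The following is an added example, not code from either poster or from any NAC product; the thresholds, the interface name `tun0`, the route-table shape and the sample hosts are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Policy values below are assumptions for this example, not values from the thread.
TUNNEL_IFACE = "tun0"          # interface the VPN client creates
MAX_SIG_AGE_DAYS = 7           # oldest acceptable anti-virus signature set

@dataclass
class HostReport:
    missing_critical_patches: int
    av_running: bool
    av_signature_age_days: int
    routes: list               # (destination CIDR, outgoing interface) pairs

def split_tunnel_routes(routes, vpn_gateway):
    """Return routes that carry traffic outside the tunnel while the VPN is up.
    Policy (assumption): all traffic must default to the tunnel, either as one
    0.0.0.0/0 route or as the 0.0.0.0/1 + 128.0.0.0/1 pair some clients install,
    and the only route allowed on another interface is the /32 to the VPN gateway."""
    tunnel_nets = {ip_network(d) for d, i in routes if i == TUNNEL_IFACE}
    halves = {ip_network("0.0.0.0/1"), ip_network("128.0.0.0/1")}
    default_on_tunnel = ip_network("0.0.0.0/0") in tunnel_nets or halves <= tunnel_nets
    gateway_host = ip_network(f"{vpn_gateway}/32")
    leaks = [(d, i) for d, i in routes
             if i != TUNNEL_IFACE and ip_network(d) != gateway_host]
    # A default route on another interface is already listed; report a missing one too.
    if not default_on_tunnel and not any(ip_network(d).prefixlen == 0 for d, _ in leaks):
        leaks.append(("0.0.0.0/0", "absent"))
    return leaks

def evaluate(report, vpn_gateway):
    """Decide whether the host may enter the VPN; returns (verdict, reasons)."""
    reasons = []
    if report.missing_critical_patches:
        reasons.append(f"{report.missing_critical_patches} critical patch(es) missing")
    if not report.av_running:
        reasons.append("anti-virus agent not running")
    elif report.av_signature_age_days > MAX_SIG_AGE_DAYS:
        reasons.append(f"anti-virus signatures {report.av_signature_age_days} days old")
    for dest, iface in split_tunnel_routes(report.routes, vpn_gateway):
        reasons.append(f"split tunnel: {dest} via {iface}")
    return ("allow" if not reasons else "quarantine", reasons)

# Constructed sample hosts; 203.0.113.10 is a documentation address standing in for the gateway.
GATEWAY = "203.0.113.10"
CLEAN_HOST = HostReport(0, True, 2, [("0.0.0.0/0", TUNNEL_IFACE), ("10.8.0.0/24", TUNNEL_IFACE),
                                     (f"{GATEWAY}/32", "eth0")])
SPLIT_HOST = HostReport(3, False, 40, [("10.0.0.0/8", TUNNEL_IFACE), ("0.0.0.0/0", "eth0"),
                                       ("192.168.1.0/24", "eth0"), (f"{GATEWAY}/32", "eth0")])

if __name__ == "__main__":
    for name, host in (("clean", CLEAN_HOST), ("split", SPLIT_HOST)):
        print(name, *evaluate(host, GATEWAY))
```

A real agent would gather the patch, anti-virus and route data from the operating system; here the report is handed in so the decision logic can be exercised offline.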

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:52 EDT