RE: Security and VPN

From: Russell Butturini (rbutturini@tcstech.com)
Date: Thu Jun 21 2007 - 15:09:32 EDT


The answer is very simple; If they get caught, they're fired! :-)

 
-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Robin Wood
Sent: Wednesday, June 20, 2007 1:03 PM
To: Russell Butturini
Cc: pen-test@securityfocus.com
Subject: Re: Security and VPN

Hi,
A quick question about point 2: what do you do to stop the clients
giving themselves a static IP and bypassing the restrictions?

Robin

On 6/20/07, Russell Butturini <rbutturini@tcstech.com> wrote:
> We work with a lot of customers who need to have the connectivity options
> for using a VPN client from home, but have a limited budget to work with
> and can't afford network upgrades/reconfigurations/more appliances to
> accommodate this. The procedure I usually follow is two steps:
>
> 1. Each machine is brought in and "sanitized" (i.e. reformatted and data
> reloaded if the employee will allow it, or at the least given thorough
> spyware, virus, and Trojan scans), and then has all available MS and
> manufacturer updates loaded on it.
>
> 2. Give clients connecting over the VPN a particular block of DHCP
> addresses, and then block traffic to internal servers we don't want
> accessed across the VPN from those IPs.
>
> Are there better solutions? Yes. Unfortunately "you gotta do what you
> gotta do" sometimes. We try to make the employees bring in the remote PCs
> on a regular basis for checkups, but this is not always realistic (i.e.
> people are stubborn :-) ).
>
>
> On a related note, does anyone have recommendations for a good SSL VPN
> appliance? We have been testing the Sonicwall appliance in house and it
> has been less than impressive so far.
>
>
> -----Original Message-----
> From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
> On Behalf Of The Sun
> Sent: Tuesday, June 19, 2007 9:44 PM
> To: Andrew Vliet; Sohail Sarwar
> Cc: Philip Cox; pen-test@securityfocus.com
> Subject: Re: Security and VPN
>
> Andrew said:
> I would not be putting VPN clients on employee owned systems.
>
> I would agree with you Andrew.
> I also suggest one more option - SSL VPN.
> So far in this thread, everyone has been focusing on IPSEC VPNs only.
> Many organizations are moving towards SSL-VPN to get more granular
> control.
> For instance, some SSL-VPN solutions can give access to web applications,
> file sharing and RDP without a client having to be installed - you would
> still need some ActiveX or Java applet and a browser.
> You could then allow third parties access to only some of these and at the
> same time allow full network access (all TCP/UDP protocols supported) to
> trusted users from trusted devices only, if required.
>
> ----- Original Message -----
> From: "Andrew Vliet" <Andrew.Vliet@lvs1.com>
> To: "Sohail Sarwar" <ssarwar@ecredit.com>
> Cc: "Philip Cox" <Phil.Cox@systemexperts.com>; <pen-test@securityfocus.com>
> Sent: Wednesday, June 20, 2007 4:12 AM
> Subject: RE: Security and VPN
>
> Sohail Sarwar,
>
> 2 factor authentication is great, but personally I would go one further
> than Philip. I would not be putting VPN clients on employee owned
> systems. Yes, I say no clients - period. Too many variables - too
> insecure.
>
> I understand that it's expensive, but nonetheless, I would either put
> in a Citrix farm or purchase dedicated, company owned and maintained
> machines for your employees to use at home. Add the VPN client to these
> company owned machines.
>
> When considering the speed and volatility of trojans and viruses these
> days, adding VPN to an unknown, uncontrolled, insecure client - even
> after adding antivirus checking, etc. - is simply asking for trouble.
>
> Of course, we haven't even touched on the legal and privacy implications
> of the company having direct access to an employee's personal network,
> all computers therein, and vice versa.
>
> VPN on employee machines == bad idea - don't do it. Provide Citrix or
> dedicated, managed machines.
>
> Regards,
> Andrew Vliet
>
> -----Original Message-----
> From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
> On Behalf Of Philip Cox
> Sent: Tuesday, June 19, 2007 9:25 AM
> To: 'Sohail Sarwar'; pen-test@securityfocus.com
> Subject: RE: Security and VPN
>
>
>
> > -----Original Message-----
> > From: listbounce@securityfocus.com
> > [mailto:listbounce@securityfocus.com] On Behalf Of Sohail Sarwar
> > Sent: Monday, June 18, 2007 6:08 AM
> > To: James Patterson; pen-test@securityfocus.com
> > Cc: holstein.robert@bls.gov
> > Subject: Security and VPN
> >
> > Hi there,
> >
> > I just wanted to put this out there. How secure is VPN?
> > Meaning, if my users take home the client and install it on their
> > desktop at home, and connect to the corporate network and production
> > network, what are we really looking at? Are they secure or not?
>
> Just given this description, I would say NO, they are not secure.
>
>
> > Has anyone been through this? Anyone give home users a list of
> > requirements that they must have before VPN can be offered to them?
> >
> > Should there be some type of desktop policy installed on their
> > home computer, just to protect the company network? Any help and guidance
> > would be great.
>
> My recommendation would be to...
>
> 1. Require 2 factor authentication for VPN access
> 2. Ensure that the VPN server/environment performs some type of system
>    validation prior to letting the system have full access to the internal
>    network. This typically includes verifying a patch level and that
>    anti-virus is installed and up-to-date
> 3. Use the VPN server to restrict where the VPN client can connect
> 4. Review the VPN server logs for who is accessing the server and from where
>
> Just my $.02
>
> Phil
>
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Are you using SPI, Watchfire or WhiteHat?
> Consider getting clear vision with Cenzic See HOW Now with our 20/20
> program!
>
> http://www.cenzic.com/c/2020
> ------------------------------------------------------------------------
>
>
>
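Robin's question about a client giving itself a static IP, worked as an added example that is not part of this thread: Russell's step 2 (a source-IP rule over the VPN DHCP block) beside a variant that classifies traffic by the tunnel interface it arrives on and drops tunnel packets whose source is outside the pool. The address ranges, interface name and server list are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values; the thread names no ranges, interfaces or servers.
VPN_POOL = ipaddress.ip_network("10.99.0.0/24")  # DHCP block handed to VPN clients
VPN_IFACE = "tun0"                               # interface VPN traffic enters on
RESTRICTED_SERVERS = {                           # internal hosts kept off the VPN
    ipaddress.ip_address("10.1.1.10"),
    ipaddress.ip_address("10.1.1.11"),
}


@dataclass(frozen=True)
class Packet:
    in_iface: str  # interface the packet arrived on
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


def allowed_by_source_ip(pkt: Packet) -> bool:
    """Step 2 from the thread: deny VPN-pool addresses access to restricted servers."""
    return not (pkt.src in VPN_POOL and pkt.dst in RESTRICTED_SERVERS)


def allowed_by_interface(pkt: Packet) -> bool:
    """Hardened variant: classify by ingress interface, so a client that assigns
    itself an address outside the pool is still treated as VPN traffic, and drop
    anything arriving on the tunnel whose source is outside the pool."""
    if pkt.in_iface == VPN_IFACE:
        if pkt.src not in VPN_POOL or pkt.dst in RESTRICTED_SERVERS:
            return False
    return True


def evaluate(iface: str, src: str, dst: str) -> tuple:
    """Return (source-IP policy verdict, interface policy verdict) for one packet."""
    pkt = Packet(iface, ipaddress.ip_address(src), ipaddress.ip_address(dst))
    return allowed_by_source_ip(pkt), allowed_by_interface(pkt)


if __name__ == "__main__":
    cases = [
        ("tun0", "10.99.0.5", "10.1.1.10"),  # normal VPN client -> restricted server
        ("tun0", "10.1.1.50", "10.1.1.10"),  # client gave itself a LAN address
        ("eth0", "10.1.1.50", "10.1.1.10"),  # genuine LAN host on the wired side
    ]
    for case in cases:
        print(case, evaluate(*case))
```

The second case is the bypass Robin describes: the source-IP rule lets it through, the interface rule does not.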

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:53 EDT