Security Basics mailing list archives

RE: VPN's - Firewall's and Security


From: "Halverson, Chris" <chris.halverson () encana com>
Date: Tue, 26 Aug 2003 10:33:22 -0600

Maybe restrict the access to the essential services for the VPN clients using
the same technique.  Whether it is file sharing enabled ports or if you want
OWA then just port 80.  Security is only as good as what the users are
willing to put up with.  If the risks are known and followed, that combats
most of the problems that will arise.

Chris
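A concrete form of the access-list approach discussed in this thread, written as an added example rather than configuration from any of the posters: a PIX 6.x access list that restricts the VPN client pool to a file server and the OWA front end and drops the RPC endpoint mapper port that Blaster used. The client pool 10.10.10.0/24, the hosts 192.168.1.10 and 192.168.1.20, and the list name vpn_clients are assumed placeholders, and the example assumes the PIX itself terminates the client VPN so decrypted traffic enters on the outside interface.

```cisco
! Added example, not from the thread. Placeholder addresses:
!   10.10.10.0/24   address pool handed to VPN clients (assumed)
!   192.168.1.10    internal file server (assumed)
!   192.168.1.20    Exchange / OWA front end (assumed)
!
! By default the PIX lets decrypted IPsec traffic bypass interface ACLs;
! turn that off so the outside ACL is also evaluated for VPN clients.
no sysopt connection permit-ipsec

! Drop the RPC endpoint mapper Blaster propagated over, and log hits
! so an infected home PC shows up in syslog as soon as it connects.
access-list vpn_clients deny tcp 10.10.10.0 255.255.255.0 any eq 135 log

! File sharing to the one file server only (SMB direct and NetBIOS session).
access-list vpn_clients permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.10 eq 445
access-list vpn_clients permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.10 eq 139

! OWA on port 80 to the mail front end only (use 443 if it is SSL-only).
access-list vpn_clients permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.20 eq 80

! Everything else from the client pool is dropped and logged; the implicit
! deny is written out so the hit counters appear in "show access-list".
access-list vpn_clients deny ip 10.10.10.0 255.255.255.0 any log

! Bind the list inbound on the interface the decrypted client traffic arrives on.
access-group vpn_clients in interface outside
```

An interface takes a single inbound access list, so the permits that already admit Internet traffic to the DMZ mail and web servers have to be merged into this same list or they will be cut off by the final deny.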

-----Original Message-----
From: Christopher Joles [mailto:CJoles () proteabhs com]
Sent: Tuesday, August 26, 2003 10:29 AM
To: Halverson, Chris; security-basics () securityfocus com
Subject: RE: VPN's - Firewall's and Security


Chris

I'm relatively sure that I can apply an access list to the VPN network
(it gets a different subnet when connected which differs from our
internal network).  As I think about it, the VPN network (as currently
configured) can only talk to the internal network; it can't talk to the
DMZ, nor can it talk to any of my remote satellite locations that
connect via VPN links.  Would putting my servers on a separate subnet
help?  I'm just sitting here, thinking that my current configuration
works for today, but I'm not so sure for tomorrow or the next day.
There must be some way to block / firewall even my VPN connections to
limit their internal access and thus allow connectivity to only what
they need.

Maybe ACLs are what I need to be looking at?

Christopher J. Joles
Chief Information Officer


-----Original Message-----
From: Halverson, Chris [mailto:chris.halverson () encana com] 
Sent: Tuesday, August 26, 2003 12:19 PM
To: Christopher Joles; security-basics () securityfocus com
Subject: RE: VPN's - Firewall's and Security


Would it be possible to block within an access list the tcp port 135 for
VPN Access?  I haven't configured the PIX devices, so I am not sure if
you can do it...

chris

-----Original Message-----
From: Christopher Joles [mailto:CJoles () proteabhs com]
Sent: Tuesday, August 26, 2003 9:09 AM
To: security-basics () securityfocus com
Subject: VPN's - Firewall's and Security


Good Day All!

I'm looking for design advice.

Currently, I have a network that is protected by a Cisco PIX 515
firewall.  We have it configured to protect our internal network along
with supplying access to our DMZ which holds our email and web servers.

My concern arises from the spread of the Blaster worm.  Currently we
give a couple of employees (the boss, the CFO and myself) VPN access from
home.  In this scenario, the boss's home computer was compromised by the
Blaster worm and luckily for me, he was on vacation in Germany at the
time.  If he wasn't, he most assuredly would have made a VPN
connection and the lovely Blaster worm would have gotten through our
defenses.  Keep in mind, I had applied the MS patch to our servers and
workstations, however, it would have still gotten "inside".  How can I
redesign my network to either firewall the VPN connections or at a
minimum filter them?

Thanx for your opinions in advance!

Christopher J. Joles
Chief Information Officer

PROTEA Behavioral Health Services
187 Exchange St.
Bangor, ME 04401
Phone: (207)992-7010 Ext: 245  Fax:(207)992-7011



---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Federal, September 29-30 (Training),
October 1-2 (Briefings) in Tysons Corner, VA; the world's premier
technical IT security event.  Modeled after the famous Black Hat event in
Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.
Symantec is the Diamond sponsor.  Early-bird registration ends September 6.
Visit us: www.blackhat.com
---------------------------------------------------------------------------
