RE: VPN's - Firewall's and Security

["David Gillett" <gillettdavid () fhda edu>]

  Agreed.  Those policies would cover you.  The questions
then become:  How do you enforce these policies?  And how do
you ensure that the installed products are correctly configured
and kept up to date?
  (CheckPoint's VPN-1 includes a neat capability to specify a
firewall configuration for clients that is downloaded to the 
client when it connects.  Unfortunately, this config is only
in force while the client is connected to the VPN -- and since
you already have a PIX, buying CheckPoint is probably not an
option.)

David Gillett


> -----Original Message-----
> From: Christopher Joles [mailto:CJoles () proteabhs com]
> Sent: August 26, 2003 10:30
> To: gillettdavid () fhda edu; security-basics () securityfocus com
> Subject: RE: VPN's - Firewall's and Security
>
>
> David
>
> Thanx for your response.  Answers
> 1.  Currently the PIX is doing authentication for the VPNS.  
> I'm not in
> a position to have a separate box doing authentication for the VPN
> connectivity.  So the actual VPN connection is made at the 
> public end of
> the PIX, the pc connecting gets dhcp'd an address (on a 
> separate subnet
> than the internal net) and then it begins.
>
> The only thing that keeps coming to mind, is I have to 
> require any users
> that will VPN in from home to conform to a policy of 1.  Using an
> Antivirus Program of my choice (to conform with our existing antivirus
> policies), 2. Ensure they are using a hardware based firewall or a
> minimum of a software based one.
>
> Anything else that I might possibly do?
>
> Christopher J. Joles
> Chief Information Officer
>
>
> -----Original Message-----
> From: David Gillett [mailto:gillettdavid () fhda edu] 
> Sent: Tuesday, August 26, 2003 12:39 PM
> To: Christopher Joles; security-basics () securityfocus com
> Subject: RE: VPN's - Firewall's and Security
>
>
>   Two-part answer:
>
> 1. The PIX 515 can have up to 6 interfaces; put the VPN server 
> on a fourth interface as a second DMZ, so traffic from VPN 
> clients must
> traverse the PIX to get anywhere else.  [If you have the 515-ER, the
> software is limited to three interfaces.  In that case, put 
> the back end
> of the VPN server on your DMZ -- not as good, but probably 
> good enough.]
>
> 2. You probably have to allow port 135 between VPN clients and the
> internal network, so this would not have done anything to keep blaster
> out.
>
> David Gillett
>
>
> > -----Original Message-----
> > From: Christopher Joles [mailto:CJoles () proteabhs com]
> > Sent: August 26, 2003 08:09
> > To: security-basics () securityfocus com
> > Subject: VPN's - Firewall's and Security
> >
> >
> > Good Day All!
> >
> > I'm looking for design advice.
> >
> > Currently, I have a network that is protected by a Cisco PIX 515 = 
> > firewall.  We have it configured to protect our internal 
> network along
>
> > = with supplying access to our DMZ which holds our email and
> > web servers.
> >
> > My concern arises from the spread of the blaster worm.  
> Currently we =
>
> > give a couple employees (the boss, the CFO and myself) VPN 
> access from
>
> > = home.  In this scenario, the bosses home computer was
> > compromised by the
> > = blaster worm and luckily for me, he was on vacation in 
> > Germany at the
> > = time.  If he wasn't, he most assuridly would have made a VPN
> > connection = and the lovely blaster worm would have gotten 
> through our
> > defenses.  = Keep in mind, I had applied the MS patch to our 
> > servers and
> > = workstations, however, it would have still gotten "inside". 
> >  How can I
> > = redesign my network to either firewall the VPN 
> connections or at a =
> > minimum filter them.
> >
> > Thanx for your opinions in advance!
> >
> > Christopher J. Joles
> > Chief Information Officer
> >
> > PROTEA Behavioral Health Services
> > 187 Exchange St.
> > Bangor, ME 04401
> > Phone: (207)992-7010 Ext: 245  Fax:(207)992-7011
> >
> >
> >
> > --------------------------------------------------------------
> > -------------
> > Attend Black Hat Briefings & Training Federal, September
> > 29-30 (Training), 
> > October 1-2 (Briefings) in Tysons Corner, VA; the world's premier 
> > technical IT security event.  Modeled after the famous Black 
> > Hat event in 
> > Las Vegas! 6 tracks, 12 training sessions, top speakers and 
> > sponsors.  
> > Symantec is the Diamond sponsor.  Early-bird registration 
> > ends September 6.Visit us: www.blackhat.com
> > --------------------------------------------------------------
> > --------------

---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Federal, September 29-30 (Training), 
October 1-2 (Briefings) in Tysons Corner, VA; the world's premier 
technical IT security event.  Modeled after the famous Black Hat event in 
Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.  
Symantec is the Diamond sponsor.  Early-bird registration ends September 6.Visit us: www.blackhat.com
----------------------------------------------------------------------------