Security Basics mailing list archives
RE: VPN's - Firewall's and Security
From: "HOULE, FRANCIS" <francis.houle () bell ca>
Date: Tue, 26 Aug 2003 16:29:45 -0400
Hello Christopher,

Without using extended authentication (RADIUS, TACACS) you cannot apply access-lists to VPN clients. You can do so between two sites using PIXs, but not with VPN clients. What you need to do is use a RADIUS or TACACS server for the VPN clients and push an access-list number when the client connects to the PIX. Specify your matching access-list in the PIX and make sure the command sysopt connection permit-ipsec is not there, so that the traffic goes through your access-lists. If you try to do the same without XAUTH you will not be able to filter your traffic.

The reason why by default you will not be able to go from VPN clients to the DMZ is because no nat 0 statements are defined from this interface to this subnet... It's the only reason. You can use sysopt ipsec pl-compatible to bypass the NAT features and access all subnets around the PIX.

Final solution: use a server for external authentication.

Have any other questions, feel free to ask! :)

--
Francis Houle

-----Original Message-----
From: Christopher Joles [mailto:CJoles () proteabhs com]
Sent: Tuesday, August 26, 2003 1:30 PM
To: gillettdavid () fhda edu; security-basics () securityfocus com
Subject: RE: VPN's - Firewall's and Security

David,

Thanx for your response. Answers:

1. Currently the PIX is doing authentication for the VPNs. I'm not in a position to have a separate box doing authentication for the VPN connectivity. So the actual VPN connection is made at the public end of the PIX, the PC connecting gets DHCP'd an address (on a separate subnet than the internal net) and then it begins.

The only thing that keeps coming to mind is that I have to require any users that will VPN in from home to conform to a policy of: 1. using an antivirus program of my choice (to conform with our existing antivirus policies), 2. ensuring they are using a hardware-based firewall or, at a minimum, a software-based one. Anything else that I might possibly do?

Christopher J. Joles
Chief Information Officer

-----Original Message-----
From: David Gillett [mailto:gillettdavid () fhda edu]
Sent: Tuesday, August 26, 2003 12:39 PM
To: Christopher Joles; security-basics () securityfocus com
Subject: RE: VPN's - Firewall's and Security

Two-part answer:

1. The PIX 515 can have up to 6 interfaces; put the VPN server on a fourth interface as a second DMZ, so traffic from VPN clients must traverse the PIX to get anywhere else. [If you have the 515-ER, the software is limited to three interfaces. In that case, put the back end of the VPN server on your DMZ -- not as good, but probably good enough.]

2. You probably have to allow port 135 between VPN clients and the internal network, so this would not have done anything to keep Blaster out.

David Gillett
-----Original Message-----
From: Christopher Joles [mailto:CJoles () proteabhs com]
Sent: August 26, 2003 08:09
To: security-basics () securityfocus com
Subject: VPN's - Firewall's and Security

Good Day All!

I'm looking for design advice. Currently, I have a network that is protected by a Cisco PIX 515 firewall. We have it configured to protect our internal network along with supplying access to our DMZ, which holds our email and web servers. My concern arises from the spread of the Blaster worm. Currently we give a couple of employees (the boss, the CFO and myself) VPN access from home. In this scenario, the boss's home computer was compromised by the Blaster worm and, luckily for me, he was on vacation in Germany at the time. If he wasn't, he most assuredly would have made a VPN connection and the lovely Blaster worm would have gotten through our defenses. Keep in mind, I had applied the MS patch to our servers and workstations; however, it would have still gotten "inside". How can I redesign my network to either firewall the VPN connections or, at a minimum, filter them? Thanx for your opinions in advance!

Christopher J. Joles
Chief Information Officer
PROTEA Behavioral Health Services
187 Exchange St.
Bangor, ME 04401
Phone: (207)992-7010 Ext: 245
Fax: (207)992-7011

---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Federal, September 29-30 (Training), October 1-2 (Briefings) in Tysons Corner, VA; the world's premier technical IT security event. Modeled after the famous Black Hat event in Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors. Symantec is the Diamond sponsor. Early-bird registration ends September 6. Visit us: www.blackhat.com
---------------------------------------------------------------------------
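The configuration below is an added worked example, written by the editor and not posted by anyone in this thread, showing how the pieces Francis names fit together on a PIX 515 running 6.x software: a VPN client pool on its own subnet (Christopher's setup), the nat 0 identity-NAT entries that let the pool reach the inside and DMZ networks, XAUTH against a RADIUS server, removal of sysopt connection permit-ipsec so decrypted client traffic is checked against the outside interface access-list, and an access-list that permits only the services home users need. Every address, hostname, ACL name, shared secret and the interface layout is assumed for illustration; the real values would come from the network in question. The per-user access-list is applied through the RADIUS Filter-Id attribute carrying the ACL number, which is how the access-list number Francis mentions is "pushed" at connect time.

```cisco
! Added example (not from the thread). PIX 6.x syntax; all addresses,
! names and secrets are assumed placeholders.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

ip address outside 203.0.113.2 255.255.255.248
ip address inside 10.1.0.1 255.255.255.0
ip address dmz 10.2.0.1 255.255.255.0

! VPN client address pool on its own subnet, separate from the inside net
ip local pool VPNPOOL 10.9.0.1-10.9.0.50

! Identity NAT for client traffic. Without the matching nat 0 entry for an
! interface, VPN clients cannot reach that interface's subnet at all
! (Francis's explanation of why the DMZ is unreachable by default).
access-list NONAT permit ip 10.1.0.0 255.255.255.0 10.9.0.0 255.255.255.0
access-list NONAT permit ip 10.2.0.0 255.255.255.0 10.9.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
nat (dmz) 0 access-list NONAT

! External (extended) authentication server for XAUTH. Hypothetical host.
aaa-server VPNAUTH protocol radius
aaa-server VPNAUTH (inside) host 10.1.0.10 SharedSecretHere timeout 10

! Remote-access IPsec: group policy, transform set, dynamic crypto map
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
vpngroup HOMEUSERS address-pool VPNPOOL
vpngroup HOMEUSERS dns-server 10.1.0.10
vpngroup HOMEUSERS default-domain example.org
vpngroup HOMEUSERS password GroupSecretHere
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
crypto dynamic-map DYN 10 set transform-set STRONG
crypto map VPNMAP 10 ipsec-isakmp dynamic DYN
crypto map VPNMAP client authentication VPNAUTH
crypto map VPNMAP client configuration address initiate
crypto map VPNMAP interface outside

! By default decrypted IPsec traffic bypasses the interface access-list.
! Remove that so VPN client traffic is filtered like anything else.
no sysopt connection permit-ipsec

! Outside interface access-list applied to decrypted client traffic.
! First match wins: only the listed services are reachable from the pool.
! Port 135/tcp is deliberately not permitted, which is what a Blaster-style
! worm on a home PC would need; the explicit deny makes the intent visible.
access-list OUTSIDE_IN permit tcp 10.9.0.0 255.255.255.0 host 10.2.0.20 eq smtp
access-list OUTSIDE_IN permit tcp 10.9.0.0 255.255.255.0 host 10.2.0.20 eq 143
access-list OUTSIDE_IN permit tcp 10.9.0.0 255.255.255.0 host 10.1.0.10 eq 445
access-list OUTSIDE_IN permit udp 10.9.0.0 255.255.255.0 host 10.1.0.10 eq domain
access-list OUTSIDE_IN deny tcp 10.9.0.0 255.255.255.0 any eq 135
access-list OUTSIDE_IN deny ip 10.9.0.0 255.255.255.0 any
access-group OUTSIDE_IN in interface outside

! Per-user filtering: the RADIUS server returns Filter-Id (attribute 11)
! with the value "101" for a given user, and this ACL is applied to that
! user's tunnel on top of the interface ACL. Assumed example for one user.
access-list 101 permit tcp 10.9.0.0 255.255.255.0 host 10.1.0.10 eq 445
access-list 101 deny ip any any
```

Two things to check after applying something like this: run `show access-list OUTSIDE_IN` while a client is connected and confirm the hit counts on the deny lines increase when the client tries 135/tcp, which proves the sysopt removal took effect; and confirm with `show crypto ipsec sa` that the client's traffic selectors match the pool subnet, since a client that is still being translated rather than passing through nat 0 will simply fail to reach the DMZ, exactly the symptom Francis describes.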
Current thread:
- VPN's - Firewall's and Security Christopher Joles (Aug 26)
- RE: VPN's - Firewall's and Security David Gillett (Aug 26)
- RE: VPN's - Firewall's and Security Larry Thompson (Aug 27)
- <Possible follow-ups>
- RE: VPN's - Firewall's and Security Christopher Joles (Aug 26)
- RE: VPN's - Firewall's and Security Halverson, Chris (Aug 26)
- RE: VPN's - Firewall's and Security Halverson, Chris (Aug 26)
- RE: VPN's - Firewall's and Security Christopher Joles (Aug 26)
- RE: VPN's - Firewall's and Security David Gillett (Aug 26)
- Looking for security resources for SCO open server Ramneek Puri (Aug 27)
- RE: VPN's - Firewall's and Security HOULE, FRANCIS (Aug 27)
- RE: VPN's - Firewall's and Security David Gillett (Aug 26)