RE: How secure is VPN access?

["David Gillett" <gillettdavid () fhda edu>]

  Yes, it's legitimate.

  Many companies terminate their VPNs directly on the internal network.
A better practice is to terminate in a DMZ, so that traffic between VPN
clients and the secured network is filtered through a firewall and/or
IDS.

  Some VPNs can be configured to allow "split tunnelling", where the
remote client only uses the tunnel for traffic to/from the secured
network, and doesn't use the tunnel for other Internet traffic.  Although
this makes efficient use of bandwidth, it opens up the possibility that
a VPN client machine, if compromised, could act as a proxy gateway between
the two, bypassing your other perimeter security measures.  Split
tunnelling,
if available, should be turned off.

  Several recent VPN offerings have begun including facilities to verify
up-to-date antivirus and other security configuration on remote clients
before allowing connection.  I think that this is a good way to address
your CIO's concerns while continuing to provide access for your users.

David Gillett


> -----Original Message-----
> From: Cesar Diaz [mailto:cdiaz00 () gmail com]
> Sent: Wednesday, November 17, 2004 8:39 AM
> To: security-basics () securityfocus com
> Subject: How secure is VPN access?
>
>
> List,
>
> After years of having VPN access for our remote users without a single
> know security incident, my boss and I have to justify to her boss why
> VPN is secure.
>
> The CIO wants us to only allow users to access the network from
> company laptops, not from their own home computers.  We currently will
> allow users to install the VPN client software on their home computers
> to connect remotely, or they can use Citrix through SSL access to get
> to network resources.  His concern is that if a users home PC is
> compromised, that compromise can spread to our network.
>
> Is this a legitimate concern?  Can anyone point me in the direction of
> some documentation backing either argument?
>
> Thanks in advance for any help.
>
> C