Security Basics mailing list archives
Re: How secure is VPN access?
From: Jimi Thompson <jimi.thompson () gmail com>
Date: Thu, 18 Nov 2004 22:43:03 -0600
This is definitely a legitimate concern. However, many of the newer commercial VPN clients come with a "policy enforcement" add-on specifically to address this. What this does is check your OS patch levels to be sure they are current and that the OS version is acceptable. For example, we don't allow Windows 95 or 98. It also checks to see if the antivirus software is 1) installed 2) the correct version 3) active 4) has updates no older than <fill in # of days that makes you feel warm and fuzzy> and 5) has scanned the machine within an appropriate time frame. The list of things that must be "acceptable" is quite long.

My advice is that you should continue to allow your home users to use VPN. HOWEVER, you should shift as many services to web based applications as possible. You should also be handing out a free copy of AV software to your employees to be installed on the machine along with your new policy-based VPN client. You may also wish to have them install some patch management software so that you can force updates to the OS and upgrades to the antivirus software remotely when they connect via VPN.

In addition, laptops don't alleviate the issue. They worsen it. Now you have users that aren't just using the computer at home. They go up to the public library. They go to Starbucks. They go to the apartment complex pool and use the wireless there. Now, instead of only being exposed to whatever's on their cable modem segment like a static computer, they're mobile now so they end up exposed to an order of magnitude more nasty little critters. I know because I work for a University with a large wireless network. I've seen what floats around out there. The really lovely part is that once they're done gathering up every virus, downloading every Trojan, and installing every back door and piece of spyware known to man, they're going to bring that in to the office, sans the policy based VPN client, and plug straight in to the wall socket. That's what laptops do for you.

Prime example, we had one laptop user who returned from a rambling trip abroad. He came to the Help Desk because his computer "was really slow". He'd picked up 746 different viruses over the course of the summer and mostly from using dial up access in various hotels in Europe and Asia. Oddly, right after this (like 5 minutes later), we had an extreme virus outbreak that took down a portion of one of our network segments. It seems that the 746 viruses that laptop was carrying weren't content to live on his hard drive and squabble amongst themselves. Since his laptop was slow, he decided to forgo his wireless card and use the cable from his computer to plug in his on board NIC.

On Thu, 18 Nov 2004 00:11:58 -0500, dave kleiman <dave () isecureu com> wrote:
Cesar,

Would you allow a user to bring their home computer to the office, and just hand them an IP and allow them full network access? Do your users have access to network resources through the VPN? They can spread viruses, Trojans etc. to the network from the VPN.

No, you definitely should not let home computers access the VPN, you should have complete control of the systems that do access via VPN and keep them up-to-date, etc.

Citrix is a different story, as long as you restrict drive and port redirection, it can be a "better-controlled" situation.

______________________________________
Dave Kleiman, CISSP, CISM, CIFI, MCSE
www.SecurityBreachResponse.com

-----Original Message-----
From: Cesar Diaz [mailto:cdiaz00 () gmail com]
Sent: Wednesday, November 17, 2004 11:39
To: security-basics () securityfocus com
Subject: How secure is VPN access?

List,

After years of having VPN access for our remote users without a single known security incident, my boss and I have to justify to her boss why VPN is secure. The CIO wants us to only allow users to access the network from company laptops, not from their own home computers. We currently will allow users to install the VPN client software on their home computers to connect remotely, or they can use Citrix through SSL access to get to network resources.

His concern is that if a user's home PC is compromised, that compromise can spread to our network. Is this a legitimate concern? Can anyone point me in the direction of some documentation backing either argument?

Thanks in advance for any help.

C

-- Thanks, Jimi
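
The "policy enforcement" checks listed in the reply above (OS version, patch level, and the five antivirus conditions) can be sketched as a gateway-side decision function. This is an added example, not part of the original thread and not any vendor's client; the report field names, the AV version floor and the age limits are assumptions, and only the Windows 95/98 rule comes from the post.

```python
from datetime import datetime, timedelta

# Constructed policy: the post only fixes the Windows 95/98 rule; the version
# floor and the age thresholds below are assumptions.
POLICY = {
    "blocked_os": {"Windows 95", "Windows 98"},
    "min_av_version": (9, 0),
    "max_signature_age": timedelta(days=7),
    "max_scan_age": timedelta(days=14),
}

def evaluate_posture(report, now, policy=POLICY):
    """Return (admit, reasons); a missing or malformed field fails closed."""
    reasons = []
    def field(key, kind):
        value = report.get(key)
        if not isinstance(value, kind):
            reasons.append(f"{key}: missing or malformed")
            return None
        return value

    def fresh(key, limit):
        stamp = field(key, datetime)
        if stamp is not None and stamp > now:  # future dates cannot be trusted
            reasons.append(f"{key}: dated in the future")
        elif stamp is not None and now - stamp > limit:
            reasons.append(f"{key}: older than {limit.days} days")

    os_name = field("os", str)
    if os_name in policy["blocked_os"]:
        reasons.append(f"os: {os_name} is not an accepted version")
    if field("os_patches_current", bool) is False:
        reasons.append("os_patches_current: patches are not current")
    if field("av_installed", bool) is False:
        reasons.append("av_installed: no antivirus present")
    version = field("av_version", tuple)
    if version is not None and version < policy["min_av_version"]:
        reasons.append("av_version: below required version")
    if field("av_active", bool) is False:
        reasons.append("av_active: antivirus is not running")
    fresh("av_signature_date", policy["max_signature_age"])
    fresh("av_last_scan", policy["max_scan_age"])
    return (not reasons, reasons)

# Constructed sample: AV running, signatures 40 days old, no scan date reported.
NOW = datetime(2004, 11, 18)
SAMPLE = {"os": "Windows XP", "os_patches_current": True, "av_installed": True,
          "av_version": (9, 2), "av_active": True,
          "av_signature_date": NOW - timedelta(days=40)}
```

A report that omits a field is refused rather than waved through, so a client that cannot or will not report its scan date is treated the same as one that never scanned.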