Security Basics mailing list archives

How secure is VPN access?


From: "Hayden Searle" <hayden.searle () safecom co nz>
Date: Fri, 19 Nov 2004 14:13:31 +1300

Hi

The way we work here is there is a firewall after the VPN endpoint so we
can control the ports the VPN users can access. We do not allow file and
print (135, 139, 445 etc) or anything that is not essential. We only
allow access to specific hosts on said specific ports.
To our knowledge this is the most secure way we can do it to prevent the
outbreak of the more prevalent viruses, worms etc on the net.

If your boss is worried about the home PC situation and only the company
laptops can connect... well, most home users have xDSL or cable modems
for the speed of connectivity etc, or use wireless. Not many ISPs
control their systems with tight firewall rules so once the PC is on the
net it can be open to infection or compromise, which is how the things
spread in the first place (ISPs take little to no responsibility for
stopping net-borne viruses and most are only starting to do email
worms/viruses on their mail servers), as well as from the user's home PC as
soon as it gets connected to the home network.

You can make remote access highly secure by only allowing certain groups
of people access to certain machines, but even with a firewall you can't
be 100% secure. The best way of doing it IMO is to have a VPN endpoint
with a firewall inside it, and inside the second firewall have an
IDS/IPS system to check the traffic and block anything malicious that
sneaks through. Also the company could purchase bulk licenses for
antivirus and personal firewalls and supply them to the users who
require remote access to help ensure network security.

Well that's my 2c worth anyway :)

Hayden Searle
Network Security Specialist

-----Original Message-----
From: Cesar Diaz [mailto:cdiaz00 () gmail com] 
Sent: Thursday, 18 November 2004 5:39 a.m.
To: security-basics () securityfocus com
Subject: How secure is VPN access?

List,

After years of having VPN access for our remote users without a single
known security incident, my boss and I have to justify to her boss why
VPN is secure.

The CIO wants us to only allow users to access the network from
company laptops, not from their own home computers.  We currently will
allow users to install the VPN client software on their home computers
to connect remotely, or they can use Citrix through SSL access to get
to network resources.  His concern is that if a user's home PC is
compromised, that compromise can spread to our network.

Is this a legitimate concern?  Can anyone point me in the direction of
some documentation backing either argument?

Thanks in advance for any help.

C
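
The firewall-behind-the-VPN-endpoint setup described in the reply above (specific hosts on specific ports, no file and print), sketched as an added example that is not part of the original thread. The VPN pool, the host addresses and the allowlist are constructed, and the script only prints an iptables-restore ruleset rather than applying it.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Emits an iptables-restore ruleset
# for the firewall that sits behind the VPN endpoint: default deny, then one
# ACCEPT per specific host and port. Nothing is applied; rules go to stdout.

VPN_POOL="10.8.0.0/24"        # assumed VPN client address pool
BLOCKED_PORTS="135 139 445"   # file and print ports named in the post

# Constructed allowlist, one "host proto port" entry per line.
ALLOWLIST="192.0.2.10 tcp 443
192.0.2.25 tcp 25
192.0.2.30 tcp 445
0.0.0.0/0 tcp 80"

gen_vpn_rules() {
  # $1 = allowlist text. Refused entries are reported on stderr.
  printf '%s\n' '*filter' ':FORWARD DROP [0:0]'
  printf '%s\n' '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  while read -r host proto port; do
    [ -n "$host" ] || continue
    case "$host" in
      *[!0-9.]*) echo "refused $host: not a single host address" >&2; continue ;;
    esac
    case "$proto" in
      tcp|udp) ;;
      *) echo "refused $host: protocol '$proto'" >&2; continue ;;
    esac
    case "$port" in
      ''|*[!0-9]*) echo "refused $host: port '$port'" >&2; continue ;;
    esac
    case " $BLOCKED_PORTS " in
      *" $port "*) echo "refused $host: port $port is file and print" >&2; continue ;;
    esac
    printf '%s\n' "-A FORWARD -s $VPN_POOL -d $host/32 -p $proto -m $proto --dport $port -j ACCEPT"
  done <<EOF
$1
EOF
  printf '%s\n' 'COMMIT'
}

gen_vpn_rules "$ALLOWLIST"
```

The generator refuses the 445 entry and the 0.0.0.0/0 entry, so a mistake in the allowlist cannot widen what VPN users reach.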

