Security Basics mailing list archives
Risk from VPN client connections from enterprise network
From: "Dan Lynch" <dan.lynch () placer ca gov>
Date: Mon, 08 May 2006 09:21:16 -0700
Greetings list,

My area of expertise is *not* VPN technologies, yet I need to understand the risks associated with the following. Any help you can offer is greatly appreciated.

Our enterprise network is behind a Checkpoint firewall which performs address translation on outbound traffic to the internet. The NAT we use is (in Checkpoint language) "hide NAT", aka many-to-one or port address translation.

An outside provider offers a service on an internet-connected server, accessible by PPTP VPN connection. Our users are being asked to configure the Windows XP VPN client to connect to the server. The VPN tunnel would extend from the desktop workstation, across one internal firewall, through a DMZ network, then across an external firewall which performs NAT, and out across the internet to the provider's site.

(BTW, for the provider in question, a separate point-to-point connection exists from another leg of our private network. This VPN connection would not use that established link. But when monitoring that link, I see characteristically internet traffic: port scans from hosts in Korea, SQL-Slammer from Ukraine, etc. There are obviously few protections on their network.)

My concerns are these:

- once the tunnel is established, we'll be unable to audit or control what traffic flows across our perimeter within it
- from the perspective of the provider's server, does our workstation look like any other locally connected host? And from the workstation perspective, does the server look like it's locally connected?
- can that server then initiate new connections to our workstation?
- can the server be used as a gateway from their network into our workstation?

How can we control these risks? Could the local Windows XP host firewall be used to control traffic inbound through the tunnel? In order to accommodate this VPN we must provide a static NAT (one-to-one) for the server to establish a return connection.

I'm not terribly comfortable exposing our workstation to the internet in that way. Nor am I comfortable with my ignorance about the risks associated with the VPN client. How would you deal with this?

Thanks,

Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA

It is often easier to not do something dumb than it is to do something smart. -- Marcus Ranum
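As an added example that is not part of the original post, the following batch script shows one way to use the Windows XP SP2 built-in firewall (via `netsh firewall`) to refuse inbound connections arriving through the PPTP tunnel and to log what gets dropped, since the perimeter firewall cannot see inside the tunnel. The VPN connection name and the log path are assumptions; substitute the name shown under Network Connections on the workstation.

```batch
@echo off
rem Added example (not from the original post): harden the XP SP2 firewall on
rem the workstation so the provider's server cannot initiate connections back
rem through the PPTP tunnel, and record any attempts for audit.

rem Assumed name of the dial-up/VPN connection as it appears in Network
rem Connections; change it to match the actual entry.
set VPNIF=Provider PPTP

rem Enable the firewall for every profile (domain and standard) and disable
rem all inbound exceptions, so nothing listening on the workstation is
rem reachable from the tunnel or from the LAN.
netsh firewall set opmode mode=ENABLE exceptions=DISABLE profile=ALL

rem XP treats each dial-up/VPN connection as its own interface; make sure the
rem firewall is explicitly enabled on the tunnel interface as well.
netsh firewall set opmode mode=ENABLE interface="%VPNIF%"

rem Log dropped packets and successful connections. Inbound attempts from the
rem provider's network will show up here as DROP entries on the tunnel
rem address, which is the only audit trail the perimeter cannot provide.
netsh firewall set logging filelocation="%SystemRoot%\pfirewall.log" maxfilesize=4096 droppedpackets=ENABLE connections=ENABLE

rem Show the resulting configuration so the state can be verified before the
rem user brings the tunnel up.
netsh firewall show config
netsh firewall show logging
```

Note that the workstation is still a routable host inside the tunnel, so this only limits what the remote side can reach; it does not give the perimeter any visibility into outbound traffic the tunnel carries.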