Security Basics mailing list archives

Risk from VPN client connections from enterprise network


From: "Dan Lynch" <dan.lynch () placer ca gov>
Date: Mon, 08 May 2006 09:21:16 -0700

Greetings list,

My area of expertise is *not* vpn technologies, yet I need to
understand the risks associated with the following. Any help you can
offer is greatly appreciated. 

Our enterprise network is behind a Checkpoint firewall which performs
address translation on outbound traffic to the internet. The NAT we use
is (in Checkpoint language) "hide NAT", aka many-to-one or port address
translation. An outside provider offers a service on an
internet-connected server, accessible by PPTP VPN connection. Our users
are being asked to configure the Windows XP VPN client to connect to the
server. The VPN tunnel would extend from the desktop workstation, across
one internal firewall, through a DMZ network, then across an external
firewall which performs NAT, and out across the internet to the
provider's site.

(BTW, for the provider in question, a separate point-to-point
connection exists from another leg of our private network. This VPN
connection would not use that established link. But when monitoring that
link, I see characteristically internet traffic: port scans from hosts
in Korea, SQL-Slammer from Ukraine, etc. There are obviously few
protections on their network.)

My concerns are these:
- once the tunnel is established, we'll be unable to audit or control
what traffic flows across our perimeter within it
- from the perspective of the provider's server does our workstation
look like any other locally connected host? and from the workstation
perspective, does the server look like it's locally connected?
- can that server then initiate new connections to our workstation?
- can the server be used as a gateway from their network into our
workstation? 

How can we control these risks? Could the local Windows XP host
firewall be used to control traffic inbound through the tunnel?

In order to accommodate this VPN we must provide a static NAT
(one-to-one) for the server to establish a return connection. I'm not
terribly comfortable exposing our workstation to the internet in that
way. Nor am I comfortable with my ignorance about the risks associated
with the VPN client. 

How would you deal with this?

Thanks,


Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA



It is often easier to not do something dumb than it is to do something
smart.
     -- Marcus Ranum
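One concrete check a defender can run on the workstation before approving a client VPN like the one described above is to read the routing table after the tunnel comes up: if the PPP interface has become the host's preferred default route, every packet the desktop sends (not just traffic for the provider's subnet) leaves the enterprise perimeter inside the tunnel, where the NAT firewall's logging never sees it. On Windows XP that is what the connection's "Use default gateway on remote network" option controls. The script below is an added example, not code from the original post or the list; it parses a constructed `route print` dump (RFC 5737 documentation addresses; the LAN address 10.20.30.55 and the tunnel address 192.0.2.77 are assumptions) and reports whether the tunnel is full or split and which interface would carry a given destination.

```python
"""Inspect a Windows 'route print' dump after a PPTP/VPN client connects.

Question answered: does the tunnel carry only the provider's subnet
(split tunnel), or has it become the workstation's default route
(full tunnel), so that all Internet traffic bypasses the perimeter NAT?
"""
import re
from ipaddress import IPv4Address, IPv4Network

# Constructed sample in the layout Windows XP's 'route print' uses.
# 10.20.30.55 = workstation LAN address (assumed), 192.0.2.77 = address the
# VPN server assigned to the PPP interface (assumed), 203.0.113.10 = the
# VPN server itself, reached via the LAN with a host route.
SAMPLE_ROUTE_PRINT = """\
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     10.20.30.1    10.20.30.55       20
          0.0.0.0          0.0.0.0     192.0.2.77     192.0.2.77        1
       10.20.30.0    255.255.255.0    10.20.30.55    10.20.30.55       20
        192.0.2.0    255.255.255.0     192.0.2.77     192.0.2.77        1
     203.0.113.10  255.255.255.255     10.20.30.1    10.20.30.55       20
        127.0.0.0        255.0.0.0      127.0.0.1       127.0.0.1        1
Default Gateway:     192.0.2.77
===========================================================================
"""

# dest  mask  gateway  interface  metric
ROUTE_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


def parse_active_routes(text):
    """Return the IPv4 routes as dicts: network, gateway, interface, metric."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_LINE.match(line)
        if not m:
            continue  # headers, separators, 'Default Gateway:' line
        dest, mask, gw, iface, metric = m.groups()
        routes.append({
            "network": IPv4Network((dest, mask), strict=False),
            "gateway": IPv4Address(gw),
            "interface": IPv4Address(iface),
            "metric": int(metric),
        })
    return routes


def analyze_tunnel(routes, vpn_if_ip):
    """Classify what the tunnel carries.

    vpn_if_ip is the address the VPN server handed to the client's PPP
    interface; every route whose Interface column equals it is tunneled.
    """
    vpn_if_ip = IPv4Address(vpn_if_ip)
    tunneled = [r for r in routes if r["interface"] == vpn_if_ip]
    defaults = [r for r in routes if r["network"].prefixlen == 0]
    # Windows uses the default route with the lowest metric.
    best_default = min(defaults, key=lambda r: r["metric"]) if defaults else None
    return {
        "full_tunnel": best_default is not None
        and best_default["interface"] == vpn_if_ip,
        "tunneled_networks": sorted(
            str(r["network"]) for r in tunneled if r["network"].prefixlen > 0
        ),
        "default_via": str(best_default["interface"]) if best_default else None,
    }


def route_for(routes, destination):
    """Longest-prefix match, then lowest metric: which interface carries this host?"""
    dest = IPv4Address(destination)
    matching = [r for r in routes if dest in r["network"]]
    if not matching:
        return None
    best = max(matching, key=lambda r: (r["network"].prefixlen, -r["metric"]))
    return str(best["interface"])


if __name__ == "__main__":
    routes = parse_active_routes(SAMPLE_ROUTE_PRINT)
    print(analyze_tunnel(routes, "192.0.2.77"))
    for host in ("192.0.2.10", "198.51.100.5", "10.20.30.99"):
        print(host, "->", route_for(routes, host))
```

In the constructed sample the tunnel's default route wins on metric, so a random Internet host (198.51.100.5) is routed through the PPP interface: that is the full-tunnel case in which the workstation's outbound traffic is no longer visible to the perimeter. Removing the tunnel's 0.0.0.0 entry (what disabling "Use default gateway on remote network" does) turns the same dump into a split tunnel that only carries 192.0.2.0/24. Note that the route to the VPN server itself (203.0.113.10) stays on the LAN interface in both cases; it is the only flow the NAT firewall still sees in the clear, and it consists of TCP 1723 plus GRE, which is why hide NAT alone cannot carry it.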

