Security Basics mailing list archives

RE: Risk from VPN client connections from enterprise network


From: "Mehmet Buyukozer" <mbuyukozer () gmx co uk>
Date: Wed, 10 May 2006 03:42:36 -0500

Hi Dan,

- once the tunnel is established, we'll be unable to audit or control
what traffic flows across our perimeter within it

Since your host is establishing a client-to-site connection, you will not have
control over the data flowing through it. Your host will be assigned another
logical IP address to connect to the site, meaning it will act as a node in
the other site's network. However, since your host will not have the routing
option set (in the Windows registry), and even if it has the routing option set,
since you will not have that subnet in use on your local network, that will
not lead to a direct threat for your local network. Of course, if someone
else on the other side has access to the remote desktop of your host, then
he will have direct access to your local network.

- from the perspective of the provider's server does our workstation
look like any other locally connected host? and from the workstation
perspective, does the server look like it's locally connected?

Yes, it's both ways.

- can that server then initiate new connections to our workstation?

The server can initiate new connections as long as the tunnel is up. But in your
case, they are asking for static NAT, which changes the scenario. I'm not
sure if the Windows XP VPN client is capable of opening a VPN connection when
requested from the other side. You may check this on the Microsoft Support
website.

- can the server be used as a gateway from their network into our
workstation?

Yes. Since your host will get the same IP address as the other nodes, if the
firewall lets them connect, they should be able to connect to your host.

How can we control these risks? Could the local Windows XP host
firewall be used to control traffic inbound through the tunnel?

For the VPN connection, you will have another connection in your host's
network configuration. I believe you should be able to configure the Windows
XP firewall, but it's very well known that the XP firewall is very awkward. You
may try to install a host firewall to allow only specific ports to be accessible
to them while the rest are not.

In order to accomodate this VPN we must provide a static NAT
(one-to-one) for the server to establish a return connection.

I believe you should talk with them not to ask for this option.

How would you deal with this?

If you have the required licenses for your Checkpoint firewall, it'd be best to
establish this VPN connection between sites. You could set up rules that
will allow only granted ports to be accessible. That's the only option I can
think of right now.

I'd suggest you send this email to the Checkpoint Firewall-1 mailing list
(http://www.checkpoint.com/services/mailing.html) too. There are many firewall
administrators over there, and they are dealing with VPN problems nearly every
day, so you might get better suggestions from them.

Hope this helps.
Regards

Mehmet
http://www.sonofnights.com
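The host-side controls the reply discusses (checking that the XP host does not route between the tunnel and the LAN, and using the built-in firewall to expose only one port to the provider's server) written out as an added example; this is not from the thread, and the RAS connection name "Provider VPN", the server address 203.0.113.10 and port 443 are placeholders.

```batch
@echo off
rem Added example (not from the mailing list): limit what the provider's side
rem can reach through a Windows XP SP2 client-to-site VPN tunnel.
rem "Provider VPN", 203.0.113.10 and port 443 are placeholders.

rem 1. Confirm the host is not forwarding between the tunnel and the LAN.
rem    IPEnableRouter should be 0 (or absent); a value of 1 means the host
rem    routes packets between its interfaces.
reg query HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v IPEnableRouter

rem 2. Turn the firewall on for all profiles with every exception closed.
rem    On XP the exception list is global, so this also closes the LAN side;
rem    reopen only what the LAN genuinely needs afterwards.
netsh firewall set opmode mode=ENABLE exceptions=DISABLE profile=ALL

rem 3. Make sure filtering is enabled on the VPN adapter itself.
netsh firewall set opmode mode=ENABLE interface="Provider VPN"

rem 4. Open only the single port the provider's server needs for its return
rem    connection, and only from that server's address (scope=CUSTOM).
netsh firewall add portopening protocol=TCP port=443 name="Provider return" mode=ENABLE scope=CUSTOM addresses=203.0.113.10 profile=ALL

rem 5. Review the resulting policy and the route table while the tunnel is up,
rem    looking for any route that would carry the remote subnet toward the LAN.
netsh firewall show config
route print
```

The exception list being global on XP is the awkwardness the reply alludes to; a third-party host firewall that filters per interface avoids having to close the LAN side to close the tunnel side.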

