Security Basics mailing list archives
RE: Risk from VPN client connections from enterprise network
From: "Mehmet Buyukozer" <mbuyukozer () gmx co uk>
Date: Wed, 10 May 2006 03:42:36 -0500
Hi Dan,
- once the tunnel is established, we'll be unable to audit or control what traffic flows across our perimeter within it
Since your host is establishing a client-to-site connection, you will not have control over the data flowing through it. Your host will be assigned another logical IP address to connect to the site, meaning it will act as a node in the other site's network. However, since your host will not have the routing option set (in the Windows registry), and even if it has the routing option set, since you will not have that subnet in use on your local network, that will not lead to a direct threat to your local network. Of course, if someone else on the other side has access to the remote desktop of your host, then he will have direct access to your local network.
- from the perspective of the provider's server does our workstation look like any other locally connected host? and from the workstation perspective, does the server look like it's locally connected?
Yes, it's both ways.
- can that server then initiate new connections to our workstation?
The server can initiate new connections as long as the tunnel is up. But in your case, they are asking for static NAT, which changes the scenario. I'm not sure if the Windows XP VPN client is capable of opening a VPN connection when requested from the other side. You may check this on the Microsoft Support website.
- can the server be used as a gateway from their network into our workstation?
Yes. Since your host will get the same IP address as the other nodes, if the firewall lets them connect, they should be able to connect to your host.
How can we control these risks? Could the local Windows XP host firewall be used to control traffic inbound through the tunnel?
For the VPN connection, you will have another connection in your host's network configuration. I believe you should be able to configure the Windows XP firewall, but it's very well known that the XP firewall is very awkward. You may try to install a host firewall to let only specific ports be accessible by them while the rest are not.
In order to accommodate this VPN we must provide a static NAT (one-to-one) for the server to establish a return connection.
I believe you should talk with them so that they do not ask for this option.
How would you deal with this?
If you have the required licenses for your Checkpoint firewall, it'd be best to establish this VPN connection between sites. You could set up rules that let only granted ports be accessible. That's the only option I can think of right now. I'd suggest you send this email to the Checkpoint Firewall-1 mailing list (http://www.checkpoint.com/services/mailing.html) too. There are many firewall administrators over there, and they are dealing with VPN problems nearly every day, so you might get better suggestions from them. Hope this helps.
Regards
Mehmet
http://www.sonofnights.com
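Added example (not from Mehmet's post): the routing point above, turned into a check a defender can run on the workstation. It parses the IPv4 route table in the layout `route print` shows on Windows XP, assumes the address the VPN client was assigned is known, and flags the two conditions the reply singles out as the real exposure: a remote subnet that collides with a local one, and a default route pushed over the tunnel. The route tables below are constructed samples.

```python
import ipaddress

# Constructed samples in the layout of the IPv4 route table that `route print`
# shows on Windows XP (destination, netmask, gateway, interface, metric).
# Split tunnel: LAN 192.168.1.0/24 on 192.168.1.50, provider VPN assigned 10.20.30.7.
SPLIT_TUNNEL = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.1.1    192.168.1.50     20
        127.0.0.0        255.0.0.0       127.0.0.1       127.0.0.1      1
      192.168.1.0    255.255.255.0    192.168.1.50    192.168.1.50     20
       10.20.30.0    255.255.255.0      10.20.30.7      10.20.30.7      1
"""
# Worst case (constructed): the VPN assigned 192.168.1.200 out of a subnet that
# collides with the local LAN and also pushed a default route over the tunnel.
FULL_TUNNEL = """\
          0.0.0.0          0.0.0.0   192.168.1.201   192.168.1.200      1
      192.168.1.0    255.255.255.0    192.168.1.50    192.168.1.50     20
      192.168.1.0    255.255.255.0   192.168.1.200   192.168.1.200      1
"""

def parse_routes(text):
    """Return (destination network, gateway, interface address, metric) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            dest = ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)
            gw, iface = ipaddress.ip_address(parts[2]), ipaddress.ip_address(parts[3])
        except ValueError:
            continue  # header line or anything else that is not a route
        routes.append((dest, gw, iface, int(parts[4])))
    return routes

def assess_vpn_routes(route_text, vpn_addr):
    """Return findings for a client-to-site tunnel whose adapter holds vpn_addr."""
    vpn_ip = ipaddress.ip_address(vpn_addr)
    routes = parse_routes(route_text)
    remote = [d for d, _, i, _ in routes if i == vpn_ip and 0 < d.prefixlen < 32]
    local = [d for d, _, i, _ in routes
             if i != vpn_ip and not d.is_loopback and 0 < d.prefixlen < 32]
    findings = []
    for r in remote:
        for l in local:
            if r.overlaps(l):
                findings.append(f"remote subnet {r} overlaps local subnet {l}")
    for dest, gw, iface, _ in routes:
        if dest.prefixlen == 0 and iface == vpn_ip:
            findings.append(f"default route sent through the tunnel via {gw}")
    return findings
```

An empty result means the tunnel only adds a disjoint remote subnet, which is the situation the reply describes as not being a direct threat to the local network.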