Security Basics mailing list archives
RE: SSL VPN's from LAN to WAN
From: "Bill Lavalette" <blavalet () homenet-security com>
Date: Wed, 12 Dec 2007 12:10:15 -0500
S - I would follow this track if it were me. First, I would have a meeting with the manager of the contractors to determine whether there is a business justification for the access to the remote site they are accessing. Second, I would take the strong hand and make it very clear that this was not presented as a need to MIS and that unless there is some type of authorization for this access written and approved, all access to the remote site will be terminated.

If the access is approved and authorized, then I would suggest that you build a safe harbor network and isolate the contracting team to this segment, where they are sandboxed from your production network. This will protect your interests as well as provide them with internet access to the remote site. Any type of collaboration efforts, i.e. "we need to access this or that on your network", can be addressed by a couple of machines that allow access to specific folders and files. This does not stop thumb drives or the like from moving data, but it does at least show that a serious effort on your part was made to safeguard the data. That, coupled with the original written authorization of accepted risk, should keep you in the clear.

The sandbox can be as simple as an access point with a few IPs allocated for visitors needing internet access, on a port on your firewall that is treated as a hostile network. This isolates them, and you can restrict access as you see fit without impacting the normal course of business.

At the very least, I hope this helps or provides some ideas.

Good luck,
Bill

====== HomeNet Security ===========
Bill Lavalette
Network Security Officer
CCSA-CCSE
Crisis Mitigator
ID Theft Prevention Mentor
WWW http://www.homenet-security.com
====================================
Defending The Home LAN

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of fac51
Sent: Tuesday, December 11, 2007 5:09 AM
To: security-basics () securityfocus com
Subject: SSL VPN's from LAN to WAN

Hi All,

I would like some advice on a situation that is new to me. I have just discovered that some contractors that are on our corporate LAN have managed to install (half install) VPN clients that allow them to connect directly back to their LAN (RDP'ing into their desktops etc.). The desktops they are using here are locked down but still allow some VPN functionality. The VPN connects over 443 out of our network, then to their firewall as concentrator.

Implications that I can think of are:

1. All traffic to and from us is encrypted and therefore we cannot monitor.
2. They can see network drives and could be stealing info (although they don't have much access).
3. Any infections at their site could propagate to us (that could happen anyway, I suppose, via email).

My first reaction is one of horror, but am I overreacting? If my worst fears are confirmed I will need to block them. To do this I was thinking of blocking all traffic to and from their firewall; however, apparently some access to remote services is required by other staff.

Help!?!?

kind regards,
S
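
The isolated visitor segment described in the reply above, sketched as an nftables ruleset for a Linux firewall with three interfaces. This is an added example, not part of the original thread or either poster's configuration; the interface names, address ranges, the two collaboration hosts, and the choice of SMB (TCP 445) for the shared folders are all assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example. All names and addresses below are constructed placeholders.
flush ruleset

define wan_if       = "eth0"            # uplink to the internet
define lan_if       = "eth1"            # production LAN
define guest_if     = "eth2"            # contractor / visitor segment
define collab_hosts = { 192.0.2.10, 192.0.2.11 }   # LAN machines exposing shared folders

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        # Guests get DNS and DHCP from the firewall and nothing else,
        # so the firewall's own management services stay unreachable.
        iifname $guest_if udp dport { 53, 67 } accept
        # Assumption: firewall administration happens over SSH from the LAN.
        iifname $lan_if tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept

        # Production LAN reaches the internet as before.
        iifname $lan_if oifname $wan_if accept

        # Guest segment reaches the internet (including the contractors'
        # remote site) without ever transiting the production LAN.
        iifname $guest_if oifname $wan_if accept

        # The only guest-to-LAN path: file access to the collaboration
        # machines, logged so approved use leaves an audit trail.
        iifname $guest_if oifname $lan_if ip daddr $collab_hosts tcp dport 445 log prefix "guest-collab " accept

        # Everything else from the guest segment is treated as hostile.
        iifname $guest_if log prefix "guest-drop " drop
    }
}
```

There is no rule from the LAN into the guest segment, so the isolation holds in both directions; the "guest-drop" log lines show any attempt from the visitor network to reach production hosts outside the approved pair.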