Firewall Wizards mailing list archives

RE: VPN for *DSL/CableModem Users


From: "Starkey, Kyle" <Kyle.Starkey () msdw com>
Date: Fri, 18 Aug 2000 08:56:54 -0700

Mike,
I believe that if you are using Checkpoint version 4.1 with SecureRemote you can
"push" policy to the remote client while connected to them.  This protects
you from an attacker using your users as a transit resource into your
network. This unfortunately does not help you out with Trojans already
planted on the user's system; it only helps against attacks during the VPN
session.  I have not seen this work, but this is what I was told by some
unbiased individuals. The second thing you can do is to bring the idle
timeout down; this alleviates the problem of users setting up a dial-up
connection and then, while at work, using it to go back out... kinda lame I know,
but on something like this layers of protection are your only resource, and
being annoying and dropping the connection after 30 seconds might stop some
unmotivated individuals.

Lastly, you can allow only tunnels sourced from the client to the host
and not the other way around; again, this stops your users from getting a
tunnel created back to their house so that they can get to Napster or
whatever...  Unfortunately, your last line of defense from internal attacks
is your corporate security policy.  If you make
sure to be a real fascist when it comes to this then people will get the
hint that running Napster in the office is an offense for which they might
get fired.  This should stop your low-end users from being annoying....


-Kyle
-----Original Message-----
From: Michael C. Ibarra [mailto:ibarra () hawk com]
Sent: Thursday, August 17, 2000 2:15 PM
To: firewall-wizards () nfr net
Subject: [fw-wiz] VPN for *DSL/CableModem Users


Hello:

 I've been asked to perform the horrible task of allowing
 remote/home internet connections into a corporate LAN.
 The firewalls in question are a FW-1 and IPFilter (separate
 machines) combo. The pipe decided upon was either DSL or
 cable modems, based of course on availability. The present
 method is an ISDN/SecurID/dialback method. The present
 corporate policy allows no inbound traffic from the internet
 and allows limited outbound connections, mainly http.
 My feeling is that users, unable to reach their AOL/Napster/
 whatever type of services, could place a modem into these home
 PCs, corporate owned but that doesn't matter, making that
 box an insecure gateway or transfer point for a virus to the
 corporate network. VPNs IMO would do little to protect a
 machine which has a greater chance of becoming compromised,
 besides breaking corporate security policy, since all non-VPN
 connections would probably allow those same services not
 normally allowed in the office. My question, and thank you
 for reading this far, is what VPN software and/or hardware
 is recommended and what can be done to enforce the present
 corporate policy (aside from asking users to sign an agreement).

Thank you all,

-mike


 The information contained in this message is not necessarily the opinion of Hawk Technologies, Inc.


_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards

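Two of the controls Kyle recommends, letting only the remote client open connections toward the office and dropping sessions that go idle, can be modelled as a small stateful filter. The code below is an added illustration for readers of the archive, not configuration for FW-1, SecureRemote or IPFilter and not anything posted in the thread; the client pool, office LAN, permitted ports and the 30-second timeout are all constructed assumptions, and the packet sequence in `run_demo()` is made up to exercise each rule.

```python
"""Stateful-filter model of two controls discussed in this thread: only the
remote VPN client may open connections toward the office (never the office
side toward the client), and sessions that go idle are dropped after a short
timeout. Illustrative code added to the archive, not FW-1 or IPFilter
configuration; every address, port and timeout below is a constructed
assumption."""
from dataclasses import dataclass, field
import ipaddress

CLIENT_POOL = ipaddress.ip_network("10.200.0.0/24")  # assumed VPN client addresses
OFFICE_LAN = ipaddress.ip_network("10.10.0.0/16")     # assumed corporate LAN
ALLOWED_PORTS = {25, 80, 110, 443}                    # assumed permitted services


@dataclass(frozen=True)
class Flow:
    """One direction of a TCP flow: (src, sport) -> (dst, dport)."""
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        """The reply direction of this flow."""
        return Flow(self.dst, self.dport, self.src, self.sport)


@dataclass
class TunnelFilter:
    idle_timeout: float = 30.0                  # seconds; Kyle's aggressive example
    state: dict = field(default_factory=dict)   # client->office Flow -> last seen

    def _expire(self, now: float) -> None:
        """Forget every session idle longer than the timeout."""
        stale = [f for f, last in self.state.items() if now - last > self.idle_timeout]
        for f in stale:
            del self.state[f]

    def check(self, flow: Flow, now: float, syn: bool) -> str:
        """Decide 'pass' or 'drop' for one packet of `flow` seen at time `now`.
        `syn` is True for a connection-opening packet."""
        self._expire(now)
        # Packets of a live session pass in either direction and refresh its timer.
        for key in (flow, flow.reverse()):
            if key in self.state:
                self.state[key] = now
                return "pass"
        if not syn:
            return "drop"  # mid-stream packet with no state: timed out or forged
        src = ipaddress.ip_address(flow.src)
        dst = ipaddress.ip_address(flow.dst)
        if src in CLIENT_POOL and dst in OFFICE_LAN and flow.dport in ALLOWED_PORTS:
            self.state[flow] = now
            return "pass"
        # Anything else, including the office side opening a tunnel back to
        # the client's house, is refused.
        return "drop"


def run_demo() -> list:
    """Replay a constructed packet sequence and return the filter's decisions."""
    f = TunnelFilter(idle_timeout=30.0)
    web = Flow("10.200.0.5", 51000, "10.10.1.20", 443)
    return [
        f.check(web, 0.0, syn=True),                # client opens HTTPS to office
        f.check(web.reverse(), 1.0, syn=False),     # server reply on that session
        f.check(Flow("10.10.1.20", 4000, "10.200.0.5", 6699), 2.0, syn=True),   # office -> client
        f.check(Flow("10.200.0.5", 51001, "10.10.1.20", 6699), 3.0, syn=True),  # non-allowed port
        f.check(web, 40.0, syn=False),              # 39 s idle: state gone
    ]


if __name__ == "__main__":
    print(run_demo())  # ['pass', 'pass', 'drop', 'drop', 'drop']
```

The third decision is the one that matters for the "transit resource" worry in the thread: a connection initiated from the office network toward the client's home machine never creates state, so nothing on the LAN can be reached back through the tunnel except as a reply to a session the client opened. The last decision shows the idle timeout doing its job; a real filter would also need the same refresh on the reply direction, which is why `check` looks up both `flow` and `flow.reverse()`.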

