Firewall Wizards mailing list archives
RE: VPN for *DSL/CableModem Users
From: "Robert Purdy" <liteyear () ihug co nz>
Date: Mon, 21 Aug 2000 19:54:14 +1200
I have to agree with Kyle here. Secure Client is your only option. To refute other suggestions posted:

"Have you considered using KSE (formerly CMDS) to monitor input from FW-1..."

There is no point; it will never seem like an attack if the user has a dialup connection to the internet. The computer will act as a router, i.e. the traffic will come from an authenticated host.

"...some VPN software based on IPSec. Windows 2000 actually uses IPSec..."

Again, same argument; the traffic between the user and the company network will be encrypted, but the traffic coming via the modem won't be until the computer acts as a router and encrypts it to the firewall. There is no advantage there.

"...use xxxxx third party product..."

Users have a great knack of disabling or not loading such programs. There is no way to check (that I know of; someone correct me) that when they enter your network the third party product is running. "Oh it crashed so I forgot" or "Oh it stopped ICQ running even when I wasn't connected to the company so I disabled it". Also small 3rd party firewalls have this great "learn" feature; essentially people allow everything and end up defeating the purpose of having a firewall.

Really your only option is to run SecureRemote:

1) You require encryption between user and company network (firewall) - this is standard with SR
2) You require security at the user end (SR is a mini firewall @ the end user's PC; a defined policy is pushed out each time the user connects to the firewall)
3) You need to make sure that it's running; the user has to access the network via SR, no other options

It does have drawbacks:

1) It only comes with 4.1 (CP 2000) and it's an add-on feature which could be expensive. Check to see if you have a maintenance contract with CP; if you do they will upgrade you to 4.1 free of charge.
2) It's new; Checkpoint are pretty good with service packs so it's probably reasonably bullet proof
3) I have only seen it running in the labs; not in real situations

Regards,
Rob Purdy
-----Original Message-----
From: firewall-wizards-admin () nfr net [mailto:firewall-wizards-admin () nfr net] On Behalf Of Starkey, Kyle
Sent: Saturday, 19 August 2000 3:57 a.m.
To: 'Michael C. Ibarra'; firewall-wizards () nfr net
Subject: RE: [fw-wiz] VPN for *DSL/CableModem Users

Mike,

I believe that if you are using Checkpoint vers 4.1 with SecureRemote you can "push" policy to the remote client while connected to them. This protects you from an attacker using your users as a transit resource into your network. This unfortunately does not help you out with Trojans already planted on the user's system; it only helps with attacks during the VPN session. I have not seen this work, but this is what I was told by some unbiased individuals.

The second thing you can do is to bring the idle timeout down. This alleviates the problem of users setting up a dial up connection and then, while at work, using it to go back out... kinda lame I know, but on something like this layers of protection are your only resource, and being annoying and dropping the connection after 30 seconds might stop some unmotivated individuals.

Lastly, you can only allow tunnels sourced from the client to the host and not the other way around; again this stops your users from getting a tunnel created back to their house so that they can get to Napster or whatever... unfortunately your last line of defense from internal attacks is your corporate security policy. If you make sure to be a real fascist when it comes to this then people will get the hint that running Napster in the office is an offense for which they might get fired. This should stop your low end users from being annoying....

-Kyle

-----Original Message-----
From: Michael C. Ibarra [mailto:ibarra () hawk com]
Sent: Thursday, August 17, 2000 2:15 PM
To: firewall-wizards () nfr net
Subject: [fw-wiz] VPN for *DSL/CableModem Users

Hello:

I've been asked to perform the horrible task of allowing remote/home internet connections into a corporate LAN. The firewall/s in question are a FW-1 and IPFilter (separate machines) combo. The pipe decided upon was either DSL or cable modems, based of course on availability. The present method is an ISDN/SecurID/dialback method. The present corporate policy allows no inbound traffic from the internet and allows limited outbound connections, mainly http.

My feeling is that users, unable to reach their AOL/Napster/whatever type of services, could place a modem into these home PCs (corporate owned, but that doesn't matter), making that box an insecure gateway or transfer point for a virus to the corporate network. VPNs IMO would do little to protect a machine which has a greater chance of becoming compromised, besides breaking corporate security policy, since all non-VPN connections would probably allow those same services not normally allowed in the office.

My question, and thank you for reading this far, is what VPN software and/or hardware is recommended and what can be done to enforce the present corporate policy (aside from asking users to sign an agreement).

Thank you all,
-mike

The information contained in this message is not necessarily the opinion of Hawk Technologies, Inc.

_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards