Firewall Wizards mailing list archives

RE: Remote access problem


From: "Gautier . Rich" <RGautier () drc com>
Date: Thu, 3 Oct 2002 11:15:47 -0400

Sounds to me like you need to put your foot down.  Too often, the reason
for the DMZ is bypassed because of a business need.  People need to
understand that security is a business need too.  When you open a VPN to
someone, you have to be able to trust their security.  If you can't
trust the other endpoint to have the same security standards that you
have, or if you can't trust the endpoint itself (contracting
competitor!), you shouldn't be opening a hole through your protections.


  You can mitigate the risk partly with end-point VPN connections on the
desktops themselves, but this still leaves any open holes on those
desktops as a vulnerability they can use to try to infiltrate your
network.

  You weren't very specific about the requirements, but I'm sure we
might have some suggestions, if you could give us some specifics (i.e.
what type of authentication needs to pass, what types of protocols
you're talking, etc.)

  But in the end, I think you've a battle on your hands.  As firewall,
nay, as SECURITY admins, our responsibility is to protect the network,
and allowing a VPN'd user to infect your network with today's virus
because he had a 'business need' to connect to something, or because he
is inconvenienced, does not sound like something you want to happen.

Rich Gautier
Dynamics Research Corp
Personal Website - http://rgautier.tripod.com
Attachment is Public Key for the sender: rgautier () drc com


-----Original Message-----
From: James X [mailto:scouser () paradise net nz]
Sent: Thursday, October 03, 2002 6:12 AM
To: 'firewall-wizards () honor icsalabs com'
Subject: [fw-wiz] Remote access problem


I need ideas for solving a remote access issue.

Problem:
Users in my organisation require a connection to an application running
on a server in a second organisation.
The solution they came up with was an IPSec tunnel terminating on a PIX
box at their end and the PCs of the users in my organisation.

My issues:
The tunnel terminates inside my network, therefore I have no way of
filtering the traffic in the tunnel. They will be using a Cisco VPN
client.
Users need to be able to communicate with my network while the tunnel is
up so I can't just cut them off while they use this facility.
The second organisation requires the users to authenticate with their
server, so I can't just put up a gateway - gateway solution.
Any suggestions would be welcome.


To add the cream to the cake the timeframe is very tight, in fact they
only thought my team (network security) might be interested a few weeks
before they planned to test this !! (when will people realise that
security concerns are best dealt with during design !)



_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


