Firewall Wizards mailing list archives

RE: worm + VPN + firewall


From: "Ames, Neil" <NAmes () anteon com>
Date: Fri, 15 Aug 2003 09:49:54 -0400

Morty,
        I agree, but I see some bigger problems.  Are you hoping to protect from all VPNs, to include SSL?  What about
other avenues for infection?  A mobile user who traverses the perimeter with an infected machine is the equivalent
problem.  You need absolute policy compliance or absolute control of the network for that kind of protection.  Kind of
hard.  That's why the AV vendors are coming out with pretty good host-based firewalls tacked right onto the AV utility.
That's why Microsoft made a point of telling their customers, in the reaction to Blaster, to look into filtering by
ports on every host.  I *do* look forward to some juicy VPN infection stories, but to bolster the greater security
arguments, not just firewalling VPN end-points (with which I agree).


Thank you,

Fritz

-----Original Message-----
From: Mordechai T. Abzug [mailto:morty () frakir org]
Sent: Wednesday, August 13, 2003 7:30 PM
To: firewall-wizards () nfr com
Subject: [fw-wiz] worm + VPN + firewall



Has anyone had a user's external Blasterized system that VPNd past a
firewall and compromised an internal network?  It would be nice to
have concrete examples for the "VPNs should terminate outside
firewalls" argument.

- Morty
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards