Firewall Wizards mailing list archives
RE: Cisco VPN Client "Stateful Firewall (Always On)"
From: "Melson, Paul" <PMelson () sequoianet com>
Date: Wed, 2 Jul 2003 08:32:43 -0400
If your users will be connecting back to your network via client VPN, then a Cisco 3000 series VPN Concentrator can enforce that that (or another supported) stateful firewall be enabled on the client in order to successfully connect.

If you want a higher degree of control over these clients, look into ZoneLabs Integrity. It can integrate with a Cisco VPN Concentrator or be a stand-alone solution. It lets you create a policy for desktop firewalls, including what applications are allowed to make outbound connections, and aggregates log data in a single location. It can also be configured so that users cannot disable it.

There are similar products available from other vendors, but I couldn't tell you the specifics. I do know that the new Cisco VPN Client supports Sygate Personal Firewall as well, so perhaps the Sygate Secure Enterprise product is something you may wish to consider as well.

PaulM
-----Original Message-----

Basically, as I understand it, this feature allows all outbound connections while active, and all inbound connections originally established from the inside. However, it would block all inbound connections established from the outside. This would be similar to a PIX with no access lists configured. This feature is not configurable according to Cisco's web site.

My concern is that, because this is not configurable, there will be times that the user will need to switch it off. Our desktop group believes this is a workable solution if they simply script something to push a registry or INI file entry to force it back on. I'm concerned that we're missing something here and are opening ourselves up to a potential problem.

Unfortunately, I'm afraid this decision may get made before this email has time to gather replies, but any help, info, arguments you all can provide would be greatly appreciated.