Firewall Wizards mailing list archives

RE: Cisco VPN Client "Stateful Firewall (Always On)"


From: "Melson, Paul" <PMelson () sequoianet com>
Date: Wed, 2 Jul 2003 08:32:43 -0400

If your users will be connecting back to your network via client VPN, then a Cisco 3000 series VPN Concentrator can 
enforce that that (or another supported) stateful firewall be enabled on the client in order to successfully connect.  
If you want a higher degree of control over these clients, look into ZoneLabs Integrity.  It can integrate with a Cisco 
VPN Concentrator or be a stand-alone solution.  It lets you create a policy for desktop firewalls, including what 
applications are allowed to make outbound connections, and aggregates log data in a single location.  It can also be 
configured so that users cannot disable it.  There are similar products available from other vendors, but I couldn't 
tell you the specifics.  I do know that the new Cisco VPN Client supports Sygate Personal Firewall as well, so perhaps 
the Sygate Secure Enterprise product is something you may wish to consider as well.

PaulM


 -----Original Message-----
  Basically, as I understand it, this feature allows all outbound
connections while active, and all inbound connections originally established
from the inside.  However, it would block all inbound connections
established from the outside.  This would be similar to a PIX with no access
lists configured.  This feature is not configurable according to Cisco's web
site.

  My concern is that, because this is not configurable, there will be times
that the user will need to switch it off.  Our desktop group believes this
is a workable solution if they simply script something to push a registry or
INI file entry to force it back on.  I'm concerned that we're missing
something here and are opening ourselves up to a potential problem.
Unfortunately, I'm afraid this decision may get made before this email has
time to gather replies, but any help, info, arguments you all can provide
would be greatly appreciated.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
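
The filtering behaviour described in the quoted message, as an added example that is not part of the original thread and is not Cisco's implementation: a simplified connection-tracking model that allows all outbound traffic, allows inbound traffic only when it answers a tracked outbound flow, and shows what changes once the filter is switched off. The class name, the addresses and ports are constructed for illustration, and the model assumes 5-tuple matching only (no TCP flag tracking or state timeouts).

```python
from typing import NamedTuple


class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class StatefulFilter:
    """Hypothetical model: allow all outbound, inbound only for tracked flows."""

    def __init__(self, local_ip: str, enabled: bool = True):
        self.local_ip = local_ip
        self.enabled = enabled
        self.state = set()  # flows the local host has initiated

    def check(self, pkt: Packet) -> str:
        if not self.enabled:
            # Filter switched off by the user: nothing is inspected.
            return "allow"
        if pkt.src == self.local_ip:
            # Outbound is always permitted; remember the flow.
            self.state.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        # Inbound is permitted only if it is the reverse of a tracked flow.
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "allow" if reverse in self.state else "block"


def demo() -> list:
    fw = StatefulFilter("10.0.0.5")  # constructed client address
    results = [
        fw.check(Packet("10.0.0.5", 40000, "192.0.2.10", 443)),    # outbound
        fw.check(Packet("192.0.2.10", 443, "10.0.0.5", 40000)),    # reply to it
        fw.check(Packet("198.51.100.7", 51000, "10.0.0.5", 445)),  # unsolicited
        fw.check(Packet("192.0.2.10", 443, "10.0.0.5", 40001)),    # known peer, no matching flow
    ]
    fw.enabled = False  # user disables the firewall until a script re-enables it
    results.append(fw.check(Packet("198.51.100.7", 51000, "10.0.0.5", 445)))
    return results


if __name__ == "__main__":
    print(demo())
```

The last result is the window the original poster is concerned about: between the user switching the filter off and a script forcing it back on, unsolicited inbound connections are no longer blocked.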

