Security Incidents mailing list archives
Re: indirect doorway to network via mobile remote access stations
From: David Pick <D.M.Pick () QMW AC UK>
Date: Fri, 28 Jul 2000 23:10:04 +0100
> When the stations are brought 'on the road', they are used to access the internal network via a VPN. First they must establish a connection with a local ISP, then they connect to our VPN servers. For the entire duration of their 'Internet' connection, they are only protected by anti-virus software. Of course the information travelling on the VPN is (more) secure, but the station itself is vulnerable to network scans and attacks. The anti-virus software cannot help with the scans, and might be of assistance with the copying or executing of known viral content. However, this leaves the stations quite open to 'newer' attacks that may be unknown to the anti-virus software. If the station becomes compromised, information contained within that station, or transacted over the VPN, is not safe.
Absolutely classic problem. The *only* answer is to keep the mobile machines as secure as possible. If you don't, you're in trouble. And a simple malicious applet loaded into your browser is enough to cause trouble.

Possible approaches to dealing with the problem:

1) use a host-based firewall:
   * configured to prohibit *all* traffic except your PPTP tunnel
   * that may not be possible with Windows

2) use an external firewall with the same characteristics:
   * you may be able to use one of the relatively cheap Ethernet-to-ISDN-or-modem boxes now on the market as an external firewall for the laptop; this would enable you to leave the laptop using Ethernet all the time whatever its location and use the external box to bring up the VPN
   * use another laptop running an operating system with decent packet filters to "protect" the Windows machine

3) use a (logical) equivalent of (2) on one laptop:
   * run Linux or FreeBSD or OpenBSD with the firewall software
   * run the Windows environment using either:
     + VMWare (when you run a real copy of Windows in a VM)
     + WINE (when you run a Windows emulator)
   * if using the first, set it up so the (simulated) Ethernet interface in the Windows VM is connected to a simulated Ethernet interface in the **IX VM, so packets have to route through that environment and get filtered

-- 
David Pick
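The "prohibit *all* traffic except your PPTP tunnel" rule from the reply above, worked through as a small packet-filter model. This is an added example, not code from the original thread or from any of the tools it names; it stands in for an ipchains/ipf ruleset so the logic can be exercised offline. The VPN server address, the laptop's dial-up address and the sample packets are all constructed for illustration. The point a practitioner needs to get right is that PPTP is two flows, not one: a TCP control connection to port 1723 plus the tunnelled PPP data carried in GRE (IP protocol 47), which has no ports. A filter written only in terms of TCP/UDP ports drops the GRE and the tunnel never carries data, while also failing to block inbound connection attempts. If the VPN server is referred to by name rather than address, a further exception for DNS to the ISP's resolver would be needed (not modelled here).

```python
"""Default-deny host packet filter that admits only a PPTP tunnel (model).

Added example, not from the original post. Addresses and sample traffic are
constructed; the rules mirror "allow only the PPTP tunnel, drop everything else".
"""
from dataclasses import dataclass
from typing import Optional

VPN_SERVER = "203.0.113.10"      # assumed address of the corporate VPN server
LAPTOP = "198.51.100.25"         # assumed dial-up address handed out by the ISP
TCP, UDP, GRE = 6, 17, 47        # IP protocol numbers


@dataclass(frozen=True)
class Packet:
    direction: str               # "in" (from the Internet) or "out" (from the laptop)
    proto: int                   # IP protocol number
    src: str
    dst: str
    sport: Optional[int] = None  # TCP/UDP only
    dport: Optional[int] = None  # TCP/UDP only
    syn: bool = False            # True for a bare TCP SYN (new connection attempt)


def pptp_only(pkt: Packet) -> bool:
    """Return True if the packet may pass; anything not listed is dropped."""
    # Outbound PPTP control channel: laptop -> vpn:1723 (new connections allowed).
    if (pkt.direction == "out" and pkt.proto == TCP
            and pkt.dst == VPN_SERVER and pkt.dport == 1723):
        return True
    # Inbound half of that control channel: established traffic only, never a new SYN.
    if (pkt.direction == "in" and pkt.proto == TCP
            and pkt.src == VPN_SERVER and pkt.sport == 1723 and not pkt.syn):
        return True
    # GRE carries the PPP frames; allow it both ways, but only with the VPN server.
    if pkt.proto == GRE:
        peer = pkt.dst if pkt.direction == "out" else pkt.src
        return peer == VPN_SERVER
    # Default deny: port scans, NetBIOS probes, direct web browsing, everything else.
    return False


def ports_only(pkt: Packet) -> bool:
    """The common mistake: 'permit port 1723 to/from the VPN server' and nothing else.

    Drops GRE (so the tunnel never passes data) and still lets the VPN server's
    address open connections to the laptop's port 1723.
    """
    return (pkt.proto == TCP and 1723 in (pkt.sport, pkt.dport)
            and VPN_SERVER in (pkt.src, pkt.dst))


# Constructed sample traffic as seen on the ISP link during one VPN session.
SAMPLE = {
    "control_out": Packet("out", TCP, LAPTOP, VPN_SERVER, 40001, 1723, syn=True),
    "control_in": Packet("in", TCP, VPN_SERVER, LAPTOP, 1723, 40001),
    "gre_out": Packet("out", GRE, LAPTOP, VPN_SERVER),
    "gre_in": Packet("in", GRE, VPN_SERVER, LAPTOP),
    "netbios_scan": Packet("in", TCP, "192.0.2.77", LAPTOP, 3456, 139, syn=True),
    "gre_spoof": Packet("in", GRE, "192.0.2.77", LAPTOP),
    "direct_web": Packet("out", TCP, LAPTOP, "192.0.2.80", 40002, 80, syn=True),
    "inbound_1723": Packet("in", TCP, VPN_SERVER, LAPTOP, 5555, 1723, syn=True),
}


def verdicts(rule=pptp_only) -> dict:
    """Apply a filter function to the sample traffic; returns {name: allowed}."""
    return {name: rule(pkt) for name, pkt in SAMPLE.items()}


if __name__ == "__main__":
    for name, ok in verdicts().items():
        print(f"{name:13s} {'ACCEPT' if ok else 'DROP'}")
    print("ports_only drops the tunnel's GRE:", not verdicts(ports_only)["gre_in"])
```

Note that `direct_web` is dropped: with this rule set the browser can only reach the Internet through the tunnel (and therefore through whatever filtering the corporate side applies), which is exactly what closes the "malicious applet while on the ISP link" window the reply warns about.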
Current thread:
- indirect doorway to network via mobile remote access stations Francois_J_Perreault/Cybermindwest%CYBERMINDWEST (Jul 28)
- Re: indirect doorway to network via mobile remote access stations David Pick (Jul 29)