Security Basics mailing list archives

RE: Security from VPN connections


From: "Anstett, Brad" <Brad.Anstett () quill com>
Date: Thu, 28 Aug 2003 10:59:07 -0500

You could also put your internal VPN interface outside of the firewall on
another port (creating another DMZ). Maybe only access for terminal services
through that DMZ into your internal network.


Brad



  On Tue, 26 Aug 2003 11:57:24 -0400, Christopher Joles wrote:
Good Day All!

I'm looking for design advice.

Currently, I have a network that is protected by a Cisco PIX 515 firewall.
We have it configured to protect our internal network along with supplying
access to our DMZ which holds our email and web servers.

My concern arises from the spread of the blaster worm.  Currently we give a
couple employees (the boss, the CFO and myself) VPN access from home.  In
this scenario, the boss's home computer was compromised by the blaster worm
and luckily for me, he was on vacation in Germany at the time.  If he
wasn't, he most assuredly would have made a VPN connection and the lovely
blaster worm would have gotten through our defenses.  Keep in mind, I had
applied the MS patch to our servers and workstations, however, it would have
still gotten "inside".  How can I redesign my network to either firewall the
VPN connections or at a minimum filter them.

Thanx for your opinions in advance!


Christopher J. Joles Chief Information Officer
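
A sketch of the separate-DMZ layout suggested in the reply above, as an
added example that is not part of either message. It uses PIX 6.x-style
commands; the interface name, security level, addresses and ACL name are
all constructed for illustration, and lines starting with ":" are comments.

```text
: Added example. All names and addresses below are constructed.
: The third firewall port becomes the VPN DMZ. The VPN device's internal
: interface plugs in here instead of the inside LAN.
interface ethernet2 auto
nameif ethernet2 vpndmz security50
ip address vpndmz 192.168.50.1 255.255.255.0

: Make only the terminal server (assumed to be 10.1.1.20) reachable
: from the VPN DMZ. No other inside host gets a translation.
static (inside,vpndmz) 10.1.1.20 10.1.1.20 netmask 255.255.255.255

: VPN users (assumed to arrive from 192.168.50.0/24) may open
: terminal services (TCP 3389) to that one host and nothing else.
access-list vpndmz_in permit tcp 192.168.50.0 255.255.255.0 host 10.1.1.20 eq 3389
: Explicit final deny so dropped VPN traffic shows up in the ACL hit counts.
access-list vpndmz_in deny ip any any
access-group vpndmz_in in interface vpndmz
```

With this layout, traffic from a remote machine on the VPN reaches the
firewall as ordinary DMZ traffic, so anything other than a terminal services
session to the one published host is dropped before it reaches the inside
network.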
