RE: VPN's - Firewall's and Security

["David Gillett" <gillettdavid () fhda edu>]

  Two-part answer:

1. The PIX 515 can have up to 6 interfaces; put the VPN server 
on a fourth interface as a second DMZ, so traffic from VPN clients
must traverse the PIX to get anywhere else.  [If you have the
515-ER, the software is limited to three interfaces.  In that
case, put the back end of the VPN server on your DMZ -- not as good,
but probably good enough.]

2. You probably have to allow port 135 between VPN clients and
the internal network, so this would not have done anything to
keep blaster out.

David Gillett


> -----Original Message-----
> From: Christopher Joles [mailto:CJoles () proteabhs com]
> Sent: August 26, 2003 08:09
> To: security-basics () securityfocus com
> Subject: VPN's - Firewall's and Security
>
>
> Good Day All!
>
> I'm looking for design advice.
>
> Currently, I have a network that is protected by a Cisco PIX 515 =
> firewall.  We have it configured to protect our internal 
> network along =
> with supplying access to our DMZ which holds our email and 
> web servers.
>
> My concern arises from the spread of the blaster worm.  Currently we =
> give a couple employees (the boss, the CFO and myself) VPN 
> access from =
> home.  In this scenario, the bosses home computer was 
> compromised by the
> = blaster worm and luckily for me, he was on vacation in 
> Germany at the
> = time.  If he wasn't, he most assuridly would have made a VPN
> connection = and the lovely blaster worm would have gotten through our
> defenses.  = Keep in mind, I had applied the MS patch to our 
> servers and
> = workstations, however, it would have still gotten "inside". 
>  How can I
> = redesign my network to either firewall the VPN connections or at a =
> minimum filter them.
>
> Thanx for your opinions in advance!
>
> Christopher J. Joles
> Chief Information Officer
>
> PROTEA Behavioral Health Services
> 187 Exchange St.
> Bangor, ME 04401
> Phone: (207)992-7010 Ext: 245  Fax:(207)992-7011
>
>
>
> --------------------------------------------------------------
> -------------
> Attend Black Hat Briefings & Training Federal, September 
> 29-30 (Training), 
> October 1-2 (Briefings) in Tysons Corner, VA; the world's premier 
> technical IT security event.  Modeled after the famous Black 
> Hat event in 
> Las Vegas! 6 tracks, 12 training sessions, top speakers and 
> sponsors.  
> Symantec is the Diamond sponsor.  Early-bird registration 
> ends September 6.Visit us: www.blackhat.com
> --------------------------------------------------------------
> --------------

---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Federal, September 29-30 (Training), 
October 1-2 (Briefings) in Tysons Corner, VA; the world's premier 
technical IT security event.  Modeled after the famous Black Hat event in 
Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.  
Symantec is the Diamond sponsor.  Early-bird registration ends September 6.Visit us: www.blackhat.com
----------------------------------------------------------------------------