Security Basics mailing list archives

RE: VPN's - Firewall's and Security


From: "HOULE, FRANCIS" <francis.houle () bell ca>
Date: Tue, 26 Aug 2003 16:29:45 -0400

Hello Christopher,

Without using extended authentication (RADIUS, TACACS) you cannot apply
access-lists to VPN clients.  You can do so between two sites using
PIXes but not with VPN clients.  The thing you need to do is use a
RADIUS or TACACS server for the VPN clients and push an access-list
number when the client connects to the PIX.  Specify your matching
access-list in the PIX and make sure the command sysopt connection
permit-ipsec is not there so that the traffic goes through your
access-lists.  If you try to do the same without XAUTH you will not be
able to filter your traffic.

The reason why by default you will not be able to go from VPN clients to
the DMZ is because no nat 0 statements are defined from this interface to
this subnet...  It's the only reason.  You can use sysopt ipsec
pl-compatible to bypass the NAT features and access all subnets around
the PIX.

Final solution:  Use a Server for External Authentication.

If you have any other questions, feel free to ask! :)

--
Francis Houle



-----Original Message-----
From: Christopher Joles [mailto:CJoles () proteabhs com] 
Sent: Tuesday, August 26, 2003 1:30 PM
To: gillettdavid () fhda edu; security-basics () securityfocus com
Subject: RE: VPN's - Firewall's and Security


David

Thanx for your response.  Answers:
1.  Currently the PIX is doing authentication for the VPNs.  I'm not in
a position to have a separate box doing authentication for the VPN
connectivity.  So the actual VPN connection is made at the public end of
the PIX, the PC connecting gets DHCP'd an address (on a separate subnet
from the internal net) and then it begins.

The only thing that keeps coming to mind is that I have to require any
users who will VPN in from home to conform to a policy of:
1.  Using an antivirus program of my choice (to conform with our existing
antivirus policies).
2.  Ensuring they are using a hardware-based firewall or, at a minimum, a
software-based one.

Anything else that I might possibly do?

Christopher J. Joles
Chief Information Officer


-----Original Message-----
From: David Gillett [mailto:gillettdavid () fhda edu] 
Sent: Tuesday, August 26, 2003 12:39 PM
To: Christopher Joles; security-basics () securityfocus com
Subject: RE: VPN's - Firewall's and Security


  Two-part answer:

1. The PIX 515 can have up to 6 interfaces; put the VPN server 
on a fourth interface as a second DMZ, so traffic from VPN clients must
traverse the PIX to get anywhere else.  [If you have the 515-ER, the
software is limited to three interfaces.  In that case, put the back end
of the VPN server on your DMZ -- not as good, but probably good enough.]

2. You probably have to allow port 135 between VPN clients and the
internal network, so this would not have done anything to keep Blaster
out.

David Gillett
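
As an added illustration for this archive page (constructed here, not taken from any of the messages above), the following PIX 6.x configuration fragment puts Francis's advice (RADIUS XAUTH, nat 0 exemptions, removing sysopt connection permit-ipsec) and David's point about filtering the VPN client subnet into concrete commands. All interface names, addresses, pool ranges, server hosts and the RADIUS shared secret are assumed placeholders, and the per-user access-list that Francis describes being pushed at logon is an attribute configured on the RADIUS server, which is not shown.

```cisco
! --- Remote-access clients: address pool and group (placeholder values) ---
ip local pool vpnpool 192.168.100.1-192.168.100.50
vpngroup homeusers address-pool vpnpool
vpngroup homeusers dns-server 10.1.1.10
vpngroup homeusers idle-time 1800
vpngroup homeusers password GROUP-KEY-PLACEHOLDER

! --- External authentication (XAUTH) against an inside RADIUS server ---
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.1.1.5 SHARED-SECRET-PLACEHOLDER timeout 10

! --- IKE / IPsec for the dynamic clients ---
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set strong
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
crypto map vpnmap client configuration address respond
crypto map vpnmap client authentication RADIUS
crypto map vpnmap interface outside

! --- The missing nat 0 statements: exempt inside AND dmz traffic to the pool ---
access-list nonat_inside permit ip 10.1.1.0 255.255.255.0 192.168.100.0 255.255.255.192
nat (inside) 0 access-list nonat_inside
access-list nonat_dmz permit ip 10.2.2.0 255.255.255.0 192.168.100.0 255.255.255.192
nat (dmz) 0 access-list nonat_dmz

! --- Drop the IPsec bypass so decrypted client traffic is checked by the outside ACL ---
no sysopt connection permit-ipsec

! --- Permit only what remote users need; deny and log the rest (tcp/135 included).
!     Existing rules for Internet access to the DMZ mail/web servers belong in this same ACL.
access-list outside_in permit tcp 192.168.100.0 255.255.255.192 host 10.2.2.20 eq smtp
access-list outside_in permit tcp 192.168.100.0 255.255.255.192 host 10.2.2.20 eq 443
access-list outside_in permit tcp 192.168.100.0 255.255.255.192 host 10.1.1.30 eq 3389
access-list outside_in deny ip 192.168.100.0 255.255.255.192 any log
access-group outside_in in interface outside
```

The deny-and-log line is what turns a worm-infected home PC into a visible syslog event rather than a silent pass-through, which is the detection angle David's port 135 remark is pointing at.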


-----Original Message-----
From: Christopher Joles [mailto:CJoles () proteabhs com]
Sent: August 26, 2003 08:09
To: security-basics () securityfocus com
Subject: VPN's - Firewall's and Security


Good Day All!

I'm looking for design advice.

Currently, I have a network that is protected by a Cisco PIX 515
firewall.  We have it configured to protect our internal network along
with supplying access to our DMZ which holds our email and web servers.

My concern arises from the spread of the Blaster worm.  Currently we
give a couple employees (the boss, the CFO and myself) VPN access from
home.  In this scenario, the boss's home computer was compromised by the
Blaster worm and luckily for me, he was on vacation in Germany at the
time.  If he wasn't, he most assuredly would have made a VPN connection
and the lovely Blaster worm would have gotten through our defenses.  Keep
in mind, I had applied the MS patch to our servers and workstations,
however, it would have still gotten "inside".  How can I redesign my
network to either firewall the VPN connections or at a minimum filter
them?

Thanx for your opinions in advance!

Christopher J. Joles
Chief Information Officer

PROTEA Behavioral Health Services
187 Exchange St.
Bangor, ME 04401
Phone: (207)992-7010 Ext: 245  Fax:(207)992-7011



---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Federal, September 29-30 (Training),
October 1-2 (Briefings) in Tysons Corner, VA; the world's premier
technical IT security event.  Modeled after the famous Black Hat event in
Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.
Symantec is the Diamond sponsor.  Early-bird registration ends September 6.
Visit us: www.blackhat.com
---------------------------------------------------------------------------