Security Basics mailing list archives
RE: VPN Access for Consultants
From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 20 Nov 2003 10:12:42 -0800
There are two kinds of VPN setup:

1. Tunnel between two LANs. This is what they've requested. This allows any machine on LAN A to talk to any on LAN B, and vice versa. It's appropriate for different branch offices of a single enterprise. It's not generally appropriate between different enterprises, as they've requested. (Recent CheckPoint FW-1 versions support an "extranet" VPN config where you can specify which servers at each end are visible to clients at the other end. IF both you and they run such versions, you might consider this option.)

2. Remote client. Allows a client machine on some foreign network to tunnel back to a corporate LAN to access network services as if they were in the office. Generally, the client is configured so that, when it is active, ALL client network traffic is tunnelled; this prevents clients from becoming unauthorized gateways between the networks in question. There can be issues if the client is on a network behind NAT; whether they can be resolved depends on the NAT device and the VPN product.

I would have little hesitation about allowing them this level of access. The business decision to trust them on the premises and on your network has already been made.

David Gillett

-----Original Message-----
From: Jennifer Fountain [mailto:JFountain () rbinc com]
Sent: November 19, 2003 15:28
To: security-basics () securityfocus com
Subject: VPN Access for Consultants

Hi All:

We have several consultants working for my company and they have requested that I allow vpn access through our firewall to their company. They want to be able to access their network and our network at the same time (tunnel). I told them no, I do not want to create a tunnel between my network and theirs but I would allow them to plug their laptops into the dmz or outside the firewall so they can access their network. They proceeded to look at me like I had six heads and act like I was the only security admin that wouldn't allow this.

What is the general consensus on this type of activity? What policies do you have implemented? Do you allow it if the remote network was confirmed to be secure?

Thanks for any info

Jenn
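
Added example, not part of the original thread or of any VPN product: one way to check the "ALL client network traffic is tunnelled" property from option 2 of the reply above is to work out, from the client's routing table, which destinations longest-prefix matching still sends outside the tunnel. The route tables, interface names (`tun0`, `eth0`) and addresses below are constructed, and the input format is assumed to be Linux `ip -4 route show` output.

```python
import ipaddress

# Constructed samples in `ip -4 route show` format (assumed interface names and addresses).
FULL_TUNNEL = """
default via 192.168.1.1 dev eth0
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
203.0.113.10 via 192.168.1.1 dev eth0
"""
SPLIT_TUNNEL = """
default via 192.168.1.1 dev eth0
10.20.0.0/16 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
"""

def parse_routes(text):
    """Parse route lines into (network, device) pairs."""
    routes = []
    for line in text.strip().splitlines():
        tok = line.split()
        dest = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        routes.append((ipaddress.ip_network(dest), tok[tok.index("dev") + 1]))
    return routes

def off_tunnel_prefixes(text, tunnel_dev, vpn_server):
    """Return sorted (network, device) pairs that are routed outside the tunnel."""
    routes = parse_routes(text)
    server = ipaddress.ip_network(vpn_server)  # the VPN transport itself must bypass the tunnel
    found = []
    for net, dev in routes:
        if dev == tunnel_dev:
            continue
        remaining = [net]
        for sub, _ in routes:  # a strictly more specific route wins, so carve it out
            if sub == net or not sub.subnet_of(net):
                continue
            carved = []
            for r in remaining:
                if sub.subnet_of(r):
                    carved.extend(r.address_exclude(sub))
                elif not r.subnet_of(sub):
                    carved.append(r)
            remaining = carved
        found.extend((r, dev) for r in remaining if r != server)
    return sorted(found)

if __name__ == "__main__":
    for name, table in (("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL)):
        print(name, off_tunnel_prefixes(table, "tun0", "203.0.113.10"))
```

With the full-tunnel table only the client's local subnet remains reachable outside the tunnel; with the split-tunnel table most of the address space does, which is the configuration that lets a client sit on both networks at once.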
Current thread:
- VPN Access for Consultants Jennifer Fountain (Nov 20)
- RE: VPN Access for Consultants David Gillett (Nov 20)
- Re: VPN Access for Consultants Mike Bowler (Nov 20)
- Re: VPN Access for Consultants Steve (Nov 20)
- Re: VPN Access for Consultants lennons (Nov 21)
- Re: VPN Access for Consultants (Little Late) Gabriel Orozco (Nov 25)
- RE: VPN Access for Consultants (Little Late) David Gillett (Nov 25)
- Re: VPN Access for Consultants (Little Late) Jimi Thompson (Nov 26)
- Re: VPN Access for Consultants lennons (Nov 21)
- Re: VPN Access for Consultants Alessandro (Nov 20)
- Re: VPN Access for Consultants Byron Sonne (Nov 21)
- Re: VPN Access for Consultants crtech (Nov 23)
- <Possible follow-ups>
- VPN Access for Consultants Louis Cypher (Nov 21)