Security Basics mailing list archives

Re: How secure is VPN access?


From: Jimi Thompson <jimi.thompson () gmail com>
Date: Thu, 18 Nov 2004 22:43:03 -0600

This is definitely a legitimate concern.  However, many of the newer
commercial VPN clients come with a "policy enforcement" add-on
specifically to address this.  What this does is check your OS patch
levels to be sure they are current and that the OS version is
acceptable.  For example, we don't allow Windows 95 or 98.  It also
checks to see if the antivirus software is 1) installed 2) the correct
version 3) active 4) has updates no older than <fill in # of days that
makes you feel warm and fuzzy> and 5) has scanned the machine within
an appropriate time frame.  The list of things that must be
"acceptable" is quite long.

My advice is that you should continue to allow your home users to use
VPN. HOWEVER, you should shift as many services to web based
applications as possible.  You should also be handing out a free copy
of AV software to your employees to be installed on the machine along
with your new policy-based VPN client.  You may also wish to have them
install some patch management software so that you can force updates
to the OS and upgrades to the antivirus software remotely when they
connect via VPN.

In addition, laptops don't alleviate the issue.  They worsen it.  Now
you have users that aren't just using the computer at home.  They go
up to the public library.  They go to Starbucks.  They go to the
apartment complex pool and use the wireless there.  Now, instead of
only being exposed to whatever's on their cable modem segment like a
static computer, they're mobile now so they end up exposed to order of
magnitude more nasty little critters. I know because I work for a
University with a large wireless network.  I've seen what floats
around out there.  The really lovely part is that once they're done
gathering up every virus, downloading every Trojan, and installing
every back door and piece of spyware known to man, they're going to
bring that in to the office, sans the policy based VPN client, and
plug straight in to the wall socket.  That's what laptops do for you.

Prime example, we had one laptop user who returned from a rambling
trip abroad.  He came to the Help Desk because his computer "was
really slow".  He'd picked up 746 different viruses over the course of
the summer and mostly from using dial up access in various hotels in
Europe and Asia.  Oddly, right after this (like 5 minutes later), we
had an extreme virus outbreak that took down a portion of one of our
network segments.  It seems that the 746 viruses that laptop was
carrying weren't content to live on his hard drive and squabble
amongst themselves.  Since his laptop was slow, he decided to forgo
his wireless card and use the cable from his computer to plug in his
on board NIC.


On Thu, 18 Nov 2004 00:11:58 -0500, dave kleiman <dave () isecureu com> wrote:
Cesar,

Would you allow a user to bring their home computer to the office, and just hand
them an IP and allow them full network access?

Do your users have access to network resources through the VPN?

They can spread viruses, Trojans etc. to the network from the VPN.

No, you definitely should not let home computers access the VPN, you should
have complete control of the systems that do access via VPN and keep them
up-to-date, etc.

Citrix is a different story; as long as you restrict drive and port
redirection, it can be a "better-controlled" situation.

______________________________________
Dave Kleiman, CISSP, CISM, CIFI, MCSE
www.SecurityBreachResponse.com

-----Original Message-----
From: Cesar Diaz [mailto:cdiaz00 () gmail com]
Sent: Wednesday, November 17, 2004 11:39
To: security-basics () securityfocus com
Subject: How secure is VPN access?

List,

After years of having VPN access for our remote users without a single known
security incident, my boss and I have to justify to her boss why VPN is
secure.

The CIO wants us to only allow users to access the network from company
laptops, not from their own home computers.  We currently will allow users
to install the VPN client software on their home computers to connect
remotely, or they can use Citrix through SSL access to get to network
resources.  His concern is that if a user's home PC is compromised, that
compromise can spread to our network.

Is this a legitimate concern?  Can anyone point me in the direction of some
documentation backing either argument?

Thanks in advance for any help.

C




-- 
Thanks,

Jimi
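The "policy enforcement" check Jimi describes above (OS version, patch level, AV installed/version/active/signature age/last scan), written out as an added Python example that is not part of the thread or of any vendor's client; the allowed OS set, version floor and day thresholds are assumed placeholders, and the two sample endpoints are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed policy thresholds; the thread gives no numbers, so these are assumptions.
ALLOWED_OS = {"Windows 2000", "Windows XP"}   # Windows 95/98 are rejected, as in the post
MIN_AV_VERSION = (8, 0)
MAX_SIGNATURE_AGE = timedelta(days=7)         # the "warm and fuzzy" number of days
MAX_SCAN_AGE = timedelta(days=14)
NOW = datetime(2004, 11, 18, 22, 0)           # reference time for the constructed samples


@dataclass
class Posture:
    """Endpoint state as a policy-enforcement client would report it before connecting."""
    os_name: str
    patches_current: bool
    av_installed: bool
    av_version: tuple
    av_active: bool
    av_signature_date: datetime
    av_last_scan: datetime


def evaluate_posture(p: Posture, now: datetime = NOW) -> list:
    """Return the list of policy failures; an empty list means the client may connect."""
    failures = []
    if p.os_name not in ALLOWED_OS:
        failures.append(f"os not acceptable: {p.os_name}")
    if not p.patches_current:
        failures.append("os patches not current")
    if not p.av_installed:
        failures.append("antivirus not installed")
        return failures  # the remaining AV checks cannot be evaluated without AV
    if p.av_version < MIN_AV_VERSION:
        failures.append("antivirus version too old")
    if not p.av_active:
        failures.append("antivirus not active")
    if now - p.av_signature_date > MAX_SIGNATURE_AGE:
        failures.append("antivirus signatures stale")
    if now - p.av_last_scan > MAX_SCAN_AGE:
        failures.append("no recent full scan")
    return failures


def compliant_home_pc() -> Posture:
    """Constructed sample: a home PC that passes every check."""
    return Posture("Windows XP", True, True, (8, 2), True, NOW - timedelta(days=2), NOW - timedelta(days=3))


def returning_laptop() -> Posture:
    """Constructed sample: a laptop back from a long trip, unpatched with stale, inactive AV."""
    return Posture("Windows XP", False, True, (7, 5), False, NOW - timedelta(days=90), NOW - timedelta(days=95))
```

A real client would gather these fields from the OS and AV product and the gateway would refuse the tunnel (or quarantine the client) when the list is non-empty.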