Security Basics mailing list archives

RE: Vendors, laptops, and VPN clients


From: "Burton M. Strauss III" <Burton () FelisCatus org>
Date: Sat, 20 Nov 2004 09:25:17 -0600

The safest bet is to put all of your PUBLIC and semi-PUBLIC spaces
(conference rooms, lobby, etc.) into a DMZ:

 (Internet)-->(router)->(minimal-firewall)--->(DMZ)
                                           |->(semiPUB)
                                           \->(firewall)->(LAN)

Then let 'em VPN back home, just like your folks will need to VPN in.

Is it perfect?  Nope.  But is it good enough?  Probably...

Most VPNs configure the PC to force all traffic down the tunnel.  Sure you
CAN "route add" around it, but that's 1) beyond most users and 2) something
you can prohibit via policy and training.

-----Burton
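
The two points above (the VPN forcing everything down the tunnel, and a user adding a route around it) can be audited from the laptop's routing table. The following is an added example, not code from this thread or from any VPN vendor: it parses the Linux `ip route` output format (the thread is about Windows laptops, whose `route print` layout differs, so that is an assumption), resolves each entry with longest-prefix matching so shadowed routes are ignored, and flags any route that actually carries traffic outside the tunnel interface, plus an IP-forwarding setting that would let the box relay packets onto the host LAN. All addresses and the sample table are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `ip route show` on a full-tunnel VPN client.
# 0.0.0.0/1 + 128.0.0.0/1 via tun0 are the usual "force all traffic down the
# tunnel" routes; 203.0.113.10 is the (hypothetical) VPN concentrator; the
# last line is a manually added route that bypasses the tunnel.
SAMPLE_ROUTES = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0 metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
203.0.113.10 via 192.168.1.1 dev eth0
10.0.0.0/8 via 192.168.1.1 dev eth0
"""


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: Optional[str]
    via: Optional[str]   # None means directly connected
    metric: int = 0


def parse_ip_route(text: str) -> List[Route]:
    """Parse `ip route show` lines into Route records."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        route = Route(ipaddress.ip_network(dst, strict=False), None, None)
        for i, tok in enumerate(parts):
            if tok == "via":
                route.via = parts[i + 1]
            elif tok == "dev":
                route.dev = parts[i + 1]
            elif tok == "metric":
                route.metric = int(parts[i + 1])
        routes.append(route)
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, lower metric winning ties, like the kernel does."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))


def audit(routes: List[Route], tunnel_dev: str, vpn_server: str,
          ip_forward: int) -> List[str]:
    """Return findings: effective routes that bypass the tunnel, and forwarding."""
    findings = []
    server = ipaddress.ip_address(vpn_server)
    for r in routes:
        if r.dev == tunnel_dev:
            continue
        if r.via is None:
            continue  # directly connected link of the physical NIC
        if r.prefix.prefixlen == 32 and r.prefix.network_address == server:
            continue  # host route to the concentrator is required
        # Only report a route if it is what the kernel would actually select;
        # the original default via eth0 is shadowed by the two /1 tunnel routes.
        if lookup(routes, str(r.prefix.network_address)) is r:
            findings.append(
                f"route {r.prefix} via {r.via} dev {r.dev} bypasses {tunnel_dev}")
    if ip_forward != 0:
        findings.append("net.ipv4.ip_forward=1: host can relay traffic between "
                        "the tunnel and the local LAN")
    return findings


if __name__ == "__main__":
    table = parse_ip_route(SAMPLE_ROUTES)
    # ip_forward=1 stands in for `sysctl -n net.ipv4.ip_forward` on the host
    for finding in audit(table, "tun0", "203.0.113.10", ip_forward=1):
        print("FINDING:", finding)
```

On the sample table the audit reports the added 10.0.0.0/8 route and the forwarding flag, and nothing else; the leftover `default via 192.168.1.1` entry is left alone because the /1 tunnel routes override it. On a real client the table and sysctl value would be read from the host instead of the constructed string.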


-----Original Message-----
From: Dan Lynch [mailto:dan.lynch () placer ca gov]
Sent: Friday, November 19, 2004 4:57 PM
To: security-basics () securityfocus com
Subject: Vendors, laptops, and VPN clients


Greetings list,

I'm interested in opinions and common practices vis-à-vis allowing vendors to
connect their laptops to a corporate LAN. To begin, it's already an
established precedent here that visiting vendors be allowed to connect.
Occasionally we'll be able to ensure adequate virus protection on the
machine, but most often, it's done without the knowledge or approval of
IT. We've been bitten by this practice on more than one occasion, but
what can I say, we're not allowed to inconvenience the implementation of
a customer's project.

My particular concern then has to do with vendors' laptops running VPN
client software to connect from our LAN across our internet connection
to their corporate network. Once that tunnel is established, can someone
on the other end establish connections to the laptop here? That is, is
the tunnel bi-directional? Could a virus that infects Windows shares
touch the laptop (assuming file sharing is enabled)? If IP forwarding
were enabled could traffic pass *through* the box onto our LAN? Like
broadcast traffic, maybe? Could a desktop management remote control
application connection be established to the laptop? What are the
specific risks we expose ourselves to when this is allowed?

Thanks in advance for any and all thoughts on this.

Dan Lynch
County of Placer
Auburn, CA
