Re: Outgoing IPSEC

[Jason Thompson <securitux () gmail com>]

Here's one of the big issues which deals with the endpoint rather than
Internet threats.

Once the VPN connection is established, you have no control over what
traffic is transmitted on the tunnelled network. You essentially open
an unchecked bidirectional link between the VPN client and the network
to which he is connecting on the other end. You are essentially
relying on the other company to enforce a policy on that contractor,
which  is a nauseating thought. Also in the case of a split tunnel,
that contractor's PC could be used by someone or something in the
other organization as a jumping point into your network. Further to
that, since the traffic is encrypted, you do not have the ability to
monitor what the contractor is doing. This individual could be doing
anything from browsing questionable sites through company X's network
to receiving the worm-du-jour. Single tunnel does nothing here,
because in a single tunnel situation once disconnected from company
X's network, it will spread throughout yours.

It's all about acceptable risk of course, and unfortunately in a lot
of cases contractor access to VPN is a requirement, so do what you can
to lock it down. First off put the contractor on a different VLAN than
other users and do not allow access to your internal resources; the
VLAN should route right to your firewall. If s/he needs access to
internal resources, then s/he does it with one of your company's PC's.
Also, make the contractor and the other organization sign an
acceptable use policy as well as a policy specifying that 'due care'
will be taken while operating inside the network (AV always on,
desktop firewall, regular AV scans and updates, etc). That way if they
introduce something nasty into your environment and they didn't
exercise due care, they can be held liable. But most importantly, the
policy shows the other organization that you take information security
seriously and you have your eye on them.

If s/he needs access just to get e-mail, the consulting company should
be putting up an OWA server with two factor auth... if they don't have
one already. Some companies require it as they don't allow VPN out at
all.

-J

On 11/18/05, Securi Net <securinet2004 () yahoo ca> wrote:
> Hello List members,
>
> I have a question on risks associated with allowing
> outgoing IPSEC traffic on a firewall.
>
> I have a contractor who works onsite within our
> network and needs outgoing port 500 opened  on our
> firewall for him to vpn into his company network.
>
> I would like to know about the risks involved in
> facilitating such access outside, as I have heard some
> talk about security issues around split tunnelling. As
> far as I can understand it, the only threat to our
> network from the outside would be if someone on the
> outside tries to spoof a session inside using an
> existing outward connection.
>
> Can anyone shed some light on what I shud be concerned
> about here.
>
> CP
>
>
>
>
>
>
>
> __________________________________________________________
> Find your next car at http://autos.yahoo.ca