Security Basics mailing list archives
Re: Outgoing IPSEC
From: Securi Net <securinet2004 () yahoo ca>
Date: Mon, 21 Nov 2005 18:31:43 -0500 (EST)
Jason, Thank you for your elaborate response to my query. Excuse my ignorance of the way IPSEC tunnels are established here, but by permitting only outgoing traffic on port 500, would I not succeed in forcing a uni-directional tunnel to the external organization. Or is my understanding of the technology off the mark. We have mulled over the option of forcing him onto a seprate VLAN, but need a clinical argument about the secuirty risks in opening up IPSEC for him. This is also being backed by an acceptable use policy. Thanks again for your responses. CP --- Jason Thompson <securitux () gmail com> wrote:
Here's one of the big issues which deals with the endpoint rather than Internet threats. Once the VPN connection is established, you have no control over what traffic is transmitted on the tunnelled network. You essentially open an unchecked bidirectional link between the VPN client and the network to which he is connecting on the other end. You are essentially relying on the other company to enforce a policy on that contractor, which is a nauseating thought. Also in the case of a split tunnel, that contractor's PC could be used by someone or something in the other organization as a jumping point into your network. Further to that, since the traffic is encrypted, you do not have the ability to monitor what the contractor is doing. This individual could be doing anything from browsing questionable sites through company X's network to receiving the worm-du-jour. Single tunnel does nothing here, because in a single tunnel situation once disconnected from company X's network, it will spread throughout yours. It's all about acceptable risk of course, and unfortunately in a lot of cases contractor access to VPN is a requirement, so do what you can to lock it down. First off put the contractor on a different VLAN than other users and do not allow access to your internal resources; the VLAN should route right to your firewall. If s/he needs access to internal resources, then s/he does it with one of your company's PC's. Also, make the contractor and the other organization sign an acceptable use policy as well as a policy specifying that 'due care' will be taken while operating inside the network (AV always on, desktop firewall, regular AV scans and updates, etc). That way if they introduce something nasty into your environment and they didn't exercise due care, they can be held liable. But most importantly, the policy shows the other organization that you take information security seriously and you have your eye on them. If s/he needs access just to get e-mail, the consulting company should be putting up an OWA server with two factor auth... if they don't have one already. Some companies require it as they don't allow VPN out at all. -J On 11/18/05, Securi Net <securinet2004 () yahoo ca> wrote:Hello List members, I have a question on risks associated withallowingoutgoing IPSEC traffic on a firewall. I have a contractor who works onsite within our network and needs outgoing port 500 opened on our firewall for him to vpn into his company network. I would like to know about the risks involved in facilitating such access outside, as I have heardsometalk about security issues around splittunnelling. Asfar as I can understand it, the only threat to our network from the outside would be if someone ontheoutside tries to spoof a session inside using an existing outward connection. Can anyone shed some light on what I shud beconcernedabout here. CP
__________________________________________________________
Find your next car at http://autos.yahoo.ca
__________________________________________________________ Find your next car at http://autos.yahoo.ca
Current thread:
- Outgoing IPSEC Securi Net (Nov 21)
- Wireless N Stephen Alford (Nov 21)
- Re: Wireless N Paul Cychosz (Nov 22)
- RE: Wireless N Stephen Alford (Nov 22)
- Re: Wireless N Paul Cychosz (Nov 22)
- Re: Outgoing IPSEC Jason Thompson (Nov 22)
- Re: Outgoing IPSEC Securi Net (Nov 22)
- Re: Outgoing IPSEC Jason Thompson (Nov 22)
- Re: Outgoing IPSEC Securi Net (Nov 22)
- Re: Outgoing IPSEC Securi Net (Nov 22)
- Wireless N Stephen Alford (Nov 21)
- Re: Outgoing IPSEC Gaddis, Jeremy L. (Nov 22)