Security Basics mailing list archives

Re: How safe is a VPN connexion from within an internal network?


From: David Jacoby <dj () outpost24 com>
Date: Tue, 21 Nov 2006 11:41:07 +0100

Hi Pierre!

I've noticed that a lot of people who use a VPN connection to access,
for example, the internal network at their office or other DMZ zones do
not take into consideration that once the VPN connection is established,
everyone who has access to the client machine can also access the
remote network.

What I mean is that, let's say you are using a VPN connection to
access some computers on a remote network and your machine gets
compromised via a vulnerability in Internet Explorer or another
client-based vulnerability, the recent WinZip vulnerability for example.
The attacker gets a shell on your machine; as a result, the
attacker can access the same networks as you can because he is on an
"authenticated" computer.

There are a few solutions for this. I've seen some VPN clients that
disconnect the client machine from the Internet once the VPN
connection is established; this will prevent the attacker from keeping
his connection because the client machine only allows connections to be
sent to the remote network via the VPN client; no other connections
are allowed.

But you need to take that into consideration: the client machine also
needs to be "secure" before it should be able to connect to any
private network.

Best regards,
David Jacoby





PIERRE.DUFRESNE () MESS GOUV QC CA wrote:
Hi all!

I have been asked to install a vpn client on a workstation inside our
network that would access another network through our firewall.
Besides the technical details of allowing IPSec traffic through a NATed
device, I was wondering how safe is this practice? Is it done often?
Once the connexion is established, can a host on the external network
access the workstation inside my network, i.e. initiate a connexion?
Should I rather go with a "site to site" vpn connexion?

Thanks for your time

Pierre 


---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------



-- 

David Jacoby
Vice President Customer Experience
http://www.outpost24.com

phone: +46-(0)455-612311
fax  : +46-(0)455-13960
email: dj () outpost24 com
