Security Basics mailing list archives

RE: SSL VPN's from LAN to WAN


From: "Yahsodhan Deshpande" <yahsodhan.deshpande () nevisnetworks com>
Date: Wed, 12 Dec 2007 11:11:33 -0800

Hi,

  This is exactly where you need to go beyond a traditional firewall and
look for identity-based solutions.

   What you need is not just inbound and outbound rules for the entire
network, but specific rules as per the identity of the person that logs
in.

  There are a few solutions out there which can solve your problem and do
much more. Have a look at Nevis Networks' appliance
(www.nevisnetworks.com).

  To solve your specific problem, try putting the contractors on a
different VLAN, and then configure the ACLs at your firewall
accordingly. This has its management overheads and the contractors would
lose mobility. But it would work as a workaround until you switch to an
identity-based solution.

Regards,
Yashodhan


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of fac51
Sent: Tuesday, December 11, 2007 2:09 AM
To: security-basics () securityfocus com
Subject: SSL VPN's from LAN to WAN

Hi All,

I would like some advice on a situation that is new to me.

I have just discovered that some contractors that are on our corporate
LAN have managed to install (Half Install) VPN Clients that allow them
to connect directly back to their LAN (RDP'ing into their Desktops etc.)
The desktops they are using here are locked down but still allow some
VPN functionality.

The VPN connects over 443 out of our network, then to their firewall as
concentrator.

Implications that I can think of are:

1. All traffic to and from us is encrypted and therefore we cannot
monitor.
2. They can see network drives and could be stealing info. (although
they don't have much access)
3. Any infections at their site could propagate to us (that could happen
anyway I suppose via email)

My first reaction is one of horror, but am I overreacting?

If my worst fears are confirmed I will need to block them. To do this I
was thinking of blocking all traffic to and from their firewall however
apparently some access to remote services is required by other staff.

Help!?!?

kind regards,

S

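An added example, not code from either list post, that turns the two points in this thread into something runnable: the original poster's worry that an encrypted tunnel over 443 cannot be monitored, and the reply's suggestion of a separate contractor VLAN with firewall ACLs. The tunnel's contents are opaque, but its shape is not: a VPN session over 443 is a single long-lived, high-volume TCP connection to one external host, which looks nothing like web browsing in a firewall connection log. The log lines, subnets, hosts and thresholds below are all constructed for illustration.

```python
"""Defender-side checks for a VPN-over-443 tunnel from the corporate LAN.
1) suspicious_tunnels(): flag (src, dst) pairs on TCP/443 whose accumulated
   session time or byte volume is far beyond ordinary HTTPS browsing.
2) contractor_acl(): a default-deny egress policy for a contractor VLAN with
   a small allow-list, as the reply in the thread proposes.
Every address, subnet, threshold and log line here is constructed."""
import ipaddress
from collections import defaultdict

# Constructed firewall connection log: timestamp src dst dport duration_s bytes
SAMPLE_LOG = """\
2007-12-11T08:02:11 10.20.5.14 203.0.113.10 443 14 18230
2007-12-11T08:02:40 10.20.5.14 203.0.113.10 443 9 7711
2007-12-11T08:05:01 10.20.5.31 198.51.100.7 443 21600 904331200
2007-12-11T09:15:33 10.20.5.22 203.0.113.80 443 35 41200
2007-12-11T14:05:02 10.20.5.31 198.51.100.7 443 18000 611000000
2007-12-11T10:01:00 10.20.7.5 198.51.100.7 443 25000 850000000
"""

# Assumed internal address space the firewall sees as sources.
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Assumed thresholds: a browsing session lasts seconds and moves kilobytes;
# a tunnel stays up for hours and moves hundreds of megabytes.
LONG_SESSION_S = 3600
HIGH_VOLUME_BYTES = 100 * 1024 * 1024


def parse_log(text):
    """Yield one record per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, src, dst, dport, duration, nbytes = parts
        try:
            yield {"ts": ts, "src": ipaddress.ip_address(src),
                   "dst": ipaddress.ip_address(dst), "dport": int(dport),
                   "duration": int(duration), "bytes": int(nbytes)}
        except ValueError:
            continue


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def suspicious_tunnels(text):
    """Aggregate internal->external TCP/443 flows per (src, dst) and return
    the pairs that exceed either threshold, sorted by address."""
    agg = defaultdict(lambda: {"sessions": 0, "duration": 0, "bytes": 0})
    for rec in parse_log(text):
        if rec["dport"] != 443 or not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue
        stats = agg[(str(rec["src"]), str(rec["dst"]))]
        stats["sessions"] += 1
        stats["duration"] += rec["duration"]
        stats["bytes"] += rec["bytes"]
    return [{"src": s, "dst": d, **st} for (s, d), st in sorted(agg.items())
            if st["duration"] >= LONG_SESSION_S or st["bytes"] >= HIGH_VOLUME_BYTES]


# Contractor VLAN policy (constructed): default deny, allow only what is needed.
CONTRACTOR_VLAN = ipaddress.ip_network("10.20.7.0/24")
ALLOWED = [
    # (destination network, destination port) permitted from the contractor VLAN;
    # 198.51.100.7 stands in for the contractor's firewall, 8443 for the one
    # "remote service" staff actually need there. Plain 443 to it is not listed.
    (ipaddress.ip_network("198.51.100.7/32"), 8443),
    (ipaddress.ip_network("10.20.9.0/24"), 445),   # the file share they are entitled to
]


def contractor_acl(src, dst, dport):
    """Return 'allow' or 'deny' for a flow leaving the contractor VLAN.
    Flows from other source VLANs are out of scope and return None."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src not in CONTRACTOR_VLAN:
        return None
    return "allow" if any(dst in net and dport == port for net, port in ALLOWED) else "deny"


if __name__ == "__main__":
    for hit in suspicious_tunnels(SAMPLE_LOG):
        print("possible tunnel: {src} -> {dst}:443, {sessions} sessions, "
              "{duration}s, {bytes} bytes".format(**hit))
    print("contractor VLAN -> contractor firewall on 443:",
          contractor_acl("10.20.7.5", "198.51.100.7", 443))
```

On the sample log the two hosts keeping multi-hour, multi-hundred-megabyte sessions open to 198.51.100.7 are reported, while the short browsing sessions to the 203.0.113.0/24 hosts are not. The ACL side shows the trade-off the reply mentions: once contractors sit on their own VLAN, the firewall can deny their 443 tunnel to that host while still permitting the specific remote service other staff require.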


