Security Basics mailing list archives

Re: SSL VPN's from LAN to WAN

From: Tremaine Lea <tremaine () gmail com>
Date: Wed, 12 Dec 2007 09:31:38 -0700

I'd definitely recommend blocking all outbound vpn access. A goodstarting point would be to check your outbound logs for all activityon 443, explicitly allow the connections to business related ssl sitesand then block the rest. It may also be worth appending yourinformation security policy (cuz you have one, right? *grin*) allowingfor outbound vpn access but only under certain terms that they mustsign off on.

One option is to create a separate network within your network andallow contractors to connect out to their company vpn on a differentvlan, and restrict access to the vlan by MAC address and port security- of course, it would be best if they supplied their own laptop/pc forthat connection so you can keep corporate and non-corporate assetssegregated.


Cheers,

---
Tremaine Lea
Network Security Consultant
Intrepid ACL
"Paranoia for hire"



On 11-Dec-07, at 3:08 AM, fac51 wrote:

Hi All,

I would like some advice on a situation that is new to me.
I have just discovered that some contractors that are on ourcorporate LAN have managed to install (Half Install) VPN Clientsthat allow them to connect directly back to their LAN (RDP'ing intotheir Desktops etc.) The desktops they are using here are lockeddown but still allow some VPN functionality.
The VPN connects over 443 out of our network then to their Firewallas concentrator.
Implications that I can think of are;
1. All traffic to and from us is encrypted and therefore we cannotmonitor.2. They can see network drives and could be stealing info. (althoughthey don't have much access)3. Any infections at their site could propogate to us (that couldhappen anyway I suppose via email)
My first reaction is one of horror but am I over reacting?
If my worst fears are confirmed I will need to block them. To dothis I was thinking of blocking all traffic to and from theirfirewall however apparently some access to remote services isrequired by other staff.
Help!?!?

kind regards,

S
____________________________________________________________________________________
Never miss a thing.  Make Yahoo your home page.
http://www.yahoo.com/r/hs

Current thread:

SSL VPN's from LAN to WAN fac51 (Dec 12)
- RE: SSL VPN's from LAN to WAN Yahsodhan Deshpande (Dec 12)
- Re: SSL VPN's from LAN to WAN Tremaine Lea (Dec 12)
- RE: SSL VPN's from LAN to WAN Serge Vondandamo (Dec 12)
- RE: SSL VPN's from LAN to WAN Bill Lavalette (Dec 13)