RE: SSL VPN's from LAN to WAN

["Bill Lavalette" <blavalet () homenet-security com>]

S -

I would follow this track if it were me..

First I would have a meeting with the manager of the contractors, Determine
if there is a business justification for the access to the remote site they
are accessing. Second I would take the strong hand and make it very clear
that this was not presented as a need to MIS and that unless there is some
type of authorization for this access written and approved. All access to
the remote site will be terminated. If the access is approved and
authorized, Then I would suggest that you build a safe harbor network and
isolate the contracting team to this segment where they are sandboxed from
your production network. This will protect your interests as well as provide
them with internet access to the remote site. Any type of collaboration
efforts, I.E "we need to access this or that on your network" can be
addressed by a couple of machines that allow access to specific folders and
files. This does not stop thumb drives or the like from moving data but it
does at least show that a serious effort on your part was made to safe guard
the data. That coupled with the original written authorization of accepted
risk should keep you in the clear.

The sandbox can be as simple as a access point with a few ip's allocated for
visitors needing internet access on a port on your firewall that is treated
as a hostile network. This isolates them and you can restrict access as you
see fit with out impacting the normal course of business.


In the very least I hope this helps or provides some ideas,

Good Luck

Bill
====== HomeNet Security ===========
Bill Lavalette
Network Security Officer
CCSA-CCSE
Crisis Mitigator
ID Theft Prevention Mentor
WWW http://www.homenet-security.com
====================================
     Defending The Home LAN


-----Original Message-----
From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com]On Behalf Of fac51
Sent: Tuesday, December 11, 2007 5:09 AM
To: security-basics () securityfocus com
Subject: SSL VPN's from LAN to WAN


Hi All,

I would like some advice on a situation that is new to me.

I have just discovered that some contractors that are on our corporate LAN
have managed to install (Half Install) VPN Clients that allow them to
connect directly back to their LAN (RDP'ing into their Desktops etc.) The
desktops they are using here are locked down but still allow some VPN
functionality.

The VPN connects over 443 out of our network then to their Firewall as
concentrator.

Implications that I can think of are;

1. All traffic to and from us is encrypted and therefore we cannot monitor.
2. They can see network drives and could be stealing info. (although they
don't have much access)
3. Any infections at their site could propogate to us (that could happen
anyway I suppose via email)

My first reaction is one of horror but am I over reacting?

If my worst fears are confirmed I will need to block them. To do this I was
thinking of blocking all traffic to and from their firewall however
apparently some access to remote services is required by other staff.

Help!?!?

kind regards,

S


      ______________________________________________________________________
______________
Never miss a thing.  Make Yahoo your home page.
http://www.yahoo.com/r/hs