Firewall Wizards mailing list archives

Re: VPN between PC and VPN server


From: Bill_Royds () pch gc ca
Date: Sun, 30 May 1999 10:45:35 -0400

Unfortunately my organization has not been too good about security of home
machines, so we don't allow VPNs from home just yet (we are about to try it).
We had an interesting incident a few weeks ago. I detected SNMP scans hitting
the firewall for a fairly sensitive subnet inside the firewall. It was blocked
by the firewall, of course, but still worrisome.
It was dialups coming from a large local ISP, and they appeared on 2 successive
evenings around the same time. I contacted abuse at the ISP with the IP numbers and
times. They said the 2 connections were the same person and blocked that user from
access.
The next day I got a call from support about an executive having their home Internet
access blocked.

It turned out that this executive had been given a machine to take home for
e-mail/word processing that was originally used for network monitoring in
that sensitive segment. No one had formatted it before re-installing it, and it
had an SNMP monitor program merrily following its schedule every night to gather
stats on the subnet.

Policy is now that all machines be reformatted and re-installed before leaving the
building. This has helped convince people about the weakness of indiscriminate
telework.

Adding a personal firewall would probably be no problem with any user if it were
done at the company's expense, since large-scale licenses are fairly cheap. That and
virus scanning are probably easy to enforce, since users want them anyway.
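The scan pattern in the incident above (a burst of UDP/161 probes against several hosts of one subnet, recurring at about the same time of day on successive evenings from a dialup address that changes each session) is the signature of a scheduled poller rather than of a one-off attacker. The following is an added example, not code from the original post, showing how such a pattern can be picked out of firewall deny logs. The log format, the subnet 192.0.2.0/24 and all addresses are constructed for illustration; a real firewall's log syntax will differ and the regular expression must be adapted to it.

```python
"""Flag recurring SNMP (UDP/161) sweeps against a protected subnet in
firewall deny logs: a source that touches several hosts on port 161 and
comes back at about the same time of day on the next calendar day.

Added example. The log format, subnet and IP addresses below are
constructed (hypothetical) and are not taken from the original thread."""

from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed syslog-style deny lines; the format is hypothetical.
SAMPLE_LOG = """\
1999-05-10 22:03:11 DENY udp 203.0.113.45:1034 -> 192.0.2.17:161
1999-05-10 22:03:12 DENY udp 203.0.113.45:1035 -> 192.0.2.18:161
1999-05-10 22:03:14 DENY udp 203.0.113.45:1036 -> 192.0.2.19:161
1999-05-10 23:41:02 DENY tcp 198.51.100.9:4412 -> 192.0.2.5:23
1999-05-11 22:01:55 DENY udp 203.0.113.88:1034 -> 192.0.2.17:161
1999-05-11 22:01:56 DENY udp 203.0.113.88:1035 -> 192.0.2.18:161
1999-05-11 22:01:58 DENY udp 203.0.113.88:1036 -> 192.0.2.19:161
1999-05-11 09:15:00 DENY udp 198.51.100.77:2000 -> 192.0.2.17:161
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) DENY (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

SENSITIVE_NET = ipaddress.ip_network("192.0.2.0/24")  # constructed subnet


def parse_line(line):
    """Return a dict for one deny line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
    d["sport"] = int(d["sport"])
    d["dport"] = int(d["dport"])
    return d


def snmp_probes(log_text):
    """Yield parsed UDP/161 deny events whose target lies in the sensitive subnet."""
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if (ev["proto"] == "udp" and ev["dport"] == 161
                and ipaddress.ip_address(ev["dst"]) in SENSITIVE_NET):
            yield ev


def sweeps_by_source(events, min_hosts=3):
    """Map source IP -> sorted list of (first_seen, hosts_touched) per calendar
    day, keeping only days on which the source hit at least min_hosts targets.
    A single probe of one host is noise; a multi-host burst is a sweep."""
    per_day = defaultdict(lambda: defaultdict(lambda: [None, set()]))
    for ev in events:
        rec = per_day[ev["src"]][ev["ts"].date()]
        if rec[0] is None or ev["ts"] < rec[0]:
            rec[0] = ev["ts"]
        rec[1].add(ev["dst"])
    out = {}
    for src, days in per_day.items():
        kept = [(first, hosts) for first, hosts in days.values()
                if len(hosts) >= min_hosts]
        if kept:
            out[src] = sorted(kept)
    return out


def recurring_sweeps(log_text, window=timedelta(minutes=15), min_hosts=3):
    """Return a list of (t1, t2, src1, src2) for pairs of sweeps that start on
    consecutive days within `window` of each other by time of day.
    Sources are compared across IPs on purpose: a dialup user gets a new
    address each session, so the schedule, not the address, is the key."""
    sweeps = []
    for src, days in sweeps_by_source(snmp_probes(log_text), min_hosts).items():
        for first, _hosts in days:
            sweeps.append((first, src))
    sweeps.sort()
    hits = []
    for i in range(len(sweeps)):
        for j in range(i + 1, len(sweeps)):
            t1, s1 = sweeps[i]
            t2, s2 = sweeps[j]
            if (t2.date() - t1.date()).days != 1:
                continue
            tod1 = timedelta(hours=t1.hour, minutes=t1.minute, seconds=t1.second)
            tod2 = timedelta(hours=t2.hour, minutes=t2.minute, seconds=t2.second)
            if abs(tod1 - tod2) <= window:
                hits.append((t1, t2, s1, s2))
    return hits


if __name__ == "__main__":
    for t1, t2, s1, s2 in recurring_sweeps(SAMPLE_LOG):
        print(f"recurring SNMP sweep: {s1} at {t1} then {s2} at {t2}")
```

On the constructed log this reports one pair: the sweep from 203.0.113.45 on the first evening and the one from 203.0.113.88 about the same time the next evening, while the single probe from 198.51.100.77 and the telnet attempt are ignored. The same-time-next-day match is what distinguishes a forgotten scheduled job from opportunistic scanning and is the detail worth handing to an ISP abuse desk.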

Chad Schieken <Chad.Schieken () ins com> on 05/23/99 08:54:23 AM

Please respond to Chad Schieken <Chad.Schieken () ins com>

To:   firewall-wizards () nfr net
cc:    (bcc: Bill Royds/HullOttawa/PCH/CA)
Subject:  Re: VPN between PC and VPN server

Bill,

Does your organization allow individual users to control connections to the
Internet? Your note seems to suggest that or at least that they implement
generally good security practices on their own.

I do agree that running firewall software on the home machines and insisting
they follow some security guidelines is a good idea, however you have very
little authority to do so.

If the hardware is owned by the employee, this is much like dictating which
safety devices they use in their car on the drive to work. Also, the computer
sitting at home will, hopefully, be accessible to any children (it's not a
firearm or munition no matter what the Commerce dept says). Those children
will also probably cause some havoc on this machine in an attempt to run the
new Quake server or for some other such purpose.

That havoc is no doubt likely to weaken the security stance of the machine.

While expensive, the option of providing the computer at home (normally done
via laptop) is a decision many companies have already made. If the company
owns the hardware, they can dictate exactly what configuration and level
of access (user/admin) the users will have. Also, they will be able to "lock"
a secure configuration onto the machine.

The other alternative to filtering at the office end is to insist on a personal
firewall like ConSeal (http://www.signal9.com) or Sygate on the home machine.
These filter out connections to the home machine so they are less likely to be
hacked. As well, home machines used as VPN ends should be treated as internal
machines and subject to the same security constraints as office machines (good
passwords, virus scans, up-to-date OS versions, etc.)
