Firewall Wizards mailing list archives
Re: VPN between PC and VPN server
From: Bill_Royds () pch gc ca
Date: Sun, 30 May 1999 10:45:35 -0400
Unfortunately my organization has not been too good about security of home machines so we don't allow VPN's from home just yet (we are about to try it). We had an interesting incident a few weeks ago. I detected SNMP scans hitting the firewall for a fairly sensitive subnet inside the firewall. It was blocked by the firewall of course but still worrisome. It was dialups coming from a large local ISP and they appeared 2 successive evenings around the same time. I contacted abuse at the ISP with IP numbers and time. They said the 2 connections were the same person and blocked that user from access. Next day I get a call from support about an executive having their home Internet access being blocked. It turned out that this executive had been given a machine to take home for e-mail/wordprocessing at home that was originally used for network monitoring in that sensitive segment. No one had formatted it before re-installing it and it had an SNMP monitor program merrily following its schedule every night to gather stats on the subnet. Policy is now that all machines be reformatted and re-installed before leaving the building. This has helped convince people about the weakness of indiscriminate telework. Adding a personal firewall would probably be no problem with any user if it were done at the company's expense since large scale licenses are fairly cheap. That and virus scanning are probably easy to enforce since users want them anyway.

Chad Schieken <Chad.Schieken () ins com> on 05/23/99 08:54:23 AM
Please respond to Chad Schieken <Chad.Schieken () ins com>
To: firewall-wizards () nfr net
cc: (bcc: Bill Royds/HullOttawa/PCH/CA)
Subject: Re: VPN between PC and VPN server

Bill, Does your organization allow individual users to control connections to the Internet? Your note seems to suggest that or at least that they implement generally good security practices on their own.
I do agree that running firewall software on the home machines and insisting they follow some security guidelines is a good idea, however you have very little authority to do so. If the hardware is owned by the employee this is much like dictating which safety devices they use in their car on the drive to work. Also the computer sitting at home will, hopefully, be accessible to any children (it's not a firearm or munition no matter what the Commerce dept says). Those children will also probably cause some havoc on this machine in an attempt to run the new quake server or other such purpose. That havoc is no doubt likely to weaken the security stance of the machine. While expensive, the option of providing the computer at home (normally done via laptop) is a decision many companies have already made. If the company owns the hardware they can dictate exactly what configuration and level of access (user/admin) the users will have. Also they will be able to "lock" a secure configuration onto the machine.

The other alternative to filtering at the office end is to insist on a personal firewall like ConSeal (http://www.signal9.com) or Sygate on the home machine. These filter out connections to the home machine so they are less likely to be hacked. As well, home machines used as VPN ends should be treated as internal machines and subject to the same security constraints as office machines (Good passwords, virus scans, up to date OS versions etc.)
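The incident Bill describes above (blocked SNMP probes against a sensitive subnet, from the same dial-up source on successive evenings at about the same time) is the kind of pattern a firewall log review can pick out automatically. The following is an added example, not code from the thread or from any product mentioned in it; the log line layout, the 10.20.30.0/24 "sensitive" subnet and all sample addresses are constructed assumptions. It flags sources whose UDP/161 packets toward that subnet recur on several days within a narrow time-of-day band, which separates a scheduled poller (like the forgotten monitoring box) from a one-off scan.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed assumptions: the sensitive subnet and the deny-log line layout
# are illustrative, not taken from the original post.
SENSITIVE_NET = ipaddress.ip_network("10.20.30.0/24")
SNMP_PORT = 161

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) DENY (?P<proto>UDP|TCP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample firewall deny log: one dial-up source polling the
# sensitive subnet on two successive evenings, plus noise the filter ignores.
SAMPLE_LOG = """\
1999-05-11 21:03:12 DENY UDP 192.0.2.45:1027 -> 10.20.30.5:161
1999-05-11 21:03:13 DENY UDP 192.0.2.45:1027 -> 10.20.30.6:161
1999-05-11 21:10:00 DENY TCP 198.51.100.7:3344 -> 10.20.30.5:80
1999-05-12 21:05:40 DENY UDP 192.0.2.45:1027 -> 10.20.30.5:161
1999-05-12 21:05:41 DENY UDP 192.0.2.45:1027 -> 10.20.30.7:161
1999-05-12 22:30:00 DENY UDP 198.51.100.7:4000 -> 10.20.30.9:161
1999-05-13 09:15:00 DENY UDP 203.0.113.9:5000 -> 10.20.40.2:161
"""


def parse_line(line):
    """Return a dict for a well-formed deny line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["dport"] = int(rec["dport"])
    return rec


def snmp_probes(lines):
    """Yield (src, timestamp) for blocked UDP/161 packets aimed at SENSITIVE_NET."""
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "UDP" or rec["dport"] != SNMP_PORT:
            continue
        if ipaddress.ip_address(rec["dst"]) in SENSITIVE_NET:
            yield rec["src"], rec["ts"]


def recurring_sources(lines, min_days=2, window_minutes=60):
    """Sources that probe on at least min_days distinct dates, with every probe
    falling inside a window_minutes band of the same clock time. Returns
    {src: [sorted ISO dates]}; single-day scanners are left out."""
    by_src = defaultdict(list)
    for src, ts in snmp_probes(lines):
        by_src[src].append(ts)
    hits = {}
    for src, stamps in by_src.items():
        days = sorted({ts.date().isoformat() for ts in stamps})
        if len(days) < min_days:
            continue
        minutes = [ts.hour * 60 + ts.minute for ts in stamps]
        if max(minutes) - min(minutes) <= window_minutes:
            hits[src] = days
    return hits


if __name__ == "__main__":
    for src, days in recurring_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{src} probed SNMP on {', '.join(days)} at a recurring time")
```

Run against the constructed log it reports only 192.0.2.45, which is the source an analyst would hand to the ISP's abuse desk along with the timestamps; the one-off probe from 198.51.100.7 and the packet aimed outside the sensitive subnet are not reported. A real deployment would feed it the firewall's own deny log format and subnet list in place of the constructed ones.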
Current thread:
- VPN between PC and VPN server Ellis Luk (May 21)
- <Possible follow-ups>
- RE: VPN between PC and VPN server Dave Goldsmith (May 22)
- Re: VPN between PC and VPN server Bill_Royds (May 22)
- Re: VPN between PC and VPN server Chad Schieken (May 28)
- Re: VPN between PC and VPN server Bill_Royds (May 30)
- Re: VPN between PC and VPN server Bill_Royds (May 30)