Firewall Wizards mailing list archives

RE: VPN for *DSL/CableModem Users


From: "Robert Purdy" <liteyear () ihug co nz>
Date: Mon, 21 Aug 2000 19:54:14 +1200

I have to agree with Kyle here.  Secure Client is your only option.

To refute other suggestions posted:

"Have you considered using KSE (formerly CMDS) to monitor input from
FW-1..."
        There is no point; it will never seem like an attack if the user has a
dialup connection to the internet. The computer will act as a router, i.e. the
traffic will come from an authenticated host.

"...some VPN software based on IPSec.  Windows 2000 actually uses IPSec..."
        Again, same argument; the traffic between the user and the company network
will be encrypted, but the traffic coming via the modem won't be until the
computer acts as a router and encrypts it to the firewall.  There is no
advantage there.

"...use xxxxx third party product..."
        Users have a great knack of disabling or not loading such programs.  There
is no way to check (that I know of, someone correct me) that when they
enter your network the third-party product is running.  "Oh it crashed
so I forgot" or "Oh it stopped ICQ running even when I wasn't connected to
the company so I disabled it".
        Also small 3rd-party firewalls have this great "learn" feature; essentially
people allow everything and end up defeating the purpose of having a
firewall.

Really your only option is to run SecureRemote:
1) You require encryption between user and company network (firewall) - this
is standard with SR.
2) You require security at the user end (SR is a mini firewall at the end
user's PC; a defined policy is pushed out each time the user connects to the
firewall).
3) You need to make sure that it's running; the user has to access the
network via SR, no other options.

It does have drawbacks:
1) It only comes with 4.1 (CP 2000) and it's an add-on feature which could be
expensive.  Check to see if you have a maintenance contract with CP; if you
do they will upgrade you to 4.1 free of charge.
2) It's new; Checkpoint are pretty good with service packs so it's probably
reasonably bulletproof.
3) I have only seen it running in the labs, not in real situations.

Regards,
Rob Purdy

-----Original Message-----
From: firewall-wizards-admin () nfr net
[mailto:firewall-wizards-admin () nfr net]On Behalf Of Starkey, Kyle
Sent: Saturday, 19 August 2000 3:57 a.m.
To: 'Michael C. Ibarra'; firewall-wizards () nfr net
Subject: RE: [fw-wiz] VPN for *DSL/CableModem Users


Mike,
I believe that if you are using Checkpoint version 4.1 with SecureRemote you can
"push" policy to the remote client while connected to them.  This protects
you from an attacker using your users as a transit resource into your
network. This unfortunately does not help you out with Trojans already
planted on the users' system; it only helps with attacks during the VPN
session.  I have not seen this work, but this is what I was told by some
unbiased individuals. The second thing you can do is to bring the idle
timeout down; this alleviates the problem of users setting up a dial-up
connection and then, while at work, using it to go back out... kinda lame I know,
but on something like this layers of protection are your only resource, and
being annoying and dropping the connection after 30 seconds might stop some
unmotivated individuals.

Lastly you can only allow tunnels sourced from the client to the host
and not the other way around; again this stops your users from getting a
tunnel created back to their house so that they can get to Napster or
whatever...  Unfortunately your last line of defense from internal attacks
is your corporate security policy.  If you make sure to be a real fascist
when it comes to this then people will get the hint that running Napster
in the office is an offense for which they might get fired.  This should
stop your low end users from being annoying....


-Kyle
-----Original Message-----
From: Michael C. Ibarra [mailto:ibarra () hawk com]
Sent: Thursday, August 17, 2000 2:15 PM
To: firewall-wizards () nfr net
Subject: [fw-wiz] VPN for *DSL/CableModem Users


Hello:

 I've been asked to perform the horrible task of allowing
 in remote/home internet connections into a corporate LAN.
 The firewall/s in question are a FW-1 and IPFilter (separate
 machines) combo. The pipe decided upon was either DSL or
 cable modems, based of course on availability. The present
 method is an isdn/SecureID/dialback method. The present
 corporate policy allows no inbound traffic from the internet
 and allows limited outbound connections, mainly http.
 My feeling is that users, unable to reach their AOL/Napster/
 whatever type of services, could place a modem into these home
 PCs, corporate owned but that doesn't matter, making that
 box an insecure gateway or transfer point for a virus to the
 corporate network. VPNs IMO would do little to protect a
 machine which has a greater chance of becoming compromised,
 besides breaking corporate security policy since all non-VPN
 connections would probably allow those same services not
 normally allowed in the office. My question, and thank you
 for reading this far, is what VPN software and/or hardware
 is recommended and what can be done to enforce the present
 corporate policy (aside from asking users to sign an agreement).

Thank you all,

-mike



        The information contained in this message is not necessarily the opinion of Hawk Technologies, Inc.


_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards
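The risk both Rob and Kyle describe, a remote PC with a second (dial-up) interface routing outside traffic into the tunnel, can also be watched for on the gateway side. The following is an added example, not code from the thread or from Check Point: it parses a constructed (invented) log format, flags tunnels carrying packets the client did not source itself, and applies Kyle's idle-timeout rule; the log format, sample addresses and function names are all assumptions.

```python
"""Gateway-side checks for two risks raised in this thread (constructed example;
the log format is invented, not FW-1 or IPFilter output).  Each line is one
decrypted packet that arrived through a remote-access tunnel:
    <epoch> user=<name> peer=<tunnel endpoint IP> src=<inner source IP>
forwarding: inner src should equal the client's own tunnel endpoint; anything
  else means the remote PC is routing for another machine (e.g. a dial-up).
idle: per-user gaps above IDLE_TIMEOUT mean the session should have been
  dropped and re-authenticated (the 30 s figure is Kyle's suggestion)."""
import re

IDLE_TIMEOUT = 30  # seconds

LINE = re.compile(r"^(?P<ts>\d+) user=(?P<user>\S+) peer=(?P<peer>\S+) src=(?P<src>\S+)$")

# Constructed sample: alice and bob each forward one packet from another host;
# bob also goes quiet for 40 s between two packets.
SAMPLE_LOG = """\
1000 user=alice peer=203.0.113.10 src=203.0.113.10
1005 user=alice peer=203.0.113.10 src=192.168.1.77
1010 user=bob peer=198.51.100.20 src=198.51.100.20
1050 user=bob peer=198.51.100.20 src=198.51.100.20
1052 user=bob peer=198.51.100.20 src=10.0.0.5
"""

def parse(log):
    recs = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # only the constructed format is understood; skip the rest
        d = m.groupdict()
        d["ts"] = int(d["ts"])
        recs.append(d)
    return recs

def forwarding_clients(recs):
    """Users whose tunnel carried packets not sourced from their own endpoint."""
    return sorted({r["user"] for r in recs if r["src"] != r["peer"]})

def idle_violations(recs, timeout=IDLE_TIMEOUT):
    """(user, gap) for every gap between consecutive packets above timeout."""
    last = {}
    hits = []
    for r in sorted(recs, key=lambda r: r["ts"]):
        prev = last.get(r["user"])
        if prev is not None and r["ts"] - prev > timeout:
            hits.append((r["user"], r["ts"] - prev))
        last[r["user"]] = r["ts"]
    return hits
```

A client that NATs its second interface instead of routing would present its own address as src, so this catches plain forwarding only and complements the pushed client policy rather than replacing it.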
