Firewall Wizards mailing list archives
RE: VPN & Terminal Server was: VPN for *DSL/CableModem Users
From: "Kalat, Andrew (ISS Atlanta)" <akalat () iss net>
Date: Thu, 24 Aug 2000 15:40:25 -0400
Well, this is one way to do things. Couple of things to watch out for (yeah, I know, not security, but technical):

1) Certain versions of SecuRemote hate Citrix traffic. Make sure you are using the latest version of both SecuRemote and FW-1. I believe it's 4.1, SP2.

2) Most versions of SecuRemote, depending on how you use and authenticate them, have lots of trouble with NAT devices, i.e. DSL/Cable. If you want this to work over NAT, you need to be careful how you set this up. How do you plan to authenticate? If you want to use something like SecurID, you'll have issues with NAT unless you are using the latest rev and employ hybrid mode ISAKMP. Otherwise, you are stuck with FWZ, which can work over NAT, but only if you play with it a bit, and make sure you aren't using Encapsulated FWZ.

As for the security items: How do you plan to authenticate the user? For instance, let's say the home box was trojaned. If the user is relying on static passwords or a private key with a passphrase, you're still in trouble. I might recommend a strong token in a situation like this. You still have the risk that the attacker could be controlling the box while the user is authenticated, but at least they couldn't start the VPN connection without the user there authing with the token.

If they can take over the box, they can access the Terminal Server and access the resources the user has access to. Granted, this is much better than the user having direct access to machines. Just be aware that you still have a certain risk profile here to your data.

Do you have plans to run a firewall or some sort of IDS at the home user's site? SecuRemote does have a FW component for the desktop, but I have not had any experience with it.

---------------------------------------------------------
Andrew J. Kalat,                | Voice: (678)443-6000
IT Infrastructure Manager       | Fax: (678)443-6484
Internet Security Systems, Inc. | E-Mail: akalat () iss net
6600 Peachtree-Dunwoody Road    | http://www.iss.net/
300 Embassy Row, Suite 500      | PGP key available.
Atlanta, GA 30328               |
Note: All comments, thoughts, advice, opinions, or any other text contained herein are those of myself, and not of my employer.

-----Original Message-----
From: Adrian Brinton [mailto:adrian () brinton to]
Sent: Wednesday, August 23, 2000 9:11 PM
To: firewall-wizards () nfr net
Subject: [fw-wiz] VPN & Terminal Server was: VPN for *DSL/CableModem Users

We are looking at using NT Terminal Server as a solution to this. Users connect via DSL/Cable/Dialup or whatever, using the SecuRemote client, and only have access to a terminal server in a DMZ. They can get to the office resources they need, but not directly from home. This way, if a home machine were compromised, there would be no direct path to the corporate network.

Can anyone comment on downsides to this (security-wise, not Terminal Server limitations)?

Adrian Brinton
Network Engineer

-----Original Message-----
From: Michael C. Ibarra [mailto:ibarra () hawk com]
Sent: Thursday, August 17, 2000 2:15 PM
To: firewall-wizards () nfr net
Subject: [fw-wiz] VPN for *DSL/CableModem Users

Hello:

I've been asked to perform the horrible task of allowing in remote/home internet connections into a corporate LAN. The firewall/s in question are a FW-1 and IPFilter (separate machines) combo. The pipe decided upon was either DSL or cable modems, based of course on availability. The present method is an ISDN/SecurID/dialback method. The present corporate policy allows no inbound traffic from the internet and allows limited outbound connections, mainly http.

My feeling is that users, unable to reach their AOL/Napster/whatever type of services, could place a modem into these home PCs, corporate owned but that doesn't matter, making that box an insecure gateway or transfer point for a virus to the corporate network. VPNs IMO would do little to protect a machine which has a greater chance of becoming compromised, besides breaking corporate security policy since all non-VPN connections would probably allow those same services not normally allowed in the office.

My question, and thank you for reading this far, is what VPN software and/or hardware is recommended and what can be done to enforce the present corporate policy (aside from asking users to sign an agreement).

Thank you all,
-mike

The information contained in this message is not necessarily the opinion of Hawk Technologies, Inc.

_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards
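The "terminal server in a DMZ, no direct path home" design discussed in the thread, expressed as an IPFilter rule set. This is an added illustration, not configuration posted by anyone in the thread. It assumes a topology nobody in the thread spelled out: FW-1 terminates the SecuRemote tunnels and hands decrypted traffic, sourced from an assumed VPN address pool 10.200.1.0/24, to the IPFilter box; fxp0 faces FW-1, fxp1 faces the DMZ holding the Terminal Server at an assumed 192.168.100.10, and fxp2 faces the corporate LAN 10.1.0.0/16, where an assumed file server (10.1.1.20) and mail server (10.1.1.25) are the only resources the Terminal Server needs.

```conf
# ipf.conf -- added example, not from the original thread.
# Addresses, interface names and the three-legged layout are assumptions.

# Default deny in both directions, logged, so only the pass rules below
# ever carry traffic.  "quick" rules are first-match, so order matters.
block in log all
block out log all

# Belt and braces: no VPN-pool address ever reaches the corporate LAN,
# whatever later rules say.  A compromised home box can at most see the TS.
block in log quick on fxp0 from 10.200.1.0/24 to 10.1.0.0/16

# VPN users -> Terminal Server, RDP only.  "flags S" means only the SYN
# may open state; replies ride back on the state entry, so no inbound
# rule from the DMZ to the VPN pool is needed.
pass in quick on fxp0 proto tcp from 10.200.1.0/24 to 192.168.100.10 port = 3389 flags S keep state

# Terminal Server -> the two internal services its users actually need.
# Nothing else in the DMZ, and nothing else on the TS, gets a path inward.
pass in quick on fxp1 proto tcp from 192.168.100.10 to 10.1.1.20 port = 139 flags S keep state
pass in quick on fxp1 proto tcp from 192.168.100.10 to 10.1.1.25 port = 25 flags S keep state

# Internal LAN may not initiate to the DMZ or the VPN pool; a foothold on
# the TS therefore cannot be reached by pivoting out from a LAN host either.
block in log quick on fxp2 from 10.1.0.0/16 to 192.168.100.0/24
block in log quick on fxp2 from 10.1.0.0/16 to 10.200.1.0/24
```

The point Andrew raises still holds with these rules in place: an attacker who owns the home PC while the user's RDP session is up inherits exactly the TS-to-LAN paths above, so the rule set bounds the blast radius to ports 139 and 25 on two hosts, but does not remove it. The "block ... on fxp0 ... to 10.1.0.0/16" line is the one that actually implements "no direct path to the corporate network"; the passes below it are the allow-list that the terminal server design relies on.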
Current thread:
- RE: VPN & Terminal Server was: VPN for *DSL/CableModem Users Kalat, Andrew (ISS Atlanta) (Aug 25)