Firewall Wizards mailing list archives

RE: VPN & Terminal Server was: VPN for *DSL/CableModem Users


From: "Kalat, Andrew (ISS Atlanta)" <akalat () iss net>
Date: Thu, 24 Aug 2000 15:40:25 -0400

Well, this is one way to do things. Couple of things to watch out for (yeah,
I know, not security, but technical):

1) Certain versions of SecuRemote hate Citrix traffic. Make sure you are
using the latest version of both SecuRemote and FW-1. I believe it's 4.1,
SP2.

2) Most versions of SecuRemote, depending on how you use and authenticate
them, have lots of trouble with NAT devices, i.e. DSL/Cable. If you want this
to work over NAT, you need to be careful how you set this up. How do you
plan to authenticate? If you want to use something like SecurID, you'll have
issues with NAT unless you are using the latest rev and employ hybrid mode
ISAKMP. Otherwise, you are stuck with FWZ which can work over NAT, but only
if you play with it a bit, and make sure you aren't using Encapsulated FWZ.

As for the security items:
How do you plan to authenticate the user? For instance, let's say the home
box was trojaned. If the user is relying on static passwords or a private
key with a passphrase, you're still in trouble. I might recommend a strong
token in a situation like this. You still have the risk that the attacker
could be controlling the box while the user is authenticated, but at least
they couldn't start the VPN connection without the user there authing with
the token. If they can take over the box, they can access the Terminal
Server and access the resources the user has access to. Granted, this is
much better than the user having direct access to machines. Just be aware that
you still have a certain risk profile here to your data.

Do you have plans to run a firewall or some sort of IDS at the home users'
site? SecuRemote does have a FW component for the desktop, but I have not
had any experience with it.

---------------------------------------------------------
Andrew J. Kalat,                | Voice: (678)443-6000  
IT Infrastructure Manager       | Fax:   (678)443-6484
Internet Security Systems, Inc. | E-Mail: akalat () iss net
6600 Peachtree-Dunwoody Road    | http://www.iss.net/
300 Embassy Row, Suite 500      | PGP key available.
Atlanta, GA 30328               | 

Note: All comments, thoughts, advice, opinions, or any other text contained
herein are those of myself, and not of my employer. 
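The point about static credentials versus a strong token, illustrated as an added example (not part of the post above, and not SecuRemote or SecurID code): a keystroke logger on a trojaned home box captures whatever the user types. A static password replays fine the next day; a one-time code does not, provided the gateway also refuses to accept the same time step twice. The token here is an RFC 6238-style HMAC-SHA1 time-based code used as a stand-in for a hardware token; the seed, timestamps and password are constructed demo values.

```python
import hashlib
import hmac
import struct

# Constructed demo seed; a real token seed is never kept in source.
TOKEN_SEED = b"demo-seed-not-a-real-secret"
STEP_SECONDS = 60  # one code per minute, a stand-in for a 60-second hardware token


def totp(seed: bytes, t: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """RFC 6238-style code: HMAC-SHA1 over the time counter, dynamically
    truncated (RFC 4226) to `digits` decimal digits."""
    counter = t // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class VpnGateway:
    """Toy authenticator offering both a static password and a one-time token.
    Consumed time steps are remembered so a captured code cannot be replayed,
    even inside the window in which it would otherwise still be valid."""

    def __init__(self, static_password: str, token_seed: bytes):
        self.static_password = static_password
        self.token_seed = token_seed
        self.used_counters = set()

    def login_static(self, password: str) -> bool:
        return hmac.compare_digest(password, self.static_password)

    def login_token(self, code: str, now: int, step: int = STEP_SECONDS) -> bool:
        counter = now // step
        if counter in self.used_counters:
            return False  # this time step already produced a session: replay
        if not hmac.compare_digest(code, totp(self.token_seed, now, step)):
            return False  # wrong code for the current time step
        self.used_counters.add(counter)
        return True


def simulate_trojaned_host():
    """Model the scenario from the post: the attacker on the home box records
    the user's login, then tries to start a session on their own.
    Returns (static_replay_ok, token_replay_next_day_ok, token_replay_same_minute_ok)."""
    gw = VpnGateway("hunter2", TOKEN_SEED)
    t_user = 1_000_000  # constructed timestamp of the legitimate login

    # What the keystroke logger sees during the user's own login.
    captured_password = "hunter2"
    captured_code = totp(TOKEN_SEED, t_user)
    assert gw.login_static(captured_password)
    assert gw.login_token(captured_code, t_user)

    # Attacker comes back a day later with the recorded credentials.
    t_attacker = t_user + 86_400
    static_replay = gw.login_static(captured_password)
    token_replay = gw.login_token(captured_code, t_attacker)

    # Even ten seconds later, within the same time step, the code is spent.
    same_minute_replay = gw.login_token(captured_code, t_user + 10)
    return static_replay, token_replay, same_minute_replay


if __name__ == "__main__":
    print(simulate_trojaned_host())
```

The replay set is what turns "time-based code" into "one-time code"; without it, an attacker reading the screen in real time could log in alongside the user inside the same minute. It does nothing against an attacker who simply rides the session the user has already opened, which is exactly the residual risk the post describes.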

-----Original Message-----
From: Adrian Brinton [mailto:adrian () brinton to]
Sent: Wednesday, August 23, 2000 9:11 PM
To: firewall-wizards () nfr net
Subject: [fw-wiz] VPN & Terminal Server was: VPN for *DSL/CableModem Users


We are looking at using NT Terminal Server as a solution to this. Users
connect via DSL/Cable/Dialup or whatever, using the SecuRemote client,
and only have access to a terminal server in a DMZ. They can get to the
office resources they need, but not directly from home. This way, if a
home machine were compromised, there would be no direct path to the
corporate network.

Can anyone comment on downsides to this (security-wise, not Terminal
Server limitations)?


Adrian Brinton
Network Engineer

-----Original Message-----
From: Michael C. Ibarra [mailto:ibarra () hawk com]
Sent: Thursday, August 17, 2000 2:15 PM
To: firewall-wizards () nfr net
Subject: [fw-wiz] VPN for *DSL/CableModem Users


Hello:

 I've been asked to perform the horrible task of allowing
 in remote/home internet connections into a corporate LAN.
 The firewall/s in question are a FW-1 and IPFilter (separate
 machines) combo. The pipe decided upon was either DSL or
 cable modems, based of course on availability. The present
 method is an ISDN/SecurID/dialback method. The present
 corporate policy allows no inbound traffic from the internet
 and allows limited outbound connections, mainly http.
 My feeling is that users, unable to reach their AOL/Napster/
 whatever type of services, could place a modem into these home
 PCs, corporate owned but that doesn't matter, making that
 box an insecure gateway or transfer point for a virus to the
 corporate network. VPNs IMO would do little to protect a
 machine which has a greater chance of becoming compromised,
 besides breaking corporate security policy since all non-VPN
 connections would probably allow those same services not
 normally allowed in the office. My question, and thank you
 for reading this far, is what VPN software and/or hardware
 is recommended and what can be done to enforce the present
 corporate policy (aside from asking users to sign an agreement).

Thank you all,

-mike


        
          The information contained in this message 
           is not necessarily the opinion of Hawk 
                   Technologies, Inc.


_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards
