Firewall Wizards mailing list archives
RE: worm + VPN + firewall
From: <lordchariot () earthlink net>
Date: Fri, 15 Aug 2003 12:52:34 -0400
No matter where the VPN tunnel actually terminates, it's the unencrypted side that you have to worry about. I've used VPNs in many fashions:

1. Terminate on the outside, cleartext on the inside around a firewall. Generally bad unless you can regulate traffic on the VPN device.
2. Tunnel through a firewall to a VPN in a DMZ, cleartext direct to the internal network. The firewall can only block the tunnel; it can't discriminate connections within the tunnel. Still generally bad.
3. Terminate on the outside, cleartext into a DMZ through the firewall. The firewall can regulate ports to the internal network. Much better.
4. Terminate at the firewall, cleartext to the internal network. The firewall can regulate ports to the internal network. Same as above.

No matter what, with any of the scenarios above, if you have 135/tcp wide open from the VPN client to the internal networks, the worm will propagate to the internal machines. The only way to prevent this is getting the firewall to block 135/tcp once the tunnel is unencrypted.

The problem with blocking 135 for most VPN users is that it will probably break the native Outlook/Exchange connection, and remote users will be unable to connect to the Exchange server (just like when they are in the office).

Is this an accurate assessment, everyone? (I could be wrong)

Erik

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Mordechai T. Abzug
Sent: Wednesday, August 13, 2003 7:30 PM
To: firewall-wizards () nfr com
Subject: [fw-wiz] worm + VPN + firewall

Has anyone had a user's external Blasterized system that VPN'd past a firewall and compromised an internal network? It would be nice to have concrete examples for the "VPNs should terminate outside firewalls" argument.

- Morty

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
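The point of Erik's message is that the firewall can only enforce a port policy on the segment where the tunnel has already been decrypted. The following toy first-match packet filter, added here as an illustration and not code from the thread or any product, shows what that policy looks like on the cleartext side: a policy that leaves 135/tcp open from the VPN client pool to the internal network versus one that blocks it. All addresses, network names and the rules themselves are constructed for the example. The single exception that lets 135/tcp through to one Exchange host is an assumption of this example (the thread only notes that a blanket block breaks Outlook); real Outlook-to-Exchange RPC also needs the dynamic ports the endpoint mapper hands out, which this toy does not model.

```python
"""Toy first-match packet filter for the cleartext side of a VPN tunnel.

Added example, not from the mailing-list thread. Every address, network and
rule below is constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One connection attempt as the firewall sees it after decryption."""
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: str              # "tcp", "udp" or "any"
    dport: Optional[int]    # None means any destination port
    comment: str = ""

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in self.src
                and ip_address(f.dst) in self.dst
                and self.proto in ("any", f.proto)
                and (self.dport is None or self.dport == f.dport))


# Constructed topology: the decrypted VPN client pool, the internal network
# and a single Exchange server inside it.
VPN_CLIENTS = ip_network("10.200.0.0/24")
INTERNAL = ip_network("10.10.0.0/16")
EXCHANGE = ip_network("10.10.5.20/32")


def evaluate(rules: List[Rule], flow: Flow, default: str = "deny") -> Tuple[str, str]:
    """First matching rule wins; anything unmatched gets the default action."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action, rule.comment
    return default, "implicit default"


# The situation the thread warns about: 135/tcp wide open from VPN clients.
OPEN_POLICY = [
    Rule("allow", VPN_CLIENTS, INTERNAL, "any", None, "vpn clients -> internal, everything"),
]

# 135/tcp blocked on the cleartext side. The Exchange exception is an
# assumption of this example, not advice from the thread.
BLOCKING_POLICY = [
    Rule("allow", VPN_CLIENTS, EXCHANGE, "tcp", 135, "RPC endpoint mapper to Exchange only"),
    Rule("deny", VPN_CLIENTS, INTERNAL, "tcp", 135, "block 135/tcp to the rest of internal"),
    Rule("allow", VPN_CLIENTS, INTERNAL, "any", None, "everything else as before"),
]


def hosts_reachable_on_135(rules: List[Rule], client: str, hosts: List[str]) -> List[str]:
    """Which of the given internal hosts a VPN client could reach on 135/tcp."""
    return [h for h in hosts if evaluate(rules, Flow(client, h, "tcp", 135))[0] == "allow"]


if __name__ == "__main__":
    sample_hosts = ["10.10.5.20", "10.10.7.33", "10.10.9.1"]   # constructed
    for name, policy in (("open", OPEN_POLICY), ("blocking", BLOCKING_POLICY)):
        print(name, "policy, 135/tcp reachable from 10.200.0.7:",
              hosts_reachable_on_135(policy, "10.200.0.7", sample_hosts))
```

Rule order matters: the narrow Exchange allow must sit above the broad 135/tcp deny, and the deny above the catch-all allow, or the block never fires. Note that this filter only helps in scenarios 3 and 4 of the message, where the decrypted packets actually pass the firewall; in scenario 2 the firewall sees only the tunnel and has nothing to match these rules against.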
Current thread:
- worm + VPN + firewall Mordechai T. Abzug (Aug 15)
- Re: worm + VPN + firewall R. DuFresne (Aug 15)
- Re: worm + VPN + firewall Carric Dooley (Aug 17)
- Re: worm + VPN + firewall R. DuFresne (Aug 18)
- Re: worm + VPN + firewall Paul Robertson (Aug 18)
- Re: worm + VPN + firewall Bennett Todd (Aug 18)
- Re: worm + VPN + firewall Carric Dooley (Aug 17)
- Re: worm + VPN + firewall R. DuFresne (Aug 15)
- RE: worm + VPN + firewall lordchariot (Aug 15)
- <Possible follow-ups>
- RE: worm + VPN + firewall Ames, Neil (Aug 15)
- RE: worm + VPN + firewall Steve Evans (Aug 15)