Firewall Wizards mailing list archives

RE: worm + VPN + firewall


From: <lordchariot () earthlink net>
Date: Fri, 15 Aug 2003 12:52:34 -0400


No matter where the VPN tunnel actually terminates, it's the unencrypted
side that you have to worry about.

I've used VPNs in many fashions:
Terminate on the outside, Cleartext on the inside around a firewall.
Generally bad unless you can regulate traffic on VPN device.

Tunnel through a firewall to VPN in a DMZ, Cleartext direct to internal
network. 
Firewall can only block tunnel, can't discriminate connections within
tunnel. Still generally bad.

Terminate on the outside, Cleartext into a DMZ through the firewall.
Firewall can regulate ports to internal network. Much better.

Terminate at the firewall, Cleartext to internal network.
Firewall can regulate ports to internal network. Same as above.


No matter what, with any of the scenarios above, if you have 135/tcp
wide open from VPN client to internal networks, the worm will propagate
to the internal machines. The only way to prevent this is getting the
firewall to block 135/tcp once the tunnel is unencrypted.

The problem with blocking 135 with most VPN users is it will probably
break the native Outlook/Exchange connection and remote users will be
unable to connect to the Exchange server (just like when they are in the
office).

Is this an accurate assessment everyone? (I could be wrong)

Erik

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of
Mordechai T. Abzug
Sent: Wednesday, August 13, 2003 7:30 PM
To: firewall-wizards () nfr com
Subject: [fw-wiz] worm + VPN + firewall



Has anyone had a user's external Blasterized system that VPNd past a
firewall and compromised an internal network?  It would be nice to
have concrete examples for the "VPNs should terminate outside
firewalls" argument.

- Morty
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
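The point Erik makes above (the filter has to sit where the tunnel is already cleartext, and it has to be able to say no to 135/tcp) can be checked against a policy before it is deployed. The following is an added illustration, not code from the thread or from any firewall product: a tiny first-match packet-filter evaluator over a constructed VPN client pool, internal LAN and Exchange host, with a helper that reports which internal hosts a Blaster-infected client could still reach on 135/tcp. It goes one step past the post by confining 135/tcp to the Exchange host instead of dropping it everywhere.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed addresses for the example (not from the thread).
VPN_POOL = ipaddress.ip_network("10.200.0.0/24")   # addresses handed to VPN clients
INTERNAL = ipaddress.ip_network("10.0.0.0/16")     # internal network behind the firewall
EXCHANGE = ipaddress.ip_network("10.0.1.25/32")    # the Exchange server


@dataclass(frozen=True)
class Rule:
    iface: str                       # interface carrying the *decrypted* traffic, e.g. "tun0"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    dport: Optional[int]             # None matches any destination port
    action: str                      # "ACCEPT" or "DROP"


# "Wide open" case from the post: everything from the VPN pool to the LAN is allowed.
OPEN_POLICY = [Rule("tun0", VPN_POOL, INTERNAL, "tcp", None, "ACCEPT")]

# Hardened case: 135/tcp only to the Exchange host, dropped to every other internal
# machine, then whatever else the site permits. First match wins.
HARDENED_POLICY = [
    Rule("tun0", VPN_POOL, EXCHANGE, "tcp", 135, "ACCEPT"),
    Rule("tun0", VPN_POOL, INTERNAL, "tcp", 135, "DROP"),
    Rule("tun0", VPN_POOL, INTERNAL, "tcp", None, "ACCEPT"),
    Rule("tun0", VPN_POOL, INTERNAL, "udp", None, "ACCEPT"),
]


def decide(iface: str, src: str, dst: str, proto: str, dport: int, policy) -> str:
    """Action for one decrypted flow; anything no rule matches is dropped."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in policy:
        if (r.iface == iface and s in r.src and d in r.dst and r.proto == proto
                and (r.dport is None or r.dport == dport)):
            return r.action
    return "DROP"


def hosts_reachable_on_135(client: str, hosts: List[str], policy) -> List[str]:
    """Internal hosts an infected VPN client could still hit on 135/tcp under this policy."""
    return [h for h in hosts if decide("tun0", client, h, "tcp", 135, policy) == "ACCEPT"]
```

Note that Outlook's RPC session only starts at the endpoint mapper on 135; it continues on dynamically assigned ports, which here fall under the catch-all tcp rule, so the Exchange exception above is about limiting worm exposure, not a complete Outlook profile.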


