RE: CISCO Vpn

[Matt Wagenknecht <matt.wagenknecht () quantum com>]

a more expensive but more secure (if done right) option would be a
Citrix Secure gateway.. no direct connectivity from the client machine
at all.. 

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Matt Wagenknecht                          CISSP  |  MCSE
Sr. Security Administrator                  
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Never be afraid to try something new.
Remember, amateurs built the ark; professionals built the Titanic.

This email may contain confidential and privileged information for the
sole use of the intended recipient. Any review or distribution by others
is strictly prohibited. If you are not the intended recipient, please
contact the sender and delete all copies of this email message.

On Wed, 2004-06-23 at 12:06, Bryan K. Watson wrote:
> > Patrick Olsen wrote:
> > I have been asked what the PROs and CONs of setting up a vpn would be. 
> > Im trying to find security pros and cons. Basically to find out if it 
> > is worth the risk. This individual would be using a desktop at home 
> > which we would be setting up for her.
>
> I consider the best practice to be an antivirus firewall like a Fortinet
> Fortigate to either be the VPN tunnel endpoint, or in transparent mode on
> the inside of the network between your Cisco VPN device and the internal
> network.  This way you can enforce additional access controls and stop
> virus/worm/hack activity from getting in or out to your VPN users.  The
> Cisco alone will not stop this mal-activity.
>
> An option that also provides access without opening up a full network tunnel
> is the use of an SSL application gateway like Array Networks makes or like a
> Neoteris (Netscreen/Juniper now) SSL gateway appliance.  This way you can
> give limited access to client-server applications and not the whole network.
> These devices also do allow you to selectively allow full TCPIP layer 3
> VPN's...then you need to provide protection like I mentioned above.
>
> Another consideration with IPSEC and PPTP versus SSL VPN's is that IPSEC and
> PPTP will have problems traversing some network firewalls (even old PIX
> versions), and your remote users will keep you on the help-desk phone trying
> to figure out why the VPN doesn't work.  That is because IPSEC and PPTP
> require special firewall rules to allow them to get out of a network.  SSL
> only uses a single outbound channel (typically over port 443/HTTPS) for all
> two way communication of VPN traffic.  Firewalls usually do not complain
> about this unless they have specific traffic inspection policies to shut
> down SSL VPN traffic (Checkpoint can do this).
>
> If the remote user only needs a couple of apps, figure out a way to limit
> access to only the needed resources or setup a remote access RDP/Terminal
> Server to facilitate secure access.  Also consider that a home system will
> store data locally and will not be under your company backup procedures.  A
> terminal server will be on your local network and you can use you existing
> backup systems to keep your corporate Intellectual Property secure.
> Revocation of a home system in case of employee termination also becomes a
> problem and you are likely to lose IP in such an event with a home system
> with locally stored data.
>
> And finally, opening up a remote access method of any kind will expose your
> weak password policy to brute forcing. Multi-factor authentication should be
> employed and enforced.  Client system certificates, SecurID and Authenex are
> some ways to do this multifactor authentication.  
>
> Have fun,
> - Bryan K. Watson
> - bwatson () nettracers com
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
-- 


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html