Security Incidents mailing list archives

Re: indirect doorway to network via mobile remote access stations


From: "Tinberg, Mark" <mtinberg () SECUREPIPE COM>
Date: Wed, 9 Aug 2000 14:27:21 -0000

As you have so astutely pointed out, you can't _really_
control these workstations when they leave your care,
especially since they can connect to the net unprotected. The
best thing you can do is limit the damage they can do.  You
could try to put AV software and Firewalls on each machine,
but you answered your own question, these methods will never
be anything close to foolproof when the system leaves your
control.

The best solution I can think of is to firewall the PPP and
PPTP machines so that errant remote users can't do much
damage.  Ideally you should be able to limit access to a
set of IP/Port pairs on a per-user basis.

Mark Tinberg
--Insert Standard Disclaimer Here--

(I am sending this email from a different domain not to draw
attention to the affected domain, please respond to
incidents () securityfocus com)

We have WinNT 4.0 sp4 (laptop) stations accessing the internal
network in three ways:

     1. Directly connected    RJ45 to the internal LANs
     2. Remotely connected    PPP Dialup (w/ SecurID) to the
        internal LANs
     3. Remotely connected    PPTP Tunnel (w/ SecurID) through
        the Internet, to the internal LANs

     - There is a firewall protecting the internal LANs/WANs
       from number 2 and 3 (remotely connected).
     - There is an anti-virus software running on the servers
       and the stations.
     - There is no firewall between the corporate resources
       and the LANs/WANs.

Our problem is with number 3 (remotely connected via the
Internet).

- On one station whose anti-virus was not up to date, we found
  a virus trying to contact IRC servers.
- We have discovered other stations that are scanning the
  network on udp port 161 (snmp).
  We have yet to investigate this one, so we do not know yet
  what software is doing this, however, we've eliminated known
  (enterprise standardized) software.

Scenario:

When the stations are brought 'on the road', they are used to
access the internal network via a VPN.
First they must establish a connection with a local ISP, then
they connect to our VPN servers.
The entire duration of their 'Internet' connection, they are
only protected by an anti-virus software.

Of course the information traveling on the VPN is (more)
secure, but the station itself is vulnerable to network scans
and attacks.  The anti-virus software cannot help with the
scans, and might be of assistance with the copying or
executing of known viral content.
However, this leaves the stations quite open to 'newer'
attacks that may be unknown to the anti-virus software.  If
the station becomes compromised, information contained within
that station, or transacted over the VPN, is not safe.

Problem:

Our concern is that when the station is brought back on site,
and directly connected to the internal network, undetected
viral software is then free to roam and discover our
LANs/WANs.  This information could then be gathered later when
the station returns on the Internet.  (Of course, the affected
station could also simply perform various attacks onto our
corporate resources.)

We consider this a 'time-differentiated security hole' into
our internal network.

We are currently evaluating three avenues:

     1. Impose a firewall policy on the stations,
     2. Impose an access policy on the internal routers (this
        only limits the damage)
     3. Impose a security policy on the servers (and other
        corporate resources)

Numbers two and three are a matter of cost/benefit analysis.
However, if we do not secure the stations themselves, there
will always be a risk of invasion.

We have contacted our firewall manufacturer for information on
products that would answer our specific need, but we were told
that they did not offer solutions in the 'personal firewall'
market.  Their focus is on 'enterprise-level' solutions.
(Well, we consider this to be an 'enterprise-level' problem.)

We have evaluated 'personal firewall' products that are
available on the Internet.  Most of them are not adequate for
our needs as they require either knowledge and/or interaction
on the part of the user for the purpose of decision making.
We have retained one product so far as being a 'close call',
but there are issues where deployment is concerned.  Also, a
great deal of effort will have to be made on our part to
attempt to secure it in the case where the anti-virus software
didn't 'catch' a user's action which would result in infection.
(This product is 'ConSeal PC Firewall' from www.signal9.com.)

Conclusion:

What we seek from the community are insight, info, ideas or
experiences with products or solutions that may help with our
problem.

Yours truly,
Frank.
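As an added example that is not part of this thread (neither Mark's nor Frank's code): the Python below models the two defender-side checks the exchange points at, the per-user IP/port allow-list Mark suggests for the PPP/PPTP gateway, and detection of the udp/161 (snmp) sweep Frank reports, run over a few constructed gateway log lines. The log format, the usernames, the 10.x addresses and the policy table are all invented for the example.

```python
"""Added example (not from the thread): per-user allow-list evaluation
and udp/161 sweep detection over constructed VPN-gateway log lines.

Assumptions (invented for this example): a 'key=value' log format, the
usernames and 10.x addresses, and a per-user allow-list of
(destination, protocol, port) triples in the spirit of Mark's suggestion.
"""
import re
from collections import defaultdict

# Constructed sample log: one line per flow seen at the PPTP/PPP gateway.
SAMPLE_LOG = """\
2000-08-09 13:01:02 user=frank src=10.8.0.12 dst=10.1.1.5 proto=tcp dport=139 action=accept
2000-08-09 13:01:05 user=frank src=10.8.0.12 dst=10.1.1.7 proto=tcp dport=25 action=accept
2000-08-09 13:02:10 user=frank src=10.8.0.12 dst=10.1.1.9 proto=tcp dport=80 action=accept
2000-08-09 13:05:00 user=roadwarrior2 src=10.8.0.44 dst=10.1.2.1 proto=udp dport=161 action=accept
2000-08-09 13:05:00 user=roadwarrior2 src=10.8.0.44 dst=10.1.2.2 proto=udp dport=161 action=accept
2000-08-09 13:05:01 user=roadwarrior2 src=10.8.0.44 dst=10.1.2.3 proto=udp dport=161 action=accept
2000-08-09 13:05:01 user=roadwarrior2 src=10.8.0.44 dst=10.1.2.4 proto=udp dport=161 action=accept
2000-08-09 13:05:02 user=roadwarrior2 src=10.8.0.44 dst=10.1.2.5 proto=udp dport=161 action=accept
2000-08-09 13:05:02 user=roadwarrior2 src=10.8.0.44 dst=10.1.2.6 proto=udp dport=161 action=accept
2000-08-09 13:06:00 user=frank src=10.8.0.12 dst=10.1.1.5 proto=udp dport=161 action=accept
"""

# Hypothetical per-user allow-list: which (dst, proto, port) each remote
# user may reach through the gateway. Anything else is denied by default.
POLICY = {
    "frank": {("10.1.1.5", "tcp", 139), ("10.1.1.7", "tcp", 25)},
}

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_log(text):
    """Turn the constructed key=value lines into dicts (dport as int)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(FIELD_RE.findall(line))
        fields["dport"] = int(fields["dport"])
        events.append(fields)
    return events


def find_snmp_scanners(events, threshold=5):
    """Return {src: distinct_targets} for sources that sent udp/161 to at
    least `threshold` distinct hosts. A management station polls a few
    known agents; a sweep across many hosts is what Frank observed."""
    targets = defaultdict(set)
    for e in events:
        if e["proto"] == "udp" and e["dport"] == 161:
            targets[e["src"]].add(e["dst"])
    return {src: len(t) for src, t in targets.items() if len(t) >= threshold}


def check_policy(events, policy):
    """Return (user, dst, proto, dport) for every flow outside the user's
    allow-list. This is the per-user IP/port limit evaluated after the
    fact; the same table would drive the gateway's filter rules."""
    violations = []
    for e in events:
        allowed = policy.get(e["user"], set())
        key = (e["dst"], e["proto"], e["dport"])
        if key not in allowed:
            violations.append((e["user"],) + key)
    return violations


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("udp/161 sweeps:", find_snmp_scanners(evs))
    for v in check_policy(evs, POLICY):
        print("outside allow-list:", v)
```

On the sample data the roadwarrior2 station is reported as a udp/161 sweep (six distinct targets) while frank's single SNMP query is not, and every flow not on a user's allow-list is listed, including all of roadwarrior2's because that user has no entry and the policy is default-deny. A per-user table like POLICY is the part worth keeping: once the gateway enforces it, a compromised laptop returning over the VPN can reach only the handful of services its owner was granted.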

