Security Incidents mailing list archives

Re: indirect doorway to network via mobile remote access stations


From: David Pick <D.M.Pick () QMW AC UK>
Date: Fri, 28 Jul 2000 23:10:04 +0100

When the stations are brought 'on the road', they are used to access the internal network via a VPN.
First they must establish a connection with a local ISP, then they connect to our VPN servers.
For the entire duration of their 'Internet' connection, they are only protected by anti-virus software.

Of course the information traveling on the VPN is (more) secure, but the station itself is vulnerable
to network scans and attacks.  The anti-virus software cannot help with the scans, and might be of
assistance with the copying or executing of known viral content.

However, this leaves the stations quite open to 'newer' attacks that may be unknown to the anti-virus
software.  If the station becomes compromised, information contained within that station, or transacted
over the VPN, is not safe.

Absolutely classic problem. The *only* answer is to keep the mobile machines
as secure as possible. If you don't you're in trouble. And a simple malicious
applet loaded into your browser is enough to cause trouble.

Possible approaches to dealing with the problem:
 1) use a host-based firewall:
     * configured to prohibit *all* traffic except your PPTP tunnel
     * that may not be possible with Windows
 2) use an external firewall with the same characteristics:
     * you may be able to use one of the relatively cheap Ethernet-to-
       ISDN-or-modem boxes now on the market as an external firewall
       for the laptop; this would enable you to leave the laptop using
       Ethernet all the time whatever its location and use the external
       box to bring up the VPN
     * use another laptop running an operating system with decent
       packet filters to "protect" the Windows machine
 3) use a (logical) equivalent of (2) on one laptop:
     * run Linux or FreeBSD or OpenBSD with the firewall software
     * run the Windows environment using either:
        + VMWare (when you run a real copy of Windows in a VM)
        + WINE (when you run a Windows emulator)
     * if using the first, set it up so the (simulated) Ethernet
       interface in the Windows VM is connected to a simulated Ethernet
       interface in the **IX VM, so packets have to route through that
       environment and get filtered

--
        David Pick
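The host-based firewall of approach (1) in the reply above, as an added example that is not part of the original post or thread: a POSIX shell function that prints an iptables rule set (Linux netfilter is assumed; the same default-deny policy translates to ipf/pf on the BSDs) which drops everything on the ISP-facing interface except the PPTP control connection (TCP 1723) and the GRE data channel (IP protocol 47) to a single VPN server, plus DHCP so the laptop can obtain an address wherever it is plugged in. The VPN server address 203.0.113.10 and the interface names eth0/ppp0 are assumed placeholders. The rules are printed rather than applied so they can be reviewed first; addressing the VPN server by IP rather than by name means no DNS has to be permitted before the tunnel exists.

```shell
#!/bin/sh
# Added example, not the original poster's configuration.
# Prints an iptables rule set implementing "prohibit all traffic except the
# PPTP tunnel" for a laptop on an untrusted ISP link.
#   $1  VPN server IP (placeholder in the thread: none given, so assumed)
#   $2  physical interface facing the ISP (default eth0)
#   $3  tunnel interface created by the PPTP client (default ppp0)

gen_rules() {
    vpn="$1"
    ext="${2:-eth0}"
    tun="${3:-ppp0}"
    if [ -z "$vpn" ]; then
        echo "usage: gen_rules <vpn-server-ip> [ext-if] [ppp-if]" >&2
        return 1
    fi

    cat <<EOF
# Default deny in every direction: anything not listed below is dropped.
iptables -F
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Loopback is needed by local software and never leaves the machine.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# DHCP: obtain an address from whatever ISP the laptop is connected to.
iptables -A OUTPUT -o $ext -p udp --sport 68 --dport 67 -j ACCEPT
iptables -A INPUT -i $ext -p udp --sport 67 --dport 68 -j ACCEPT
# PPTP control channel: TCP 1723 to the VPN server only, initiated by us.
iptables -A OUTPUT -o $ext -p tcp -d $vpn --dport 1723 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $ext -p tcp -s $vpn --sport 1723 -m state --state ESTABLISHED -j ACCEPT
# PPTP data channel: GRE (IP protocol 47) to and from the VPN server only.
iptables -A OUTPUT -o $ext -p gre -d $vpn -j ACCEPT
iptables -A INPUT -i $ext -p gre -s $vpn -j ACCEPT
# Inside the tunnel the internal network's own firewall policy applies.
iptables -A OUTPUT -o $tun -j ACCEPT
iptables -A INPUT -i $tun -j ACCEPT
# Log what the default-deny policy drops on the ISP side (scans show up here).
iptables -A INPUT -i $ext -j LOG --log-prefix "laptop-fw: "
EOF
}

# Usage (as root, after reviewing the output):
#   gen_rules 203.0.113.10 eth0 ppp0 | sh
```

Because the OUTPUT policy is DROP as well, a compromised or misbehaving program on the laptop cannot talk to the Internet directly; its only path is through the tunnel, where the office firewall sees it.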

