Re: VPN Access for Consultants (Little Late)

[Jimi Thompson <jimit () myrealbox com>]

This type of things is what lead us to install a VPN client that "locks" 
the NIC and doesn't allow any other network connections other than the 
VPN while the VPN is active.  Once the VPN session is closed, it allows 
normal use of the NIC.  There are a lot of them out there.

HTH,

Jimi

PS: Ours also has a policy enforcement module that allows us to require 
current OS updates as well as current antivirus software. 

Gabriel Orozco wrote:

> I use VPN to my networks for several employees.
>
> but they can easily change their setup from being not shared to share both
> networks.
>
> how you as a netadmin can assure they will not do this? I don't think it's a
> reasonable way unless you are the Administrator for their notebooks and they
> don't have access to the setup of the VPN client.
>
> other than that, or you trust them (and of course protect yourself via
> signed papers) or you don't and you thell what are the possibilities if a
> person has this kind of access to your net.
>
>
>
> ----- Original Message ----- 
> From: <lennons () comcast net>
> To: <security-basics () securityfocus com>
> Sent: Thursday, November 20, 2003 8:59 PM
> Subject: Re: VPN Access for Consultants
>
>
>  
>
> > Jenn:
> >
> > Speaking as a consultant and an IT manager as well.  On client
> > networks that we are allowed to plug into their network we can VPN
> > into our network.
> >
> > However, that will drop my connection to their resources and allows
> > me to access our company's resources.  Once I kill the Tunnel I am
> > back to accessing their network resources.
> >
> > The difference between a split tunnel and a dedicated tunnel.  We do
> > a lot of server and application support on Physician networks and
> > sometimes spend lots of time on site.  We need to be able to check
> > our email and our help system for updates.  But again.  No split
> > tunnel.  Dedicated.
> >
> >
> >
> > Steve
> >
> >
> >
> >
> > Send reply to:  "Steve" <securityfocus () delahunty com>
> > From:           "Steve" <securityfocus () delahunty com>
> > To:             "Jennifer Fountain" <JFountain () rbinc com>,
> > <security-basics () securityfocus com>
> > Subject:        Re: VPN Access for Consultants
> > Date sent:      Thu, 20 Nov 2003 17:57:24 -0500
> >
> >    
> >
> > > We require use of our DMZ, or simple enough to have them on a VLAN into
> > >      
> the
>  
>
> > > DMZ.  We require temps/consultants to sign our non disclosure agreement
> > >      
> and
>  
>
> > > acceptable use policy.  We require that they let us check their machines
> > >      
> for
>  
>
> > > anti-virus software.
> > >
> > >
> > > ----- Original Message ----- 
> > > From: "Jennifer Fountain" <JFountain () rbinc com>
> > > To: <security-basics () securityfocus com>
> > > Sent: Wednesday, November 19, 2003 6:28 PM
> > > Subject: VPN Access for Consultants
> > >
> > >
> > > Hi All:
> > >
> > > We have several consultants working for my company and they have
> > > requested that I allow vpn access through our firewall to their company.
> > > They want to be able to access their network and our network at the same
> > > time (tunnel).  I told them no, I do not want to create a tunnel between
> > > my network and theirs but I would allow them to plug their laptops into
> > > the dmz or outside the firewall so they can access their network.  They
> > > proceeded to look at me like I had six heads and act like I was the only
> > > security admin that wouldn't allow this.  What is the general consensus
> > > on this type of activity?  What policies do you have implemented?  Do
> > > you allow it if the remote network was confirmed to be secure?
> > >
> > > Thanks for any info
> > > Jenn
> > >
> > >      
> > --------------------------------------------------------------------------
> >    
> -
>  
>
> > --------------------------------------------------------------------------
> >    
> --
>  
>
> > >      
> > --------------------------------------------------------------------------
> >    
> -
>  
>
> > --------------------------------------------------------------------------
> >    
> --
>  
>
> > --------------------------------------------------------------------------
> >    
> -
>  
>
> > --------------------------------------------------------------------------
> >    
> --
>  
>
> >    
>
>
> ---------------------------------------------------------------------------
> ----------------------------------------------------------------------------
>
>
>
>  



---------------------------------------------------------------------------
----------------------------------------------------------------------------