Security Basics mailing list archives

RE: VPN's - Firewall's and Security


From: "Shota Gedenidze" <security () tub ge>
Date: Wed, 27 Aug 2003 10:53:20 +0400

Hi there,

Since you have a VPN, it is not firewalled!

You have configured the VPN so that VPN users can access the internal
network. You need to modify your PIX config: you have configured "crypto map
[mapname] match address [access-list name]".

You should modify that access-list and prohibit the following traffic there:

TCP/UDP 135, 137, 139, 445

These ports are commonly used by the RPC service.

Also block the TFTP protocol and TCP port 4444; this port is opened by
Blaster.


My advice:

Block everything and then allow ONLY the important protocols you use.

In access-lists use permit tcp, permit udp, permit icmp rather than
permit ip, which is less specific.


Sincerely,
Shota Gedenidze.
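
Added example (not code from either poster): a first-match evaluator for a PIX-style access-list that checks the denies the reply recommends and shows how entry order and "permit ip" decide what reaches the inside. The VPN pool 10.0.0.0/24, the internal hosts 192.168.1.10 and 192.168.1.20, and the ACL name vpn_in are assumed; only destination-port operators (eq, range) are parsed.

```python
import ipaddress
# Constructed PIX 6.x access-list: explicit denies for the ports the reply names
# (135-139, 445, TFTP/69, Blaster's 4444), then narrow permits from the assumed
# VPN pool to two assumed internal hosts; everything else is implicitly denied.
VPN_ACL = """
access-list vpn_in deny tcp any any range 135 139
access-list vpn_in deny udp any any range 135 139
access-list vpn_in deny tcp any any eq 445
access-list vpn_in deny udp any any eq 445
access-list vpn_in deny udp any any eq 69
access-list vpn_in deny tcp any any eq 4444
access-list vpn_in permit tcp 10.0.0.0 255.255.255.0 host 192.168.1.10 eq 25
access-list vpn_in permit tcp 10.0.0.0 255.255.255.0 host 192.168.1.20 eq 443
"""

def _parse_addr(tok):
    # Consume 'any' | 'host A' | 'A MASK' from the front of the token list.
    word = tok.pop(0)
    if word == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if word == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    return ipaddress.ip_network(f"{word}/{tok.pop(0)}", strict=False)

def _parse_ports(tok):
    # Optional destination-port operator 'eq N' or 'range A B'; None = any port.
    if not tok:
        return None
    op, lo = tok.pop(0), int(tok.pop(0))
    return (lo, int(tok.pop(0))) if op == "range" else (lo, lo)

def parse_acl(text, name):
    """Return [(action, proto, src_net, dst_net, (lo, hi) | None), ...] in order."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:2] != ["access-list", name]:
            continue
        rest = tok[4:]
        src, dst = _parse_addr(rest), _parse_addr(rest)
        rules.append((tok[2], tok[3], src, dst, _parse_ports(rest)))
    return rules

def evaluate(rules, proto, src_ip, dst_ip, dst_port=None):
    """First matching entry wins; a flow matching nothing hits the PIX implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, rproto, src, dst, ports in rules:
        port_ok = ports is None or (dst_port is not None and ports[0] <= dst_port <= ports[1])
        if rproto in ("ip", proto) and s in src and d in dst and port_ok:
            return action
    return "deny"

RULES = parse_acl(VPN_ACL, "vpn_in")
```

Run evaluate() against the flows a remote host would generate to confirm the RPC/SMB, TFTP and 4444 ports are dropped before any permit is reached; moving a broad "permit ip" entry above the denies makes them unreachable.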


-----Original Message-----
From: Christopher Joles [mailto:CJoles () proteabhs com] 
Sent: Tuesday, August 26, 2003 7:09 PM
To: security-basics () securityfocus com
Subject: VPN's - Firewall's and Security

Good Day All!

I'm looking for design advice.

Currently, I have a network that is protected by a Cisco PIX 515
firewall. We have it configured to protect our internal network along
with supplying access to our DMZ which holds our email and web servers.

My concern arises from the spread of the blaster worm. Currently we
give a couple of employees (the boss, the CFO and myself) VPN access from
home. In this scenario, the boss's home computer was compromised by the
blaster worm and luckily for me, he was on vacation in Germany at the
time. If he wasn't, he most assuredly would have made a VPN
connection and the lovely blaster worm would have gotten through our
defenses. Keep in mind, I had applied the MS patch to our servers and
workstations, however, it would have still gotten "inside". How can I
redesign my network to either firewall the VPN connections or at a
minimum filter them?

Thanx for your opinions in advance!

Christopher J. Joles
Chief Information Officer

PROTEA Behavioral Health Services
187 Exchange St.
Bangor, ME 04401
Phone: (207)992-7010 Ext: 245  Fax:(207)992-7011



---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Federal, September 29-30 (Training),
October 1-2 (Briefings) in Tysons Corner, VA; the world's premier
technical IT security event. Modeled after the famous Black Hat event in
Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.
Symantec is the Diamond sponsor. Early-bird registration ends September 6.
Visit us: www.blackhat.com
----------------------------------------------------------------------------

