Security Basics mailing list archives
RE: Vendors, laptops, and VPN clients
From: "Burton M. Strauss III" <Burton () FelisCatus org>
Date: Sat, 20 Nov 2004 09:25:17 -0600
The safest bet is to put all of your PUBLIC and semi-PUBLIC spaces (conference rooms, lobby, etc.) into a DMZ:

    (Internet)-->(router)->(minimal-firewall)--->(DMZ)
                                                   |->(semiPUB)
                                                   \->(firewall)->(LAN)

Then let 'em VPN back home, just like your folks will need to VPN in.

Is it perfect? Nope. But is it good enough? Probably...

Most VPNs configure the PC to force all traffic down the tunnel. Sure you CAN "route add" around it, but that's 1) beyond most users and 2) something you can prohibit via policy and training.

-----Burton
-----Original Message-----
From: Dan Lynch [mailto:dan.lynch () placer ca gov]
Sent: Friday, November 19, 2004 4:57 PM
To: security-basics () securityfocus com
Subject: Vendors, laptops, and VPN clients

Greetings list,

I'm interested in opinions and common practices vis-à-vis allowing vendors to connect their laptops to a corporate LAN.

To begin, it's already an established precedent here that visiting vendors be allowed to connect. Occasionally we'll be able to ensure adequate virus protection on the machine, but most often, it's done without the knowledge or approval of IT. We've been bitten by this practice on more than one occasion, but what can I say, we're not allowed to inconvenience the implementation of a customer's project.

My particular concern then has to do with vendors' laptops running VPN client software to connect from our LAN across our internet connection to their corporate network. Once that tunnel is established, can someone on the other end establish connections to the laptop here? That is, is the tunnel bi-directional? Could a virus that infects Windows shares touch the laptop (assuming file sharing is enabled)? If IP forwarding were enabled could traffic pass *through* the box onto our LAN? Like broadcast traffic, maybe? Could a desktop management remote control application connection be established to the laptop?

What are the specific risks we expose ourselves to when this is allowed?

Thanks in advance for any and all thoughts on this.

Dan Lynch
County of Placer
Auburn, CA
Current thread:
- Vendors, laptops, and VPN clients Dan Lynch (Nov 19)
- RE: Vendors, laptops, and VPN clients Burton M. Strauss III (Nov 22)