Security Basics mailing list archives

RE: VPN and Security

From: "Murda Mcloud" <murdamcloud () bigpond com>
Date: Wed, 20 Jun 2007 14:10:40 +1000

If you go down this route I would also suggest you do split tunneling.


Do you mean for a more secure setup he should split tunnel? Or do you mean
for less legal hassle he should split tunnel?(Like Hopper's brother said: I
got confused). 
As I said, the split tunneling makes me think 'less secure' precisely
because the user can be surfing pr0n/bearshare etc whilst printing to a
network printer or accessing a share on the file server at the office.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Herb Steck
Sent: Wednesday, June 20, 2007 5:33 AM
To: security-basics () securityfocus com
Subject: RE: VPN and Security

Aside from what everyone else has said you need to consider the legal
impacts as well.  If the home machine is owned by the employee then you have
few options.  Legally you can not install or force someone to comply with
your standards if you do not own the equipment.  You can of course deny them
access to the network, but for example, you can't tell the user that they
have to have xyz software/updates on their machine.  Since you don't know
what software is installed on their home computer you are pretty much
opening yourself to a big potential bag of worms here.

If you go down this route I would also suggest you do split tunneling.  An
employee can not get in trouble for surfing adult sites on their home
computer if you force all their internet traffic through your Internet pipe
& filters/logging.  

Having employees work from home is a great idea.  There are some big
technical "what if's" as well as legal "what if's" that need to be thought
out before going down this road.

Easiest solution is to do something like a web based citrix or similar.
Then you don't have to worry about the NAC side or legal side.

I didn't even touch on the licensing issues either, so if you're a Microsoft
shop you need to look at the impact of this as well.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Michael J. Benedetto
Sent: Tuesday, June 19, 2007 11:07 AM
To: 'Murda Mcloud'; 'Sohail Sarwar'; 'Scott Ramsdell'; 'WALI';
security-basics () securityfocus com
Subject: RE: VPN and Security

There are also technologies like Cisco NAC (among others) that can check and
enforce endpoint compliance with you standards (patch levels, antivirus,
etc.). That should help on the user side if you can't force them to use a
company configured and maintained PC from outside the office.

-Mike

-----Original Message-----
From: listbounce () securityfocus com 
[mailto:listbounce () securityfocus com] On Behalf Of Murda Mcloud
Sent: Monday, June 18, 2007 9:00 PM
To: 'Sohail Sarwar'; 'Scott Ramsdell'; 'WALI'; 
security-basics () securityfocus com
Subject: RE: VPN and Security

VPN is as secure as how well it is implemented and used. 
Also, the various encryption algorithms used determine how 
secure it is. Like everything, it is as strong as the weakest 
link and usually in this scenario that means the home user or 
their PC.

You're right about the two factor authentication. What were 
you thinking of using-smart cards or similar?

Giving home users the list of things they must have in 
place(AV for example) is a good idea. Will you allow them to 
split tunnel from their home connections or will they have to 
come through the VPN connection to be able to browse so that 
they can still go through your firewall/proxy etc?
Second option is safer but prob slower. And how would you 
control them when they're not on a VPN? 
Depending on how far you want to go, you could specify that 
they only use their laptop for the VPN and have no split and 
then they can use their home pc for their own use.

-----Original Message-----
From: listbounce () securityfocus com 
[mailto:listbounce () securityfocus com] On Behalf Of Sohail Sarwar
Sent: Monday, June 18, 2007 11:08 PM
To: Scott Ramsdell; WALI; security-basics () securityfocus com
Subject: VPN and Security

Hi there,

      I just wanted to put this out there.  How secure is VPN.
Meaning, if my users take home the client and install it on 
their desktop at home, and connect to the corporate network 
and production network, wheat are we really looking at.  Are 
they secure or not.

      Two factor authentication would only help the 
authentication purpose and to protect the user name and password ?

      How about restricting them to access, and how about 
worrying about their home computer that can be effected.

      Has anyone been through this.  Any one give home users 
a list of requirements that they must have before vpn can be 
offered to them ?

      Should there be some type of desktop policy installed 
on their home computer, just to protect the company network ? 
 Any help and guidance would be great

Regards,
Sohail

Current thread:

VPN and Security Sohail Sarwar (Jun 18)
- Re: VPN and Security Simon Chang (Jun 19)
- RE: VPN and Security Murda Mcloud (Jun 19)
  - RE: VPN and Security Michael J. Benedetto (Jun 19)
    - RE: VPN and Security Nick Duda (Jun 19)
    - RE: VPN and Security Cruse, Kevin (Jun 19)
    - RE: VPN and Security Nick Duda (Jun 19)
    - RE: VPN and Security Herb Steck (Jun 19)
    - RE: VPN and Security Nick Duda (Jun 19)
    - RE: VPN and Security Murda Mcloud (Jun 20)