Firewall Wizards mailing list archives
RE: VPN for *DSL/CableModem Users
From: "Starkey, Kyle" <Kyle.Starkey () msdw com>
Date: Fri, 18 Aug 2000 08:56:54 -0700
Mike, I believe that if you are using Checkpoint vers4.1 with SecureRemote you can "push" policy to the remote client while connected to them. This protects you from an attacker using your users as a transit resource into your network. This unfortunately does not help you out with Trojans already planted on the users system, it only helps to attacks during the VPN session. I have not seen this work, but this is what I was told by some unbiased individuals. The second thing you can do is to bring the idle timeout down, this alleviates the problem of users setting a dial up connection then while at work using it to go back out... kinda lame I know, but on something like this layers of protection are your only resource and being annoying and dropping the connection after 30 seconds might stop some unmotivated indivuals. Lastly you can only allow tunnells sourced from the client to the host only and not the other way around, again this stops your users from getting a tunnell created back to their house so that they can get to napster or whatever... unfortunately your last line of defense from internal attacks is your corporate security attacks is your security policy. If you make sure to be a real fascist when it comes to this then people will get the hint that running napster in the office is an offense for which they might get fired. This should stop your low end users from being annoying.... -Kyle -----Original Message----- From: Michael C. Ibarra [mailto:ibarra () hawk com] Sent: Thursday, August 17, 2000 2:15 PM To: firewall-wizards () nfr net Subject: [fw-wiz] VPN for *DSL/CableModem Users Hello: I've been asked to perform the horrible task of allowing in remote/home internet connections into a corporate LAN. The firewall/s in question are a FW-1 and IPFilter (separate machines) combo. The pipe decided upon was either DSL or cable modems, based of course on availibilty. The present method is an isdn/SecureID/dialback method. The present corporate policy allows no inbound traffic from the inter- net and allows a limited outbound connections, mainly http. My feeling is that users, unable to reach their AOL/Napster/ whatever type of services could place a modem into these home PC's, corporate owned but that doesn't matter, making that box an insecure gateway or transfer point for a virus to the corporate network. VPN's IMO would do little to protect a machine which has a greater chance of becoming compromised, besides breaking corporate security policy since all non-VPN connections would probably allow those same services not normally allowed in the office. My question, and thank you for reading this far, is what VPN software and/or hardware is recommended and what can be done to enforce the present corporate policy (aside from asking users to sign an agreement). Thank you all, -mike The information contained in this message is not necessarily the opinion of Hawk Technologies, Inc. _______________________________________________ Firewall-wizards mailing list Firewall-wizards () nfr net http://www.nfr.net/mailman/listinfo/firewall-wizards _______________________________________________ Firewall-wizards mailing list Firewall-wizards () nfr net http://www.nfr.net/mailman/listinfo/firewall-wizards
Current thread:
- VPN for *DSL/CableModem Users Michael C. Ibarra (Aug 18)
- Re: VPN for *DSL/CableModem Users Ray Hooker (Aug 19)
- <Possible follow-ups>
- RE: VPN for *DSL/CableModem Users Irwin Lazar (Aug 19)
- RE: VPN for *DSL/CableModem Users Starkey, Kyle (Aug 19)
- RE: VPN for *DSL/CableModem Users John Adams (Aug 20)
- RE: VPN for *DSL/CableModem Users Robert Purdy (Aug 21)
- RE: VPN for *DSL/CableModem Users sean . kelly (Aug 19)
- Re: VPN for *DSL/CableModem Users Chuck Fasching (Aug 19)
- Re: VPN for *DSL/CableModem Users Andrew J Bernoth/Boulder/IBM (Aug 19)
- Re: VPN for *DSL/CableModem Users Michael C. Ibarra (Aug 19)
- RE: VPN for *DSL/CableModem Users Jensen, Greg (Aug 20)
- Re: VPN for *DSL/CableModem Users amanda (Aug 20)
- Re: VPN for *DSL/CableModem Users Bill_Royds (Aug 20)
- RE: VPN for *DSL/CableModem Users Patrick Darden (Aug 21)