Firewall Wizards mailing list archives

RE: Cisco VPN Client "Stateful Firewall (Always On)"


From: "Peter Robinson" <peter () securegateway org>
Date: Thu, 3 Jul 2003 23:50:27 +1000

John

I have had to illustrate this exact issue to some of my clients as they
use the same setup.

It is by no means secure and the host machine is susceptible to all types
of attack before and after the VPN client is used.

I suggest a centrally managed personal firewall like ISS Desktop
Protector or the like that the user can't turn off or effect policy
changes to. This of course creates other issues and management problems,
as you are restricting the user even when they are not connected to your
network.

User education is also relevant under these circumstances. The user
needs to be made aware of the potential threat they expose your company
to every time they connect remotely, be it by WiFi, cable or DSL. The
risk is the same, only wireless is becoming a very popular playground for
the malicious. Free WiFi hotspots typically don't use WEP, so effectively
it's like all being plugged into the same hub, and all
hacking/cracking/DoS techniques apply.

Regards
Peter Robinson
peter () securegateway org


-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Crissup,
John (MBNP is)
Sent: Tuesday, 1 July 2003 5:44 AM
To: 'firewall-wizards () honor icsalabs com'
Subject: [fw-wiz] Cisco VPN Client "Stateful Firewall (Always On)"

  Need some opinions on a firewall solution for our notebook computers. We
are looking to set our notebooks up with a wireless card to utilize hotspots
in Starbucks, etc. I have insisted that a firewall be included in this
configuration. We now have a spirited discussion running concerning whether
or not the "Stateful Firewall (Always On)" feature of the Cisco VPN client
is sufficient for this purpose. Note that this is different from using the
firewall features that are only active while the IPSEC tunnel is up.

  Basically, as I understand it, this feature allows all outbound
connections while active, and all inbound connections originally established
from the inside. However, it would block all inbound connections
established from the outside. This would be similar to a PIX with no access
lists configured. This feature is not configurable according to Cisco's web
site.

  My concern is that, because this is not configurable, there will be times
that the user will need to switch it off. Our desktop group believes this
is a workable solution if they simply script something to push a registry or
INI file entry to force it back on. I'm concerned that we're missing
something here and are opening ourselves up to a potential problem.
Unfortunately, I'm afraid this decision may get made before this email has
time to gather replies, but any help, info, arguments you all can provide
would be greatly appreciated.

  Thanks much!!

--
John
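The policy John describes above, as an added example that is not part of the original thread: a small Python model of "allow all outbound, allow inbound only as a reply to a flow the host opened, deny everything else", including what happens to inbound traffic once a user switches the feature off. Addresses, ports and the state-table layout are constructed assumptions, not Cisco's implementation.

```python
# Added example, not from the original thread: a toy model of the policy John
# describes (all outbound permitted, inbound only as a reply to a host-opened
# flow, everything else denied). Addresses and table layout are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str      # "out" (host -> network) or "in" (network -> host)
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag
    ack: bool = False   # TCP ACK flag

class AlwaysOnFirewall:
    def __init__(self):
        self.enabled = True
        self.state = set()  # 5-tuples of flows the inside host initiated

    def _flow(self, pkt):
        # Normalise both directions to (proto, inside, inport, outside, outport)
        if pkt.direction == "out":
            return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def filter(self, pkt):
        """Return 'permit' or 'deny' for one packet, updating state."""
        if not self.enabled:
            return "permit"  # the switched-off window: nothing is checked
        flow = self._flow(pkt)
        if pkt.direction == "out":
            self.state.add(flow)  # any outbound packet creates state
            return "permit"
        # A bare inbound SYN is a connection attempt from outside: deny it
        # even if a stale entry for the same 5-tuple happens to exist.
        if pkt.proto == "tcp" and pkt.syn and not pkt.ack:
            return "deny"
        return "permit" if flow in self.state else "deny"

def demo():
    """Outbound HTTPS, its reply, an unsolicited SYN, then that SYN when off."""
    fw = AlwaysOnFirewall()
    laptop, web, outsider = "192.0.2.10", "198.51.100.80", "198.51.100.66"
    r = [fw.filter(Packet("out", "tcp", laptop, 40000, web, 443, syn=True)),
         fw.filter(Packet("in", "tcp", web, 443, laptop, 40000, syn=True, ack=True)),
         fw.filter(Packet("in", "tcp", outsider, 5555, laptop, 445, syn=True))]
    fw.enabled = False  # the gap before the desktop group's script re-enables it
    r.append(fw.filter(Packet("in", "tcp", outsider, 5555, laptop, 445, syn=True)))
    return r
```

The fourth result is the point of John's worry: while the feature is off, the state table is no longer consulted and an unsolicited inbound connection is no longer refused.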



_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

