Firewall Wizards mailing list archives
RE: Cisco VPN Client "Stateful Firewall (Always On)"
From: "Peter Robinson" <peter () securegateway org>
Date: Thu, 3 Jul 2003 23:50:27 +1000
John I have had to illustrate this exact issue to some of my clients as they use the same setup. It is by no means secure and the host machine is susceptible to all type of attack before and after the VPN client is used. I suggest a centrally managed personal firewall like ISS desktop Protector or the likes that the user can't turn off or effect change policy to. This off course creates other issues and management problems as you are restricting the user even when they are not connected to you network. User education is also relevant under these circumstances. The user needs to be made aware of the potential threat they expose your company to every time they connect remotely, be it by Wifi, cable or dsl. The risk is the same only Wireless is becoming a very popular playground for the malicious. Free Wifi Hotspots typically don't use WEP so effectively it's like all being plugged into the same hub and all hacking/cracking/DOS techniques apply. Regards Peter Robinson peter () securegateway org -----Original Message----- From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Crissup, John (MBNP is) Sent: Tuesday, 1 July 2003 5:44 AM To: 'firewall-wizards () honor icsalabs com' Subject: [fw-wiz] Cisco VPN Client "Stateful Firewall (Always On)" Need some opinions on a firewall solution for our notebook computers. We are looking to set our notebooks up with a wireless card to utilize hotspots in Starbucks, etc. I have insisted that a firewall be included in this configuration. We now have a spirited discussion running concerning whether or not the "Stateful Firewall (Always On)" feature of the Cisco VPN client is sufficient for this purpose. Note that this is different from using the firewall features that are only active while the IPSEC tunnel is up. Basically, as I understand it, this feature allows all outbound connections while active, and all inbound connections originally established from the inside. However, it would block all inbound connections established from the outside. This would be similar to a PIX with no access lists configured. This feature is not configurable according to Cisco's web site. My concern is that, because this is not configurable, there will be times that the user will need to switch it off. Our desktop group believes this is a workable solution if they simply script something to push a registry or INI file entry to force it back on. I'm concerned that we're missing something here and are opening ourselves up to a potential problem. Unfortunately, I'm afraid this decision may get made before this email has time to gather replies, but any help, info, arguments you all can provide would be greatly appreciated. Thanks much!! -- John _____________________________________________________ This email is confidential and intended solely for the use of the individual or organization to whom it is addressed. Any opinions or advice presented are solely those of the author and do not necessarily represent those of the Millward Brown Group of Companies. DO NOT copy, modify, distribute or take any action in reliance on this email if you are not the intended recipient. If you have received this email in error please notify the sender and delete this email from your system. Although this email has been checked for viruses and other defects, no responsibility can be accepted for any loss or damage arising from its receipt or use. ______________________________________________________ _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Cisco VPN Client "Stateful Firewall (Always On)" Crissup, John (MBNP is) (Jul 01)
- Re: Cisco VPN Client "Stateful Firewall (Always On)" Dave Rinker (Jul 03)
- RE: Cisco VPN Client "Stateful Firewall (Always On)" Peter Robinson (Jul 03)
- Re: Cisco VPN Client "Stateful Firewall (Always On)" Milon Papezik (Jul 06)
- <Possible follow-ups>
- RE: Cisco VPN Client "Stateful Firewall (Always On)" Melson, Paul (Jul 03)
- RE: Cisco VPN Client "Stateful Firewall (Always On)" Sloane, David (Jul 03)
- RE: Cisco VPN Client "Stateful Firewall (Always On)" George Peek (Jul 03)
- Re: Cisco VPN Client "Stateful Firewall (Always On)" Marcus J. Ranum (Jul 03)
- RE: Cisco VPN Client "Stateful Firewall (Always On)" marco misitano (Jul 07)