Re: Risks associated to branch office IPSec devices

[Chris Byrd <cbyrd01 () gmail com>]

Security of this type of solution can be improved by:

- Disabling split-tunnel routing.  Make all traffic go through the VPN
tunnel and apply the same policies that you use at the home office,
and
- Remove the default route from the router.  If you are only
communicating with a single subnet that terminates VPN, put that in
the router as a static route.  No reason for the router to talk to
other hosts on the Internet.
- Likewise, all remote management (except over the VPN tunnel) can
often be disabled or limited to a particular subnet.

Best of luck to you,

Chris


On 6/21/05, Rodrigo Blanco <rodrigo.blanco.r () gmail com> wrote:
> Hello list,
>
> I have just come across a doubt about branch office VPN devices.
> Normally, they are used so that a branch office's network - typically
> with a private addressing scheme - can securely connect to the
> headquarters' central network.
>
> Such VPN devices normally do not include a firewall, so I was
> wondering if this really represents a risk:
>
> Yes - it is a risk if the VPN device just acts as a router (no ACLs)
> and is attached to the Internet.
> No - because the addressing scheme behind it is private, hence
> non-routable, hence unreachable across the Internet (internet routers
> would drop packets with such destinations?)
>
> The only real risk I see is if the VPN device is cracked, and from
> there the security of the whole network (both brach office and
> headquarters) is exposed. Am I right?
>
> Any ideas would be more than welcome. Thanks in advance for your
> advice and best regards,
>
> Rodrigo.