Home page logo

basics logo Security Basics mailing list archives

Re: VPN Access for Consultants (Little Late)
From: Jimi Thompson <jimit () myrealbox com>
Date: Tue, 25 Nov 2003 21:06:12 -0600

This type of things is what lead us to install a VPN client that "locks" the NIC and doesn't allow any other network connections other than the VPN while the VPN is active. Once the VPN session is closed, it allows normal use of the NIC. There are a lot of them out there.



PS: Ours also has a policy enforcement module that allows us to require current OS updates as well as current antivirus software.
Gabriel Orozco wrote:

I use VPN to my networks for several employees.

but they can easily change their setup from being not shared to share both

how you as a netadmin can assure they will not do this? I don't think it's a
reasonable way unless you are the Administrator for their notebooks and they
don't have access to the setup of the VPN client.

other than that, or you trust them (and of course protect yourself via
signed papers) or you don't and you thell what are the possibilities if a
person has this kind of access to your net.

----- Original Message ----- From: <lennons () comcast net>
To: <security-basics () securityfocus com>
Sent: Thursday, November 20, 2003 8:59 PM
Subject: Re: VPN Access for Consultants


Speaking as a consultant and an IT manager as well.  On client
networks that we are allowed to plug into their network we can VPN
into our network.

However, that will drop my connection to their resources and allows
me to access our company's resources.  Once I kill the Tunnel I am
back to accessing their network resources.

The difference between a split tunnel and a dedicated tunnel.  We do
a lot of server and application support on Physician networks and
sometimes spend lots of time on site.  We need to be able to check
our email and our help system for updates.  But again.  No split
tunnel.  Dedicated.


Send reply to:  "Steve" <securityfocus () delahunty com>
From:           "Steve" <securityfocus () delahunty com>
To:             "Jennifer Fountain" <JFountain () rbinc com>,
<security-basics () securityfocus com>
Subject:        Re: VPN Access for Consultants
Date sent:      Thu, 20 Nov 2003 17:57:24 -0500

We require use of our DMZ, or simple enough to have them on a VLAN into
DMZ.  We require temps/consultants to sign our non disclosure agreement
acceptable use policy.  We require that they let us check their machines
anti-virus software.

----- Original Message ----- From: "Jennifer Fountain" <JFountain () rbinc com>
To: <security-basics () securityfocus com>
Sent: Wednesday, November 19, 2003 6:28 PM
Subject: VPN Access for Consultants

Hi All:

We have several consultants working for my company and they have
requested that I allow vpn access through our firewall to their company.
They want to be able to access their network and our network at the same
time (tunnel).  I told them no, I do not want to create a tunnel between
my network and theirs but I would allow them to plug their laptops into
the dmz or outside the firewall so they can access their network.  They
proceeded to look at me like I had six heads and act like I was the only
security admin that wouldn't allow this.  What is the general consensus
on this type of activity?  What policies do you have implemented?  Do
you allow it if the remote network was confirmed to be secure?

Thanks for any info





  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]