mailing list archives
Re: SSL VPN's from LAN to WAN
From: Tremaine Lea <tremaine () gmail com>
Date: Wed, 12 Dec 2007 09:31:38 -0700
I'd definitely recommend blocking all outbound vpn access. A good
starting point would be to check your outbound logs for all activity
on 443, explicitly allow the connections to business related ssl sites
and then block the rest. It may also be worth appending your
information security policy (cuz you have one, right? *grin*) allowing
for outbound vpn access but only under certain terms that they must
sign off on.
One option is to create a separate network within your network and
allow contractors to connect out to their company vpn on a different
vlan, and restrict access to the vlan by MAC address and port security
- of course, it would be best if they supplied their own laptop/pc for
that connection so you can keep corporate and non-corporate assets
Network Security Consultant
"Paranoia for hire"
On 11-Dec-07, at 3:08 AM, fac51 wrote:
I would like some advice on a situation that is new to me.
I have just discovered that some contractors that are on our
corporate LAN have managed to install (Half Install) VPN Clients
that allow them to connect directly back to their LAN (RDP'ing into
their Desktops etc.) The desktops they are using here are locked
down but still allow some VPN functionality.
The VPN connects over 443 out of our network then to their Firewall
Implications that I can think of are:
1. All traffic to and from us is encrypted and therefore we cannot
2. They can see network drives and could be stealing info. (although
they don't have much access)
3. Any infections at their site could propagate to us (that could
happen anyway I suppose via email)
My first reaction is one of horror but am I overreacting?
If my worst fears are confirmed I will need to block them. To do
this I was thinking of blocking all traffic to and from their
firewall however apparently some access to remote services is
required by other staff.
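
Added example (not part of the original thread): one way to carry out the log review suggested in the reply above, listing outbound 443 destinations that are not on an allowlist of business-related SSL sites. The log format, addresses, allowlist and the one-hour "tunnel-like" threshold are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: src_ip,dst_ip,dst_port,duration_s,bytes_out,bytes_in
SAMPLE_LOG = """\
10.1.20.14,198.51.100.7,443,14,2100,48211
10.1.20.14,203.0.113.50,443,27411,88120334,91500121
10.1.20.31,203.0.113.50,443,19804,40311872,52110003
10.1.20.31,198.51.100.7,443,9,1800,30100
10.1.20.8,192.0.2.25,443,31,5120,120433
10.1.20.8,192.0.2.80,80,4,700,9000
"""

# Hypothetical allowlist of business-related SSL destinations.
ALLOWED_443 = {"198.51.100.7", "192.0.2.25"}

# Assumed threshold: a 443 session lasting an hour or more looks like a tunnel.
LONG_SESSION_S = 3600


def review_outbound_443(log_text, allowed):
    """Summarise outbound 443 destinations that are not on the allowlist."""
    stats = defaultdict(lambda: {"sources": set(), "sessions": 0,
                                 "bytes": 0, "longest_s": 0})
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 6:
            continue  # skip blank or malformed lines
        src, dst, port, dur, b_out, b_in = row
        if port != "443" or dst in allowed:
            continue
        s = stats[dst]
        s["sources"].add(src)
        s["sessions"] += 1
        s["bytes"] += int(b_out) + int(b_in)
        s["longest_s"] = max(s["longest_s"], int(dur))
    report = [{"dst": dst, "sources": sorted(s["sources"]),
               "sessions": s["sessions"], "bytes": s["bytes"],
               "longest_s": s["longest_s"],
               "tunnel_like": s["longest_s"] >= LONG_SESSION_S}
              for dst, s in stats.items()]
    # Longest-lived destinations first: these are the ones to chase up.
    return sorted(report, key=lambda r: r["longest_s"], reverse=True)


if __name__ == "__main__":
    for entry in review_outbound_443(SAMPLE_LOG, ALLOWED_443):
        print(entry)
```

Destinations left in the report are candidates for either an explicit allow rule or the default block; the listed source hosts show which desktops to follow up on.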