Firewall Wizards
mailing list archives
RE: Radius access from provider to internal MS ISA Server
From: "Ben Nagy" <ben () iagu net>
Date: Sun, 7 Jul 2002 10:45:34 +0200
Most of the VPN client software I have seen allows you to check a box
which drops all unsecured traffic when the client is active. That gets
you most of the way.

With Win2K you could use company laptops and a security policy with the
correct, unalterable, configuration of the dialup/VPN connector.

Both situations work OK until you have a user who is actively trying to
bypass the policy - you can't effectively secure a box if someone has
unsupervised physical access to it.[1]

With virii and trojans, though, you also need to worry about
non-concurrent threats - so you now need to worry about any home user
that ever connects to the Internet and also sometimes connects to the
company VPN.

Basically, it's a major problem with trust boundaries, and almost nobody
worries about it. This is well known among the security community, but
the benefits of VPNs are pretty huge, so people implement them anyway.
Cheers,
[1] Yes, OK, I know I'm lying, but it's accurate for the 99.9th
percentile. 8)
--
Ben Nagy
Network Security Specialist
Mb: TBA PGP Key ID: 0x1A86E304
-----Original Message-----
From: R. DuFresne [mailto:dufresne () sysinfo com]
[...]
My question on VPN tunnels in particular is: how many force
all communication out via the VPN, restricting access via
other potential internet'able pathways? The reason I ask is,
it seems one of the issues with especially home users
accessing work servers would be pushing a security policy
through the VPN, preventing such things as viri and trojans
and other malicious activity from gaining a foothold and
running up the trusted tunnel into the workplace while the
home user is connected to work systems and servers.

How do others push their security policies to their home
users in these scenarios in a concurrent manner? Is it
possible? Or is this just an open trust scenario?
Thanks,
Ron DuFresne
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
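The "drop all unsecured traffic" checkbox Ben describes is, in routing terms, a full-tunnel policy: the default route goes through the VPN interface and nothing else can reach the Internet around it. The following is an added example, not code from the thread or from any VPN vendor, showing how a defender can audit a client's routing table for that property. It assumes Linux-style `ip route` output (a Windows `route print` parser would follow the same logic), a tunnel interface name and the VPN server's address; the three routing tables are constructed samples, not captured from a real host.

```python
"""Audit a client routing table for full-tunnel versus split-tunnel VPN.

Added example for this thread, not part of the original post. Assumes
Linux `ip route` output; the routing tables below are constructed.
"""
import ipaddress
import re

# Matches "default via GW dev DEV", "NET/LEN dev DEV ...", "HOST via GW dev DEV"
ROUTE_RE = re.compile(r"^(?P<dst>default|\S+)(?:\s+via\s+(?P<gw>\S+))?\s+dev\s+(?P<dev>\S+)")


def parse_routes(text):
    """Turn `ip route` lines into dicts with an ip_network dst, gateway and device."""
    routes = []
    for line in text.strip().splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue  # ignore lines we do not understand rather than guess
        dst = m.group("dst")
        net = ipaddress.ip_network("0.0.0.0/0" if dst == "default" else dst, strict=False)
        routes.append({"dst": net, "gw": m.group("gw"), "dev": m.group("dev")})
    return routes


def classify_tunnel(text, tunnel_dev, vpn_server):
    """Return ("full", []) or ("split", [routes that bypass the tunnel]).

    A table is full-tunnel when the default route uses tunnel_dev and the only
    routes outside the tunnel are directly connected private subnets (the box
    needs its LAN to reach the VPN server) and the host route to the VPN
    server itself. Any other non-tunnel route is a path around the VPN.
    """
    routes = parse_routes(text)
    server = ipaddress.ip_address(vpn_server)
    default_via_tunnel = any(r["dst"].prefixlen == 0 and r["dev"] == tunnel_dev for r in routes)

    bypass = []
    for r in routes:
        if r["dev"] == tunnel_dev:
            continue
        on_link_lan = r["gw"] is None and r["dst"].prefixlen > 0 and r["dst"].is_private
        host_route_to_server = r["dst"].prefixlen == 32 and r["dst"].network_address == server
        if on_link_lan or host_route_to_server:
            continue
        bypass.append(str(r["dst"]))

    mode = "full" if default_via_tunnel and not bypass else "split"
    return mode, bypass


# Constructed sample tables. 203.0.113.5 is the assumed VPN server address.
FULL_TUNNEL_TABLE = """
default via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
203.0.113.5 via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10
"""

SPLIT_TUNNEL_TABLE = """
default via 192.168.1.1 dev eth0
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10
"""

# Default route looks right, but one extra route still goes around the tunnel.
LEAKY_TUNNEL_TABLE = """
default via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
203.0.113.5 via 192.168.1.1 dev eth0
198.51.100.0/24 via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10
"""

if __name__ == "__main__":
    for name, table in [("full", FULL_TUNNEL_TABLE), ("split", SPLIT_TUNNEL_TABLE),
                        ("leaky", LEAKY_TUNNEL_TABLE)]:
        print(name, classify_tunnel(table, "tun0", "203.0.113.5"))
```

The third table is the case worth checking for in practice: the default route goes through the tunnel, so a glance at `route` looks fine, yet a single extra route still lets traffic reach the Internet outside the VPN. A client-side policy check should therefore enumerate every non-tunnel route, not just the default one.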