Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: Security and VPN
From: "Kurt Buff" <kurt.buff () gmail com>
Date: Fri, 22 Jun 2007 08:49:24 -0700

On 6/19/07, Andrew Vliet <Andrew.Vliet () lvs1 com> wrote:
Sohail Sarwar,

2 factor authentication is great, but personally I would go one further
than Philip.  I would not be putting VPN clients on employee owned
systems.  Yes, I say no clients - period.  Too many variables - too
insecure.

I understand that it's expensive, but none the less, I would either put
in a Citrix farm or purchase dedicated, company owned and maintained
machines for your employees to use at home.  Add the VPN client to these
machines company owned machines.

When considering the speed and volatility of trojans and viruses these
days;  Adding VPN to an unknown, uncontrolled, insecure client - even
after adding Antivirus checking, etc - is simply asking for trouble.

Of course, we haven't even touched on the legal and privacy implications
of the company having direct access to an employee's personal network,
all computers there-in and visa versa.

VPN on employee machines == bad idea - don't do it.  Provide Citrix or
dedicated, managed machines.

Regards,
Andrew Vliet

I fully agree - no employee machines on the network. However, our
company will not entertain the idea of either a Citrix solution or
loaner machines for people to take home. We've come up with a solution
that mitigates this risk, at the cost of some end-user effort.

We have cobbled together a VMWare player app, with Ubuntu running
IPSec for connectivity and rdesktop so that they can connect to their
own machines, or a TS server.

This works well, if they have any kind of decent machine at home.

Kurt

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!

http://www.cenzic.com/c/2020
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]