Penetration Testing mailing list archives

Re: Security and VPN
From: Robert Hagen <rdh () stealthllama org>
Date: Tue, 19 Jun 2007 10:16:36 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sohail,

As you've pointed out, the risks are much greater than authentication and access control. Each endpoint is a potential exposure. User workstations (particularly personally owned computers) are often unpatched, unprotected, and exposed to a constant barrage of intrusion attempts over broadband connections. In order to secure the VPN connection, you have to secure that endpoint.

Network admission control is a nice fit here. There are many different desktop agents that can be used to verify the integrity of their host computer before it is allowed through the VPN. They can be customized to check for patches, a working anti-virus agent, and any other conditions you deem necessary. Many of these NAC solutions will even provide a mechanism to automatically remediate hosts that fail their integrity checks, or put them in a network quarantine where help-desk or IT support personnel can work with the user to correct their configuration.

Another consideration would be to disable "split-tunneling" on your VPN solution. If split-tunneling is enabled, the host can simultaneously route traffic to their local network (and the Internet) as well as through the VPN tunnel. This effectively extends your network perimeter to that host. Are you willing to make that host a perimeter firewall? Probably not. If a user needs to connect to the VPN, that should be the only network access they have for the duration of that VPN session.

This combination of endpoint security and network segregation has worked well for me. I'm sure there are other considerations out there that may help as well. Hopefully this helps to address your concerns.

Regards,
- -Bob-


On Jun 18, 2007, at 9:08 AM, Sohail Sarwar wrote:

Hi there,

        I just wanted to put this out there.  How secure is VPN?
Meaning, if my users take home the client and install it on their
desktop at home, and connect to the corporate network and production
network, what are we really looking at?  Are they secure or not?

        Two-factor authentication would only help the authentication
purpose and protect the user name and password?

        How about restricting their access, and how about worrying
about their home computer that can be affected?

        Has anyone been through this?  Does anyone give home users a list of
requirements that they must have before VPN can be offered to them?

        Should there be some type of desktop policy installed on their
home computer, just to protect the company network?  Any help and
guidance would be great.

Regards,
Sohail

---------------------------------------------------------------------- --
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!

http://www.cenzic.com/c/2020
---------------------------------------------------------------------- --


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)

iD8DBQFGd+VEH/ts2mEf2fMRAuyLAKDeuC6+3nOweKd117Cikqe/SOYg6ACg15UK
YELat7w0cKiehUKEEbmxU80=
=lXyq
-----END PGP SIGNATURE-----
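The split-tunneling point Bob raises above can be checked mechanically on the client. The script below is an added example, not code from this thread or from any VPN vendor's client: it parses a Linux `ip route` dump, resolves a handful of probe destinations with longest-prefix matching, and reports every destination whose traffic would leave the host on an interface other than the tunnel. Both routing tables are constructed for the example; the interface names (`eth0`, `tun0`), the concentrator address `203.0.113.10`, the `0.0.0.0/1` + `128.0.0.0/1` override that some clients use to take over the default route, and the probe addresses are all assumptions.

```python
"""Detect split tunneling from a Linux `ip route` dump.

Added example (not from the mailing-list thread). Assumes the `ip route`
text format, a tunnel interface named tun0, a physical NIC named eth0 and
a VPN concentrator at 203.0.113.10; all routing tables below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Route:
    network: ipaddress.IPv4Network
    dev: str
    via: Optional[str]


def parse_ip_route(text: str) -> List[Route]:
    """Parse `ip route show` output into Route records (destination, dev, via)."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(dst, strict=False)
        dev = via = None
        for i, tok in enumerate(fields):
            if tok == "dev":
                dev = fields[i + 1]
            elif tok == "via":
                via = fields[i + 1]
        if dev is None:          # blackhole/unreachable entries carry no device
            continue
        routes.append(Route(net, dev, via))
    return routes


def lookup(routes: List[Route], addr: str) -> Optional[Route]:
    """Longest-prefix match, the same selection the kernel makes."""
    ip = ipaddress.ip_address(addr)
    best = None
    for r in routes:
        if ip in r.network and (best is None or r.network.prefixlen > best.network.prefixlen):
            best = r
    return best


def split_tunnel_leaks(routes: List[Route], tunnel_dev: str,
                       vpn_gateway: str, probes: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Return {probe name: egress interface} for every probe that bypasses the tunnel.

    The concentrator itself is exempt: the encapsulated packets must leave on
    the physical NIC. Anything else reaching eth0 is the host acting as its
    own perimeter, which is exactly what disabling split tunneling is meant to stop.
    """
    leaks = {}
    for name, addr in probes.items():
        if addr == vpn_gateway:
            continue
        route = lookup(routes, addr)
        dev = route.dev if route else None
        if dev != tunnel_dev:
            leaks[name] = dev
    return leaks


# Constructed sample: client only routes the corporate 10/8 through the tunnel.
SPLIT_TUNNEL_TABLE = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.23 metric 100
"""

# Constructed sample: client overrides the default route with two /1 routes
# and pins a host route to the concentrator on the physical NIC.
FULL_TUNNEL_TABLE = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.23 metric 100
203.0.113.10 via 192.168.1.1 dev eth0
"""

PROBES = {
    "internet": "8.8.8.8",
    "corporate server": "10.1.2.3",
    "home LAN host": "192.168.1.50",
    "vpn concentrator": "203.0.113.10",
}


if __name__ == "__main__":
    for label, table in (("split tunnel", SPLIT_TUNNEL_TABLE), ("full tunnel", FULL_TUNNEL_TABLE)):
        print(label, "->", split_tunnel_leaks(parse_ip_route(table), "tun0", "203.0.113.10", PROBES))
```

With the split-tunnel table, both the Internet and the home LAN are reachable on `eth0` while the corporate network is up, which is the "host as perimeter firewall" situation the reply warns about. With the full-tunnel table the Internet path is fixed, but the connected `192.168.1.0/24` route still lets the host talk to its LAN neighbours; closing that last gap is a client "no local LAN access" setting or a host firewall rule, not a routing change, so a routing-table check alone is not sufficient evidence that split tunneling is fully disabled.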
