Security Basics mailing list archives

RE: Remote Access for Home Computers


From: "Beauford, Jason" <jbeauford () EightInOnePet com>
Date: Wed, 24 Aug 2005 17:27:40 -0400

It's my understanding that if you are not utilizing a virtual IPSEC
connector and you are only connecting over SSL, there is no worry of
your network becoming infected with any kind of worm / virus as there is
no TRUE connection between the infected computer and your network.
Rather your network files/resources are being SERVED to the end user.

Juniper has something called Network Connect which is a virtual IPSEC
adapter that actually gives you an IP on the internal network.  At that
point yes, there is a risk.

A big concern I can think of initially is the issue of keyloggers.  If a
keylogger infected machine connects to your SSL VPN, your valid
authentication credentials may be compromised.  Again, you can limit
access to specific resources via the SSL VPN, but still you should have
some other layers of security in place (Hours a user is allowed to log
on for instance).

As for copying files...If this is a problem, utilize the SSL VPN to
allow access to an internal Terminal Server.  This way, any/all files
are opened on your internal server and not on their local computer.

If you are worried about users stealing company data, it might make it
easier yes, however you can limit access to only authorized users and if
they really want to steal a document or 2, they can email it or setup
some sort of FTP server of their own and copy it up to there.  At that
point, you'll have more to worry about than SSL VPN. 

I'm all for SSL VPN.  When implemented properly, it makes the issue of
availability that much easier.  I use it as a supplement for my Cisco
IPSEC VPN when those protocols are blocked (like at some airports).
Additionally, users looking to work from home can connect right on in to
my TS and work there with all the access they would have at their desk
at work.  Juniper is the solution I chose to go with.

-JMB



     =|   -----Original Message-----
     =|   From: nick_hunt () mascohq com [mailto:nick_hunt () mascohq com] 
     =|   Sent: Tuesday, August 23, 2005 9:19 PM
     =|   To: security-basics () securityfocus com
     =|   Subject: Remote Access for Home Computers
     =|   
     =|   Hello all
     =|   
     =|   I have been getting asked a lot lately about the 
     =|   possibility of letting users access corporate 
     =|   resources with their home computers via SSL VPN that 
     =|   has NAC features on it.  I keep on fighting it, 
     =|   mostly because I think it will cause a lot of support 
     =|   calls, but more importantly because I am afraid of 
     =|   the possible vulnerabilities of allowing un-managed 
     =|   machines access to our network.  I was wondering if 
     =|   anyone knew of any statistics or good articles on 
     =|   letting users access corporate data with their home 
     =|   machines.  
     =|   
     =|   The security implications that I am most worried about are:
     =|   1) worm propagation:  afraid infected machine will 
     =|   allow a worm onto our network.  Even though the SSL 
     =|   vpn does a check to see if AV is running and defs 
     =|   are up to date, and also does not give an IP on our 
     =|   network, there is the possibility of users uploading 
     =|   infected files to websites or network shares.
     =|   2) user copying confidential information to their 
     =|   home machines and then that information getting 
     =|   compromised.  SSL vpn has the functionality to block 
     =|   copying of files down to the local machine but 
     =|   misconfigurations or vulnerabilities in the VPN could 
     =|   allow for these controls to be subverted.
     =|   3) Machine that is infected with some type of bot 
     =|   getting on the VPN and launching a denial of service 
     =|   attack against internal servers.
     =|   
     =|   If anyone can give me more possible attacks, and more 
     =|   importantly any statistics on other companies that 
     =|   have done this and had problems would help me with 
     =|   taking this argument to my management.
     =|   
     =|   Thanks for the help
     =|   Nick
     =|   
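Added example (not from this thread, and not Juniper's or any other vendor's code): a small Python policy evaluator that layers the controls the two posts discuss: the portal's host check (AV running, definitions recent), a per-group allowed-hours window, a per-resource group ACL that denies by default, and a "serve-only" flag for shares that must be reached only through the terminal server so the files never land on the home machine. The threshold, group names, resources and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta

# Assumed posture threshold: AV signatures older than this fail the host check.
MAX_DEF_AGE = timedelta(days=3)


@dataclass(frozen=True)
class Posture:
    """What the portal's host check reports about the connecting machine."""
    av_running: bool
    defs_updated: datetime


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    posture: Posture
    resource: str
    when: datetime


@dataclass(frozen=True)
class Decision:
    allow: bool
    download_allowed: bool   # False means the resource is only rendered server-side
    reasons: tuple           # every failed check, so the log explains the denial


# Constructed policy tables; a real deployment keeps these in the portal's config.
ALLOWED_HOURS = {            # group -> (earliest, latest) local logon time, inclusive
    "staff":   (time(7, 0), time(20, 0)),
    "finance": (time(8, 0), time(18, 0)),
    "oncall":  (time(0, 0), time(23, 59, 59)),
}
RESOURCE_ACL = {             # resource -> groups that may reach it; unknown resource = deny
    "intranet-web":    {"staff", "oncall"},
    "terminal-server": {"staff", "finance", "oncall"},
    "finance-share":   {"finance"},
}
# Data that must stay on the server side: reachable, but only through the terminal server.
SERVE_ONLY = {"finance-share"}


def posture_problems(posture: Posture, when: datetime) -> list:
    """Return the host-check failures for this session (empty list = healthy)."""
    problems = []
    if not posture.av_running:
        problems.append("antivirus not running")
    if when - posture.defs_updated > MAX_DEF_AGE:
        problems.append("antivirus definitions stale")
    return problems


def within_hours(groups, when: datetime) -> bool:
    """True if any of the user's groups has a logon window covering the current time."""
    t = when.time()
    for g in groups:
        window = ALLOWED_HOURS.get(g)
        if window and window[0] <= t <= window[1]:
            return True
    return False


def evaluate(req: Request) -> Decision:
    """Apply every layer; all must pass, and the reasons list records what failed."""
    reasons = posture_problems(req.posture, req.when)
    if not within_hours(req.groups, req.when):
        reasons.append("outside allowed logon hours")
    if not (RESOURCE_ACL.get(req.resource, set()) & req.groups):
        reasons.append("no group grants access to %s" % req.resource)
    allow = not reasons
    return Decision(allow=allow,
                    download_allowed=allow and req.resource not in SERVE_ONLY,
                    reasons=tuple(reasons))


def decide(groups, resource, hour, av_running=True, defs_age_days=1) -> Decision:
    """Convenience wrapper: evaluate a request at the given hour on a fixed example date."""
    when = datetime(2005, 8, 24, hour, 0)          # constructed date for the example
    posture = Posture(av_running, when - timedelta(days=defs_age_days))
    return evaluate(Request("user", frozenset(groups), posture, resource, when))


if __name__ == "__main__":
    for groups, resource, hour in [({"staff"}, "intranet-web", 10),
                                   ({"finance"}, "finance-share", 9),
                                   ({"staff"}, "intranet-web", 22)]:
        d = decide(groups, resource, hour)
        print(sorted(groups), resource, "ALLOW" if d.allow else "DENY", d.reasons)
```

The evaluator collects every failed layer instead of stopping at the first one, which is what you want in the portal log when arguing with management about why a connection was refused; the deny-by-default ACL means a resource nobody thought to list is unreachable rather than open.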

